Re: TRAMP, auth-source and Secret Service API "label" prompt

[Michael Albinus]

Gustavo Barros <gusbrs.2016@gmail.com> writes:

> Hi All,

Hi Gustavo,

I'm adding Ted in Cc, because he is the author of auth-source.el. For
the same reason, I quote your analysis completely.

> This is a follow-up report, from a discussion which started between
> Michael Albinus and me at Reddit (https://redd.it/l2dw9j).
>
> The behavior I met, which I thought was somehow "normal" and was trying
> to disable, was that, whenever I tried to use TRAMP's sudo method (I
> haven't tested others), I was first prompted for a password, as
> expected, but after entering the password, I received a second prompt
> "Enter label for root@localhost (default root@localhost):". I just
> accepted the default, and the authentication succeeded. And this
> happened even though I have set `auth-source-save-behavior' to nil.
>
> Well, Michael told me at Reddit this is not expected behavior, so I
> started playing with my settings in the area, and found the culprit to
> be my `auth-sources' setting, which was:
>
> #+begin_src emacs-lisp
> (setq auth-sources '(default
>                      "secrets:session"
>                      "secrets:Login"
>                      "~/.authinfo.gpg"))
> #+end_src

Tramp searches via auth-source-search with the parameter ":create t". In
case it doesn't find a password in the sources, it creates the password
in the *first* source specified in auth-sources, which is
"secrets:session" in your case. As said in the documentation, this is a
temporary password collection, which does not survive an Emacs session.

However, it shouldn't even try to create the entry, because you have set
auth-source-save-behavior to nil.

> Being `auth-source-save-behavior' and `auth-sources' the only options
> from `auth-source.el' which I (knowingly, deliberately) configure in my
> init file.  That setting for `auth-sources' is literally given as
> example in (info "(auth) Secret Service API").
>
> It turns out that, if a source which is not from the Secret Service API
> (`secrets.el') has the highest priority there, the prompt is gone.  So I
> went with:
>
> #+begin_src emacs-lisp
> (setq auth-sources '("~/.authinfo.gpg"
>                      default
>                      "secrets:session"
>                      "secrets:Login"))
> #+end_src

Indeed. The creation function acknowledges auth-source-save-behavior
being nil, and it is silent.

> Michael found it strange, as I did, and suggested this should probably
> be reported to `report-emacs-bug'.  So I tried to generate a
> reproduction recipe starting from `emacs -Q' which, unfortunately, I
> could not.  There is some interaction with something in my init which I
> could not pin down.
>
> Nevertheless, this bothered me now, so I tried to understand why this
> was happening.  I started following the code trail.  The prompt itself
> is from `auth-source-secrets-create' (in `auth-source.el'), and going up
> from there I eventually came to `auth-source-search' which is called by
> `tramp-read-passwd' in the following manner:
>
> #+begin_src emacs-lisp
> (auth-source-search
>  :max 1
>  (and user :user)
>  (if domain
>      (concat
>       user tramp-prefix-domain-format domain)
>    user)
>  :host
>  (if port
>      (concat
>       host tramp-prefix-port-format port)
>    host)
>  :port method
>  :require (cons :secret (and user '(:user)))
>  :create t)
> #+end_src
>
> And, indeed, `tramp-read-passwd' is asking auth-source to create a new
> entry if one does not exist with `:create t'.

More precisely, Tramp is proposing (sigh!) to create a password if it
doesn't exist yet. auth-source-save-behavior let you overrule this proposal.

> What particularly bothered me in this prompt was the fact of being
> prompted for a "label" to save a password which was never meant to be
> saved in the first place, since I set `auth-source-save-behavior' to
> nil.  And it appears "create" and "save" are indeed two separate
> operations for `auth-source', the docstring for `auth-source-search'
> implies that in: "The token can hold a :save-function key.  If you call
> that, the user will be prompted to save the data to the backend.  You
> can't request that this should happen right after creation, because
> `auth-source-search' has no way of knowing if the token is actually
> useful.  So the caller must arrange to call this function."
>
> My first thought was thus to condition directly to
> `auth-source-save-behavior', and I've suggested Michael at Reddit it
> might be interesting to use `:create (if auth-source-save-behavior t)',
> so that `tramp-read-passwd' never tried to create the `auth-source'
> entry if none was found, and none was meant to be saved.
>
> I did test this, and it does work, in the sense that when
> `auth-source-save-behavior' is set to nil, regardless of the order of
> the sources in `auth-sources', that prompt does not occur.

Tramp shouldn't handle auth-source-save-behavior on its own, I
believe. It is just a contract between auth-source.el and the user;
Tramp is not involved.

> But, since then I had what I regard a better idea: why not provide the
> label?  This is pretty much standard behavior for applications which
> store passwords in the Login keyring.  And it is not specially
> complicated, as the label must exist, but does not have to be unique.
> The docstring for `secrets-create-item' states this explicitly: "The
> label ITEM does not have to be unique in COLLECTION."
>
> So, `tramp-read-passwd' could go with something like:
>
> #+begin_src emacs-lisp
> :label (concat "Tramp password"
>                (when (or user host) " for ")
>                (when user (format "%s" user))
>                (when host (format "@%s" host)))
> #+end_src
>
> keeping the current value of `:create t'.
>
> That would automatically generate a label "Tramp password for
> root@localhost" for the case at hand.  I've tested this, and the prompt
> is gone for all cases, regardless of the order of entries in
> `auth-sources'.  When `auth-source-save-behavior' is nil, it works as
> expected (no prompt).  And there is a change in behavior when
> `auth-source-save-behavior' is non-nil, the prompt is also gone, and the
> password is saved according to the relevant settings with that label
> (and answer in case of 'ask).

Tramp doesn't know the Secret Sercice API of auth-source.el, and so it
doesn't know that something like a label is needed.

(Well, this is a shameless lie: I'm the maintainer of Tramp, and the
author of secrets.el. But from the design point of view, this stands.)

> A couple of caveats.  First, I really don't know well `auth-sources.el'
> and just tried to figure out what was happening in this case.  As far as
> I understand the `:label' key will just be ignored by other backends of
> `auth-source' where it is not meaningful.  But someone more acquainted
> with `auth-source' should probably judge.  Second, I'm not sure that
> particular label I suggested is general enough to cover all relevant
> TRAMP methods, some further polishing there by someone more experienced
> in the ways of TRAMP might be needed.
>
> And, well, third, I understand, of course, that the fact I could not
> generate a clean reproduction recipe with `emacs -Q' does beg the
> question of whether any change is granted at all, because we really
> don't know how relevant the "issue" is.  So, feel free to disregard the
> suggestion.

As far as I understand, auth-source.el shouldn't ask for a label, when
auth-source-save-behavior is nil, because no entry in the Secret Service
API shall be created. This seems to be a bug to me in
auth-source-secrets-create. It shall ask only sor a label, if
auth-source-save-behavior has the value 'ask. If it has the value t,
there shouldn't also be a question about the label; just the default
label shall be used.

> Still, I hope this is somehow useful.
>
> Best regards,
> Gustavo.
>
> PS: Please keep me CC's, as I'm not subscribed to the list.

Best regards, Michael.