From ddfda64826800a7b737fa161fd9d793fa6b42f06 Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Wed, 18 Mar 2020 22:07:33 -0400
Subject: imap-dl: use retriever.authentication configuration

After discussion with Sean Whitton and Robbie Harwood, I think makes
more sense to have a straight "retriever.authentication" configuration
setting rather than a rather odd boolean "use_kerberos".

This is a divergence from getmail, but that seems OK at this point.

The implementation now also makes it pretty straightforward to add new
authentication mechanisms if someone wants to add them.

One additional thing that would be nice would be for imap-dl to be
able to dynamically choose the "best" available authentication method.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthorseman.net>
---
 imap-dl       | 17 +++++++++++++----
 imap-dl.1.pod | 10 +++++-----
 2 files changed, 18 insertions(+), 9 deletions(-)

diff --git a/imap-dl b/imap-dl
index 83ce84f..4f5abbb 100755
--- a/imap-dl
+++ b/imap-dl
@@ -185,12 +185,21 @@ def scan_msgs(configfile:str, verbose:bool) -> None:
                            port=int(conf.get('retriever', 'port', fallback=993)),
                            ssl_context=ctx) as imap:
         username:str = conf.get('retriever', 'username')
-        use_kerberos = conf.getboolean('retriever', 'use_kerberos',
-                                       fallback=False)
-        if use_kerberos:
+        authentication:str = conf.get('retriever', 'authentication',
+                                      fallback='basic')
+        # FIXME: have the default automatically choose an opinionated
+        # best authentication method.  e.g., if the gssapi module is
+        # installed and the user has a reasonable identity in their
+        # local credential cache, choose kerberos, otherwise, choose
+        # "basic".
+        if authentication == 'kerberos':
             auth_gssapi(username, imap, conf, server)
-        else:
+        elif authentication == 'basic':
             auth_builtin(username, imap, conf, server)
+        else:
+            # FIXME: implement other authentication mechanisms
+            raise Exception(f'retriever.authentication should be one of:\n'
+                            '"basic" or "kerberos", got "{authentication}"')
 
         if verbose: # only enable debugging after login to avoid leaking credentials in the log
             imap.debug = 4
diff --git a/imap-dl.1.pod b/imap-dl.1.pod
index 5864267..88e3129 100644
--- a/imap-dl.1.pod
+++ b/imap-dl.1.pod
@@ -43,14 +43,14 @@ options:
 
 B<retriever.server> is the dns name of the mailserver.
 
+B<retriever.authentication> is either "basic" (the default, using the
+IMAP LOGIN verb) or "kerberos" (IMAP AUTHENTICATE with GSSAPI,
+requires the python3-gssapi module).
+
 B<retriever.username> is the username of the IMAP account.
 
 B<retriever.password> is the password for the IMAP account when using
-plaintext passwords.
-
-B<retriever.use_kerberos> (boolean) requests that Kerberos (through GSSAPI) is
-to be used instead of password-based auth.  There is no need to specify
-password when using Kerberos.  This requires the python3-gssapi module.
+B<retriever.authentication> is set to "basic".
 
 B<retriever.ssl_ciphers> is an OpenSSL cipher string to use instead of the
 defaults.  (The defaults are good; this should be avoided except to work
-- 
cgit v1.2.3