2 files changed, 349 insertions, 241 deletions
diff --git a/lisp/auth-source-pass.el b/lisp/auth-source-pass.el
index af421645cbc..295bda507b0 100644
--- a/lisp/auth-source-pass.el
+++ b/lisp/auth-source-pass.el
@@ -197,10 +197,17 @@ CONTENTS is the contents of a password-store formatted file."
 Disambiguate between user provided inside HOST (e.g., user@server.com) and
 inside USER by giving priority to USER.  Same for PORT."
+  (apply #'auth-source-pass--find-match-unambiguous (auth-source-pass--disambiguate host user port)))
+(defun auth-source-pass--disambiguate (host &optional user port)
+  "Return (HOST USER PORT) after disambiguation.
+Disambiguate between having user provided inside HOST (e.g.,
+user@server.com) and inside USER by giving priority to USER.
+Same for PORT."
  (let* ((url (url-generic-parse-url (if (string-match-p ".*://" host)
                                         host
                                       (format "https://%s" host)))))
-    (auth-source-pass--find-match-unambiguous
+    (list
     (or (url-host url) host)
     (or user (url-user url))
     ;; url-port returns 443 (because of the https:// above) by default
@@ -212,74 +219,49 @@ If many matches are found, return the first one.  If no match is found,
 return nil.
 HOSTNAME should not contain any username or port number."
-  (cl-reduce
+  (let ((all-entries (auth-source-pass-entries))
-   (lambda (result entries)
+        (suffixes (auth-source-pass--generate-entry-suffixes hostname user port)))
-     (or result
+    (auth-source-pass--do-debug "searching for entries matching hostname=%S, user=%S, port=%S"
-         (pcase (length entries)
+                                hostname (or user "") (or port ""))
-           (0 nil)
+    (auth-source-pass--do-debug "corresponding suffixes to search for: %S" suffixes)
-           (1 (auth-source-pass-parse-entry (car entries)))
+    (catch 'auth-source-pass-break
-           (_ (auth-source-pass--select-from-entries entries user)))))
+      (dolist (suffix suffixes)
-   (auth-source-pass--matching-entries hostname user port)
+        (let* ((matching-entries (auth-source-pass--entries-matching-suffix suffix all-entries))
-   :initial-value nil))
+               (best-entry-data (auth-source-pass--select-from-entries matching-entries user)))
+          (pcase (length matching-entries)
+            (0 (auth-source-pass--do-debug "found no entries matching %S" suffix))
+            (1 (auth-source-pass--do-debug "found 1 entry matching %S: %S"
+                                           suffix
+                                           (car matching-entries)))
+            (_ (auth-source-pass--do-debug "found %s entries matching %S: %S"
+                                           (length matching-entries)
+                                           suffix
+                                           matching-entries)))
+          (when best-entry-data
+            (throw 'auth-source-pass-break best-entry-data)))))))
 (defun auth-source-pass--select-from-entries (entries user)
  "Return best matching password-store entry data from ENTRIES.
 If USER is non nil, give precedence to entries containing a user field
 matching USER."
-  (cl-reduce
+  (let (fallback)
-   (lambda (result entry)
+    (catch 'auth-source-pass-break
-     (let ((entry-data (auth-source-pass-parse-entry entry)))
+      (dolist (entry entries fallback)
-       (cond ((equal (auth-source-pass--get-attr "user" result) user)
+        (let ((entry-data (auth-source-pass-parse-entry entry)))
-              result)
+          (when (and entry-data (not fallback))
-             ((equal (auth-source-pass--get-attr "user" entry-data) user)
+            (setq fallback entry-data)
-              entry-data)
+            (when (or (not user) (equal (auth-source-pass--get-attr "user" entry-data) user))
-             (t
+              (throw 'auth-source-pass-break entry-data))))))))
-              result))))
-   entries
+(defun auth-source-pass--entries-matching-suffix (suffix entries)
-   :initial-value (auth-source-pass-parse-entry (car entries))))
+  "Return entries matching SUFFIX.
+If ENTRIES is nil, use the result of calling `auth-source-pass-entries' instead."
-(defun auth-source-pass--matching-entries (hostname user port)
+  (cl-remove-if-not
-  "Return all matching password-store entries for HOSTNAME, USER, & PORT.
+   (lambda (entry) (string-match-p
+               (format "\\(^\\|/\\)%s$" (regexp-quote suffix))
-The result is a list of lists of password-store entries, where
+               entry))
-each sublist contains entries that actually exist in the
+   (or entries (auth-source-pass-entries))))
-password-store matching one of the entry name formats that
-auth-source-pass expects, most specific to least specific."
-  (let* ((entries-lists (mapcar
-                         #'cdr
-                         (auth-source-pass--accumulate-matches hostname user port)))
-         (entries (apply #'cl-concatenate (cons 'list entries-lists))))
-    (if entries
-        (auth-source-pass--do-debug (format "found: %S" entries))
-      (auth-source-pass--do-debug "no matches found"))
-    entries-lists))
-(defun auth-source-pass--accumulate-matches (hostname user port)
-  "Accumulate matching password-store entries into sublists.
-Entries matching supported formats that combine HOSTNAME, USER, &
-PORT are accumulated into sublists where the car of each sublist
-is a regular expression for matching paths in the password-store
-and the remainder is the list of matching entries."
-  (let ((suffix-match-lists
-         (mapcar (lambda (suffix) (list (format "\\(^\\|/\\)%s$" suffix)))
-                 (auth-source-pass--generate-entry-suffixes hostname user port))))
-    (cl-reduce #'auth-source-pass--entry-reducer
-               (auth-source-pass-entries)
-               :initial-value suffix-match-lists)))
-(defun auth-source-pass--entry-reducer (match-lists entry)
-  "Match MATCH-LISTS sublists against ENTRY.
-The result is a copy of match-lists with the entry added to the
-end of any sublists for which the regular expression at the head
-of the list matches the entry name."
-  (mapcar (lambda (match-list)
-            (if (string-match (car match-list) entry)
-                (append match-list (list entry))
-              match-list))
-          match-lists))
 (defun auth-source-pass--generate-entry-suffixes (hostname user port)
  "Return a list of possible entry path suffixes in the password-store.
diff --git a/test/lisp/auth-source-pass-tests.el b/test/lisp/auth-source-pass-tests.el
index 2c28f799453..6f0d308cebf 100644
--- a/test/lisp/auth-source-pass-tests.el
+++ b/test/lisp/auth-source-pass-tests.el
@@ -52,11 +52,21 @@
 (defvar auth-source-pass--debug-log nil
  "Contains a list of all messages passed to `auth-source-do-debug`.")
-(defun auth-source-pass--should-have-message-containing (regexp)
+(defun auth-source-pass--have-message-matching (regexp)
-  "Assert that at least one `auth-source-do-debug` matched REGEXP."
+  "Return non-nil iff at least one `auth-source-do-debug` match REGEXP."
-  (should (seq-find (lambda (message)
+  (seq-find (lambda (message)
-                      (string-match regexp message))
+              (string-match regexp message))
-                    auth-source-pass--debug-log)))
+            auth-source-pass--debug-log))
+(defun auth-source-pass--explain--have-message-matching (regexp)
+  "Explainer function for `auth-source-pass--have-message-matching'.
+REGEXP is the same as in `auth-source-pass--have-message-matching'."
+  `(regexp
+    ,regexp
+    messages
+    ,(mapconcat #'identity auth-source-pass--debug-log "\n- ")))
+(put #'auth-source-pass--have-message-matching 'ert-explainer #'auth-source-pass--explain--have-message-matching)
 (defun auth-source-pass--debug (&rest msg)
  "Format MSG and add that to `auth-source-pass--debug-log`.
@@ -78,6 +88,82 @@ This function is intended to be set to `auth-source-debug`."
           (auth-source-pass--parse-log nil))
       ,@body)))
+(defun auth-source-pass--explain-match-entry-p (entry hostname &optional user port)
+  "Explainer function for `auth-source-pass-match-entry-p'.
+ENTRY, HOSTNAME, USER and PORT are the same as in `auth-source-pass-match-entry-p'."
+  `(entry
+    ,entry
+    store
+    ,(auth-source-pass-entries)
+    matching-entries
+    ,(auth-source-pass--matching-entries hostname user port)))
+(put 'auth-source-pass-match-entry-p 'ert-explainer #'auth-source-pass--explain-match-entry-p)
+(defun auth-source-pass--includes-sorted-entries (entries hostname &optional user port)
+  "Return non-nil iff ENTRIES matching the parameters are found in store.
+ENTRIES should be sorted from most specific to least specific.
+HOSTNAME, USER and PORT are passed unchanged to
+`auth-source-pass--matching-entries'."
+  (if (seq-empty-p entries)
+      t
+    (and
+     (auth-source-pass-match-entry-p (car entries) hostname user port)
+     (auth-source-pass--includes-sorted-entries (cdr entries) hostname user port))))
+(defun auth-source-pass--explain-includes-sorted-entries (entries hostname &optional user port)
+  "Explainer function for `auth-source-pass--includes-sorted-entries'.
+ENTRIES, HOSTNAME, USER and PORT are the same as in `auth-source-pass--includes-sorted-entries'."
+  `(store
+    ,(auth-source-pass-entries)
+    matching-entries
+    ,(auth-source-pass--matching-entries hostname user port)
+    entries
+    ,entries))
+(put 'auth-source-pass--includes-sorted-entries 'ert-explainer #'auth-source-pass--explain-includes-sorted-entries)
+(defun auth-source-pass--explain-match-any-entry-p (hostname &optional user port)
+  "Explainer function for `auth-source-pass-match-any-entry-p'.
+HOSTNAME, USER and PORT are the same as in `auth-source-pass-match-any-entry-p'."
+  `(store
+    ,(auth-source-pass-entries)
+    matching-entries
+    ,(auth-source-pass--matching-entries hostname user port)))
+(put 'auth-source-pass-match-any-entry-p 'ert-explainer #'auth-source-pass--explain-match-any-entry-p)
+(defun auth-source-pass--matching-entries (hostname &optional user port)
+  "Return password-store entries matching HOSTNAME, USER, PORT.
+The result is a list of lists of password-store entries.  Each
+sublist contains the password-store entries whose names match a
+suffix in `auth-source-pass--generate-entry-suffixes'.  The
+result is ordered the same way as the suffixes."
+  (let ((entries (auth-source-pass-entries)))
+    (mapcar (lambda (suffix) (auth-source-pass--entries-matching-suffix suffix entries))
+            (auth-source-pass--generate-entry-suffixes hostname user port))))
+(defun auth-source-pass-match-entry-p (entry hostname &optional user port)
+  "Return non-nil iff an ENTRY matching the parameters is found in store.
+HOSTNAME, USER and PORT are passed unchanged to
+`auth-source-pass--matching-entries'."
+  (cl-find-if
+   (lambda (entries) (cl-find entry entries :test #'string=))
+   (auth-source-pass--matching-entries hostname user port)))
+(defun auth-source-pass-match-any-entry-p (hostname &optional user port)
+  "Return non-nil iff there is at least one entry matching the parameters.
+HOSTNAME, USER and PORT are passed unchanged to
+`auth-source-pass--matching-entries'."
+  (cl-find-if #'identity (auth-source-pass--matching-entries hostname user port)))
 (ert-deftest auth-source-pass-any-host ()
  (auth-source-pass--with-store '(("foo" ("port" . "foo-port") ("host" . "foo-user"))
                                  ("bar"))
@@ -93,6 +179,101 @@ This function is intended to be set to `auth-source-debug`."
                                  ("bar"))
    (should-not (auth-source-pass-search :host "baz"))))
+(ert-deftest auth-source-pass--disambiguate-extract-host-from-hostname ()
+  ;; no user or port
+  (should (equal (cl-first (auth-source-pass--disambiguate "foo")) "foo"))
+  ;; only user
+  (should (equal (cl-first (auth-source-pass--disambiguate "user@foo")) "foo"))
+  ;; only port
+  (should (equal (cl-first (auth-source-pass--disambiguate "https://foo")) "foo"))
+  (should (equal (cl-first (auth-source-pass--disambiguate "foo:80")) "foo"))
+  ;; both user and port
+  (should (equal (cl-first (auth-source-pass--disambiguate "https://user@foo")) "foo"))
+  (should (equal (cl-first (auth-source-pass--disambiguate "user@foo:80")) "foo"))
+  ;; all of the above with a trailing path
+  (should (equal (cl-first (auth-source-pass--disambiguate "foo/path")) "foo"))
+  (should (equal (cl-first (auth-source-pass--disambiguate "user@foo/path")) "foo"))
+  (should (equal (cl-first (auth-source-pass--disambiguate "https://foo/path")) "foo"))
+  (should (equal (cl-first (auth-source-pass--disambiguate "foo:80/path")) "foo"))
+  (should (equal (cl-first (auth-source-pass--disambiguate "https://user@foo/path")) "foo"))
+  (should (equal (cl-first (auth-source-pass--disambiguate "user@foo:80/path")) "foo")))
+(ert-deftest auth-source-pass--disambiguate-extract-user-from-hostname ()
+  ;; no user or port
+  (should (equal (cl-second (auth-source-pass--disambiguate "foo")) nil))
+  ;; only user
+  (should (equal (cl-second (auth-source-pass--disambiguate "user@foo")) "user"))
+  ;; only port
+  (should (equal (cl-second (auth-source-pass--disambiguate "https://foo")) nil))
+  (should (equal (cl-second (auth-source-pass--disambiguate "foo:80")) nil))
+  ;; both user and port
+  (should (equal (cl-second (auth-source-pass--disambiguate "https://user@foo")) "user"))
+  (should (equal (cl-second (auth-source-pass--disambiguate "user@foo:80")) "user"))
+  ;; all of the above with a trailing path
+  (should (equal (cl-second (auth-source-pass--disambiguate "foo/path")) nil))
+  (should (equal (cl-second (auth-source-pass--disambiguate "user@foo/path")) "user"))
+  (should (equal (cl-second (auth-source-pass--disambiguate "https://foo/path")) nil))
+  (should (equal (cl-second (auth-source-pass--disambiguate "foo:80/path")) nil))
+  (should (equal (cl-second (auth-source-pass--disambiguate "https://user@foo/path")) "user"))
+  (should (equal (cl-second (auth-source-pass--disambiguate "user@foo:80/path")) "user")))
+(ert-deftest auth-source-pass--disambiguate-prefer-user-parameter ()
+  ;; no user or port
+  (should (equal (cl-second (auth-source-pass--disambiguate "foo" "user2")) "user2"))
+  ;; only user
+  (should (equal (cl-second (auth-source-pass--disambiguate "user@foo" "user2")) "user2"))
+  ;; only port
+  (should (equal (cl-second (auth-source-pass--disambiguate "https://foo" "user2")) "user2"))
+  (should (equal (cl-second (auth-source-pass--disambiguate "foo:80" "user2")) "user2"))
+  ;; both user and port
+  (should (equal (cl-second (auth-source-pass--disambiguate "https://user@foo" "user2")) "user2"))
+  (should (equal (cl-second (auth-source-pass--disambiguate "user@foo:80" "user2")) "user2"))
+  ;; all of the above with a trailing path
+  (should (equal (cl-second (auth-source-pass--disambiguate "foo/path" "user2")) "user2"))
+  (should (equal (cl-second (auth-source-pass--disambiguate "user@foo/path" "user2")) "user2"))
+  (should (equal (cl-second (auth-source-pass--disambiguate "https://foo/path" "user2")) "user2"))
+  (should (equal (cl-second (auth-source-pass--disambiguate "foo:80/path" "user2")) "user2"))
+  (should (equal (cl-second (auth-source-pass--disambiguate "https://user@foo/path" "user2")) "user2"))
+  (should (equal (cl-second (auth-source-pass--disambiguate "user@foo:80/path" "user2")) "user2")))
+(ert-deftest auth-source-pass--disambiguate-extract-port-from-hostname ()
+  ;; no user or port
+  (should (equal (cl-third (auth-source-pass--disambiguate "foo")) "443"))
+  ;; only user
+  (should (equal (cl-third (auth-source-pass--disambiguate "user@foo")) "443"))
+  ;; only port
+  (should (equal (cl-third (auth-source-pass--disambiguate "https://foo")) "443"))
+  (should (equal (cl-third (auth-source-pass--disambiguate "foo:80")) "80"))
+  ;; both user and port
+  (should (equal (cl-third (auth-source-pass--disambiguate "https://user@foo")) "443"))
+  (should (equal (cl-third (auth-source-pass--disambiguate "user@foo:80")) "80"))
+  ;; all of the above with a trailing path
+  (should (equal (cl-third (auth-source-pass--disambiguate "foo/path")) "443"))
+  (should (equal (cl-third (auth-source-pass--disambiguate "user@foo/path")) "443"))
+  (should (equal (cl-third (auth-source-pass--disambiguate "https://foo/path")) "443"))
+  (should (equal (cl-third (auth-source-pass--disambiguate "foo:80/path")) "80"))
+  (should (equal (cl-third (auth-source-pass--disambiguate "https://user@foo/path")) "443"))
+  (should (equal (cl-third (auth-source-pass--disambiguate "user@foo:80/path")) "80")))
+(ert-deftest auth-source-pass--disambiguate-prefer-port-parameter ()
+  ;; no user or port
+  (should (equal (cl-third (auth-source-pass--disambiguate "foo" "user2" "8080")) "8080"))
+  ;; only user
+  (should (equal (cl-third (auth-source-pass--disambiguate "user@foo" "user2" "8080")) "8080"))
+  ;; only port
+  (should (equal (cl-third (auth-source-pass--disambiguate "https://foo" "user2" "8080")) "8080"))
+  (should (equal (cl-third (auth-source-pass--disambiguate "foo:80" "user2" "8080")) "8080"))
+  ;; both user and port
+  (should (equal (cl-third (auth-source-pass--disambiguate "https://user@foo" "user2" "8080")) "8080"))
+  (should (equal (cl-third (auth-source-pass--disambiguate "user@foo:80" "user2" "8080")) "8080"))
+  ;; all of the above with a trailing path
+  (should (equal (cl-third (auth-source-pass--disambiguate "foo/path" "user2" "8080")) "8080"))
+  (should (equal (cl-third (auth-source-pass--disambiguate "user@foo/path" "user2" "8080")) "8080"))
+  (should (equal (cl-third (auth-source-pass--disambiguate "https://foo/path" "user2" "8080")) "8080"))
+  (should (equal (cl-third (auth-source-pass--disambiguate "foo:80/path" "user2" "8080")) "8080"))
+  (should (equal (cl-third (auth-source-pass--disambiguate "https://user@foo/path" "user2" "8080")) "8080"))
+  (should (equal (cl-third (auth-source-pass--disambiguate "user@foo:80/path" "user2" "8080")) "8080")))
 (ert-deftest auth-source-pass-find-match-minimal-parsing ()
  (let ((store-contents
         '(("baz" ("secret" . "baz password"))
@@ -121,156 +302,110 @@ This function is intended to be set to `auth-source-debug`."
      (should (equal auth-source-pass--parse-log '("bar.baz"))))
    (auth-source-pass--with-store store-contents
      (auth-source-pass--find-match "baz" nil nil)
-      (should (equal auth-source-pass--parse-log '("baz"))))))
+      (should (equal auth-source-pass--parse-log '("baz"))))
+    (auth-source-pass--with-store
-(ert-deftest auth-source-pass-find-match-matching-at-entry-name ()
+        '(("dir1/bar.com" ("key" . "val"))
-  (auth-source-pass--with-store
+          ("dir2/bar.com" ("key" . "val"))
-      '(("foo" ("secret" . "foo password")))
+          ("dir3/bar.com" ("key" . "val")))
-    (let ((result (auth-source-pass--find-match "foo" nil nil)))
+      (auth-source-pass--find-match "bar.com" nil nil)
-      (should (equal (auth-source-pass--get-attr "secret" result)
+      (should (= (length auth-source-pass--parse-log) 1)))))
-                     "foo password")))))
+(ert-deftest auth-source-pass--find-match-return-parsed-data ()
-(ert-deftest auth-source-pass-find-match-matching-at-entry-name-part ()
+  (auth-source-pass--with-store '(("bar.com" ("key" . "val")))
-  (auth-source-pass--with-store
+    (should (consp (auth-source-pass--find-match "bar.com" nil nil))))
-      '(("foo" ("secret" . "foo password")))
+  (auth-source-pass--with-store '(("dir1/bar.com" ("key1" . "val1")) ("dir2/bar.com" ("key2" . "val2")))
-    (let ((result (auth-source-pass--find-match "https://foo" nil nil)))
+    (should (consp (auth-source-pass--find-match "bar.com" nil nil)))))
-      (should (equal (auth-source-pass--get-attr "secret" result)
-                     "foo password")))))
+(ert-deftest auth-source-pass--matching-entries ()
-(ert-deftest auth-source-pass-find-match-matching-at-entry-name-ignoring-user ()
-  (auth-source-pass--with-store
-      '(("foo" ("secret" . "foo password")))
-    (let ((result (auth-source-pass--find-match "https://SomeUser@foo" nil nil)))
-      (should (equal (auth-source-pass--get-attr "secret" result)
-                     "foo password")))))
-(ert-deftest auth-source-pass-find-match-matching-at-entry-name-with-user ()
-  (auth-source-pass--with-store
-      '(("SomeUser@foo" ("secret" . "SomeUser@foo password")))
-    (let ((result (auth-source-pass--find-match "https://SomeUser@foo" nil nil)))
-      (should (equal (auth-source-pass--get-attr "secret" result)
-                     "SomeUser@foo password")))))
-(ert-deftest auth-source-pass-find-match-matching-at-entry-name-prefer-full ()
-  (auth-source-pass--with-store
-      '(("SomeUser@foo" ("secret" . "SomeUser@foo password"))
-        ("foo" ("secret" . "foo password")))
-    (let ((result (auth-source-pass--find-match "https://SomeUser@foo" nil nil)))
-      (should (equal (auth-source-pass--get-attr "secret" result)
-                     "SomeUser@foo password")))))
-(ert-deftest auth-source-pass-find-match-matching-at-entry-name-prefer-full-reversed ()
-  (auth-source-pass--with-store
-      '(("foo" ("secret" . "foo password"))
-        ("SomeUser@foo" ("secret" . "SomeUser@foo password")))
-    (let ((result (auth-source-pass--find-match "https://SomeUser@foo" nil nil)))
-      (should (equal (auth-source-pass--get-attr "secret" result)
-                     "SomeUser@foo password")))))
-(ert-deftest auth-source-pass-matching-entries-name-without-subdomain ()
  (auth-source-pass--with-store '(("bar.com"))
-    (should (equal (auth-source-pass--matching-entries "foo.bar.com" nil nil)
+    (should (auth-source-pass-match-entry-p "bar.com" "bar.com"))
-                   '(nil ("bar.com") nil)))))
+    ;; match even if sub-domain is asked for
+    (should (auth-source-pass-match-entry-p "bar.com" "foo.bar.com"))
-(ert-deftest auth-source-pass-matching-entries-name-without-subdomain-with-user ()
+    ;; match even if a user is asked for
-  (auth-source-pass--with-store '(("someone@bar.com"))
+    (should (auth-source-pass-match-entry-p "bar.com" "bar.com" "user"))
-    (should (equal (auth-source-pass--matching-entries "foo.bar.com" "someone" nil)
+    ;; match even if user as an @ sign
-                   '(nil nil nil ("someone@bar.com") nil nil nil nil nil)))))
+    (should (auth-source-pass-match-entry-p "bar.com" "bar.com" "user@someplace"))
+    ;; match even if a port is asked for
-(ert-deftest auth-source-pass-matching-entries-name-without-subdomain-with-bad-user ()
+    (should (auth-source-pass-match-entry-p "bar.com" "bar.com" nil "8080"))
-  (auth-source-pass--with-store '(("someoneelse@bar.com"))
+    ;; match even if a user and a port are asked for
-    (should (equal (auth-source-pass--matching-entries "foo.bar.com" "someone" nil)
+    (should (auth-source-pass-match-entry-p "bar.com" "bar.com" "user" "8080"))
-                   '(nil nil nil nil nil nil nil nil nil)))))
+    ;; don't match if a '.' is replaced with another character
+    (auth-source-pass--with-store '(("barXcom"))
-(ert-deftest auth-source-pass-matching-entries-name-without-subdomain-prefer-full ()
+      (should-not (auth-source-pass-match-any-entry-p "bar.com" nil nil)))))
-  (auth-source-pass--with-store '(("bar.com") ("foo.bar.com"))
-    (should (equal (auth-source-pass--matching-entries "foo.bar.com" nil nil)
+(ert-deftest auth-source-pass--matching-entries-find-entries-with-a-username ()
-                   '(("foo.bar.com") ("bar.com") nil)))))
+  (auth-source-pass--with-store '(("user@foo"))
+    (should (auth-source-pass-match-entry-p "user@foo" "foo" "user")))
-(ert-deftest auth-source-pass-dont-match-at-folder-name ()
+  ;; match even if sub-domain is asked for
-  (auth-source-pass--with-store '(("foo.bar.com/foo"))
+  (auth-source-pass--with-store '(("user@bar.com"))
-    (should (equal (auth-source-pass--matching-entries "foo.bar.com" nil nil)
+    (should (auth-source-pass-match-entry-p "user@bar.com" "foo.bar.com" "user")))
-                   '(nil nil nil)))))
+  ;; don't match if no user is asked for
+  (auth-source-pass--with-store '(("user@foo"))
-(ert-deftest auth-source-pass-matching-entries-host-port-and-subdir-user ()
+    (should-not (auth-source-pass-match-any-entry-p "foo")))
-  (auth-source-pass--with-store '(("bar.com:443/someone"))
+  ;; don't match if user is different
-    (should (equal (auth-source-pass--matching-entries "bar.com" "someone" "443")
+  (auth-source-pass--with-store '(("user1@foo"))
-                   '(nil ("bar.com:443/someone") nil nil nil nil
+    (should-not (auth-source-pass-match-any-entry-p "foo" "user2")))
-                         nil nil nil nil nil nil)))))
+  ;; don't match if sub-domain is asked for but user is different
+  (auth-source-pass--with-store '(("user1@bar.com"))
-(ert-deftest auth-source-pass-matching-entries-host-port-and-subdir-user-with-custom-separator ()
+    (should-not (auth-source-pass-match-any-entry-p "foo.bar.com" "user2"))))
+(ert-deftest auth-source-pass--matching-entries-find-entries-with-a-port ()
+  (auth-source-pass--with-store '(("bar.com:8080"))
+    (should (auth-source-pass-match-entry-p "bar.com:8080" "bar.com" nil "8080"))))
+(ert-deftest auth-source-pass--matching-entries-find-entries-with-slash ()
+  ;; match if entry filename matches user
+  (auth-source-pass--with-store '(("foo.com/user"))
+    (should (auth-source-pass-match-entry-p "foo.com/user" "foo.com" "user")))
+  ;; match with port if entry filename matches user
+  (auth-source-pass--with-store '(("foo.com:8080/user"))
+    (should (auth-source-pass-match-entry-p "foo.com:8080/user" "foo.com" "user" "8080")))
+  ;; don't match if entry filename doesn't match user
+  (auth-source-pass--with-store '(("foo.com/baz"))
+    (should-not (auth-source-pass-match-any-entry-p "foo.com" "user"))))
+(ert-deftest auth-source-pass-matching-entries-with-custom-separator ()
  (let ((auth-source-pass-port-separator "#"))
    (auth-source-pass--with-store '(("bar.com#443/someone"))
-      (should (equal (auth-source-pass--matching-entries "bar.com" "someone" "443")
+      (should (auth-source-pass-match-entry-p "bar.com#443/someone" "bar.com" "someone" "443")))))
-                     '(nil ("bar.com#443/someone") nil nil nil nil
-                           nil nil nil nil nil nil))))))
+(ert-deftest auth-source-pass--matching-entries-sort-results ()
+  (auth-source-pass--with-store '(("user@foo") ("foo"))
-(ert-deftest auth-source-pass-matching-entries-extracting-user-from-host ()
+    (should (auth-source-pass--includes-sorted-entries '("user@foo" "foo") "foo" "user")))
-  (auth-source-pass--with-store
+  ;; same, but store is reversed
-      '(("foo.com/bar" ("secret" . "foo.com/bar password")))
-    (let ((result (auth-source-pass--find-match "https://bar@foo.com" nil nil)))
-      (should (equal (auth-source-pass--get-attr "secret" result)
-                     "foo.com/bar password")))))
-(ert-deftest auth-source-pass-matching-entries-with-user-first ()
  (auth-source-pass--with-store '(("foo") ("user@foo"))
-    (should (equal (auth-source-pass--matching-entries "foo" "user" nil)
+    (should (auth-source-pass--includes-sorted-entries '("user@foo" "foo") "foo" "user")))
-                   '(("user@foo") nil ("foo"))))
+  ;; with sub-domain
-    (auth-source-pass--should-have-message-containing "found: (\"user@foo\" \"foo\"")))
+  (auth-source-pass--with-store '(("bar.com") ("foo.bar.com"))
+    (should (auth-source-pass--includes-sorted-entries '("foo.bar.com" "bar.com") "foo.bar.com")))
-(ert-deftest auth-source-pass-give-priority-to-desired-user ()
+  ;; matching user in the entry data takes priority
-  (auth-source-pass--with-store
+  (auth-source-pass--with-store '(("dir1/bar.com") ("dir2/bar.com" ("user" . "user")))
-      '(("foo" ("secret" . "foo password"))
+    (should (auth-source-pass--includes-sorted-entries
-        ("subdir/foo" ("secret" . "subdir/foo password") ("user" . "someone")))
+             '("dir2/bar.com" "dir1/bar.com")
-    (let ((result (auth-source-pass--find-match "foo" "someone" nil)))
+             "bar.com" "user")))
-      (should (equal (auth-source-pass--get-attr "secret" result)
+  ;; same, but store is reversed
-                     "subdir/foo password"))
+  (auth-source-pass--with-store '(("dir2/bar.com" ("user" . "user")) ("dir1/bar.com"))
-      (should (equal (auth-source-pass--get-attr "user" result)
+    (should (auth-source-pass--includes-sorted-entries
-                     "someone")))
+             '("dir2/bar.com" "dir1/bar.com")
-    (auth-source-pass--should-have-message-containing "found: (\"foo\" \"subdir/foo\"")))
+             "bar.com" "user"))))
-(ert-deftest auth-source-pass-give-priority-to-desired-user-reversed ()
+(ert-deftest auth-source-pass-all-supported-organizations ()
-  (auth-source-pass--with-store
+  ;; test every possible entry to store this data: user=rms host=gnu.org port=22
-      '(("foo" ("secret" . "foo password") ("user" . "someone"))
+  (dolist (entry '(;; only host name
-        ("subdir/foo" ("secret" . "subdir/foo password")))
+                   "gnu.org"
-    (let ((result (auth-source-pass--find-match "foo" "someone" nil)))
+                   ;; hostname + user
-      (should (equal (auth-source-pass--get-attr "secret" result)
+                   "gnu.org/rms" "rms@gnu.org"
-                     "foo password")))
+                   ;; hostname + port
-    (auth-source-pass--should-have-message-containing "found: (\"foo\" \"subdir/foo\"")))
+                   "gnu.org:22"
+                   ;; hostname + user + port
-(ert-deftest auth-source-pass-return-first-when-several-matches ()
+                   "gnu.org:22/rms" "rms@gnu.org:22"
-  (auth-source-pass--with-store
+                   ;; all of the above in a random folder
-      '(("foo" ("secret" . "foo password"))
+                   "a/b/gnu.org"
-        ("subdir/foo" ("secret" . "subdir/foo password")))
+                   "a/b/gnu.org/rms" "a/b/rms@gnu.org"
-    (let ((result (auth-source-pass--find-match "foo" nil nil)))
+                   "a/b/gnu.org:22"
-      (should (equal (auth-source-pass--get-attr "secret" result)
+                   "a/b/gnu.org:22/rms" "a/b/rms@gnu.org:22"))
-                     "foo password")))
+    (auth-source-pass--with-store `((,entry))
-    (auth-source-pass--should-have-message-containing "found: (\"foo\" \"subdir/foo\"")))
+      (should (auth-source-pass-match-entry-p entry "gnu.org" "rms" "22")))))
-(ert-deftest auth-source-pass-matching-entries-make-divansantana-happy ()
-  (auth-source-pass--with-store '(("host.com"))
-    (should (equal (auth-source-pass--matching-entries "smtp.host.com" "myusername@host.co.za" nil)
-                   '(nil nil nil nil nil ("host.com") nil nil nil)))))
-(ert-deftest auth-source-pass-find-host-without-port ()
-  (auth-source-pass--with-store
-      '(("host.com" ("secret" . "host.com password")))
-    (let ((result (auth-source-pass--find-match "host.com:8888" "someuser" nil)))
-      (should (equal (auth-source-pass--get-attr "secret" result)
-                     "host.com password")))))
-(ert-deftest auth-source-pass-matching-entries-host-with-port ()
-  (auth-source-pass--with-store '(("host.com:443"))
-    (should (equal (auth-source-pass--matching-entries "host.com" "someuser" "443")
-                   '(nil nil nil nil ("host.com:443") nil
-                         nil nil nil nil nil nil)))))
-(ert-deftest auth-source-pass-matching-entries-with-custom-port-separator ()
-  (let ((auth-source-pass-port-separator "#"))
-    (auth-source-pass--with-store '(("host.com#443"))
-      (should (equal (auth-source-pass--matching-entries "host.com" "someuser" "443")
-                     '(nil nil nil nil ("host.com#443") nil
-                           nil nil nil nil nil nil))))))
 (defmacro auth-source-pass--with-store-find-foo (store &rest body)
  "Use STORE while executing BODY.  \"foo\" is the matched entry."
@@ -300,33 +435,6 @@ This function is intended to be set to `auth-source-debug`."
      (should (equal (plist-get result :port) 512))
      (should (equal (plist-get result :user) "anuser")))))
-(ert-deftest auth-source-pass-build-result-passes-full-host-to-find-match ()
-  (let (passed-host)
-    (cl-letf (((symbol-function 'auth-source-pass--find-match)
-               (lambda (host _user _port)
-                 (setq passed-host host)
-                 nil)))
-      (auth-source-pass--build-result "https://user@host.com:123" nil nil)
-      (should (equal passed-host "https://user@host.com:123"))
-      (auth-source-pass--build-result "https://user@host.com" nil nil)
-      (should (equal passed-host "https://user@host.com"))
-      (auth-source-pass--build-result "user@host.com" nil nil)
-      (should (equal passed-host "user@host.com"))
-      (auth-source-pass--build-result "user@host.com:443" nil nil)
-      (should (equal passed-host "user@host.com:443")))))
-(ert-deftest auth-source-pass-only-return-entries-that-can-be-open ()
-  (auth-source-pass--with-store
-      '(("foo.site.com" ("secret" . "foo.site.com password"))
-        ("bar.site.com") ; An entry name with no data is invalid
-        ("mail/baz.site.com/scott" ("secret" . "mail/baz.site.com/scott password")))
-    (should (equal (auth-source-pass--find-match "foo.site.com" "someuser" nil)
-                   '(("secret" . "foo.site.com password"))))
-    (should (equal (auth-source-pass--find-match "bar.site.com" "someuser" nil)
-                   nil))
-    (should (equal (auth-source-pass--find-match "baz.site.com" "scott" nil)
-                   '(("secret" . "mail/baz.site.com/scott password"))))))
 (ert-deftest auth-source-pass-can-start-from-auth-source-search ()
  (auth-source-pass--with-store '(("gitlab.com" ("user" . "someone")))
    (auth-source-pass-enable)
@@ -334,6 +442,24 @@ This function is intended to be set to `auth-source-debug`."
      (should (equal (plist-get result :user) "someone"))
      (should (equal (plist-get result :host) "gitlab.com")))))
+(ert-deftest auth-source-pass-prints-meaningful-debug-log ()
+  (auth-source-pass--with-store '()
+    (auth-source-pass--find-match "gitlab.com" nil nil)
+    (should (auth-source-pass--have-message-matching
+             "entries matching hostname=\"gitlab.com\""))
+    (should (auth-source-pass--have-message-matching
+             "corresponding suffixes to search for: .*\"gitlab.com\""))
+    (should (auth-source-pass--have-message-matching
+             "found no entries matching \"gitlab.com\"")))
+  (auth-source-pass--with-store '(("gitlab.com"))
+    (auth-source-pass--find-match "gitlab.com" nil nil)
+    (should (auth-source-pass--have-message-matching
+             "found 1 entry matching \"gitlab.com\": \"gitlab.com\"")))
+  (auth-source-pass--with-store '(("a/gitlab.com") ("b/gitlab.com"))
+    (auth-source-pass--find-match "gitlab.com" nil nil)
+    (should (auth-source-pass--have-message-matching
+             "found 2 entries matching \"gitlab.com\": (\"a/gitlab.com\" \"b/gitlab.com\")"))))
 (provide 'auth-source-pass-tests)
 ;;; auth-source-pass-tests.el ends here