Allow multiple sources of repository credential values to be specified + control env var lookup via namespaced keywords

[cemerick]

There are various ways to specify alternative sources for repository credentials — including profiles (quite verbose if all you want to do is pull creds from the environment instead of from :gpg) and unquote (yuck). A passing comment by @technomancy suggested a third way that might be a sweet spot.

In short, allow repository credentials to be specified like so:

{:url ...
 :username [:env/repo1_username :gpg]
 :passphrase [:env :gpg]
}

Any values acceptable as a value for :username, :passphrase, and :password (:env, :gpg, :env/*, and strings) could be used in a vector instead.

Vector values in repository maps could contain N values to control credential lookup; the first one that yields a non-nil value is accepted as the replacement for the vector. In the example above, :username will have the value of (System/getenv "REPO1_USERNAME"), or the value of :username from the gpg credentials file if the environment var isn't defined. :passphrase will look for the LEIN_PASSPHRASE env var, and then fall back to gpg.

Open question: should :env continue to be allowed as a value? The convention of using it to look up an env var of (str "LEIN_" map-key) seems contrived compared to using namespaced keywords to control what env var should be used (and the latter allows more than one pair of credentials to be resolved from the environment).

[cemerick]

The referenced commit implements these changes. It:

1. retains support for :env
2. requires that :gpg be specified for each slot that should be looked up; so, repository maps like this won't work anymore:
   
   

{:url ... :creds :gpg}

Each slot that should be loaded from the gpg store needs to be listed explicitly, e.g.:

{:url ... :username :gpg :passphrase :gpg}

The behaviour of merging repository maps with gpg store matches based on :gpg being a value in any slot always struck me as odd.

Looking for feedback on both points, and the objectives of this issue in general. If this patch (or some variant) is acceptable, then I'll add/update documentation before pushing.

[cemerick]

Fixed, and on master.

I added the 2.0.0 milestone to this just in case that's being used to track changes/features/etc.

As discussed in irc, this includes a warning message if :gpg is found outside of a :creds entry in a repository map:

Warning: if you want to load all credentials for a repository from
~/.lein/credentials.clj.gpg, add :creds :gpg in the repository map.

This message should presumably be removed prior to 2.0.0 final; there's a TODO comment next to it in the source (I don't think we're creating issues to remind of such things?).