QGIS API Documentation  3.0.2-Girona (307d082)
qgsauthmanager.h
Go to the documentation of this file.
1 /***************************************************************************
2  qgsauthmanager.h
3  ---------------------
4  begin : October 5, 2014
5  copyright : (C) 2014 by Boundless Spatial, Inc. USA
6  author : Larry Shaffer
7  email : lshaffer at boundlessgeo dot com
8  ***************************************************************************
9  * *
10  * This program is free software; you can redistribute it and/or modify *
11  * it under the terms of the GNU General Public License as published by *
12  * the Free Software Foundation; either version 2 of the License, or *
13  * (at your option) any later version. *
14  * *
15  ***************************************************************************/
16 
17 #ifndef QGSAUTHMANAGER_H
18 #define QGSAUTHMANAGER_H
19 
20 #include "qgis_core.h"
21 #include "qgis_sip.h"
22 #include <QObject>
23 #include <QMutex>
24 #include <QNetworkReply>
25 #include <QNetworkRequest>
26 #include <QSqlDatabase>
27 #include <QSqlError>
28 #include <QSqlQuery>
29 #include <QStringList>
30 
31 #ifndef QT_NO_SSL
32 #include <QSslCertificate>
33 #include <QSslKey>
34 #include <QtCrypto>
35 #include "qgsauthcertutils.h"
36 #endif
37 
38 #include "qgsauthconfig.h"
39 #include "qgsauthmethod.h"
40 
41 // Qt5KeyChain library
42 #include "keychain.h"
43 
44 #ifndef SIP_RUN
45 namespace QCA
46 {
47  class Initializer;
48 }
49 #endif
50 class QgsAuthMethod;
51 class QgsAuthMethodEdit;
52 class QgsAuthProvider;
53 class QTimer;
54 
55 
61 class CORE_EXPORT QgsAuthManager : public QObject
62 {
63  Q_OBJECT
64 
65  public:
66 
69  {
70  INFO = 0,
71  WARNING = 1,
72  CRITICAL = 2
73  };
74  Q_ENUM( MessageLevel );
75 
84  bool init( const QString &pluginPath = QString(), const QString &authDatabasePath = QString() );
85 
86  ~QgsAuthManager() override;
87 
89  QSqlDatabase authDatabaseConnection() const;
90 
92  const QString authDatabaseConfigTable() const { return AUTH_CONFIG_TABLE; }
93 
95  const QString authDatabaseServersTable() const { return AUTH_SERVERS_TABLE; }
96 
97 
99  bool isDisabled() const;
100 
102  const QString disabledMessage() const;
103 
108  const QString authenticationDatabasePath() const { return mAuthDbPath; }
109 
115  bool setMasterPassword( bool verify = false );
116 
123  bool setMasterPassword( const QString &pass, bool verify = false );
124 
130  bool verifyMasterPassword( const QString &compare = QString() );
131 
133  bool masterPasswordIsSet() const;
134 
136  bool masterPasswordHashInDatabase() const;
137 
142  void clearMasterPassword() { mMasterPass = QString(); }
143 
148  bool masterPasswordSame( const QString &pass ) const;
149 
158  bool resetMasterPassword( const QString &newpass, const QString &oldpass, bool keepbackup, QString *backuppath SIP_INOUT = nullptr );
159 
164  bool scheduledAuthDatabaseErase() { return mScheduledDbErase; } SIP_SKIP
165 
178  void setScheduledAuthDatabaseErase( bool scheduleErase ) SIP_SKIP;
179 
188  void setScheduledAuthDatabaseEraseRequestEmitted( bool emitted ) { mScheduledDbEraseRequestEmitted = emitted; }
189 
191  QString authManTag() const { return AUTH_MAN_TAG; }
192 
194  bool registerCoreAuthMethods();
195 
197  QgsAuthMethodConfigsMap availableAuthMethodConfigs( const QString &dataprovider = QString() );
198 
200  void updateConfigAuthMethods();
201 
206  QgsAuthMethod *configAuthMethod( const QString &authcfg );
207 
212  QString configAuthMethodKey( const QString &authcfg ) const;
213 
217  QStringList authMethodsKeys( const QString &dataprovider = QString() );
218 
223  QgsAuthMethod *authMethod( const QString &authMethodKey );
224 
230  QgsAuthMethodsMap authMethodsMap( const QString &dataprovider = QString() ) SIP_SKIP;
231 
237  QWidget *authMethodEditWidget( const QString &authMethodKey, QWidget *parent );
238 
243  QgsAuthMethod::Expansions supportedAuthMethodExpansions( const QString &authcfg );
244 
246  const QString uniqueConfigId() const;
247 
252  bool configIdUnique( const QString &id ) const;
253 
258  bool hasConfigId( const QString &txt ) const;
259 
261  QString configIdRegex() const { return AUTH_CFG_REGEX;}
262 
264  QStringList configIds() const;
265 
271  bool storeAuthenticationConfig( QgsAuthMethodConfig &mconfig SIP_INOUT );
272 
278  bool updateAuthenticationConfig( const QgsAuthMethodConfig &config );
279 
287  bool loadAuthenticationConfig( const QString &authcfg, QgsAuthMethodConfig &mconfig SIP_INOUT, bool full = false );
288 
294  bool removeAuthenticationConfig( const QString &authcfg );
295 
300  bool removeAllAuthenticationConfigs();
301 
306  bool backupAuthenticationDatabase( QString *backuppath SIP_INOUT = nullptr );
307 
314  bool eraseAuthenticationDatabase( bool backup, QString *backuppath SIP_INOUT = nullptr );
315 
316 
318 
326  bool updateNetworkRequest( QNetworkRequest &request SIP_INOUT, const QString &authcfg,
327  const QString &dataprovider = QString() );
328 
336  bool updateNetworkReply( QNetworkReply *reply, const QString &authcfg,
337  const QString &dataprovider = QString() );
338 
346  bool updateDataSourceUriItems( QStringList &connectionItems SIP_INOUT, const QString &authcfg,
347  const QString &dataprovider = QString() );
348 
356  bool updateNetworkProxy( QNetworkProxy &proxy SIP_INOUT, const QString &authcfg,
357  const QString &dataprovider = QString() );
358 
360 
362  bool storeAuthSetting( const QString &key, const QVariant &value, bool encrypt = false );
363 
372  QVariant authSetting( const QString &key, const QVariant &defaultValue = QVariant(), bool decrypt = false );
373 
375  bool existsAuthSetting( const QString &key );
376 
378  bool removeAuthSetting( const QString &key );
379 
380 #ifndef QT_NO_SSL
381 
384  bool initSslCaches();
385 
387  bool storeCertIdentity( const QSslCertificate &cert, const QSslKey &key );
388 
395  const QSslCertificate certIdentity( const QString &id );
396 
404  const QPair<QSslCertificate, QSslKey> certIdentityBundle( const QString &id ) SIP_SKIP;
405 
412  const QStringList certIdentityBundleToPem( const QString &id );
413 
419  const QList<QSslCertificate> certIdentities();
420 
422 
428  QStringList certIdentityIds() const;
429 
431  bool existsCertIdentity( const QString &id );
432 
434  bool removeCertIdentity( const QString &id );
435 
436 
438  bool storeSslCertCustomConfig( const QgsAuthConfigSslServer &config );
439 
447  const QgsAuthConfigSslServer sslCertCustomConfig( const QString &id, const QString &hostport );
448 
455  const QgsAuthConfigSslServer sslCertCustomConfigByHost( const QString &hostport );
456 
462  const QList<QgsAuthConfigSslServer> sslCertCustomConfigs();
463 
465  bool existsSslCertCustomConfig( const QString &id, const QString &hostport );
466 
468  bool removeSslCertCustomConfig( const QString &id, const QString &hostport );
469 
476  QHash<QString, QSet<QSslError::SslError> > ignoredSslErrorCache() { return mIgnoredSslErrorsCache; } SIP_SKIP
477 
479  void dumpIgnoredSslErrorsCache_();
480 
482  bool updateIgnoredSslErrorsCacheFromConfig( const QgsAuthConfigSslServer &config );
483 
485  bool updateIgnoredSslErrorsCache( const QString &shahostport, const QList<QSslError> &errors );
486 
488  bool rebuildIgnoredSslErrorCache();
489 
490 
492  bool storeCertAuthorities( const QList<QSslCertificate> &certs );
493 
495  bool storeCertAuthority( const QSslCertificate &cert );
496 
498 
505  const QSslCertificate certAuthority( const QString &id );
506 
508  bool existsCertAuthority( const QSslCertificate &cert );
509 
511  bool removeCertAuthority( const QSslCertificate &cert );
512 
518  const QList<QSslCertificate> systemRootCAs();
519 
525  const QList<QSslCertificate> extraFileCAs();
526 
532  const QList<QSslCertificate> databaseCAs();
533 
539  const QMap<QString, QSslCertificate> mappedDatabaseCAs();
540 
547  const QMap<QString, QPair<QgsAuthCertUtils::CaCertSource, QSslCertificate> > caCertsCache() SIP_SKIP
548  {
549  return mCaCertsCache;
550  }
551 
553  bool rebuildCaCertsCache();
554 
556  bool storeCertTrustPolicy( const QSslCertificate &cert, QgsAuthCertUtils::CertTrustPolicy policy );
557 
564  QgsAuthCertUtils::CertTrustPolicy certTrustPolicy( const QSslCertificate &cert );
565 
567  bool removeCertTrustPolicies( const QList<QSslCertificate> &certs );
568 
570  bool removeCertTrustPolicy( const QSslCertificate &cert );
571 
578  QgsAuthCertUtils::CertTrustPolicy certificateTrustPolicy( const QSslCertificate &cert );
579 
581  bool setDefaultCertTrustPolicy( QgsAuthCertUtils::CertTrustPolicy policy );
582 
584  QgsAuthCertUtils::CertTrustPolicy defaultCertTrustPolicy();
585 
591  const QMap<QgsAuthCertUtils::CertTrustPolicy, QStringList > certTrustCache() { return mCertTrustCache; }
592 
594  bool rebuildCertTrustCache();
595 
602  const QList<QSslCertificate> trustedCaCerts( bool includeinvalid = false );
603 
609  const QList<QSslCertificate> untrustedCaCerts( QList<QSslCertificate> trustedCAs = QList<QSslCertificate>() );
610 
612  bool rebuildTrustedCaCertsCache();
613 
619  const QList<QSslCertificate> trustedCaCertsCache() { return mTrustedCaCertsCache; }
620 
626  const QByteArray trustedCaCertsPemText();
627 
628 #endif
629 
634  const QString passwordHelperErrorMessage() { return mPasswordHelperErrorMessage; } SIP_SKIP
635 
640  bool passwordHelperDelete() SIP_SKIP;
641 
646  bool passwordHelperEnabled() const SIP_SKIP;
647 
652  void setPasswordHelperEnabled( const bool enabled ) SIP_SKIP;
653 
658  bool passwordHelperLoggingEnabled() const SIP_SKIP;
659 
664  void setPasswordHelperLoggingEnabled( const bool enabled ) SIP_SKIP;
665 
670  bool passwordHelperSync() SIP_SKIP;
671 
673  static const QString AUTH_PASSWORD_HELPER_DISPLAY_NAME;
674 
676  static const QString AUTH_MAN_TAG;
677 
678  signals:
679 
684  void passwordHelperFailure();
685 
690  void passwordHelperSuccess();
691 
699  void messageOut( const QString &message, const QString &tag = QgsAuthManager::AUTH_MAN_TAG, QgsAuthManager::MessageLevel level = QgsAuthManager::INFO ) const;
700 
708  void passwordHelperMessageOut( const QString &message, const QString &tag = QgsAuthManager::AUTH_MAN_TAG, QgsAuthManager::MessageLevel level = QgsAuthManager::INFO );
709 
710 
715  void masterPasswordVerified( bool verified );
716 
718  void authDatabaseEraseRequested();
719 
721  void authDatabaseChanged();
722 
723  public slots:
725  void clearAllCachedConfigs();
726 
728  void clearCachedConfig( const QString &authcfg );
729 
730  private slots:
731  void writeToConsole( const QString &message, const QString &tag = QString(), QgsAuthManager::MessageLevel level = INFO );
732 
742  void tryToStartDbErase();
743 
744  protected:
745 
750  static QgsAuthManager *instance() SIP_SKIP;
751 
752  explicit QgsAuthManager() SIP_SKIP;
753 
754  private:
755 
757  // Password Helper methods
758 
760  QString passwordHelperName() const;
761 
763  void passwordHelperLog( const QString &msg ) const;
764 
766  QString passwordHelperRead();
767 
769  bool passwordHelperWrite( const QString &password );
770 
772  void passwordHelperSetErrorMessage( const QString &errorMessage ) { mPasswordHelperErrorMessage = errorMessage; }
773 
775  void passwordHelperClearErrors();
776 
781  void passwordHelperProcessError();
782 
783  bool createConfigTables();
784 
785  bool createCertTables();
786 
787  bool masterPasswordInput();
788 
789  bool masterPasswordRowsInDb( int *rows ) const;
790 
791  bool masterPasswordCheckAgainstDb( const QString &compare = QString() ) const;
792 
793  bool masterPasswordStoreInDb() const;
794 
795  bool masterPasswordClearDb();
796 
797  const QString masterPasswordCiv() const;
798 
799  bool verifyPasswordCanDecryptConfigs() const;
800 
801  bool reencryptAllAuthenticationConfigs( const QString &prevpass, const QString &prevciv );
802 
803  bool reencryptAuthenticationConfig( const QString &authcfg, const QString &prevpass, const QString &prevciv );
804 
805  bool reencryptAllAuthenticationSettings( const QString &prevpass, const QString &prevciv );
806 
807  bool reencryptAllAuthenticationIdentities( const QString &prevpass, const QString &prevciv );
808 
809  bool reencryptAuthenticationIdentity( const QString &identid, const QString &prevpass, const QString &prevciv );
810 
811  bool authDbOpen() const;
812 
813  bool authDbQuery( QSqlQuery *query ) const;
814 
815  bool authDbStartTransaction() const;
816 
817  bool authDbCommit() const;
818 
819  bool authDbTransactionQuery( QSqlQuery *query ) const;
820 
821 #ifndef QT_NO_SSL
822  void insertCaCertInCache( QgsAuthCertUtils::CaCertSource source, const QList<QSslCertificate> &certs );
823 #endif
824 
825  const QString authDbPassTable() const { return AUTH_PASS_TABLE; }
826 
827  const QString authDbSettingsTable() const { return AUTH_SETTINGS_TABLE; }
828 
829  const QString authDbIdentitiesTable() const { return AUTH_IDENTITIES_TABLE; }
830 
831  const QString authDbAuthoritiesTable() const { return AUTH_AUTHORITIES_TABLE; }
832 
833  const QString authDbTrustTable() const { return AUTH_TRUST_TABLE; }
834 
835  static QgsAuthManager *sInstance;
836  static const QString AUTH_CONFIG_TABLE;
837  static const QString AUTH_PASS_TABLE;
838  static const QString AUTH_SETTINGS_TABLE;
839  static const QString AUTH_IDENTITIES_TABLE;
840  static const QString AUTH_SERVERS_TABLE;
841  static const QString AUTH_AUTHORITIES_TABLE;
842  static const QString AUTH_TRUST_TABLE;
843  static const QString AUTH_CFG_REGEX;
844 
845  bool mAuthInit = false;
846  QString mAuthDbPath;
847 
848  QCA::Initializer *mQcaInitializer = nullptr;
849 
850  QHash<QString, QString> mConfigAuthMethods;
851  QHash<QString, QgsAuthMethod *> mAuthMethods;
852 
853  QString mMasterPass;
854  int mPassTries = 0;
855  bool mAuthDisabled = false;
856  QString mAuthDisabledMessage;
857  QTimer *mScheduledDbEraseTimer = nullptr;
858  bool mScheduledDbErase = false;
859  int mScheduledDbEraseRequestWait = 3 ; // in seconds
860  bool mScheduledDbEraseRequestEmitted = false;
861  int mScheduledDbEraseRequestCount = 0;
862  QMutex *mMutex = nullptr;
863 
864 #ifndef QT_NO_SSL
865  // mapping of sha1 digest and cert source and cert
866  // appending removes duplicates
867  QMap<QString, QPair<QgsAuthCertUtils::CaCertSource, QSslCertificate> > mCaCertsCache;
868  // list of sha1 digests per policy
869  QMap<QgsAuthCertUtils::CertTrustPolicy, QStringList > mCertTrustCache;
870  // cache of certs ready to be utilized in network connections
871  QList<QSslCertificate> mTrustedCaCertsCache;
872  // cache of SSL errors to be ignored in network connections, per sha-hostport
873  QHash<QString, QSet<QSslError::SslError> > mIgnoredSslErrorsCache;
874 #endif
875 
877  // Password Helper Variables
878 
880  bool mPasswordHelperVerificationError = false;
881 
883  QString mPasswordHelperErrorMessage;
884 
886  QKeychain::Error mPasswordHelperErrorCode = QKeychain::NoError;
887 
889  bool mPasswordHelperLoggingEnabled = false;
890 
892  bool mPasswordHelperFailedInit = false;
893 
895  static const QLatin1String AUTH_PASSWORD_HELPER_KEY_NAME;
896 
898  static const QLatin1String AUTH_PASSWORD_HELPER_FOLDER_NAME;
899 
900  friend class QgsApplication;
901 
902 };
903 
904 #endif // QGSAUTHMANAGER_H
Singleton offering an interface to manage the authentication configuration database and to utilize co...
const QString authDatabaseConfigTable() const
Name of the authentication database table that stores configs.
Extends QApplication to provide access to QGIS specific resources such as theme paths, database paths etc.
Configuration container for SSL server connection exceptions or overrides.
Abstract base class for the edit widget of authentication method plugins.
#define SIP_INOUT
Definition: qgis_sip.h:64
MessageLevel
Message log level (mirrors that of QgsMessageLog, so it can also output there)
static const QString AUTH_PASSWORD_HELPER_DISPLAY_NAME
The display name of the password helper (platform dependent)
const QMap< QString, QPair< QgsAuthCertUtils::CaCertSource, QSslCertificate > > caCertsCache()
caCertsCache get all CA certs mapped to their sha1 from cache.
QHash< QString, QgsAuthMethodConfig > QgsAuthMethodConfigsMap
QString authManTag() const
Simple text tag describing authentication system for message logs.
#define SIP_SKIP
Definition: qgis_sip.h:119
Configuration storage class for authentication method configurations.
Definition: qgsauthconfig.h:38
const QString authenticationDatabasePath() const
The standard authentication database file in ~/.qgis3/ or defined location.
Abstract base class for authentication method plugins.
Definition: qgsauthmethod.h:36
CaCertSource
Type of CA certificate source.
void clearMasterPassword()
Clear supplied master password.
const QList< QSslCertificate > trustedCaCertsCache()
trustedCaCertsCache cache of trusted certificate authorities, ready for network connections ...
QString configIdRegex() const
Return regular expression for authcfg=.{7} key/value token for authentication ids.
const QMap< QgsAuthCertUtils::CertTrustPolicy, QStringList > certTrustCache()
certTrustCache get cache of certificate sha1s, per trust policy
static const QString AUTH_MAN_TAG
The display name of the Authentication Manager.
CertTrustPolicy
Type of certificate trust policy.
bool scheduledAuthDatabaseErase()
Whether there is a scheduled opitonal erase of authentication database.
const QString passwordHelperErrorMessage()
Error message getter.
const QString authDatabaseServersTable() const
Name of the authentication database table that stores server exceptions/configs.
QHash< QString, QSet< QSslError::SslError > > ignoredSslErrorCache()
ignoredSslErrorCache Get ignored SSL error cache, keyed with cert/connection&#39;s sha:host:port.
void setScheduledAuthDatabaseEraseRequestEmitted(bool emitted)
Re-emit a signal to schedule an optional erase of authentication database.
QHash< QString, QgsAuthMethod * > QgsAuthMethodsMap