api/3.0/qgsauthmanager_8h_source.html

 /***************************************************************************
     qgsauthmanager.h
     ---------------------
     begin                : October 5, 2014
     copyright            : (C) 2014 by Boundless Spatial, Inc. USA
     author               : Larry Shaffer
     email                : lshaffer at boundlessgeo dot com
  ***************************************************************************
  *                                                                         *
  *   This program is free software; you can redistribute it and/or modify  *
  *   it under the terms of the GNU General Public License as published by  *
  *   the Free Software Foundation; either version 2 of the License, or     *
  *   (at your option) any later version.                                   *
  *                                                                         *
  ***************************************************************************/

 #ifndef QGSAUTHMANAGER_H
 #define QGSAUTHMANAGER_H

 #include "qgis_core.h"
 #include "qgis_sip.h"
 #include <QObject>
 #include <QMutex>
 #include <QNetworkReply>
 #include <QNetworkRequest>
 #include <QSqlDatabase>
 #include <QSqlError>
 #include <QSqlQuery>
 #include <QStringList>

 #ifndef QT_NO_SSL
 #include <QSslCertificate>
 #include <QSslKey>
 #include <QtCrypto>
 #include "qgsauthcertutils.h"
 #endif

 #include "qgsauthconfig.h"
 #include "qgsauthmethod.h"

 // Qt5KeyChain library
 #include "keychain.h"

 #ifndef SIP_RUN
 namespace QCA
 {
   class Initializer;
 }
 #endif
 class QgsAuthMethod;
 class QgsAuthMethodEdit;
 class QgsAuthProvider;
 class QTimer;


 class CORE_EXPORT QgsAuthManager : public QObject
 {
     Q_OBJECT

   public:

     enum MessageLevel
     {
       INFO = 0,
       WARNING = 1,
       CRITICAL = 2
     };
     Q_ENUM( MessageLevel );

     bool init( const QString &pluginPath = QString(),  const QString &authDatabasePath = QString() );

     ~QgsAuthManager() override;

     QSqlDatabase authDatabaseConnection() const;

     const QString authDatabaseConfigTable() const { return AUTH_CONFIG_TABLE; }

     const QString authDatabaseServersTable() const { return AUTH_SERVERS_TABLE; }


     bool isDisabled() const;

     const QString disabledMessage() const;

     const QString authenticationDatabasePath() const { return mAuthDbPath; }

     bool setMasterPassword( bool verify = false );

     bool setMasterPassword( const QString &pass, bool verify = false );

     bool verifyMasterPassword( const QString &compare = QString() );

     bool masterPasswordIsSet() const;

     bool masterPasswordHashInDatabase() const;

     void clearMasterPassword() { mMasterPass = QString(); }

     bool masterPasswordSame( const QString &pass ) const;

     bool resetMasterPassword( const QString &newpass, const QString &oldpass, bool keepbackup, QString *backuppath SIP_INOUT = nullptr );

     bool scheduledAuthDatabaseErase() { return mScheduledDbErase; } SIP_SKIP

     void setScheduledAuthDatabaseErase( bool scheduleErase ) SIP_SKIP;

     void setScheduledAuthDatabaseEraseRequestEmitted( bool emitted ) { mScheduledDbEraseRequestEmitted = emitted; }

     QString authManTag() const { return AUTH_MAN_TAG; }

     bool registerCoreAuthMethods();

     QgsAuthMethodConfigsMap availableAuthMethodConfigs( const QString &dataprovider = QString() );

     void updateConfigAuthMethods();

     QgsAuthMethod *configAuthMethod( const QString &authcfg );

     QString configAuthMethodKey( const QString &authcfg ) const;

     QStringList authMethodsKeys( const QString &dataprovider = QString() );

     QgsAuthMethod *authMethod( const QString &authMethodKey );

     QgsAuthMethodsMap authMethodsMap( const QString &dataprovider = QString() ) SIP_SKIP;

     QWidget *authMethodEditWidget( const QString &authMethodKey, QWidget *parent );

     QgsAuthMethod::Expansions supportedAuthMethodExpansions( const QString &authcfg );

     const QString uniqueConfigId() const;

     bool configIdUnique( const QString &id ) const;

     bool hasConfigId( const QString &txt ) const;

     QString configIdRegex() const { return AUTH_CFG_REGEX;}

     QStringList configIds() const;

     bool storeAuthenticationConfig( QgsAuthMethodConfig &mconfig SIP_INOUT );

     bool updateAuthenticationConfig( const QgsAuthMethodConfig &config );

     bool loadAuthenticationConfig( const QString &authcfg, QgsAuthMethodConfig &mconfig SIP_INOUT, bool full = false );

     bool removeAuthenticationConfig( const QString &authcfg );

     bool removeAllAuthenticationConfigs();

     bool backupAuthenticationDatabase( QString *backuppath SIP_INOUT = nullptr );

     bool eraseAuthenticationDatabase( bool backup, QString *backuppath SIP_INOUT = nullptr );


     bool updateNetworkRequest( QNetworkRequest &request SIP_INOUT, const QString &authcfg,
                                const QString &dataprovider = QString() );

     bool updateNetworkReply( QNetworkReply *reply, const QString &authcfg,
                              const QString &dataprovider = QString() );

     bool updateDataSourceUriItems( QStringList &connectionItems SIP_INOUT, const QString &authcfg,
                                    const QString &dataprovider = QString() );

     bool updateNetworkProxy( QNetworkProxy &proxy SIP_INOUT, const QString &authcfg,
                              const QString &dataprovider = QString() );


     bool storeAuthSetting( const QString &key, const QVariant &value, bool encrypt = false );

     QVariant authSetting( const QString &key, const QVariant &defaultValue = QVariant(), bool decrypt = false );

     bool existsAuthSetting( const QString &key );

     bool removeAuthSetting( const QString &key );

 #ifndef QT_NO_SSL

     bool initSslCaches();

     bool storeCertIdentity( const QSslCertificate &cert, const QSslKey &key );

     const QSslCertificate certIdentity( const QString &id );

     const QPair<QSslCertificate, QSslKey> certIdentityBundle( const QString &id ) SIP_SKIP;

     const QStringList certIdentityBundleToPem( const QString &id );

     const QList<QSslCertificate> certIdentities();


     QStringList certIdentityIds() const;

     bool existsCertIdentity( const QString &id );

     bool removeCertIdentity( const QString &id );


     bool storeSslCertCustomConfig( const QgsAuthConfigSslServer &config );

     const QgsAuthConfigSslServer sslCertCustomConfig( const QString &id, const QString &hostport );

     const QgsAuthConfigSslServer sslCertCustomConfigByHost( const QString &hostport );

     const QList<QgsAuthConfigSslServer> sslCertCustomConfigs();

     bool existsSslCertCustomConfig( const QString &id, const QString &hostport );

     bool removeSslCertCustomConfig( const QString &id, const QString &hostport );

     QHash<QString, QSet<QSslError::SslError> > ignoredSslErrorCache() { return mIgnoredSslErrorsCache; } SIP_SKIP

     void dumpIgnoredSslErrorsCache_();

     bool updateIgnoredSslErrorsCacheFromConfig( const QgsAuthConfigSslServer &config );

     bool updateIgnoredSslErrorsCache( const QString &shahostport, const QList<QSslError> &errors );

     bool rebuildIgnoredSslErrorCache();


     bool storeCertAuthorities( const QList<QSslCertificate> &certs );

     bool storeCertAuthority( const QSslCertificate &cert );


     const QSslCertificate certAuthority( const QString &id );

     bool existsCertAuthority( const QSslCertificate &cert );

     bool removeCertAuthority( const QSslCertificate &cert );

     const QList<QSslCertificate> systemRootCAs();

     const QList<QSslCertificate> extraFileCAs();

     const QList<QSslCertificate> databaseCAs();

     const QMap<QString, QSslCertificate> mappedDatabaseCAs();

     const QMap<QString, QPair<QgsAuthCertUtils::CaCertSource, QSslCertificate> > caCertsCache() SIP_SKIP
     {
       return mCaCertsCache;
     }

     bool rebuildCaCertsCache();

     bool storeCertTrustPolicy( const QSslCertificate &cert, QgsAuthCertUtils::CertTrustPolicy policy );

     QgsAuthCertUtils::CertTrustPolicy certTrustPolicy( const QSslCertificate &cert );

     bool removeCertTrustPolicies( const QList<QSslCertificate> &certs );

     bool removeCertTrustPolicy( const QSslCertificate &cert );

     QgsAuthCertUtils::CertTrustPolicy certificateTrustPolicy( const QSslCertificate &cert );

     bool setDefaultCertTrustPolicy( QgsAuthCertUtils::CertTrustPolicy policy );

     QgsAuthCertUtils::CertTrustPolicy defaultCertTrustPolicy();

     const QMap<QgsAuthCertUtils::CertTrustPolicy, QStringList > certTrustCache() { return mCertTrustCache; }

     bool rebuildCertTrustCache();

     const QList<QSslCertificate> trustedCaCerts( bool includeinvalid = false );

     const QList<QSslCertificate> untrustedCaCerts( QList<QSslCertificate> trustedCAs = QList<QSslCertificate>() );

     bool rebuildTrustedCaCertsCache();

     const QList<QSslCertificate> trustedCaCertsCache() { return mTrustedCaCertsCache; }

     const QByteArray trustedCaCertsPemText();

 #endif

     const QString passwordHelperErrorMessage() { return mPasswordHelperErrorMessage; } SIP_SKIP

     bool passwordHelperDelete() SIP_SKIP;

     bool passwordHelperEnabled() const SIP_SKIP;

     void setPasswordHelperEnabled( const bool enabled ) SIP_SKIP;

     bool passwordHelperLoggingEnabled() const SIP_SKIP;

     void setPasswordHelperLoggingEnabled( const bool enabled ) SIP_SKIP;

     bool passwordHelperSync() SIP_SKIP;

     static const QString AUTH_PASSWORD_HELPER_DISPLAY_NAME;

     static const QString AUTH_MAN_TAG;

   signals:

     void passwordHelperFailure();

     void passwordHelperSuccess();

     void messageOut( const QString &message, const QString &tag = QgsAuthManager::AUTH_MAN_TAG, QgsAuthManager::MessageLevel level = QgsAuthManager::INFO ) const;

     void passwordHelperMessageOut( const QString &message, const QString &tag = QgsAuthManager::AUTH_MAN_TAG, QgsAuthManager::MessageLevel level = QgsAuthManager::INFO );


     void masterPasswordVerified( bool verified );

     void authDatabaseEraseRequested();

     void authDatabaseChanged();

   public slots:
     void clearAllCachedConfigs();

     void clearCachedConfig( const QString &authcfg );

   private slots:
     void writeToConsole( const QString &message, const QString &tag = QString(), QgsAuthManager::MessageLevel level = INFO );

     void tryToStartDbErase();

   protected:

     static QgsAuthManager *instance() SIP_SKIP;

     explicit QgsAuthManager() SIP_SKIP;

   private:

     // Password Helper methods

     QString passwordHelperName() const;

     void passwordHelperLog( const QString &msg ) const;

     QString passwordHelperRead();

     bool passwordHelperWrite( const QString &password );

     void passwordHelperSetErrorMessage( const QString &errorMessage ) { mPasswordHelperErrorMessage = errorMessage; }

     void passwordHelperClearErrors();

     void passwordHelperProcessError();

     bool createConfigTables();

     bool createCertTables();

     bool masterPasswordInput();

     bool masterPasswordRowsInDb( int *rows ) const;

     bool masterPasswordCheckAgainstDb( const QString &compare = QString() ) const;

     bool masterPasswordStoreInDb() const;

     bool masterPasswordClearDb();

     const QString masterPasswordCiv() const;

     bool verifyPasswordCanDecryptConfigs() const;

     bool reencryptAllAuthenticationConfigs( const QString &prevpass, const QString &prevciv );

     bool reencryptAuthenticationConfig( const QString &authcfg, const QString &prevpass, const QString &prevciv );

     bool reencryptAllAuthenticationSettings( const QString &prevpass, const QString &prevciv );

     bool reencryptAllAuthenticationIdentities( const QString &prevpass, const QString &prevciv );

     bool reencryptAuthenticationIdentity( const QString &identid, const QString &prevpass, const QString &prevciv );

     bool authDbOpen() const;

     bool authDbQuery( QSqlQuery *query ) const;

     bool authDbStartTransaction() const;

     bool authDbCommit() const;

     bool authDbTransactionQuery( QSqlQuery *query ) const;

 #ifndef QT_NO_SSL
     void insertCaCertInCache( QgsAuthCertUtils::CaCertSource source, const QList<QSslCertificate> &certs );
 #endif

     const QString authDbPassTable() const { return AUTH_PASS_TABLE; }

     const QString authDbSettingsTable() const { return AUTH_SETTINGS_TABLE; }

     const QString authDbIdentitiesTable() const { return AUTH_IDENTITIES_TABLE; }

     const QString authDbAuthoritiesTable() const { return AUTH_AUTHORITIES_TABLE; }

     const QString authDbTrustTable() const { return AUTH_TRUST_TABLE; }

     static QgsAuthManager *sInstance;
     static const QString AUTH_CONFIG_TABLE;
     static const QString AUTH_PASS_TABLE;
     static const QString AUTH_SETTINGS_TABLE;
     static const QString AUTH_IDENTITIES_TABLE;
     static const QString AUTH_SERVERS_TABLE;
     static const QString AUTH_AUTHORITIES_TABLE;
     static const QString AUTH_TRUST_TABLE;
     static const QString AUTH_CFG_REGEX;

     bool mAuthInit = false;
     QString mAuthDbPath;

     QCA::Initializer *mQcaInitializer = nullptr;

     QHash<QString, QString> mConfigAuthMethods;
     QHash<QString, QgsAuthMethod *> mAuthMethods;

     QString mMasterPass;
     int mPassTries = 0;
     bool mAuthDisabled = false;
     QString mAuthDisabledMessage;
     QTimer *mScheduledDbEraseTimer = nullptr;
     bool mScheduledDbErase = false;
     int mScheduledDbEraseRequestWait = 3 ; // in seconds
     bool mScheduledDbEraseRequestEmitted = false;
     int mScheduledDbEraseRequestCount = 0;
     QMutex *mMutex = nullptr;

 #ifndef QT_NO_SSL
     // mapping of sha1 digest and cert source and cert
     // appending removes duplicates
     QMap<QString, QPair<QgsAuthCertUtils::CaCertSource, QSslCertificate> > mCaCertsCache;
     // list of sha1 digests per policy
     QMap<QgsAuthCertUtils::CertTrustPolicy, QStringList > mCertTrustCache;
     // cache of certs ready to be utilized in network connections
     QList<QSslCertificate> mTrustedCaCertsCache;
     // cache of SSL errors to be ignored in network connections, per sha-hostport
     QHash<QString, QSet<QSslError::SslError> > mIgnoredSslErrorsCache;
 #endif

     // Password Helper Variables

     bool mPasswordHelperVerificationError = false;

     QString mPasswordHelperErrorMessage;

     QKeychain::Error mPasswordHelperErrorCode = QKeychain::NoError;

     bool mPasswordHelperLoggingEnabled = false;

     bool mPasswordHelperFailedInit = false;

     static const QLatin1String AUTH_PASSWORD_HELPER_KEY_NAME;

     static const QLatin1String AUTH_PASSWORD_HELPER_FOLDER_NAME;

     friend class QgsApplication;

 };

 #endif // QGSAUTHMANAGER_H
QgsAuthManager
Singleton offering an interface to manage the authentication configuration database and to utilize co...
Definition: qgsauthmanager.h:61

QgsAuthManager::authDatabaseConfigTable
const QString authDatabaseConfigTable() const
Name of the authentication database table that stores configs.
Definition: qgsauthmanager.h:92

QgsApplication
Extends QApplication to provide access to QGIS specific resources such as theme paths, database paths etc.
Definition: qgsapplication.h:64

qgsauthmethod.h

QgsAuthConfigSslServer
Configuration container for SSL server connection exceptions or overrides.
Definition: qgsauthconfig.h:371

QgsAuthMethodEdit
Abstract base class for the edit widget of authentication method plugins.
Definition: qgsauthmethodedit.h:29

SIP_INOUT
#define SIP_INOUT
Definition: qgis_sip.h:64

qgsauthcertutils.h

QgsAuthManager::MessageLevel
MessageLevel
Message log level (mirrors that of QgsMessageLog, so it can also output there)
Definition: qgsauthmanager.h:68

QgsAuthManager::AUTH_PASSWORD_HELPER_DISPLAY_NAME
static const QString AUTH_PASSWORD_HELPER_DISPLAY_NAME
The display name of the password helper (platform dependent)
Definition: qgsauthmanager.h:673

QgsAuthManager::caCertsCache
const QMap< QString, QPair< QgsAuthCertUtils::CaCertSource, QSslCertificate > > caCertsCache()
caCertsCache get all CA certs mapped to their sha1 from cache.
Definition: qgsauthmanager.h:547

QgsAuthMethodConfigsMap
QHash< QString, QgsAuthMethodConfig > QgsAuthMethodConfigsMap
Definition: qgsauthconfig.h:179

QgsAuthManager::authManTag
QString authManTag() const
Simple text tag describing authentication system for message logs.
Definition: qgsauthmanager.h:191

SIP_SKIP
#define SIP_SKIP
Definition: qgis_sip.h:119

QgsAuthMethodConfig
Configuration storage class for authentication method configurations.
Definition: qgsauthconfig.h:38

qgis_sip.h

QgsAuthManager::authenticationDatabasePath
const QString authenticationDatabasePath() const
The standard authentication database file in ~/.qgis3/ or defined location.
Definition: qgsauthmanager.h:108

QCA
Definition: qgsauthmanager.h:45

qgsauthconfig.h

QgsAuthMethod
Abstract base class for authentication method plugins.
Definition: qgsauthmethod.h:36

QgsAuthCertUtils::CaCertSource
CaCertSource
Type of CA certificate source.
Definition: qgsauthcertutils.h:44

QgsAuthManager::clearMasterPassword
void clearMasterPassword()
Clear supplied master password.
Definition: qgsauthmanager.h:142

QgsAuthManager::INFO
Definition: qgsauthmanager.h:70

QgsAuthManager::trustedCaCertsCache
const QList< QSslCertificate > trustedCaCertsCache()
trustedCaCertsCache cache of trusted certificate authorities, ready for network connections ...
Definition: qgsauthmanager.h:619

QgsAuthManager::configIdRegex
QString configIdRegex() const
Return regular expression for authcfg=.{7} key/value token for authentication ids.
Definition: qgsauthmanager.h:261

QgsAuthManager::certTrustCache
const QMap< QgsAuthCertUtils::CertTrustPolicy, QStringList > certTrustCache()
certTrustCache get cache of certificate sha1s, per trust policy
Definition: qgsauthmanager.h:591

QgsAuthManager::AUTH_MAN_TAG
static const QString AUTH_MAN_TAG
The display name of the Authentication Manager.
Definition: qgsauthmanager.h:676

QgsAuthCertUtils::CertTrustPolicy
CertTrustPolicy
Type of certificate trust policy.
Definition: qgsauthcertutils.h:53

QgsAuthManager::scheduledAuthDatabaseErase
bool scheduledAuthDatabaseErase()
Whether there is a scheduled opitonal erase of authentication database.
Definition: qgsauthmanager.h:164

QgsAuthManager::passwordHelperErrorMessage
const QString passwordHelperErrorMessage()
Error message getter.
Definition: qgsauthmanager.h:634

QgsAuthManager::authDatabaseServersTable
const QString authDatabaseServersTable() const
Name of the authentication database table that stores server exceptions/configs.
Definition: qgsauthmanager.h:95

QgsAuthManager::ignoredSslErrorCache
QHash< QString, QSet< QSslError::SslError > > ignoredSslErrorCache()
ignoredSslErrorCache Get ignored SSL error cache, keyed with cert/connection&#39;s sha:host:port.
Definition: qgsauthmanager.h:476

QgsAuthManager::setScheduledAuthDatabaseEraseRequestEmitted
void setScheduledAuthDatabaseEraseRequestEmitted(bool emitted)
Re-emit a signal to schedule an optional erase of authentication database.
Definition: qgsauthmanager.h:188

QgsAuthMethodsMap
QHash< QString, QgsAuthMethod * > QgsAuthMethodsMap
Definition: qgsauthmethod.h:201