QGIS API Documentation  3.16.0-Hannover (43b64b13f3)
qgsauthmanager.h
Go to the documentation of this file.
1 /***************************************************************************
2  qgsauthmanager.h
3  ---------------------
4  begin : October 5, 2014
5  copyright : (C) 2014 by Boundless Spatial, Inc. USA
6  author : Larry Shaffer
7  email : lshaffer at boundlessgeo dot com
8  ***************************************************************************
9  * *
10  * This program is free software; you can redistribute it and/or modify *
11  * it under the terms of the GNU General Public License as published by *
12  * the Free Software Foundation; either version 2 of the License, or *
13  * (at your option) any later version. *
14  * *
15  ***************************************************************************/
16 
17 #ifndef QGSAUTHMANAGER_H
18 #define QGSAUTHMANAGER_H
19 
20 #include "qgis_core.h"
21 #include "qgis_sip.h"
22 #include <QObject>
23 #include <QMutex>
24 #include <QNetworkReply>
25 #include <QNetworkRequest>
26 #include <QSqlDatabase>
27 #include <QSqlError>
28 #include <QSqlQuery>
29 #include <QStringList>
30 
31 #ifndef QT_NO_SSL
32 #include <QSslCertificate>
33 #include <QSslKey>
34 #include <QtCrypto>
35 #include "qgsauthcertutils.h"
36 #endif
37 
38 #include "qgsauthconfig.h"
39 #include "qgsauthmethod.h"
40 
41 // Qt5KeyChain library
42 #include "keychain.h"
43 
44 #ifndef SIP_RUN
45 namespace QCA
46 {
47  class Initializer;
48 }
49 #endif
50 class QgsAuthMethod;
51 class QgsAuthMethodEdit;
52 class QgsAuthProvider;
53 class QTimer;
54 
55 
64 class CORE_EXPORT QgsAuthManager : public QObject
65 {
66  Q_OBJECT
67 
68  public:
69 
71  enum MessageLevel
72  {
73  INFO = 0,
74  WARNING = 1,
75  CRITICAL = 2
76  };
77  Q_ENUM( MessageLevel )
78 
79 
87  bool init( const QString &pluginPath = QString(), const QString &authDatabasePath = QString() );
88 
89  ~QgsAuthManager() override;
90 
92  QSqlDatabase authDatabaseConnection() const;
93 
95  const QString authDatabaseConfigTable() const { return AUTH_CONFIG_TABLE; }
96 
98  const QString authDatabaseServersTable() const { return AUTH_SERVERS_TABLE; }
99 
100 
102  bool isDisabled() const;
103 
105  const QString disabledMessage() const;
106 
111  const QString authenticationDatabasePath() const { return mAuthDbPath; }
112 
118  bool setMasterPassword( bool verify = false );
119 
126  bool setMasterPassword( const QString &pass, bool verify = false );
127 
133  bool verifyMasterPassword( const QString &compare = QString() );
134 
136  bool masterPasswordIsSet() const;
137 
139  bool masterPasswordHashInDatabase() const;
140 
145  void clearMasterPassword() { mMasterPass = QString(); }
146 
151  bool masterPasswordSame( const QString &pass ) const;
152 
161  bool resetMasterPassword( const QString &newpass, const QString &oldpass, bool keepbackup, QString *backuppath SIP_INOUT = nullptr );
162 
167  bool scheduledAuthDatabaseErase() { return mScheduledDbErase; } SIP_SKIP
168 
181  void setScheduledAuthDatabaseErase( bool scheduleErase ) SIP_SKIP;
182 
191  void setScheduledAuthDatabaseEraseRequestEmitted( bool emitted ) { mScheduledDbEraseRequestEmitted = emitted; }
192 
194  QString authManTag() const { return AUTH_MAN_TAG; }
195 
197  bool registerCoreAuthMethods();
198 
200  QgsAuthMethodConfigsMap availableAuthMethodConfigs( const QString &dataprovider = QString() );
201 
203  void updateConfigAuthMethods();
204 
209  QgsAuthMethod *configAuthMethod( const QString &authcfg );
210 
215  QString configAuthMethodKey( const QString &authcfg ) const;
216 
220  QStringList authMethodsKeys( const QString &dataprovider = QString() );
221 
226  QgsAuthMethod *authMethod( const QString &authMethodKey );
227 
233  QgsAuthMethodsMap authMethodsMap( const QString &dataprovider = QString() ) SIP_SKIP;
234 
240  QWidget *authMethodEditWidget( const QString &authMethodKey, QWidget *parent );
241 
246  QgsAuthMethod::Expansions supportedAuthMethodExpansions( const QString &authcfg );
247 
249  const QString uniqueConfigId() const;
250 
255  bool configIdUnique( const QString &id ) const;
256 
261  bool hasConfigId( const QString &txt ) const;
262 
264  QString configIdRegex() const { return AUTH_CFG_REGEX;}
265 
267  QStringList configIds() const;
268 
274  bool storeAuthenticationConfig( QgsAuthMethodConfig &mconfig SIP_INOUT );
275 
281  bool updateAuthenticationConfig( const QgsAuthMethodConfig &config );
282 
290  bool loadAuthenticationConfig( const QString &authcfg, QgsAuthMethodConfig &mconfig SIP_INOUT, bool full = false );
291 
297  bool removeAuthenticationConfig( const QString &authcfg );
298 
303  bool removeAllAuthenticationConfigs();
304 
309  bool backupAuthenticationDatabase( QString *backuppath SIP_INOUT = nullptr );
310 
317  bool eraseAuthenticationDatabase( bool backup, QString *backuppath SIP_INOUT = nullptr );
318 
319 
321 
329  bool updateNetworkRequest( QNetworkRequest &request SIP_INOUT, const QString &authcfg,
330  const QString &dataprovider = QString() );
331 
339  bool updateNetworkReply( QNetworkReply *reply, const QString &authcfg,
340  const QString &dataprovider = QString() );
341 
349  bool updateDataSourceUriItems( QStringList &connectionItems SIP_INOUT, const QString &authcfg,
350  const QString &dataprovider = QString() );
351 
359  bool updateNetworkProxy( QNetworkProxy &proxy SIP_INOUT, const QString &authcfg,
360  const QString &dataprovider = QString() );
361 
363 
365  bool storeAuthSetting( const QString &key, const QVariant &value, bool encrypt = false );
366 
375  QVariant authSetting( const QString &key, const QVariant &defaultValue = QVariant(), bool decrypt = false );
376 
378  bool existsAuthSetting( const QString &key );
379 
381  bool removeAuthSetting( const QString &key );
382 
383 #ifndef QT_NO_SSL
384 
387  bool initSslCaches();
388 
390  bool storeCertIdentity( const QSslCertificate &cert, const QSslKey &key );
391 
398  const QSslCertificate certIdentity( const QString &id );
399 
407  const QPair<QSslCertificate, QSslKey> certIdentityBundle( const QString &id ) SIP_SKIP;
408 
415  const QStringList certIdentityBundleToPem( const QString &id );
416 
422  const QList<QSslCertificate> certIdentities();
423 
425 
431  QStringList certIdentityIds() const;
432 
434  bool existsCertIdentity( const QString &id );
435 
437  bool removeCertIdentity( const QString &id );
438 
439 
441  bool storeSslCertCustomConfig( const QgsAuthConfigSslServer &config );
442 
450  const QgsAuthConfigSslServer sslCertCustomConfig( const QString &id, const QString &hostport );
451 
458  const QgsAuthConfigSslServer sslCertCustomConfigByHost( const QString &hostport );
459 
465  const QList<QgsAuthConfigSslServer> sslCertCustomConfigs();
466 
468  bool existsSslCertCustomConfig( const QString &id, const QString &hostport );
469 
471  bool removeSslCertCustomConfig( const QString &id, const QString &hostport );
472 
479  QHash<QString, QSet<QSslError::SslError> > ignoredSslErrorCache() { return mIgnoredSslErrorsCache; } SIP_SKIP
480 
482  void dumpIgnoredSslErrorsCache_();
483 
485  bool updateIgnoredSslErrorsCacheFromConfig( const QgsAuthConfigSslServer &config );
486 
488  bool updateIgnoredSslErrorsCache( const QString &shahostport, const QList<QSslError> &errors );
489 
491  bool rebuildIgnoredSslErrorCache();
492 
493 
495  bool storeCertAuthorities( const QList<QSslCertificate> &certs );
496 
498  bool storeCertAuthority( const QSslCertificate &cert );
499 
501 
508  const QSslCertificate certAuthority( const QString &id );
509 
511  bool existsCertAuthority( const QSslCertificate &cert );
512 
514  bool removeCertAuthority( const QSslCertificate &cert );
515 
521  const QList<QSslCertificate> systemRootCAs();
522 
528  const QList<QSslCertificate> extraFileCAs();
529 
535  const QList<QSslCertificate> databaseCAs();
536 
542  const QMap<QString, QSslCertificate> mappedDatabaseCAs();
543 
550  const QMap<QString, QPair<QgsAuthCertUtils::CaCertSource, QSslCertificate> > caCertsCache() SIP_SKIP
551  {
552  return mCaCertsCache;
553  }
554 
556  bool rebuildCaCertsCache();
557 
559  bool storeCertTrustPolicy( const QSslCertificate &cert, QgsAuthCertUtils::CertTrustPolicy policy );
560 
567  QgsAuthCertUtils::CertTrustPolicy certTrustPolicy( const QSslCertificate &cert );
568 
570  bool removeCertTrustPolicies( const QList<QSslCertificate> &certs );
571 
573  bool removeCertTrustPolicy( const QSslCertificate &cert );
574 
581  QgsAuthCertUtils::CertTrustPolicy certificateTrustPolicy( const QSslCertificate &cert );
582 
584  bool setDefaultCertTrustPolicy( QgsAuthCertUtils::CertTrustPolicy policy );
585 
587  QgsAuthCertUtils::CertTrustPolicy defaultCertTrustPolicy();
588 
594  const QMap<QgsAuthCertUtils::CertTrustPolicy, QStringList > certTrustCache() { return mCertTrustCache; }
595 
597  bool rebuildCertTrustCache();
598 
605  const QList<QSslCertificate> trustedCaCerts( bool includeinvalid = false );
606 
612  const QList<QSslCertificate> untrustedCaCerts( QList<QSslCertificate> trustedCAs = QList<QSslCertificate>() );
613 
615  bool rebuildTrustedCaCertsCache();
616 
622  const QList<QSslCertificate> trustedCaCertsCache() { return mTrustedCaCertsCache; }
623 
629  const QByteArray trustedCaCertsPemText();
630 
631 #endif
632 
637  const QString passwordHelperErrorMessage() { return mPasswordHelperErrorMessage; } SIP_SKIP
638 
643  bool passwordHelperDelete() SIP_SKIP;
644 
649  bool passwordHelperEnabled() const;
650 
655  void setPasswordHelperEnabled( bool enabled );
656 
661  bool passwordHelperLoggingEnabled() const SIP_SKIP;
662 
667  void setPasswordHelperLoggingEnabled( bool enabled ) SIP_SKIP;
668 
673  bool passwordHelperSync();
674 
676  static const QString AUTH_PASSWORD_HELPER_DISPLAY_NAME;
677 
679  static const QString AUTH_MAN_TAG;
680 
681  signals:
682 
687  void passwordHelperFailure();
688 
693  void passwordHelperSuccess();
694 
702  void messageOut( const QString &message, const QString &tag = QgsAuthManager::AUTH_MAN_TAG, QgsAuthManager::MessageLevel level = QgsAuthManager::INFO ) const;
703 
711  void passwordHelperMessageOut( const QString &message, const QString &tag = QgsAuthManager::AUTH_MAN_TAG, QgsAuthManager::MessageLevel level = QgsAuthManager::INFO );
712 
713 
718  void masterPasswordVerified( bool verified );
719 
721  void authDatabaseEraseRequested();
722 
724  void authDatabaseChanged();
725 
726  public slots:
728  void clearAllCachedConfigs();
729 
731  void clearCachedConfig( const QString &authcfg );
732 
733  private slots:
734  void writeToConsole( const QString &message, const QString &tag = QString(), QgsAuthManager::MessageLevel level = INFO );
735 
745  void tryToStartDbErase();
746 
747  protected:
748 
753  static QgsAuthManager *instance() SIP_SKIP;
754 
755  explicit QgsAuthManager() SIP_SKIP;
756 
757  private:
758 
760  // Password Helper methods
761 
763  QString passwordHelperName() const;
764 
766  void passwordHelperLog( const QString &msg ) const;
767 
769  QString passwordHelperRead();
770 
772  bool passwordHelperWrite( const QString &password );
773 
775  void passwordHelperSetErrorMessage( const QString &errorMessage ) { mPasswordHelperErrorMessage = errorMessage; }
776 
778  void passwordHelperClearErrors();
779 
784  void passwordHelperProcessError();
785 
786  bool createConfigTables();
787 
788  bool createCertTables();
789 
790  bool masterPasswordInput();
791 
792  bool masterPasswordRowsInDb( int *rows ) const;
793 
794  bool masterPasswordCheckAgainstDb( const QString &compare = QString() ) const;
795 
796  bool masterPasswordStoreInDb() const;
797 
798  bool masterPasswordClearDb();
799 
800  const QString masterPasswordCiv() const;
801 
802  bool verifyPasswordCanDecryptConfigs() const;
803 
804  bool reencryptAllAuthenticationConfigs( const QString &prevpass, const QString &prevciv );
805 
806  bool reencryptAuthenticationConfig( const QString &authcfg, const QString &prevpass, const QString &prevciv );
807 
808  bool reencryptAllAuthenticationSettings( const QString &prevpass, const QString &prevciv );
809 
810  bool reencryptAllAuthenticationIdentities( const QString &prevpass, const QString &prevciv );
811 
812  bool reencryptAuthenticationIdentity( const QString &identid, const QString &prevpass, const QString &prevciv );
813 
814  bool authDbOpen() const;
815 
816  bool authDbQuery( QSqlQuery *query ) const;
817 
818  bool authDbStartTransaction() const;
819 
820  bool authDbCommit() const;
821 
822  bool authDbTransactionQuery( QSqlQuery *query ) const;
823 
824 #ifndef QT_NO_SSL
825  void insertCaCertInCache( QgsAuthCertUtils::CaCertSource source, const QList<QSslCertificate> &certs );
826 #endif
827 
828  const QString authDbPassTable() const { return AUTH_PASS_TABLE; }
829 
830  const QString authDbSettingsTable() const { return AUTH_SETTINGS_TABLE; }
831 
832  const QString authDbIdentitiesTable() const { return AUTH_IDENTITIES_TABLE; }
833 
834  const QString authDbAuthoritiesTable() const { return AUTH_AUTHORITIES_TABLE; }
835 
836  const QString authDbTrustTable() const { return AUTH_TRUST_TABLE; }
837 
838  static QgsAuthManager *sInstance;
839  static const QString AUTH_CONFIG_TABLE;
840  static const QString AUTH_PASS_TABLE;
841  static const QString AUTH_SETTINGS_TABLE;
842  static const QString AUTH_IDENTITIES_TABLE;
843  static const QString AUTH_SERVERS_TABLE;
844  static const QString AUTH_AUTHORITIES_TABLE;
845  static const QString AUTH_TRUST_TABLE;
846  static const QString AUTH_CFG_REGEX;
847 
848  bool mAuthInit = false;
849  QString mAuthDbPath;
850 
851  std::unique_ptr<QCA::Initializer> mQcaInitializer;
852 
853  QHash<QString, QString> mConfigAuthMethods;
854  QHash<QString, QgsAuthMethod *> mAuthMethods;
855 
856  QString mMasterPass;
857  int mPassTries = 0;
858  bool mAuthDisabled = false;
859  QString mAuthDisabledMessage;
860  QTimer *mScheduledDbEraseTimer = nullptr;
861  bool mScheduledDbErase = false;
862  int mScheduledDbEraseRequestWait = 3 ; // in seconds
863  bool mScheduledDbEraseRequestEmitted = false;
864  int mScheduledDbEraseRequestCount = 0;
865 
866  std::unique_ptr<QMutex> mMutex;
867  std::unique_ptr<QMutex> mMasterPasswordMutex;
868 
869 #ifndef QT_NO_SSL
870  // mapping of sha1 digest and cert source and cert
871  // appending removes duplicates
872  QMap<QString, QPair<QgsAuthCertUtils::CaCertSource, QSslCertificate> > mCaCertsCache;
873  // list of sha1 digests per policy
874  QMap<QgsAuthCertUtils::CertTrustPolicy, QStringList > mCertTrustCache;
875  // cache of certs ready to be utilized in network connections
876  QList<QSslCertificate> mTrustedCaCertsCache;
877  // cache of SSL errors to be ignored in network connections, per sha-hostport
878  QHash<QString, QSet<QSslError::SslError> > mIgnoredSslErrorsCache;
879 
880  bool mHasCustomConfigByHost = false;
881  bool mHasCheckedIfCustomConfigByHostExists = false;
882  QMap< QString, QgsAuthConfigSslServer > mCustomConfigByHostCache;
883 #endif
884 
886  // Password Helper Variables
887 
889  bool mPasswordHelperVerificationError = false;
890 
892  QString mPasswordHelperErrorMessage;
893 
895  QKeychain::Error mPasswordHelperErrorCode = QKeychain::NoError;
896 
898  bool mPasswordHelperLoggingEnabled = false;
899 
901  bool mPasswordHelperFailedInit = false;
902 
904  static const QLatin1String AUTH_PASSWORD_HELPER_KEY_NAME;
905 
907  static const QLatin1String AUTH_PASSWORD_HELPER_FOLDER_NAME;
908 
909  mutable QMap<QThread *, QMetaObject::Connection> mConnectedThreads;
910 
911  friend class QgsApplication;
912 
913 };
914 
915 #endif // QGSAUTHMANAGER_H
qgsauthconfig.h
QgsAuthCertUtils::CaCertSource
CaCertSource
Type of CA certificate source.
Definition: qgsauthcertutils.h:45
qgsauthcertutils.h
QgsAuthMethod
Abstract base class for authentication method plugins.
Definition: qgsauthmethod.h:37
QgsAuthMethodsMap
QHash< QString, QgsAuthMethod * > QgsAuthMethodsMap
Definition: qgsauthmethod.h:199
QgsAuthManager::authenticationDatabasePath
const QString authenticationDatabasePath() const
The standard authentication database file in ~/.qgis3/ or defined location.
Definition: qgsauthmanager.h:111
QgsAuthCertUtils::CertTrustPolicy
CertTrustPolicy
Type of certificate trust policy.
Definition: qgsauthcertutils.h:54
QCA
Definition: qgsauthmanager.h:46
QgsAuthManager::authDatabaseConfigTable
const QString authDatabaseConfigTable() const
Name of the authentication database table that stores configs.
Definition: qgsauthmanager.h:95
qgsauthmethod.h
QgsAuthMethodConfigsMap
QHash< QString, QgsAuthMethodConfig > QgsAuthMethodConfigsMap
Definition: qgsauthconfig.h:179
SIP_SKIP
#define SIP_SKIP
Definition: qgis_sip.h:126
QgsAuthManager
Singleton offering an interface to manage the authentication configuration database and to utilize co...
Definition: qgsauthmanager.h:65
QgsAuthManager::MessageLevel
MessageLevel
Message log level (mirrors that of QgsMessageLog, so it can also output there)
Definition: qgsauthmanager.h:72
qgis_sip.h
QgsAuthManager::authManTag
QString authManTag() const
Simple text tag describing authentication system for message logs.
Definition: qgsauthmanager.h:194
QgsAuthManager::trustedCaCertsCache
const QList< QSslCertificate > trustedCaCertsCache()
trustedCaCertsCache cache of trusted certificate authorities, ready for network connections
Definition: qgsauthmanager.h:622
QgsApplication
Extends QApplication to provide access to QGIS specific resources such as theme paths,...
Definition: qgsapplication.h:83
QgsAuthManager::caCertsCache
const QMap< QString, QPair< QgsAuthCertUtils::CaCertSource, QSslCertificate > > caCertsCache()
caCertsCache get all CA certs mapped to their sha1 from cache.
Definition: qgsauthmanager.h:550
SIP_INOUT
#define SIP_INOUT
Definition: qgis_sip.h:71
QgsAuthManager::scheduledAuthDatabaseErase
bool scheduledAuthDatabaseErase()
Whether there is a scheduled opitonal erase of authentication database.
Definition: qgsauthmanager.h:167
QgsAuthMethodEdit
Abstract base class for the edit widget of authentication method plugins.
Definition: qgsauthmethodedit.h:30
QgsAuthConfigSslServer
Configuration container for SSL server connection exceptions or overrides.
Definition: qgsauthconfig.h:372
QgsAuthManager::setScheduledAuthDatabaseEraseRequestEmitted
void setScheduledAuthDatabaseEraseRequestEmitted(bool emitted)
Re-emit a signal to schedule an optional erase of authentication database.
Definition: qgsauthmanager.h:191
QgsAuthManager::certTrustCache
const QMap< QgsAuthCertUtils::CertTrustPolicy, QStringList > certTrustCache()
certTrustCache get cache of certificate sha1s, per trust policy
Definition: qgsauthmanager.h:594
QgsAuthManager::authDatabaseServersTable
const QString authDatabaseServersTable() const
Name of the authentication database table that stores server exceptions/configs.
Definition: qgsauthmanager.h:98
QgsAuthManager::ignoredSslErrorCache
QHash< QString, QSet< QSslError::SslError > > ignoredSslErrorCache()
ignoredSslErrorCache Get ignored SSL error cache, keyed with cert/connection's sha:host:port.
Definition: qgsauthmanager.h:479
QgsAuthManager::clearMasterPassword
void clearMasterPassword()
Clear supplied master password.
Definition: qgsauthmanager.h:145
QgsAuthManager::passwordHelperErrorMessage
const QString passwordHelperErrorMessage()
Error message getter.
Definition: qgsauthmanager.h:637
QgsAuthMethodConfig
Configuration storage class for authentication method configurations.
Definition: qgsauthconfig.h:39
Generated on Sat Oct 24 2020 17:43:09 for QGIS API Documentation by doxygen 1.8.20