QGIS API Documentation  3.20.0-Odense (decaadbb31)
qgsauthmanager.h
Go to the documentation of this file.
1 /***************************************************************************
2  qgsauthmanager.h
3  ---------------------
4  begin : October 5, 2014
5  copyright : (C) 2014 by Boundless Spatial, Inc. USA
6  author : Larry Shaffer
7  email : lshaffer at boundlessgeo dot com
8  ***************************************************************************
9  * *
10  * This program is free software; you can redistribute it and/or modify *
11  * it under the terms of the GNU General Public License as published by *
12  * the Free Software Foundation; either version 2 of the License, or *
13  * (at your option) any later version. *
14  * *
15  ***************************************************************************/
16 
17 #ifndef QGSAUTHMANAGER_H
18 #define QGSAUTHMANAGER_H
19 
20 #include "qgis_core.h"
21 #include "qgis_sip.h"
22 #include <QObject>
23 #if QT_VERSION < QT_VERSION_CHECK(5, 14, 0)
24 #include <QMutex>
25 #else
26 #include <QRecursiveMutex>
27 #endif
28 #include <QNetworkReply>
29 #include <QNetworkRequest>
30 #include <QSqlDatabase>
31 #include <QSqlError>
32 #include <QSqlQuery>
33 #include <QStringList>
34 
35 #ifndef QT_NO_SSL
36 #include <QSslCertificate>
37 #include <QSslKey>
38 #include <QtCrypto>
39 #include "qgsauthcertutils.h"
40 #endif
41 
42 #include "qgsauthconfig.h"
43 #include "qgsauthmethod.h"
44 
45 // Qt5KeyChain library
46 #include "keychain.h"
47 
48 #ifndef SIP_RUN
49 namespace QCA
50 {
51  class Initializer;
52 }
53 #endif
54 class QgsAuthMethod;
55 class QgsAuthMethodEdit;
56 class QgsAuthProvider;
57 class QTimer;
58 
59 
68 class CORE_EXPORT QgsAuthManager : public QObject
69 {
70  Q_OBJECT
71 
72  public:
73 
75  enum MessageLevel
76  {
77  INFO = 0,
78  WARNING = 1,
79  CRITICAL = 2
80  };
81  Q_ENUM( MessageLevel )
82 
83 
91  bool init( const QString &pluginPath = QString(), const QString &authDatabasePath = QString() );
92 
93  ~QgsAuthManager() override;
94 
96  QSqlDatabase authDatabaseConnection() const;
97 
99  const QString authDatabaseConfigTable() const { return AUTH_CONFIG_TABLE; }
100 
102  const QString authDatabaseServersTable() const { return AUTH_SERVERS_TABLE; }
103 
104 
106  bool isDisabled() const;
107 
109  const QString disabledMessage() const;
110 
115  const QString authenticationDatabasePath() const { return mAuthDbPath; }
116 
122  bool setMasterPassword( bool verify = false );
123 
130  bool setMasterPassword( const QString &pass, bool verify = false );
131 
137  bool verifyMasterPassword( const QString &compare = QString() );
138 
140  bool masterPasswordIsSet() const;
141 
143  bool masterPasswordHashInDatabase() const;
144 
149  void clearMasterPassword() { mMasterPass = QString(); }
150 
155  bool masterPasswordSame( const QString &pass ) const;
156 
165  bool resetMasterPassword( const QString &newpass, const QString &oldpass, bool keepbackup, QString *backuppath SIP_INOUT = nullptr );
166 
171  bool scheduledAuthDatabaseErase() { return mScheduledDbErase; } SIP_SKIP
172 
185  void setScheduledAuthDatabaseErase( bool scheduleErase ) SIP_SKIP;
186 
195  void setScheduledAuthDatabaseEraseRequestEmitted( bool emitted ) { mScheduledDbEraseRequestEmitted = emitted; }
196 
198  QString authManTag() const { return AUTH_MAN_TAG; }
199 
201  bool registerCoreAuthMethods();
202 
204  QgsAuthMethodConfigsMap availableAuthMethodConfigs( const QString &dataprovider = QString() );
205 
207  void updateConfigAuthMethods();
208 
213  QgsAuthMethod *configAuthMethod( const QString &authcfg );
214 
219  QString configAuthMethodKey( const QString &authcfg ) const;
220 
224  QStringList authMethodsKeys( const QString &dataprovider = QString() );
225 
230  QgsAuthMethod *authMethod( const QString &authMethodKey );
231 
237  QgsAuthMethodsMap authMethodsMap( const QString &dataprovider = QString() ) SIP_SKIP;
238 
244  QWidget *authMethodEditWidget( const QString &authMethodKey, QWidget *parent );
245 
250  QgsAuthMethod::Expansions supportedAuthMethodExpansions( const QString &authcfg );
251 
253  const QString uniqueConfigId() const;
254 
259  bool configIdUnique( const QString &id ) const;
260 
265  bool hasConfigId( const QString &txt ) const;
266 
268  QString configIdRegex() const { return AUTH_CFG_REGEX;}
269 
271  QStringList configIds() const;
272 
279  bool storeAuthenticationConfig( QgsAuthMethodConfig &mconfig SIP_INOUT, bool overwrite = false );
280 
286  bool updateAuthenticationConfig( const QgsAuthMethodConfig &config );
287 
295  bool loadAuthenticationConfig( const QString &authcfg, QgsAuthMethodConfig &mconfig SIP_INOUT, bool full = false );
296 
302  bool removeAuthenticationConfig( const QString &authcfg );
303 
311  bool exportAuthenticationConfigsToXml( const QString &filename, const QStringList &authcfgs, const QString &password = QString() );
312 
320  bool importAuthenticationConfigsFromXml( const QString &filename, const QString &password = QString(), bool overwrite = false );
321 
326  bool removeAllAuthenticationConfigs();
327 
332  bool backupAuthenticationDatabase( QString *backuppath SIP_INOUT = nullptr );
333 
340  bool eraseAuthenticationDatabase( bool backup, QString *backuppath SIP_INOUT = nullptr );
341 
342 
344 
352  bool updateNetworkRequest( QNetworkRequest &request SIP_INOUT, const QString &authcfg,
353  const QString &dataprovider = QString() );
354 
362  bool updateNetworkReply( QNetworkReply *reply, const QString &authcfg,
363  const QString &dataprovider = QString() );
364 
372  bool updateDataSourceUriItems( QStringList &connectionItems SIP_INOUT, const QString &authcfg,
373  const QString &dataprovider = QString() );
374 
382  bool updateNetworkProxy( QNetworkProxy &proxy SIP_INOUT, const QString &authcfg,
383  const QString &dataprovider = QString() );
384 
386 
388  bool storeAuthSetting( const QString &key, const QVariant &value, bool encrypt = false );
389 
398  QVariant authSetting( const QString &key, const QVariant &defaultValue = QVariant(), bool decrypt = false );
399 
401  bool existsAuthSetting( const QString &key );
402 
404  bool removeAuthSetting( const QString &key );
405 
406 #ifndef QT_NO_SSL
408 
410  bool initSslCaches();
411 
413  bool storeCertIdentity( const QSslCertificate &cert, const QSslKey &key );
414 
421  const QSslCertificate certIdentity( const QString &id );
422 
430  const QPair<QSslCertificate, QSslKey> certIdentityBundle( const QString &id ) SIP_SKIP;
431 
438  const QStringList certIdentityBundleToPem( const QString &id );
439 
445  const QList<QSslCertificate> certIdentities();
446 
448 
454  QStringList certIdentityIds() const;
455 
457  bool existsCertIdentity( const QString &id );
458 
460  bool removeCertIdentity( const QString &id );
461 
462 
464  bool storeSslCertCustomConfig( const QgsAuthConfigSslServer &config );
465 
473  const QgsAuthConfigSslServer sslCertCustomConfig( const QString &id, const QString &hostport );
474 
481  const QgsAuthConfigSslServer sslCertCustomConfigByHost( const QString &hostport );
482 
488  const QList<QgsAuthConfigSslServer> sslCertCustomConfigs();
489 
491  bool existsSslCertCustomConfig( const QString &id, const QString &hostport );
492 
494  bool removeSslCertCustomConfig( const QString &id, const QString &hostport );
495 
502  QHash<QString, QSet<QSslError::SslError> > ignoredSslErrorCache() { return mIgnoredSslErrorsCache; } SIP_SKIP
503 
505  void dumpIgnoredSslErrorsCache_();
506 
508  bool updateIgnoredSslErrorsCacheFromConfig( const QgsAuthConfigSslServer &config );
509 
511  bool updateIgnoredSslErrorsCache( const QString &shahostport, const QList<QSslError> &errors );
512 
514  bool rebuildIgnoredSslErrorCache();
515 
516 
518  bool storeCertAuthorities( const QList<QSslCertificate> &certs );
519 
521  bool storeCertAuthority( const QSslCertificate &cert );
522 
524 
531  const QSslCertificate certAuthority( const QString &id );
532 
534  bool existsCertAuthority( const QSslCertificate &cert );
535 
537  bool removeCertAuthority( const QSslCertificate &cert );
538 
544  const QList<QSslCertificate> systemRootCAs();
545 
551  const QList<QSslCertificate> extraFileCAs();
552 
558  const QList<QSslCertificate> databaseCAs();
559 
565  const QMap<QString, QSslCertificate> mappedDatabaseCAs();
566 
573  const QMap<QString, QPair<QgsAuthCertUtils::CaCertSource, QSslCertificate> > caCertsCache() SIP_SKIP
574  {
575  return mCaCertsCache;
576  }
577 
579  bool rebuildCaCertsCache();
580 
582  bool storeCertTrustPolicy( const QSslCertificate &cert, QgsAuthCertUtils::CertTrustPolicy policy );
583 
590  QgsAuthCertUtils::CertTrustPolicy certTrustPolicy( const QSslCertificate &cert );
591 
593  bool removeCertTrustPolicies( const QList<QSslCertificate> &certs );
594 
596  bool removeCertTrustPolicy( const QSslCertificate &cert );
597 
604  QgsAuthCertUtils::CertTrustPolicy certificateTrustPolicy( const QSslCertificate &cert );
605 
607  bool setDefaultCertTrustPolicy( QgsAuthCertUtils::CertTrustPolicy policy );
608 
610  QgsAuthCertUtils::CertTrustPolicy defaultCertTrustPolicy();
611 
617  const QMap<QgsAuthCertUtils::CertTrustPolicy, QStringList > certTrustCache() { return mCertTrustCache; }
618 
620  bool rebuildCertTrustCache();
621 
628  const QList<QSslCertificate> trustedCaCerts( bool includeinvalid = false );
629 
635  const QList<QSslCertificate> untrustedCaCerts( QList<QSslCertificate> trustedCAs = QList<QSslCertificate>() );
636 
638  bool rebuildTrustedCaCertsCache();
639 
645  const QList<QSslCertificate> trustedCaCertsCache() { return mTrustedCaCertsCache; }
646 
652  const QByteArray trustedCaCertsPemText();
653 
654 #endif
655 
660  const QString passwordHelperErrorMessage() { return mPasswordHelperErrorMessage; } SIP_SKIP
661 
666  bool passwordHelperDelete() SIP_SKIP;
667 
672  bool passwordHelperEnabled() const;
673 
678  void setPasswordHelperEnabled( bool enabled );
679 
684  bool passwordHelperLoggingEnabled() const SIP_SKIP;
685 
690  void setPasswordHelperLoggingEnabled( bool enabled ) SIP_SKIP;
691 
696  bool passwordHelperSync();
697 
699  static const QString AUTH_PASSWORD_HELPER_DISPLAY_NAME;
700 
702  static const QString AUTH_MAN_TAG;
703 
704  signals:
705 
710  void passwordHelperFailure();
711 
716  void passwordHelperSuccess();
717 
725  void messageOut( const QString &message, const QString &tag = QgsAuthManager::AUTH_MAN_TAG, QgsAuthManager::MessageLevel level = QgsAuthManager::INFO ) const;
726 
734  void passwordHelperMessageOut( const QString &message, const QString &tag = QgsAuthManager::AUTH_MAN_TAG, QgsAuthManager::MessageLevel level = QgsAuthManager::INFO );
735 
736 
741  void masterPasswordVerified( bool verified );
742 
744  void authDatabaseEraseRequested();
745 
747  void authDatabaseChanged();
748 
749  public slots:
751  void clearAllCachedConfigs();
752 
754  void clearCachedConfig( const QString &authcfg );
755 
756  private slots:
757  void writeToConsole( const QString &message, const QString &tag = QString(), QgsAuthManager::MessageLevel level = INFO );
758 
768  void tryToStartDbErase();
769 
770  protected:
771 
776  static QgsAuthManager *instance() SIP_SKIP;
777 
778 
779 #ifdef Q_OS_WIN
780  public:
781  explicit QgsAuthManager() SIP_SKIP;
782 #else
783  protected:
784  explicit QgsAuthManager() SIP_SKIP;
785 #endif
786 
787  private:
788 
790  // Password Helper methods
791 
793  QString passwordHelperName() const;
794 
796  void passwordHelperLog( const QString &msg ) const;
797 
799  QString passwordHelperRead();
800 
802  bool passwordHelperWrite( const QString &password );
803 
805  void passwordHelperSetErrorMessage( const QString &errorMessage ) { mPasswordHelperErrorMessage = errorMessage; }
806 
808  void passwordHelperClearErrors();
809 
814  void passwordHelperProcessError();
815 
816  bool createConfigTables();
817 
818  bool createCertTables();
819 
820  bool masterPasswordInput();
821 
822  bool masterPasswordRowsInDb( int *rows ) const;
823 
824  bool masterPasswordCheckAgainstDb( const QString &compare = QString() ) const;
825 
826  bool masterPasswordStoreInDb() const;
827 
828  bool masterPasswordClearDb();
829 
830  const QString masterPasswordCiv() const;
831 
832  bool verifyPasswordCanDecryptConfigs() const;
833 
834  bool reencryptAllAuthenticationConfigs( const QString &prevpass, const QString &prevciv );
835 
836  bool reencryptAuthenticationConfig( const QString &authcfg, const QString &prevpass, const QString &prevciv );
837 
838  bool reencryptAllAuthenticationSettings( const QString &prevpass, const QString &prevciv );
839 
840  bool reencryptAllAuthenticationIdentities( const QString &prevpass, const QString &prevciv );
841 
842  bool reencryptAuthenticationIdentity( const QString &identid, const QString &prevpass, const QString &prevciv );
843 
844  bool authDbOpen() const;
845 
846  bool authDbQuery( QSqlQuery *query ) const;
847 
848  bool authDbStartTransaction() const;
849 
850  bool authDbCommit() const;
851 
852  bool authDbTransactionQuery( QSqlQuery *query ) const;
853 
854 #ifndef QT_NO_SSL
855  void insertCaCertInCache( QgsAuthCertUtils::CaCertSource source, const QList<QSslCertificate> &certs );
856 #endif
857 
858  const QString authDbPassTable() const { return AUTH_PASS_TABLE; }
859 
860  const QString authDbSettingsTable() const { return AUTH_SETTINGS_TABLE; }
861 
862  const QString authDbIdentitiesTable() const { return AUTH_IDENTITIES_TABLE; }
863 
864  const QString authDbAuthoritiesTable() const { return AUTH_AUTHORITIES_TABLE; }
865 
866  const QString authDbTrustTable() const { return AUTH_TRUST_TABLE; }
867 
868  static QgsAuthManager *sInstance;
869  static const QString AUTH_CONFIG_TABLE;
870  static const QString AUTH_PASS_TABLE;
871  static const QString AUTH_SETTINGS_TABLE;
872  static const QString AUTH_IDENTITIES_TABLE;
873  static const QString AUTH_SERVERS_TABLE;
874  static const QString AUTH_AUTHORITIES_TABLE;
875  static const QString AUTH_TRUST_TABLE;
876  static const QString AUTH_CFG_REGEX;
877 
878  bool mAuthInit = false;
879  QString mAuthDbPath;
880 
881  std::unique_ptr<QCA::Initializer> mQcaInitializer;
882 
883  QHash<QString, QString> mConfigAuthMethods;
884  QHash<QString, QgsAuthMethod *> mAuthMethods;
885 
886  QString mMasterPass;
887  int mPassTries = 0;
888  bool mAuthDisabled = false;
889  QString mAuthDisabledMessage;
890  QTimer *mScheduledDbEraseTimer = nullptr;
891  bool mScheduledDbErase = false;
892  int mScheduledDbEraseRequestWait = 3 ; // in seconds
893  bool mScheduledDbEraseRequestEmitted = false;
894  int mScheduledDbEraseRequestCount = 0;
895 
896 #if QT_VERSION < QT_VERSION_CHECK(5, 14, 0)
897  std::unique_ptr<QMutex> mMutex;
898  std::unique_ptr<QMutex> mMasterPasswordMutex;
899 #else
900  std::unique_ptr<QRecursiveMutex> mMutex;
901  std::unique_ptr<QRecursiveMutex> mMasterPasswordMutex;
902 #endif
903 #ifndef QT_NO_SSL
904  // mapping of sha1 digest and cert source and cert
905  // appending removes duplicates
906  QMap<QString, QPair<QgsAuthCertUtils::CaCertSource, QSslCertificate> > mCaCertsCache;
907  // list of sha1 digests per policy
908  QMap<QgsAuthCertUtils::CertTrustPolicy, QStringList > mCertTrustCache;
909  // cache of certs ready to be utilized in network connections
910  QList<QSslCertificate> mTrustedCaCertsCache;
911  // cache of SSL errors to be ignored in network connections, per sha-hostport
912  QHash<QString, QSet<QSslError::SslError> > mIgnoredSslErrorsCache;
913 
914  bool mHasCustomConfigByHost = false;
915  bool mHasCheckedIfCustomConfigByHostExists = false;
916  QMap< QString, QgsAuthConfigSslServer > mCustomConfigByHostCache;
917 #endif
918 
920  // Password Helper Variables
921 
923  bool mPasswordHelperVerificationError = false;
924 
926  QString mPasswordHelperErrorMessage;
927 
929  QKeychain::Error mPasswordHelperErrorCode = QKeychain::NoError;
930 
932  bool mPasswordHelperLoggingEnabled = false;
933 
935  bool mPasswordHelperFailedInit = false;
936 
938  static const QLatin1String AUTH_PASSWORD_HELPER_KEY_NAME;
939 
941  static const QLatin1String AUTH_PASSWORD_HELPER_FOLDER_NAME;
942 
943  mutable QMap<QThread *, QMetaObject::Connection> mConnectedThreads;
944 
945  friend class QgsApplication;
946 
947 };
948 
949 #endif // QGSAUTHMANAGER_H
QgsApplication
Extends QApplication to provide access to QGIS specific resources such as theme paths,...
Definition: qgsapplication.h:87
QgsAuthCertUtils::CertTrustPolicy
CertTrustPolicy
Type of certificate trust policy.
Definition: qgsauthcertutils.h:54
QgsAuthCertUtils::CaCertSource
CaCertSource
Type of CA certificate source.
Definition: qgsauthcertutils.h:45
QgsAuthConfigSslServer
Configuration container for SSL server connection exceptions or overrides.
Definition: qgsauthconfig.h:391
QgsAuthManager
Singleton offering an interface to manage the authentication configuration database and to utilize co...
Definition: qgsauthmanager.h:69
QgsAuthManager::authDatabaseServersTable
const QString authDatabaseServersTable() const
Name of the authentication database table that stores server exceptions/configs.
Definition: qgsauthmanager.h:102
QgsAuthManager::certTrustCache
const QMap< QgsAuthCertUtils::CertTrustPolicy, QStringList > certTrustCache()
certTrustCache get cache of certificate sha1s, per trust policy
Definition: qgsauthmanager.h:617
QgsAuthManager::MessageLevel
MessageLevel
Message log level (mirrors that of QgsMessageLog, so it can also output there)
Definition: qgsauthmanager.h:76
QgsAuthManager::scheduledAuthDatabaseErase
bool scheduledAuthDatabaseErase()
Whether there is a scheduled opitonal erase of authentication database.
Definition: qgsauthmanager.h:171
QgsAuthManager::ignoredSslErrorCache
QHash< QString, QSet< QSslError::SslError > > ignoredSslErrorCache()
ignoredSslErrorCache Get ignored SSL error cache, keyed with cert/connection's sha:host:port.
Definition: qgsauthmanager.h:502
QgsAuthManager::authenticationDatabasePath
const QString authenticationDatabasePath() const
The standard authentication database file in ~/.qgis3/ or defined location.
Definition: qgsauthmanager.h:115
QgsAuthManager::authManTag
QString authManTag() const
Simple text tag describing authentication system for message logs.
Definition: qgsauthmanager.h:198
QgsAuthManager::setScheduledAuthDatabaseEraseRequestEmitted
void setScheduledAuthDatabaseEraseRequestEmitted(bool emitted)
Re-emit a signal to schedule an optional erase of authentication database.
Definition: qgsauthmanager.h:195
QgsAuthManager::clearMasterPassword
void clearMasterPassword()
Clear supplied master password.
Definition: qgsauthmanager.h:149
QgsAuthManager::passwordHelperErrorMessage
const QString passwordHelperErrorMessage()
Error message getter.
Definition: qgsauthmanager.h:660
QgsAuthManager::authDatabaseConfigTable
const QString authDatabaseConfigTable() const
Name of the authentication database table that stores configs.
Definition: qgsauthmanager.h:99
QgsAuthManager::caCertsCache
const QMap< QString, QPair< QgsAuthCertUtils::CaCertSource, QSslCertificate > > caCertsCache()
caCertsCache get all CA certs mapped to their sha1 from cache.
Definition: qgsauthmanager.h:573
QgsAuthManager::trustedCaCertsCache
const QList< QSslCertificate > trustedCaCertsCache()
trustedCaCertsCache cache of trusted certificate authorities, ready for network connections
Definition: qgsauthmanager.h:645
QgsAuthMethodConfig
Configuration storage class for authentication method configurations.
Definition: qgsauthconfig.h:42
QgsAuthMethodEdit
Abstract base class for the edit widget of authentication method plugins.
Definition: qgsauthmethodedit.h:30
QgsAuthMethod
Abstract base class for authentication method plugins.
Definition: qgsauthmethod.h:42
qgis_sip.h
SIP_SKIP
#define SIP_SKIP
Definition: qgis_sip.h:126
SIP_INOUT
#define SIP_INOUT
Definition: qgis_sip.h:71
QgsAuthMethodConfigsMap
QHash< QString, QgsAuthMethodConfig > QgsAuthMethodConfigsMap
Definition: qgsauthconfig.h:198
QgsAuthMethodsMap
QHash< QString, QgsAuthMethod * > QgsAuthMethodsMap
Definition: qgsauthmethod.h:204
Generated on Sun Jun 20 2021 10:45:59 for QGIS API Documentation by doxygen 1.9.1