QGIS API Documentation  3.26.3-Buenos Aires (65e4edfdad)
qgsauthmanager.h
Go to the documentation of this file.
1 /***************************************************************************
2  qgsauthmanager.h
3  ---------------------
4  begin : October 5, 2014
5  copyright : (C) 2014 by Boundless Spatial, Inc. USA
6  author : Larry Shaffer
7  email : lshaffer at boundlessgeo dot com
8  ***************************************************************************
9  * *
10  * This program is free software; you can redistribute it and/or modify *
11  * it under the terms of the GNU General Public License as published by *
12  * the Free Software Foundation; either version 2 of the License, or *
13  * (at your option) any later version. *
14  * *
15  ***************************************************************************/
16 
17 #ifndef QGSAUTHMANAGER_H
18 #define QGSAUTHMANAGER_H
19 
20 #include "qgis_core.h"
21 #include "qgis_sip.h"
22 #include <QObject>
23 #if QT_VERSION < QT_VERSION_CHECK(5, 14, 0)
24 #include <QMutex>
25 #else
26 #include <QRecursiveMutex>
27 #endif
28 #include <QNetworkReply>
29 #include <QNetworkRequest>
30 #include <QSqlDatabase>
31 #include <QSqlError>
32 #include <QSqlQuery>
33 #include <QStringList>
34 
35 #ifndef QT_NO_SSL
36 #include <QSslCertificate>
37 #include <QSslKey>
38 #include <QtCrypto>
39 #include "qgsauthcertutils.h"
40 #endif
41 
42 #include "qgsauthconfig.h"
43 #include "qgsauthmethod.h"
44 
45 // Qt5KeyChain library
46 #include "keychain.h"
47 
48 #ifndef SIP_RUN
49 namespace QCA
50 {
51  class Initializer;
52 }
53 #endif
54 class QgsAuthMethod;
55 class QgsAuthMethodEdit;
56 class QgsAuthProvider;
57 class QgsAuthMethodMetadata;
58 class QTimer;
59 
60 
69 class CORE_EXPORT QgsAuthManager : public QObject
70 {
71  Q_OBJECT
72 
73  public:
74 
76  enum MessageLevel
77  {
78  INFO = 0,
79  WARNING = 1,
80  CRITICAL = 2
81  };
82  Q_ENUM( MessageLevel )
83 
84 
92  bool init( const QString &pluginPath = QString(), const QString &authDatabasePath = QString() );
93 
94  ~QgsAuthManager() override;
95 
97  QSqlDatabase authDatabaseConnection() const;
98 
100  const QString authDatabaseConfigTable() const { return AUTH_CONFIG_TABLE; }
101 
103  const QString authDatabaseServersTable() const { return AUTH_SERVERS_TABLE; }
104 
105 
107  bool isDisabled() const;
108 
110  const QString disabledMessage() const;
111 
116  const QString authenticationDatabasePath() const { return mAuthDbPath; }
117 
123  bool setMasterPassword( bool verify = false );
124 
131  bool setMasterPassword( const QString &pass, bool verify = false );
132 
138  bool verifyMasterPassword( const QString &compare = QString() );
139 
141  bool masterPasswordIsSet() const;
142 
144  bool masterPasswordHashInDatabase() const;
145 
150  void clearMasterPassword() { mMasterPass = QString(); }
151 
156  bool masterPasswordSame( const QString &pass ) const;
157 
166  bool resetMasterPassword( const QString &newpass, const QString &oldpass, bool keepbackup, QString *backuppath SIP_INOUT = nullptr );
167 
172  bool scheduledAuthDatabaseErase() { return mScheduledDbErase; } SIP_SKIP
173 
186  void setScheduledAuthDatabaseErase( bool scheduleErase ) SIP_SKIP;
187 
196  void setScheduledAuthDatabaseEraseRequestEmitted( bool emitted ) { mScheduledDbEraseRequestEmitted = emitted; }
197 
199  QString authManTag() const { return AUTH_MAN_TAG; }
200 
202  bool registerCoreAuthMethods();
203 
205  QgsAuthMethodConfigsMap availableAuthMethodConfigs( const QString &dataprovider = QString() );
206 
208  void updateConfigAuthMethods();
209 
214  QgsAuthMethod *configAuthMethod( const QString &authcfg );
215 
220  QString configAuthMethodKey( const QString &authcfg ) const;
221 
225  QStringList authMethodsKeys( const QString &dataprovider = QString() );
226 
231  QgsAuthMethod *authMethod( const QString &authMethodKey );
232 
238  const QgsAuthMethodMetadata *authMethodMetadata( const QString &authMethodKey ) SIP_SKIP;
239 
245  QgsAuthMethodsMap authMethodsMap( const QString &dataprovider = QString() ) SIP_SKIP;
246 
247 #ifdef HAVE_GUI
248  SIP_IF_FEATURE( HAVE_GUI )
249 
250 
255  QWidget *authMethodEditWidget( const QString &authMethodKey, QWidget *parent );
256  SIP_END
257 #endif
258 
263  QgsAuthMethod::Expansions supportedAuthMethodExpansions( const QString &authcfg );
264 
266  const QString uniqueConfigId() const;
267 
272  bool configIdUnique( const QString &id ) const;
273 
278  bool hasConfigId( const QString &txt ) const;
279 
281  QString configIdRegex() const { return AUTH_CFG_REGEX;}
282 
284  QStringList configIds() const;
285 
292  bool storeAuthenticationConfig( QgsAuthMethodConfig &mconfig SIP_INOUT, bool overwrite = false );
293 
299  bool updateAuthenticationConfig( const QgsAuthMethodConfig &config );
300 
308  bool loadAuthenticationConfig( const QString &authcfg, QgsAuthMethodConfig &mconfig SIP_INOUT, bool full = false );
309 
315  bool removeAuthenticationConfig( const QString &authcfg );
316 
324  bool exportAuthenticationConfigsToXml( const QString &filename, const QStringList &authcfgs, const QString &password = QString() );
325 
333  bool importAuthenticationConfigsFromXml( const QString &filename, const QString &password = QString(), bool overwrite = false );
334 
339  bool removeAllAuthenticationConfigs();
340 
345  bool backupAuthenticationDatabase( QString *backuppath SIP_INOUT = nullptr );
346 
353  bool eraseAuthenticationDatabase( bool backup, QString *backuppath SIP_INOUT = nullptr );
354 
355 
357 
365  bool updateNetworkRequest( QNetworkRequest &request SIP_INOUT, const QString &authcfg,
366  const QString &dataprovider = QString() );
367 
375  bool updateNetworkReply( QNetworkReply *reply, const QString &authcfg,
376  const QString &dataprovider = QString() );
377 
385  bool updateDataSourceUriItems( QStringList &connectionItems SIP_INOUT, const QString &authcfg,
386  const QString &dataprovider = QString() );
387 
395  bool updateNetworkProxy( QNetworkProxy &proxy SIP_INOUT, const QString &authcfg,
396  const QString &dataprovider = QString() );
397 
399 
401  bool storeAuthSetting( const QString &key, const QVariant &value, bool encrypt = false );
402 
411  QVariant authSetting( const QString &key, const QVariant &defaultValue = QVariant(), bool decrypt = false );
412 
414  bool existsAuthSetting( const QString &key );
415 
417  bool removeAuthSetting( const QString &key );
418 
419 #ifndef QT_NO_SSL
420 
423  bool initSslCaches();
424 
426  bool storeCertIdentity( const QSslCertificate &cert, const QSslKey &key );
427 
434  const QSslCertificate certIdentity( const QString &id );
435 
443  const QPair<QSslCertificate, QSslKey> certIdentityBundle( const QString &id ) SIP_SKIP;
444 
451  const QStringList certIdentityBundleToPem( const QString &id );
452 
458  const QList<QSslCertificate> certIdentities();
459 
461 
467  QStringList certIdentityIds() const;
468 
470  bool existsCertIdentity( const QString &id );
471 
473  bool removeCertIdentity( const QString &id );
474 
475 
477  bool storeSslCertCustomConfig( const QgsAuthConfigSslServer &config );
478 
486  const QgsAuthConfigSslServer sslCertCustomConfig( const QString &id, const QString &hostport );
487 
494  const QgsAuthConfigSslServer sslCertCustomConfigByHost( const QString &hostport );
495 
501  const QList<QgsAuthConfigSslServer> sslCertCustomConfigs();
502 
504  bool existsSslCertCustomConfig( const QString &id, const QString &hostport );
505 
507  bool removeSslCertCustomConfig( const QString &id, const QString &hostport );
508 
515  QHash<QString, QSet<QSslError::SslError> > ignoredSslErrorCache() { return mIgnoredSslErrorsCache; } SIP_SKIP
516 
518  void dumpIgnoredSslErrorsCache_();
519 
521  bool updateIgnoredSslErrorsCacheFromConfig( const QgsAuthConfigSslServer &config );
522 
524  bool updateIgnoredSslErrorsCache( const QString &shahostport, const QList<QSslError> &errors );
525 
527  bool rebuildIgnoredSslErrorCache();
528 
529 
531  bool storeCertAuthorities( const QList<QSslCertificate> &certs );
532 
534  bool storeCertAuthority( const QSslCertificate &cert );
535 
537 
544  const QSslCertificate certAuthority( const QString &id );
545 
547  bool existsCertAuthority( const QSslCertificate &cert );
548 
550  bool removeCertAuthority( const QSslCertificate &cert );
551 
557  const QList<QSslCertificate> systemRootCAs();
558 
564  const QList<QSslCertificate> extraFileCAs();
565 
571  const QList<QSslCertificate> databaseCAs();
572 
578  const QMap<QString, QSslCertificate> mappedDatabaseCAs();
579 
586  const QMap<QString, QPair<QgsAuthCertUtils::CaCertSource, QSslCertificate> > caCertsCache() SIP_SKIP
587  {
588  return mCaCertsCache;
589  }
590 
592  bool rebuildCaCertsCache();
593 
595  bool storeCertTrustPolicy( const QSslCertificate &cert, QgsAuthCertUtils::CertTrustPolicy policy );
596 
603  QgsAuthCertUtils::CertTrustPolicy certTrustPolicy( const QSslCertificate &cert );
604 
606  bool removeCertTrustPolicies( const QList<QSslCertificate> &certs );
607 
609  bool removeCertTrustPolicy( const QSslCertificate &cert );
610 
617  QgsAuthCertUtils::CertTrustPolicy certificateTrustPolicy( const QSslCertificate &cert );
618 
620  bool setDefaultCertTrustPolicy( QgsAuthCertUtils::CertTrustPolicy policy );
621 
623  QgsAuthCertUtils::CertTrustPolicy defaultCertTrustPolicy();
624 
630  const QMap<QgsAuthCertUtils::CertTrustPolicy, QStringList > certTrustCache() { return mCertTrustCache; }
631 
633  bool rebuildCertTrustCache();
634 
641  const QList<QSslCertificate> trustedCaCerts( bool includeinvalid = false );
642 
648  const QList<QSslCertificate> untrustedCaCerts( QList<QSslCertificate> trustedCAs = QList<QSslCertificate>() );
649 
651  bool rebuildTrustedCaCertsCache();
652 
658  const QList<QSslCertificate> trustedCaCertsCache() { return mTrustedCaCertsCache; }
659 
665  const QByteArray trustedCaCertsPemText();
666 
667 #endif
668 
673  const QString passwordHelperErrorMessage() { return mPasswordHelperErrorMessage; } SIP_SKIP
674 
679  bool passwordHelperDelete() SIP_SKIP;
680 
685  bool passwordHelperEnabled() const;
686 
691  void setPasswordHelperEnabled( bool enabled );
692 
697  bool passwordHelperLoggingEnabled() const SIP_SKIP;
698 
703  void setPasswordHelperLoggingEnabled( bool enabled ) SIP_SKIP;
704 
709  bool passwordHelperSync();
710 
712  static const QString AUTH_PASSWORD_HELPER_DISPLAY_NAME;
713 
715  static const QString AUTH_MAN_TAG;
716 
717  signals:
718 
723  void passwordHelperFailure();
724 
729  void passwordHelperSuccess();
730 
738  void messageOut( const QString &message, const QString &tag = QgsAuthManager::AUTH_MAN_TAG, QgsAuthManager::MessageLevel level = QgsAuthManager::INFO ) const;
739 
747  void passwordHelperMessageOut( const QString &message, const QString &tag = QgsAuthManager::AUTH_MAN_TAG, QgsAuthManager::MessageLevel level = QgsAuthManager::INFO );
748 
749 
754  void masterPasswordVerified( bool verified );
755 
757  void authDatabaseEraseRequested();
758 
760  void authDatabaseChanged();
761 
762  public slots:
764  void clearAllCachedConfigs();
765 
767  void clearCachedConfig( const QString &authcfg );
768 
769  private slots:
770  void writeToConsole( const QString &message, const QString &tag = QString(), QgsAuthManager::MessageLevel level = INFO );
771 
781  void tryToStartDbErase();
782 
783  protected:
784 
789  static QgsAuthManager *instance() SIP_SKIP;
790 
791 
792 #ifdef Q_OS_WIN
793  public:
794  explicit QgsAuthManager() SIP_SKIP;
795 #else
796  protected:
797  explicit QgsAuthManager() SIP_SKIP;
798 #endif
799 
800  private:
801 
803  // Password Helper methods
804 
806  QString passwordHelperName() const;
807 
809  void passwordHelperLog( const QString &msg ) const;
810 
812  QString passwordHelperRead();
813 
815  bool passwordHelperWrite( const QString &password );
816 
818  void passwordHelperSetErrorMessage( const QString &errorMessage ) { mPasswordHelperErrorMessage = errorMessage; }
819 
821  void passwordHelperClearErrors();
822 
827  void passwordHelperProcessError();
828 
829  bool createConfigTables();
830 
831  bool createCertTables();
832 
833  bool masterPasswordInput();
834 
835  bool masterPasswordRowsInDb( int *rows ) const;
836 
837  bool masterPasswordCheckAgainstDb( const QString &compare = QString() ) const;
838 
839  bool masterPasswordStoreInDb() const;
840 
841  bool masterPasswordClearDb();
842 
843  const QString masterPasswordCiv() const;
844 
845  bool verifyPasswordCanDecryptConfigs() const;
846 
847  bool reencryptAllAuthenticationConfigs( const QString &prevpass, const QString &prevciv );
848 
849  bool reencryptAuthenticationConfig( const QString &authcfg, const QString &prevpass, const QString &prevciv );
850 
851  bool reencryptAllAuthenticationSettings( const QString &prevpass, const QString &prevciv );
852 
853  bool reencryptAllAuthenticationIdentities( const QString &prevpass, const QString &prevciv );
854 
855  bool reencryptAuthenticationIdentity( const QString &identid, const QString &prevpass, const QString &prevciv );
856 
857  bool authDbOpen() const;
858 
859  bool authDbQuery( QSqlQuery *query ) const;
860 
861  bool authDbStartTransaction() const;
862 
863  bool authDbCommit() const;
864 
865  bool authDbTransactionQuery( QSqlQuery *query ) const;
866 
867 #ifndef QT_NO_SSL
868  void insertCaCertInCache( QgsAuthCertUtils::CaCertSource source, const QList<QSslCertificate> &certs );
869 #endif
870 
871  const QString authDbPassTable() const { return AUTH_PASS_TABLE; }
872 
873  const QString authDbSettingsTable() const { return AUTH_SETTINGS_TABLE; }
874 
875  const QString authDbIdentitiesTable() const { return AUTH_IDENTITIES_TABLE; }
876 
877  const QString authDbAuthoritiesTable() const { return AUTH_AUTHORITIES_TABLE; }
878 
879  const QString authDbTrustTable() const { return AUTH_TRUST_TABLE; }
880 
881  static QgsAuthManager *sInstance;
882  static const QString AUTH_CONFIG_TABLE;
883  static const QString AUTH_PASS_TABLE;
884  static const QString AUTH_SETTINGS_TABLE;
885  static const QString AUTH_IDENTITIES_TABLE;
886  static const QString AUTH_SERVERS_TABLE;
887  static const QString AUTH_AUTHORITIES_TABLE;
888  static const QString AUTH_TRUST_TABLE;
889  static const QString AUTH_CFG_REGEX;
890 
891  bool mAuthInit = false;
892  QString mAuthDbPath;
893 
894  std::unique_ptr<QCA::Initializer> mQcaInitializer;
895 
896  QHash<QString, QString> mConfigAuthMethods;
897  QHash<QString, QgsAuthMethod *> mAuthMethods;
898 
899  QString mMasterPass;
900  int mPassTries = 0;
901  bool mAuthDisabled = false;
902  QString mAuthDisabledMessage;
903  QTimer *mScheduledDbEraseTimer = nullptr;
904  bool mScheduledDbErase = false;
905  int mScheduledDbEraseRequestWait = 3 ; // in seconds
906  bool mScheduledDbEraseRequestEmitted = false;
907  int mScheduledDbEraseRequestCount = 0;
908 
909 #if QT_VERSION < QT_VERSION_CHECK(5, 14, 0)
910  std::unique_ptr<QMutex> mMutex;
911  std::unique_ptr<QMutex> mMasterPasswordMutex;
912 #else
913  std::unique_ptr<QRecursiveMutex> mMutex;
914  std::unique_ptr<QRecursiveMutex> mMasterPasswordMutex;
915 #endif
916 #ifndef QT_NO_SSL
917  // mapping of sha1 digest and cert source and cert
918  // appending removes duplicates
919  QMap<QString, QPair<QgsAuthCertUtils::CaCertSource, QSslCertificate> > mCaCertsCache;
920  // list of sha1 digests per policy
921  QMap<QgsAuthCertUtils::CertTrustPolicy, QStringList > mCertTrustCache;
922  // cache of certs ready to be utilized in network connections
923  QList<QSslCertificate> mTrustedCaCertsCache;
924  // cache of SSL errors to be ignored in network connections, per sha-hostport
925  QHash<QString, QSet<QSslError::SslError> > mIgnoredSslErrorsCache;
926 
927  bool mHasCustomConfigByHost = false;
928  bool mHasCheckedIfCustomConfigByHostExists = false;
929  QMap< QString, QgsAuthConfigSslServer > mCustomConfigByHostCache;
930 #endif
931 
933  // Password Helper Variables
934 
936  bool mPasswordHelperVerificationError = false;
937 
939  QString mPasswordHelperErrorMessage;
940 
942  QKeychain::Error mPasswordHelperErrorCode = QKeychain::NoError;
943 
945  bool mPasswordHelperLoggingEnabled = false;
946 
948  bool mPasswordHelperFailedInit = false;
949 
951  static const QLatin1String AUTH_PASSWORD_HELPER_KEY_NAME;
952 
954  static const QLatin1String AUTH_PASSWORD_HELPER_FOLDER_NAME;
955 
956  mutable QMap<QThread *, QMetaObject::Connection> mConnectedThreads;
957 
958  friend class QgsApplication;
959 
960 };
961 
962 #endif // QGSAUTHMANAGER_H
qgsauthconfig.h
QgsAuthMethodMetadata
Holds data auth method key, description, and associated shared library file information.
Definition: qgsauthmethodmetadata.h:43
QgsAuthCertUtils::CaCertSource
CaCertSource
Type of CA certificate source.
Definition: qgsauthcertutils.h:44
qgsauthcertutils.h
QgsAuthMethod
Abstract base class for authentication method plugins.
Definition: qgsauthmethod.h:42
QgsAuthManager::configIdRegex
QString configIdRegex() const
Returns the regular expression for authcfg=.{7} key/value token for authentication ids.
Definition: qgsauthmanager.h:281
QgsAuthMethodsMap
QHash< QString, QgsAuthMethod * > QgsAuthMethodsMap
Definition: qgsauthmethod.h:217
QgsAuthManager::authenticationDatabasePath
const QString authenticationDatabasePath() const
The standard authentication database file in ~/.qgis3/ or defined location.
Definition: qgsauthmanager.h:116
QgsAuthCertUtils::CertTrustPolicy
CertTrustPolicy
Type of certificate trust policy.
Definition: qgsauthcertutils.h:53
QCA
Definition: qgsauthmanager.h:49
QgsAuthManager::authDatabaseConfigTable
const QString authDatabaseConfigTable() const
Name of the authentication database table that stores configs.
Definition: qgsauthmanager.h:100
qgsauthmethod.h
QgsAuthMethodConfigsMap
QHash< QString, QgsAuthMethodConfig > QgsAuthMethodConfigsMap
Definition: qgsauthconfig.h:200
SIP_SKIP
#define SIP_SKIP
Definition: qgis_sip.h:126
QgsAuthManager
Singleton offering an interface to manage the authentication configuration database and to utilize co...
Definition: qgsauthmanager.h:69
QgsAuthManager::MessageLevel
MessageLevel
Message log level (mirrors that of QgsMessageLog, so it can also output there)
Definition: qgsauthmanager.h:76
qgis_sip.h
QgsAuthManager::authManTag
QString authManTag() const
Simple text tag describing authentication system for message logs.
Definition: qgsauthmanager.h:199
QgsAuthManager::trustedCaCertsCache
const QList< QSslCertificate > trustedCaCertsCache()
trustedCaCertsCache cache of trusted certificate authorities, ready for network connections
Definition: qgsauthmanager.h:658
QgsApplication
Extends QApplication to provide access to QGIS specific resources such as theme paths,...
Definition: qgsapplication.h:91
QgsAuthManager::caCertsCache
const QMap< QString, QPair< QgsAuthCertUtils::CaCertSource, QSslCertificate > > caCertsCache()
caCertsCache get all CA certs mapped to their sha1 from cache.
Definition: qgsauthmanager.h:586
SIP_INOUT
#define SIP_INOUT
Definition: qgis_sip.h:71
QgsAuthManager::scheduledAuthDatabaseErase
bool scheduledAuthDatabaseErase()
Whether there is a scheduled opitonal erase of authentication database.
Definition: qgsauthmanager.h:172
SIP_IF_FEATURE
#define SIP_IF_FEATURE(feature)
Definition: qgis_sip.h:176
QgsAuthMethodEdit
Abstract base class for the edit widget of authentication method plugins.
Definition: qgsauthmethodedit.h:29
QgsAuthConfigSslServer
Configuration container for SSL server connection exceptions or overrides.
Definition: qgsauthconfig.h:392
QgsAuthManager::setScheduledAuthDatabaseEraseRequestEmitted
void setScheduledAuthDatabaseEraseRequestEmitted(bool emitted)
Re-emit a signal to schedule an optional erase of authentication database.
Definition: qgsauthmanager.h:196
QgsAuthManager::certTrustCache
const QMap< QgsAuthCertUtils::CertTrustPolicy, QStringList > certTrustCache()
certTrustCache get cache of certificate sha1s, per trust policy
Definition: qgsauthmanager.h:630
SIP_END
#define SIP_END
Definition: qgis_sip.h:203
QgsAuthManager::authDatabaseServersTable
const QString authDatabaseServersTable() const
Name of the authentication database table that stores server exceptions/configs.
Definition: qgsauthmanager.h:103
QgsAuthManager::ignoredSslErrorCache
QHash< QString, QSet< QSslError::SslError > > ignoredSslErrorCache()
ignoredSslErrorCache Get ignored SSL error cache, keyed with cert/connection's sha:host:port.
Definition: qgsauthmanager.h:515
QgsAuthManager::clearMasterPassword
void clearMasterPassword()
Clear supplied master password.
Definition: qgsauthmanager.h:150
QgsAuthManager::passwordHelperErrorMessage
const QString passwordHelperErrorMessage()
Error message getter.
Definition: qgsauthmanager.h:673
QgsAuthMethodConfig
Configuration storage class for authentication method configurations.
Definition: qgsauthconfig.h:41
Generated on Sun Sep 11 2022 00:03:17 for QGIS API Documentation by   doxygen 1.8.17