QGIS API Documentation 3.30.0-'s-Hertogenbosch (f186b8efe0)
qgsauthmanager.h
Go to the documentation of this file.
1/***************************************************************************
2 qgsauthmanager.h
3 ---------------------
4 begin : October 5, 2014
5 copyright : (C) 2014 by Boundless Spatial, Inc. USA
6 author : Larry Shaffer
7 email : lshaffer at boundlessgeo dot com
8 ***************************************************************************
9 * *
10 * This program is free software; you can redistribute it and/or modify *
11 * it under the terms of the GNU General Public License as published by *
12 * the Free Software Foundation; either version 2 of the License, or *
13 * (at your option) any later version. *
14 * *
15 ***************************************************************************/
16
17#ifndef QGSAUTHMANAGER_H
18#define QGSAUTHMANAGER_H
19
20#include "qgis_core.h"
21#include "qgis_sip.h"
22#include <QObject>
23#include <QRecursiveMutex>
24#include <QNetworkReply>
25#include <QNetworkRequest>
26#include <QSqlDatabase>
27#include <QSqlError>
28#include <QSqlQuery>
29#include <QStringList>
30
31#ifndef QT_NO_SSL
32#include <QSslCertificate>
33#include <QSslKey>
34#include <QtCrypto>
35#include "qgsauthcertutils.h"
36#endif
37
38#include "qgsauthconfig.h"
39#include "qgsauthmethod.h"
40
41// Qt5KeyChain library
42#include "keychain.h"
43
44#ifndef SIP_RUN
45namespace QCA
46{
47 class Initializer;
48}
49#endif
50class QgsAuthMethod;
52class QgsAuthProvider;
54class QTimer;
55
56
65class CORE_EXPORT QgsAuthManager : public QObject
66{
67 Q_OBJECT
68
69 public:
70
73 {
74 INFO = 0,
75 WARNING = 1,
76 CRITICAL = 2
77 };
78 Q_ENUM( MessageLevel )
79
80
88 bool init( const QString &pluginPath = QString(), const QString &authDatabasePath = QString() );
89
90 ~QgsAuthManager() override;
91
93 QSqlDatabase authDatabaseConnection() const;
94
96 const QString authDatabaseConfigTable() const { return AUTH_CONFIG_TABLE; }
97
99 const QString authDatabaseServersTable() const { return AUTH_SERVERS_TABLE; }
100
101
103 bool isDisabled() const;
104
106 const QString disabledMessage() const;
107
112 const QString authenticationDatabasePath() const { return mAuthDbPath; }
113
119 bool setMasterPassword( bool verify = false );
120
127 bool setMasterPassword( const QString &pass, bool verify = false );
128
134 bool verifyMasterPassword( const QString &compare = QString() );
135
137 bool masterPasswordIsSet() const;
138
140 bool masterPasswordHashInDatabase() const;
141
146 void clearMasterPassword() { mMasterPass = QString(); }
147
152 bool masterPasswordSame( const QString &pass ) const;
153
162 bool resetMasterPassword( const QString &newpass, const QString &oldpass, bool keepbackup, QString *backuppath SIP_INOUT = nullptr );
163
168 bool scheduledAuthDatabaseErase() { return mScheduledDbErase; } SIP_SKIP
169
182 void setScheduledAuthDatabaseErase( bool scheduleErase ) SIP_SKIP;
183
192 void setScheduledAuthDatabaseEraseRequestEmitted( bool emitted ) { mScheduledDbEraseRequestEmitted = emitted; }
193
195 QString authManTag() const { return AUTH_MAN_TAG; }
196
198 bool registerCoreAuthMethods();
199
201 QgsAuthMethodConfigsMap availableAuthMethodConfigs( const QString &dataprovider = QString() );
202
204 void updateConfigAuthMethods();
205
210 QgsAuthMethod *configAuthMethod( const QString &authcfg );
211
216 QString configAuthMethodKey( const QString &authcfg ) const;
217
221 QStringList authMethodsKeys( const QString &dataprovider = QString() );
222
227 QgsAuthMethod *authMethod( const QString &authMethodKey );
228
234 const QgsAuthMethodMetadata *authMethodMetadata( const QString &authMethodKey ) SIP_SKIP;
235
241 QgsAuthMethodsMap authMethodsMap( const QString &dataprovider = QString() ) SIP_SKIP;
242
243#ifdef HAVE_GUI
244 SIP_IF_FEATURE( HAVE_GUI )
245
246
251 QWidget *authMethodEditWidget( const QString &authMethodKey, QWidget *parent );
252 SIP_END
253#endif
254
259 QgsAuthMethod::Expansions supportedAuthMethodExpansions( const QString &authcfg );
260
262 const QString uniqueConfigId() const;
263
268 bool configIdUnique( const QString &id ) const;
269
274 bool hasConfigId( const QString &txt ) const;
275
277 QString configIdRegex() const { return AUTH_CFG_REGEX;}
278
280 QStringList configIds() const;
281
288 bool storeAuthenticationConfig( QgsAuthMethodConfig &mconfig SIP_INOUT, bool overwrite = false );
289
295 bool updateAuthenticationConfig( const QgsAuthMethodConfig &config );
296
304 bool loadAuthenticationConfig( const QString &authcfg, QgsAuthMethodConfig &mconfig SIP_INOUT, bool full = false );
305
311 bool removeAuthenticationConfig( const QString &authcfg );
312
320 bool exportAuthenticationConfigsToXml( const QString &filename, const QStringList &authcfgs, const QString &password = QString() );
321
329 bool importAuthenticationConfigsFromXml( const QString &filename, const QString &password = QString(), bool overwrite = false );
330
335 bool removeAllAuthenticationConfigs();
336
341 bool backupAuthenticationDatabase( QString *backuppath SIP_INOUT = nullptr );
342
349 bool eraseAuthenticationDatabase( bool backup, QString *backuppath SIP_INOUT = nullptr );
350
351
353
361 bool updateNetworkRequest( QNetworkRequest &request SIP_INOUT, const QString &authcfg,
362 const QString &dataprovider = QString() );
363
371 bool updateNetworkReply( QNetworkReply *reply, const QString &authcfg,
372 const QString &dataprovider = QString() );
373
381 bool updateDataSourceUriItems( QStringList &connectionItems SIP_INOUT, const QString &authcfg,
382 const QString &dataprovider = QString() );
383
391 bool updateNetworkProxy( QNetworkProxy &proxy SIP_INOUT, const QString &authcfg,
392 const QString &dataprovider = QString() );
393
395
397 bool storeAuthSetting( const QString &key, const QVariant &value, bool encrypt = false );
398
407 QVariant authSetting( const QString &key, const QVariant &defaultValue = QVariant(), bool decrypt = false );
408
410 bool existsAuthSetting( const QString &key );
411
413 bool removeAuthSetting( const QString &key );
414
415#ifndef QT_NO_SSL
417
419 bool initSslCaches();
420
422 bool storeCertIdentity( const QSslCertificate &cert, const QSslKey &key );
423
430 const QSslCertificate certIdentity( const QString &id );
431
439 const QPair<QSslCertificate, QSslKey> certIdentityBundle( const QString &id ) SIP_SKIP;
440
447 const QStringList certIdentityBundleToPem( const QString &id );
448
454 const QList<QSslCertificate> certIdentities();
455
457
463 QStringList certIdentityIds() const;
464
466 bool existsCertIdentity( const QString &id );
467
469 bool removeCertIdentity( const QString &id );
470
471
473 bool storeSslCertCustomConfig( const QgsAuthConfigSslServer &config );
474
482 const QgsAuthConfigSslServer sslCertCustomConfig( const QString &id, const QString &hostport );
483
490 const QgsAuthConfigSslServer sslCertCustomConfigByHost( const QString &hostport );
491
497 const QList<QgsAuthConfigSslServer> sslCertCustomConfigs();
498
500 bool existsSslCertCustomConfig( const QString &id, const QString &hostport );
501
503 bool removeSslCertCustomConfig( const QString &id, const QString &hostport );
504
511 QHash<QString, QSet<QSslError::SslError> > ignoredSslErrorCache() { return mIgnoredSslErrorsCache; } SIP_SKIP
512
514 void dumpIgnoredSslErrorsCache_();
515
517 bool updateIgnoredSslErrorsCacheFromConfig( const QgsAuthConfigSslServer &config );
518
520 bool updateIgnoredSslErrorsCache( const QString &shahostport, const QList<QSslError> &errors );
521
523 bool rebuildIgnoredSslErrorCache();
524
525
527 bool storeCertAuthorities( const QList<QSslCertificate> &certs );
528
530 bool storeCertAuthority( const QSslCertificate &cert );
531
533
540 const QSslCertificate certAuthority( const QString &id );
541
543 bool existsCertAuthority( const QSslCertificate &cert );
544
546 bool removeCertAuthority( const QSslCertificate &cert );
547
553 const QList<QSslCertificate> systemRootCAs();
554
560 const QList<QSslCertificate> extraFileCAs();
561
567 const QList<QSslCertificate> databaseCAs();
568
574 const QMap<QString, QSslCertificate> mappedDatabaseCAs();
575
582 const QMap<QString, QPair<QgsAuthCertUtils::CaCertSource, QSslCertificate> > caCertsCache() SIP_SKIP
583 {
584 return mCaCertsCache;
585 }
586
588 bool rebuildCaCertsCache();
589
591 bool storeCertTrustPolicy( const QSslCertificate &cert, QgsAuthCertUtils::CertTrustPolicy policy );
592
599 QgsAuthCertUtils::CertTrustPolicy certTrustPolicy( const QSslCertificate &cert );
600
602 bool removeCertTrustPolicies( const QList<QSslCertificate> &certs );
603
605 bool removeCertTrustPolicy( const QSslCertificate &cert );
606
613 QgsAuthCertUtils::CertTrustPolicy certificateTrustPolicy( const QSslCertificate &cert );
614
616 bool setDefaultCertTrustPolicy( QgsAuthCertUtils::CertTrustPolicy policy );
617
619 QgsAuthCertUtils::CertTrustPolicy defaultCertTrustPolicy();
620
626 const QMap<QgsAuthCertUtils::CertTrustPolicy, QStringList > certTrustCache() { return mCertTrustCache; }
627
629 bool rebuildCertTrustCache();
630
637 const QList<QSslCertificate> trustedCaCerts( bool includeinvalid = false );
638
644 const QList<QSslCertificate> untrustedCaCerts( QList<QSslCertificate> trustedCAs = QList<QSslCertificate>() );
645
647 bool rebuildTrustedCaCertsCache();
648
654 const QList<QSslCertificate> trustedCaCertsCache() { return mTrustedCaCertsCache; }
655
661 const QByteArray trustedCaCertsPemText();
662
663#endif
664
669 const QString passwordHelperErrorMessage() { return mPasswordHelperErrorMessage; } SIP_SKIP
670
675 bool passwordHelperDelete() SIP_SKIP;
676
681 bool passwordHelperEnabled() const;
682
687 void setPasswordHelperEnabled( bool enabled );
688
693 bool passwordHelperLoggingEnabled() const SIP_SKIP;
694
699 void setPasswordHelperLoggingEnabled( bool enabled ) SIP_SKIP;
700
705 bool passwordHelperSync();
706
708 static const QString AUTH_PASSWORD_HELPER_DISPLAY_NAME;
709
711 static const QString AUTH_MAN_TAG;
712
713 signals:
714
719 void passwordHelperFailure();
720
725 void passwordHelperSuccess();
726
734 void messageOut( const QString &message, const QString &tag = QgsAuthManager::AUTH_MAN_TAG, QgsAuthManager::MessageLevel level = QgsAuthManager::INFO ) const;
735
743 void passwordHelperMessageOut( const QString &message, const QString &tag = QgsAuthManager::AUTH_MAN_TAG, QgsAuthManager::MessageLevel level = QgsAuthManager::INFO );
744
745
750 void masterPasswordVerified( bool verified );
751
753 void authDatabaseEraseRequested();
754
756 void authDatabaseChanged();
757
758 public slots:
760 void clearAllCachedConfigs();
761
763 void clearCachedConfig( const QString &authcfg );
764
765 private slots:
766 void writeToConsole( const QString &message, const QString &tag = QString(), QgsAuthManager::MessageLevel level = INFO );
767
777 void tryToStartDbErase();
778
779 protected:
780
785 static QgsAuthManager *instance() SIP_SKIP;
786
787
788#ifdef Q_OS_WIN
789 public:
790 explicit QgsAuthManager() SIP_SKIP;
791#else
792 protected:
793 explicit QgsAuthManager() SIP_SKIP;
794#endif
795
796 private:
797
799 // Password Helper methods
800
802 QString passwordHelperName() const;
803
805 void passwordHelperLog( const QString &msg ) const;
806
808 QString passwordHelperRead();
809
811 bool passwordHelperWrite( const QString &password );
812
814 void passwordHelperSetErrorMessage( const QString &errorMessage ) { mPasswordHelperErrorMessage = errorMessage; }
815
817 void passwordHelperClearErrors();
818
823 void passwordHelperProcessError();
824
825 bool createConfigTables();
826
827 bool createCertTables();
828
829 bool masterPasswordInput();
830
831 bool masterPasswordRowsInDb( int *rows ) const;
832
833 bool masterPasswordCheckAgainstDb( const QString &compare = QString() ) const;
834
835 bool masterPasswordStoreInDb() const;
836
837 bool masterPasswordClearDb();
838
839 const QString masterPasswordCiv() const;
840
841 bool verifyPasswordCanDecryptConfigs() const;
842
843 bool reencryptAllAuthenticationConfigs( const QString &prevpass, const QString &prevciv );
844
845 bool reencryptAuthenticationConfig( const QString &authcfg, const QString &prevpass, const QString &prevciv );
846
847 bool reencryptAllAuthenticationSettings( const QString &prevpass, const QString &prevciv );
848
849 bool reencryptAllAuthenticationIdentities( const QString &prevpass, const QString &prevciv );
850
851 bool reencryptAuthenticationIdentity( const QString &identid, const QString &prevpass, const QString &prevciv );
852
853 bool authDbOpen() const;
854
855 bool authDbQuery( QSqlQuery *query ) const;
856
857 bool authDbStartTransaction() const;
858
859 bool authDbCommit() const;
860
861 bool authDbTransactionQuery( QSqlQuery *query ) const;
862
863#ifndef QT_NO_SSL
864 void insertCaCertInCache( QgsAuthCertUtils::CaCertSource source, const QList<QSslCertificate> &certs );
865#endif
866
867 const QString authDbPassTable() const { return AUTH_PASS_TABLE; }
868
869 const QString authDbSettingsTable() const { return AUTH_SETTINGS_TABLE; }
870
871 const QString authDbIdentitiesTable() const { return AUTH_IDENTITIES_TABLE; }
872
873 const QString authDbAuthoritiesTable() const { return AUTH_AUTHORITIES_TABLE; }
874
875 const QString authDbTrustTable() const { return AUTH_TRUST_TABLE; }
876
877 static QgsAuthManager *sInstance;
878 static const QString AUTH_CONFIG_TABLE;
879 static const QString AUTH_PASS_TABLE;
880 static const QString AUTH_SETTINGS_TABLE;
881 static const QString AUTH_IDENTITIES_TABLE;
882 static const QString AUTH_SERVERS_TABLE;
883 static const QString AUTH_AUTHORITIES_TABLE;
884 static const QString AUTH_TRUST_TABLE;
885 static const QString AUTH_CFG_REGEX;
886
887 bool mAuthInit = false;
888 QString mAuthDbPath;
889
890 std::unique_ptr<QCA::Initializer> mQcaInitializer;
891
892 QHash<QString, QString> mConfigAuthMethods;
893 QHash<QString, QgsAuthMethod *> mAuthMethods;
894
895 QString mMasterPass;
896 int mPassTries = 0;
897 bool mAuthDisabled = false;
898 QString mAuthDisabledMessage;
899 QTimer *mScheduledDbEraseTimer = nullptr;
900 bool mScheduledDbErase = false;
901 int mScheduledDbEraseRequestWait = 3 ; // in seconds
902 bool mScheduledDbEraseRequestEmitted = false;
903 int mScheduledDbEraseRequestCount = 0;
904
905 std::unique_ptr<QRecursiveMutex> mMutex;
906 std::unique_ptr<QRecursiveMutex> mMasterPasswordMutex;
907#ifndef QT_NO_SSL
908 // mapping of sha1 digest and cert source and cert
909 // appending removes duplicates
910 QMap<QString, QPair<QgsAuthCertUtils::CaCertSource, QSslCertificate> > mCaCertsCache;
911 // list of sha1 digests per policy
912 QMap<QgsAuthCertUtils::CertTrustPolicy, QStringList > mCertTrustCache;
913 // cache of certs ready to be utilized in network connections
914 QList<QSslCertificate> mTrustedCaCertsCache;
915 // cache of SSL errors to be ignored in network connections, per sha-hostport
916 QHash<QString, QSet<QSslError::SslError> > mIgnoredSslErrorsCache;
917
918 bool mHasCustomConfigByHost = false;
919 bool mHasCheckedIfCustomConfigByHostExists = false;
920 QMap< QString, QgsAuthConfigSslServer > mCustomConfigByHostCache;
921#endif
922
924 // Password Helper Variables
925
927 bool mPasswordHelperVerificationError = false;
928
930 QString mPasswordHelperErrorMessage;
931
933 QKeychain::Error mPasswordHelperErrorCode = QKeychain::NoError;
934
936 bool mPasswordHelperLoggingEnabled = false;
937
939 bool mPasswordHelperFailedInit = false;
940
942 static const QLatin1String AUTH_PASSWORD_HELPER_KEY_NAME;
943
945 static const QLatin1String AUTH_PASSWORD_HELPER_FOLDER_NAME;
946
947 mutable QMap<QThread *, QMetaObject::Connection> mConnectedThreads;
948
949 friend class QgsApplication;
950
951};
952
953#endif // QGSAUTHMANAGER_H
Extends QApplication to provide access to QGIS specific resources such as theme paths,...
CertTrustPolicy
Type of certificate trust policy.
CaCertSource
Type of CA certificate source.
Configuration container for SSL server connection exceptions or overrides.
Singleton offering an interface to manage the authentication configuration database and to utilize co...
const QString authDatabaseServersTable() const
Name of the authentication database table that stores server exceptions/configs.
MessageLevel
Message log level (mirrors that of QgsMessageLog, so it can also output there)
const QList< QSslCertificate > trustedCaCertsCache()
trustedCaCertsCache cache of trusted certificate authorities, ready for network connections
const QMap< QgsAuthCertUtils::CertTrustPolicy, QStringList > certTrustCache()
certTrustCache get cache of certificate sha1s, per trust policy
bool scheduledAuthDatabaseErase()
Whether there is a scheduled opitonal erase of authentication database.
const QString authenticationDatabasePath() const
The standard authentication database file in ~/.qgis3/ or defined location.
QString authManTag() const
Simple text tag describing authentication system for message logs.
const QMap< QString, QPair< QgsAuthCertUtils::CaCertSource, QSslCertificate > > caCertsCache()
caCertsCache get all CA certs mapped to their sha1 from cache.
QString configIdRegex() const
Returns the regular expression for authcfg=.{7} key/value token for authentication ids.
void setScheduledAuthDatabaseEraseRequestEmitted(bool emitted)
Re-emit a signal to schedule an optional erase of authentication database.
void clearMasterPassword()
Clear supplied master password.
const QString passwordHelperErrorMessage()
Error message getter.
const QString authDatabaseConfigTable() const
Name of the authentication database table that stores configs.
QHash< QString, QSet< QSslError::SslError > > ignoredSslErrorCache()
ignoredSslErrorCache Get ignored SSL error cache, keyed with cert/connection's sha:host:port.
Configuration storage class for authentication method configurations.
Definition: qgsauthconfig.h:42
Abstract base class for the edit widget of authentication method plugins.
Holds data auth method key, description, and associated shared library file information.
Abstract base class for authentication method plugins.
Definition: qgsauthmethod.h:39
#define SIP_SKIP
Definition: qgis_sip.h:126
#define SIP_IF_FEATURE(feature)
Definition: qgis_sip.h:176
#define SIP_INOUT
Definition: qgis_sip.h:71
#define SIP_END
Definition: qgis_sip.h:203
QHash< QString, QgsAuthMethodConfig > QgsAuthMethodConfigsMap
QHash< QString, QgsAuthMethod * > QgsAuthMethodsMap