QGIS API Documentation 3.38.0-Grenoble (exported)
Loading...
Searching...
No Matches
qgsauthmanager.h
Go to the documentation of this file.
1/***************************************************************************
2 qgsauthmanager.h
3 ---------------------
4 begin : October 5, 2014
5 copyright : (C) 2014 by Boundless Spatial, Inc. USA
6 author : Larry Shaffer
7 email : lshaffer at boundlessgeo dot com
8 ***************************************************************************
9 * *
10 * This program is free software; you can redistribute it and/or modify *
11 * it under the terms of the GNU General Public License as published by *
12 * the Free Software Foundation; either version 2 of the License, or *
13 * (at your option) any later version. *
14 * *
15 ***************************************************************************/
16
17#ifndef QGSAUTHMANAGER_H
18#define QGSAUTHMANAGER_H
19
20#include "qgis_core.h"
21#include "qgis_sip.h"
22#include <QObject>
23#include <QRecursiveMutex>
24#include <QNetworkReply>
25#include <QNetworkRequest>
26#include <QSqlDatabase>
27#include <QSqlError>
28#include <QSqlQuery>
29#include <QStringList>
30
31#ifndef QT_NO_SSL
32#include <QSslCertificate>
33#include <QSslKey>
34#include <QtCrypto>
35#include "qgsauthcertutils.h"
36#endif
37
38#include "qgsauthconfig.h"
39#include "qgsauthmethod.h"
40
41#if QT_VERSION >= QT_VERSION_CHECK(6, 0, 0)
42#include <qt6keychain/keychain.h>
43#else
44#include <qt5keychain/keychain.h>
45#endif
46
47#ifndef SIP_RUN
48namespace QCA
49{
50 class Initializer;
51}
52#endif
53class QgsAuthMethod;
55class QgsAuthProvider;
57class QTimer;
58
59
68class CORE_EXPORT QgsAuthManager : public QObject
69{
70 Q_OBJECT
71
72 public:
73
76 {
77 INFO = 0,
78 WARNING = 1,
79 CRITICAL = 2
80 };
81 Q_ENUM( MessageLevel )
82
83
92 Q_DECL_DEPRECATED bool init( const QString &pluginPath = QString(), const QString &authDatabasePath = QString() ) SIP_DEPRECATED;
93
103 void setup( const QString &pluginPath = QString(), const QString &authDatabasePath = QString() );
104
105 ~QgsAuthManager() override;
106
108 QSqlDatabase authDatabaseConnection() const;
109
111 const QString authDatabaseConfigTable() const { return AUTH_CONFIG_TABLE; }
112
114 const QString authDatabaseServersTable() const { return AUTH_SERVERS_TABLE; }
115
116
118 bool isDisabled() const;
119
121 const QString disabledMessage() const;
122
127 const QString authenticationDatabasePath() const { return mAuthDbPath; }
128
134 bool setMasterPassword( bool verify = false );
135
142 bool setMasterPassword( const QString &pass, bool verify = false );
143
149 bool verifyMasterPassword( const QString &compare = QString() );
150
152 bool masterPasswordIsSet() const;
153
155 bool masterPasswordHashInDatabase() const;
156
161 void clearMasterPassword() { mMasterPass = QString(); }
162
167 bool masterPasswordSame( const QString &pass ) const;
168
177 bool resetMasterPassword( const QString &newpass, const QString &oldpass, bool keepbackup, QString *backuppath SIP_INOUT = nullptr );
178
183 bool scheduledAuthDatabaseErase() { return mScheduledDbErase; } SIP_SKIP
184
197 void setScheduledAuthDatabaseErase( bool scheduleErase ) SIP_SKIP;
198
207 void setScheduledAuthDatabaseEraseRequestEmitted( bool emitted ) { mScheduledDbEraseRequestEmitted = emitted; }
208
210 QString authManTag() const { return AUTH_MAN_TAG; }
211
213 bool registerCoreAuthMethods();
214
216 QgsAuthMethodConfigsMap availableAuthMethodConfigs( const QString &dataprovider = QString() );
217
219 void updateConfigAuthMethods();
220
225 QgsAuthMethod *configAuthMethod( const QString &authcfg );
226
231 QString configAuthMethodKey( const QString &authcfg ) const;
232
236 QStringList authMethodsKeys( const QString &dataprovider = QString() );
237
242 QgsAuthMethod *authMethod( const QString &authMethodKey );
243
249 const QgsAuthMethodMetadata *authMethodMetadata( const QString &authMethodKey ) SIP_SKIP;
250
256 QgsAuthMethodsMap authMethodsMap( const QString &dataprovider = QString() ) SIP_SKIP;
257
258#ifdef HAVE_GUI
259 SIP_IF_FEATURE( HAVE_GUI )
260
261
266 QWidget *authMethodEditWidget( const QString &authMethodKey, QWidget *parent );
267 SIP_END
268#endif
269
274 QgsAuthMethod::Expansions supportedAuthMethodExpansions( const QString &authcfg );
275
277 const QString uniqueConfigId() const;
278
283 bool configIdUnique( const QString &id ) const;
284
289 static bool hasConfigId( const QString &txt );
290
292 QString configIdRegex() const { return AUTH_CFG_REGEX;}
293
295 QStringList configIds() const;
296
303 bool storeAuthenticationConfig( QgsAuthMethodConfig &mconfig SIP_INOUT, bool overwrite = false );
304
310 bool updateAuthenticationConfig( const QgsAuthMethodConfig &config );
311
319 bool loadAuthenticationConfig( const QString &authcfg, QgsAuthMethodConfig &mconfig SIP_INOUT, bool full = false );
320
326 bool removeAuthenticationConfig( const QString &authcfg );
327
335 bool exportAuthenticationConfigsToXml( const QString &filename, const QStringList &authcfgs, const QString &password = QString() );
336
344 bool importAuthenticationConfigsFromXml( const QString &filename, const QString &password = QString(), bool overwrite = false );
345
350 bool removeAllAuthenticationConfigs();
351
356 bool backupAuthenticationDatabase( QString *backuppath SIP_INOUT = nullptr );
357
364 bool eraseAuthenticationDatabase( bool backup, QString *backuppath SIP_INOUT = nullptr );
365
366
368
376 bool updateNetworkRequest( QNetworkRequest &request SIP_INOUT, const QString &authcfg,
377 const QString &dataprovider = QString() );
378
386 bool updateNetworkReply( QNetworkReply *reply, const QString &authcfg,
387 const QString &dataprovider = QString() );
388
396 bool updateDataSourceUriItems( QStringList &connectionItems SIP_INOUT, const QString &authcfg,
397 const QString &dataprovider = QString() );
398
406 bool updateNetworkProxy( QNetworkProxy &proxy SIP_INOUT, const QString &authcfg,
407 const QString &dataprovider = QString() );
408
410
412 bool storeAuthSetting( const QString &key, const QVariant &value, bool encrypt = false );
413
421 QVariant authSetting( const QString &key, const QVariant &defaultValue = QVariant(), bool decrypt = false );
422
424 bool existsAuthSetting( const QString &key );
425
427 bool removeAuthSetting( const QString &key );
428
429#ifndef QT_NO_SSL
431
433 bool initSslCaches();
434
436 bool storeCertIdentity( const QSslCertificate &cert, const QSslKey &key );
437
443 const QSslCertificate certIdentity( const QString &id );
444
451 const QPair<QSslCertificate, QSslKey> certIdentityBundle( const QString &id ) SIP_SKIP;
452
458 const QStringList certIdentityBundleToPem( const QString &id );
459
464 const QList<QSslCertificate> certIdentities();
465
467
472 QStringList certIdentityIds() const;
473
475 bool existsCertIdentity( const QString &id );
476
478 bool removeCertIdentity( const QString &id );
479
480
482 bool storeSslCertCustomConfig( const QgsAuthConfigSslServer &config );
483
490 const QgsAuthConfigSslServer sslCertCustomConfig( const QString &id, const QString &hostport );
491
497 const QgsAuthConfigSslServer sslCertCustomConfigByHost( const QString &hostport );
498
503 const QList<QgsAuthConfigSslServer> sslCertCustomConfigs();
504
506 bool existsSslCertCustomConfig( const QString &id, const QString &hostport );
507
509 bool removeSslCertCustomConfig( const QString &id, const QString &hostport );
510
516 QHash<QString, QSet<QSslError::SslError> > ignoredSslErrorCache() { return mIgnoredSslErrorsCache; } SIP_SKIP
517
519 void dumpIgnoredSslErrorsCache_();
520
522 bool updateIgnoredSslErrorsCacheFromConfig( const QgsAuthConfigSslServer &config );
523
525 bool updateIgnoredSslErrorsCache( const QString &shahostport, const QList<QSslError> &errors );
526
528 bool rebuildIgnoredSslErrorCache();
529
530
532 bool storeCertAuthorities( const QList<QSslCertificate> &certs );
533
535 bool storeCertAuthority( const QSslCertificate &cert );
536
538
544 const QSslCertificate certAuthority( const QString &id );
545
547 bool existsCertAuthority( const QSslCertificate &cert );
548
550 bool removeCertAuthority( const QSslCertificate &cert );
551
556 static const QList<QSslCertificate> systemRootCAs();
557
562 const QList<QSslCertificate> extraFileCAs();
563
568 const QList<QSslCertificate> databaseCAs();
569
574 const QMap<QString, QSslCertificate> mappedDatabaseCAs();
575
581 const QMap<QString, QPair<QgsAuthCertUtils::CaCertSource, QSslCertificate> > caCertsCache() SIP_SKIP
582 {
583 return mCaCertsCache;
584 }
585
587 bool rebuildCaCertsCache();
588
590 bool storeCertTrustPolicy( const QSslCertificate &cert, QgsAuthCertUtils::CertTrustPolicy policy );
591
597 QgsAuthCertUtils::CertTrustPolicy certTrustPolicy( const QSslCertificate &cert );
598
600 bool removeCertTrustPolicies( const QList<QSslCertificate> &certs );
601
603 bool removeCertTrustPolicy( const QSslCertificate &cert );
604
610 QgsAuthCertUtils::CertTrustPolicy certificateTrustPolicy( const QSslCertificate &cert );
611
613 bool setDefaultCertTrustPolicy( QgsAuthCertUtils::CertTrustPolicy policy );
614
616 QgsAuthCertUtils::CertTrustPolicy defaultCertTrustPolicy();
617
622 const QMap<QgsAuthCertUtils::CertTrustPolicy, QStringList > certTrustCache() { return mCertTrustCache; }
623
625 bool rebuildCertTrustCache();
626
632 const QList<QSslCertificate> trustedCaCerts( bool includeinvalid = false );
633
638 const QList<QSslCertificate> untrustedCaCerts( QList<QSslCertificate> trustedCAs = QList<QSslCertificate>() );
639
641 bool rebuildTrustedCaCertsCache();
642
647 const QList<QSslCertificate> trustedCaCertsCache() { return mTrustedCaCertsCache; }
648
653 const QByteArray trustedCaCertsPemText();
654
655#endif
656
661 const QString passwordHelperErrorMessage() { return mPasswordHelperErrorMessage; } SIP_SKIP
662
667 bool passwordHelperDelete() SIP_SKIP;
668
673 static bool passwordHelperEnabled();
674
679 void setPasswordHelperEnabled( bool enabled );
680
685 static bool passwordHelperLoggingEnabled() SIP_SKIP;
686
691 static void setPasswordHelperLoggingEnabled( bool enabled ) SIP_SKIP;
692
697 bool passwordHelperSync();
698
700 static const QString AUTH_PASSWORD_HELPER_DISPLAY_NAME;
701
703 static const QString AUTH_MAN_TAG;
704
705 signals:
706
711 void passwordHelperFailure();
712
717 void passwordHelperSuccess();
718
726 void messageOut( const QString &message, const QString &tag = QgsAuthManager::AUTH_MAN_TAG, QgsAuthManager::MessageLevel level = QgsAuthManager::INFO ) const;
727
735 void passwordHelperMessageOut( const QString &message, const QString &tag = QgsAuthManager::AUTH_MAN_TAG, QgsAuthManager::MessageLevel level = QgsAuthManager::INFO );
736
737
742 void masterPasswordVerified( bool verified );
743
745 void authDatabaseEraseRequested();
746
748 void authDatabaseChanged();
749
750 public slots:
752 void clearAllCachedConfigs();
753
755 void clearCachedConfig( const QString &authcfg );
756
757 private slots:
758 void writeToConsole( const QString &message, const QString &tag = QString(), QgsAuthManager::MessageLevel level = INFO );
759
769 void tryToStartDbErase();
770
771 protected:
772
777 static QgsAuthManager *instance() SIP_SKIP;
778
779
780#ifdef Q_OS_WIN
781 public:
782 explicit QgsAuthManager() SIP_SKIP;
783#else
784 protected:
785 explicit QgsAuthManager() SIP_SKIP;
786#endif
787
788 private:
789
794 bool ensureInitialized() const;
795
796 bool initPrivate( const QString &pluginPath, const QString &authDatabasePath );
797
799 // Password Helper methods
800
802 QString passwordHelperName() const;
803
805 void passwordHelperLog( const QString &msg ) const;
806
808 QString passwordHelperRead();
809
811 bool passwordHelperWrite( const QString &password );
812
814 void passwordHelperSetErrorMessage( const QString &errorMessage ) { mPasswordHelperErrorMessage = errorMessage; }
815
817 void passwordHelperClearErrors();
818
823 void passwordHelperProcessError();
824
825 bool createConfigTables();
826
827 bool createCertTables();
828
829 bool masterPasswordInput();
830
831 bool masterPasswordRowsInDb( int *rows ) const;
832
833 bool masterPasswordCheckAgainstDb( const QString &compare = QString() ) const;
834
835 bool masterPasswordStoreInDb() const;
836
837 bool masterPasswordClearDb();
838
839 const QString masterPasswordCiv() const;
840
841 bool verifyPasswordCanDecryptConfigs() const;
842
843 bool reencryptAllAuthenticationConfigs( const QString &prevpass, const QString &prevciv );
844
845 bool reencryptAuthenticationConfig( const QString &authcfg, const QString &prevpass, const QString &prevciv );
846
847 bool reencryptAllAuthenticationSettings( const QString &prevpass, const QString &prevciv );
848
849 bool reencryptAllAuthenticationIdentities( const QString &prevpass, const QString &prevciv );
850
851 bool reencryptAuthenticationIdentity( const QString &identid, const QString &prevpass, const QString &prevciv );
852
853 bool authDbOpen() const;
854
855 bool authDbQuery( QSqlQuery *query ) const;
856
857 bool authDbStartTransaction() const;
858
859 bool authDbCommit() const;
860
861 bool authDbTransactionQuery( QSqlQuery *query ) const;
862
863#ifndef QT_NO_SSL
864 void insertCaCertInCache( QgsAuthCertUtils::CaCertSource source, const QList<QSslCertificate> &certs );
865#endif
866
867 const QString authDbPassTable() const { return AUTH_PASS_TABLE; }
868
869 const QString authDbSettingsTable() const { return AUTH_SETTINGS_TABLE; }
870
871 const QString authDbIdentitiesTable() const { return AUTH_IDENTITIES_TABLE; }
872
873 const QString authDbAuthoritiesTable() const { return AUTH_AUTHORITIES_TABLE; }
874
875 const QString authDbTrustTable() const { return AUTH_TRUST_TABLE; }
876
877 QString authPasswordHelperKeyName() const;
878
879 static QgsAuthManager *sInstance;
880 static const QString AUTH_CONFIG_TABLE;
881 static const QString AUTH_PASS_TABLE;
882 static const QString AUTH_SETTINGS_TABLE;
883 static const QString AUTH_IDENTITIES_TABLE;
884 static const QString AUTH_SERVERS_TABLE;
885 static const QString AUTH_AUTHORITIES_TABLE;
886 static const QString AUTH_TRUST_TABLE;
887 static const QString AUTH_CFG_REGEX;
888
889 QString mPluginPath;
890 QString mAuthDatabasePath;
891 mutable bool mLazyInitResult = false;
892
893 bool mAuthInit = false;
894 QString mAuthDbPath;
895
896 std::unique_ptr<QCA::Initializer> mQcaInitializer;
897
898 QHash<QString, QString> mConfigAuthMethods;
899 QHash<QString, QgsAuthMethod *> mAuthMethods;
900
901 QString mMasterPass;
902 int mPassTries = 0;
903 bool mAuthDisabled = false;
904 QString mAuthDisabledMessage;
905 QTimer *mScheduledDbEraseTimer = nullptr;
906 bool mScheduledDbErase = false;
907 int mScheduledDbEraseRequestWait = 3 ; // in seconds
908 bool mScheduledDbEraseRequestEmitted = false;
909 int mScheduledDbEraseRequestCount = 0;
910
911 std::unique_ptr<QRecursiveMutex> mMutex;
912 std::unique_ptr<QRecursiveMutex> mMasterPasswordMutex;
913#ifndef QT_NO_SSL
914 // mapping of sha1 digest and cert source and cert
915 // appending removes duplicates
916 QMap<QString, QPair<QgsAuthCertUtils::CaCertSource, QSslCertificate> > mCaCertsCache;
917 // list of sha1 digests per policy
918 QMap<QgsAuthCertUtils::CertTrustPolicy, QStringList > mCertTrustCache;
919 // cache of certs ready to be utilized in network connections
920 QList<QSslCertificate> mTrustedCaCertsCache;
921 // cache of SSL errors to be ignored in network connections, per sha-hostport
922 QHash<QString, QSet<QSslError::SslError> > mIgnoredSslErrorsCache;
923
924 bool mHasCustomConfigByHost = false;
925 bool mHasCheckedIfCustomConfigByHostExists = false;
926 QMap< QString, QgsAuthConfigSslServer > mCustomConfigByHostCache;
927#endif
928
930 // Password Helper Variables
931
933 bool mPasswordHelperVerificationError = false;
934
936 QString mPasswordHelperErrorMessage;
937
939 QKeychain::Error mPasswordHelperErrorCode = QKeychain::NoError;
940
942 bool mPasswordHelperLoggingEnabled = false;
943
945 bool mPasswordHelperFailedInit = false;
946
948 static const QLatin1String AUTH_PASSWORD_HELPER_KEY_NAME_BASE;
949
951 static const QLatin1String AUTH_PASSWORD_HELPER_FOLDER_NAME;
952
953 mutable QMap<QThread *, QMetaObject::Connection> mConnectedThreads;
954
955 friend class QgsApplication;
956
957};
958
959#endif // QGSAUTHMANAGER_H
Extends QApplication to provide access to QGIS specific resources such as theme paths,...
CertTrustPolicy
Type of certificate trust policy.
CaCertSource
Type of CA certificate source.
Configuration container for SSL server connection exceptions or overrides.
Singleton offering an interface to manage the authentication configuration database and to utilize co...
const QString authDatabaseServersTable() const
Name of the authentication database table that stores server exceptions/configs.
MessageLevel
Message log level (mirrors that of QgsMessageLog, so it can also output there)
const QList< QSslCertificate > trustedCaCertsCache()
trustedCaCertsCache cache of trusted certificate authorities, ready for network connections
const QMap< QgsAuthCertUtils::CertTrustPolicy, QStringList > certTrustCache()
certTrustCache get cache of certificate sha1s, per trust policy
bool scheduledAuthDatabaseErase()
Whether there is a scheduled opitonal erase of authentication database.
const QString authenticationDatabasePath() const
The standard authentication database file in ~/.qgis3/ or defined location.
QString authManTag() const
Simple text tag describing authentication system for message logs.
const QMap< QString, QPair< QgsAuthCertUtils::CaCertSource, QSslCertificate > > caCertsCache()
caCertsCache get all CA certs mapped to their sha1 from cache.
QString configIdRegex() const
Returns the regular expression for authcfg=.{7} key/value token for authentication ids.
void setScheduledAuthDatabaseEraseRequestEmitted(bool emitted)
Re-emit a signal to schedule an optional erase of authentication database.
void clearMasterPassword()
Clear supplied master password.
const QString passwordHelperErrorMessage()
Error message getter.
QHash< QString, QSet< QSslError::SslError > > ignoredSslErrorCache()
ignoredSslErrorCache Get ignored SSL error cache, keyed with cert/connection's sha:host:port.
Configuration storage class for authentication method configurations.
Abstract base class for the edit widget of authentication method plugins.
Holds data auth method key, description, and associated shared library file information.
Abstract base class for authentication method plugins.
QFlags< Expansion > Expansions
#define SIP_DEPRECATED
Definition qgis_sip.h:106
#define SIP_SKIP
Definition qgis_sip.h:126
#define SIP_IF_FEATURE(feature)
Definition qgis_sip.h:181
#define SIP_INOUT
Definition qgis_sip.h:71
#define SIP_END
Definition qgis_sip.h:208
QHash< QString, QgsAuthMethodConfig > QgsAuthMethodConfigsMap
QHash< QString, QgsAuthMethod * > QgsAuthMethodsMap