QGIS API Documentation  3.8.0-Zanzibar (11aff65)
qgsauthmanager.h
Go to the documentation of this file.
1 /***************************************************************************
2  qgsauthmanager.h
3  ---------------------
4  begin : October 5, 2014
5  copyright : (C) 2014 by Boundless Spatial, Inc. USA
6  author : Larry Shaffer
7  email : lshaffer at boundlessgeo dot com
8  ***************************************************************************
9  * *
10  * This program is free software; you can redistribute it and/or modify *
11  * it under the terms of the GNU General Public License as published by *
12  * the Free Software Foundation; either version 2 of the License, or *
13  * (at your option) any later version. *
14  * *
15  ***************************************************************************/
16 
17 #ifndef QGSAUTHMANAGER_H
18 #define QGSAUTHMANAGER_H
19 
20 #include "qgis_core.h"
21 #include "qgis_sip.h"
22 #include <QObject>
23 #include <QMutex>
24 #include <QNetworkReply>
25 #include <QNetworkRequest>
26 #include <QSqlDatabase>
27 #include <QSqlError>
28 #include <QSqlQuery>
29 #include <QStringList>
30 
31 #ifndef QT_NO_SSL
32 #include <QSslCertificate>
33 #include <QSslKey>
34 #include <QtCrypto>
35 #include "qgsauthcertutils.h"
36 #endif
37 
38 #include "qgsauthconfig.h"
39 #include "qgsauthmethod.h"
40 
41 // Qt5KeyChain library
42 #include "keychain.h"
43 
44 #ifndef SIP_RUN
45 namespace QCA
46 {
47  class Initializer;
48 }
49 #endif
50 class QgsAuthMethod;
51 class QgsAuthMethodEdit;
52 class QgsAuthProvider;
53 class QTimer;
54 
55 
64 class CORE_EXPORT QgsAuthManager : public QObject
65 {
66  Q_OBJECT
67 
68  public:
69 
72  {
73  INFO = 0,
74  WARNING = 1,
75  CRITICAL = 2
76  };
77  Q_ENUM( MessageLevel )
78 
79 
87  bool init( const QString &pluginPath = QString(), const QString &authDatabasePath = QString() );
88 
89  ~QgsAuthManager() override;
90 
92  QSqlDatabase authDatabaseConnection() const;
93 
95  const QString authDatabaseConfigTable() const { return AUTH_CONFIG_TABLE; }
96 
98  const QString authDatabaseServersTable() const { return AUTH_SERVERS_TABLE; }
99 
100 
102  bool isDisabled() const;
103 
105  const QString disabledMessage() const;
106 
111  const QString authenticationDatabasePath() const { return mAuthDbPath; }
112 
118  bool setMasterPassword( bool verify = false );
119 
126  bool setMasterPassword( const QString &pass, bool verify = false );
127 
133  bool verifyMasterPassword( const QString &compare = QString() );
134 
136  bool masterPasswordIsSet() const;
137 
139  bool masterPasswordHashInDatabase() const;
140 
145  void clearMasterPassword() { mMasterPass = QString(); }
146 
151  bool masterPasswordSame( const QString &pass ) const;
152 
161  bool resetMasterPassword( const QString &newpass, const QString &oldpass, bool keepbackup, QString *backuppath SIP_INOUT = nullptr );
162 
167  bool scheduledAuthDatabaseErase() { return mScheduledDbErase; } SIP_SKIP
168 
181  void setScheduledAuthDatabaseErase( bool scheduleErase ) SIP_SKIP;
182 
191  void setScheduledAuthDatabaseEraseRequestEmitted( bool emitted ) { mScheduledDbEraseRequestEmitted = emitted; }
192 
194  QString authManTag() const { return AUTH_MAN_TAG; }
195 
197  bool registerCoreAuthMethods();
198 
200  QgsAuthMethodConfigsMap availableAuthMethodConfigs( const QString &dataprovider = QString() );
201 
203  void updateConfigAuthMethods();
204 
209  QgsAuthMethod *configAuthMethod( const QString &authcfg );
210 
215  QString configAuthMethodKey( const QString &authcfg ) const;
216 
220  QStringList authMethodsKeys( const QString &dataprovider = QString() );
221 
226  QgsAuthMethod *authMethod( const QString &authMethodKey );
227 
233  QgsAuthMethodsMap authMethodsMap( const QString &dataprovider = QString() ) SIP_SKIP;
234 
240  QWidget *authMethodEditWidget( const QString &authMethodKey, QWidget *parent );
241 
246  QgsAuthMethod::Expansions supportedAuthMethodExpansions( const QString &authcfg );
247 
249  const QString uniqueConfigId() const;
250 
255  bool configIdUnique( const QString &id ) const;
256 
261  bool hasConfigId( const QString &txt ) const;
262 
264  QString configIdRegex() const { return AUTH_CFG_REGEX;}
265 
267  QStringList configIds() const;
268 
274  bool storeAuthenticationConfig( QgsAuthMethodConfig &mconfig SIP_INOUT );
275 
281  bool updateAuthenticationConfig( const QgsAuthMethodConfig &config );
282 
290  bool loadAuthenticationConfig( const QString &authcfg, QgsAuthMethodConfig &mconfig SIP_INOUT, bool full = false );
291 
297  bool removeAuthenticationConfig( const QString &authcfg );
298 
303  bool removeAllAuthenticationConfigs();
304 
309  bool backupAuthenticationDatabase( QString *backuppath SIP_INOUT = nullptr );
310 
317  bool eraseAuthenticationDatabase( bool backup, QString *backuppath SIP_INOUT = nullptr );
318 
319 
321 
329  bool updateNetworkRequest( QNetworkRequest &request SIP_INOUT, const QString &authcfg,
330  const QString &dataprovider = QString() );
331 
339  bool updateNetworkReply( QNetworkReply *reply, const QString &authcfg,
340  const QString &dataprovider = QString() );
341 
349  bool updateDataSourceUriItems( QStringList &connectionItems SIP_INOUT, const QString &authcfg,
350  const QString &dataprovider = QString() );
351 
359  bool updateNetworkProxy( QNetworkProxy &proxy SIP_INOUT, const QString &authcfg,
360  const QString &dataprovider = QString() );
361 
363 
365  bool storeAuthSetting( const QString &key, const QVariant &value, bool encrypt = false );
366 
375  QVariant authSetting( const QString &key, const QVariant &defaultValue = QVariant(), bool decrypt = false );
376 
378  bool existsAuthSetting( const QString &key );
379 
381  bool removeAuthSetting( const QString &key );
382 
383 #ifndef QT_NO_SSL
384 
387  bool initSslCaches();
388 
390  bool storeCertIdentity( const QSslCertificate &cert, const QSslKey &key );
391 
398  const QSslCertificate certIdentity( const QString &id );
399 
407  const QPair<QSslCertificate, QSslKey> certIdentityBundle( const QString &id ) SIP_SKIP;
408 
415  const QStringList certIdentityBundleToPem( const QString &id );
416 
422  const QList<QSslCertificate> certIdentities();
423 
425 
431  QStringList certIdentityIds() const;
432 
434  bool existsCertIdentity( const QString &id );
435 
437  bool removeCertIdentity( const QString &id );
438 
439 
441  bool storeSslCertCustomConfig( const QgsAuthConfigSslServer &config );
442 
450  const QgsAuthConfigSslServer sslCertCustomConfig( const QString &id, const QString &hostport );
451 
458  const QgsAuthConfigSslServer sslCertCustomConfigByHost( const QString &hostport );
459 
465  const QList<QgsAuthConfigSslServer> sslCertCustomConfigs();
466 
468  bool existsSslCertCustomConfig( const QString &id, const QString &hostport );
469 
471  bool removeSslCertCustomConfig( const QString &id, const QString &hostport );
472 
479  QHash<QString, QSet<QSslError::SslError> > ignoredSslErrorCache() { return mIgnoredSslErrorsCache; } SIP_SKIP
480 
482  void dumpIgnoredSslErrorsCache_();
483 
485  bool updateIgnoredSslErrorsCacheFromConfig( const QgsAuthConfigSslServer &config );
486 
488  bool updateIgnoredSslErrorsCache( const QString &shahostport, const QList<QSslError> &errors );
489 
491  bool rebuildIgnoredSslErrorCache();
492 
493 
495  bool storeCertAuthorities( const QList<QSslCertificate> &certs );
496 
498  bool storeCertAuthority( const QSslCertificate &cert );
499 
501 
508  const QSslCertificate certAuthority( const QString &id );
509 
511  bool existsCertAuthority( const QSslCertificate &cert );
512 
514  bool removeCertAuthority( const QSslCertificate &cert );
515 
521  const QList<QSslCertificate> systemRootCAs();
522 
528  const QList<QSslCertificate> extraFileCAs();
529 
535  const QList<QSslCertificate> databaseCAs();
536 
542  const QMap<QString, QSslCertificate> mappedDatabaseCAs();
543 
550  const QMap<QString, QPair<QgsAuthCertUtils::CaCertSource, QSslCertificate> > caCertsCache() SIP_SKIP
551  {
552  return mCaCertsCache;
553  }
554 
556  bool rebuildCaCertsCache();
557 
559  bool storeCertTrustPolicy( const QSslCertificate &cert, QgsAuthCertUtils::CertTrustPolicy policy );
560 
567  QgsAuthCertUtils::CertTrustPolicy certTrustPolicy( const QSslCertificate &cert );
568 
570  bool removeCertTrustPolicies( const QList<QSslCertificate> &certs );
571 
573  bool removeCertTrustPolicy( const QSslCertificate &cert );
574 
581  QgsAuthCertUtils::CertTrustPolicy certificateTrustPolicy( const QSslCertificate &cert );
582 
584  bool setDefaultCertTrustPolicy( QgsAuthCertUtils::CertTrustPolicy policy );
585 
587  QgsAuthCertUtils::CertTrustPolicy defaultCertTrustPolicy();
588 
594  const QMap<QgsAuthCertUtils::CertTrustPolicy, QStringList > certTrustCache() { return mCertTrustCache; }
595 
597  bool rebuildCertTrustCache();
598 
605  const QList<QSslCertificate> trustedCaCerts( bool includeinvalid = false );
606 
612  const QList<QSslCertificate> untrustedCaCerts( QList<QSslCertificate> trustedCAs = QList<QSslCertificate>() );
613 
615  bool rebuildTrustedCaCertsCache();
616 
622  const QList<QSslCertificate> trustedCaCertsCache() { return mTrustedCaCertsCache; }
623 
629  const QByteArray trustedCaCertsPemText();
630 
631 #endif
632 
637  const QString passwordHelperErrorMessage() { return mPasswordHelperErrorMessage; } SIP_SKIP
638 
643  bool passwordHelperDelete() SIP_SKIP;
644 
649  bool passwordHelperEnabled() const;
650 
655  void setPasswordHelperEnabled( bool enabled );
656 
661  bool passwordHelperLoggingEnabled() const SIP_SKIP;
662 
667  void setPasswordHelperLoggingEnabled( bool enabled ) SIP_SKIP;
668 
673  bool passwordHelperSync();
674 
676  static const QString AUTH_PASSWORD_HELPER_DISPLAY_NAME;
677 
679  static const QString AUTH_MAN_TAG;
680 
681  signals:
682 
687  void passwordHelperFailure();
688 
693  void passwordHelperSuccess();
694 
702  void messageOut( const QString &message, const QString &tag = QgsAuthManager::AUTH_MAN_TAG, QgsAuthManager::MessageLevel level = QgsAuthManager::INFO ) const;
703 
711  void passwordHelperMessageOut( const QString &message, const QString &tag = QgsAuthManager::AUTH_MAN_TAG, QgsAuthManager::MessageLevel level = QgsAuthManager::INFO );
712 
713 
718  void masterPasswordVerified( bool verified );
719 
721  void authDatabaseEraseRequested();
722 
724  void authDatabaseChanged();
725 
726  public slots:
728  void clearAllCachedConfigs();
729 
731  void clearCachedConfig( const QString &authcfg );
732 
733  private slots:
734  void writeToConsole( const QString &message, const QString &tag = QString(), QgsAuthManager::MessageLevel level = INFO );
735 
745  void tryToStartDbErase();
746 
747  protected:
748 
753  static QgsAuthManager *instance() SIP_SKIP;
754 
755  explicit QgsAuthManager() SIP_SKIP;
756 
757  private:
758 
760  // Password Helper methods
761 
763  QString passwordHelperName() const;
764 
766  void passwordHelperLog( const QString &msg ) const;
767 
769  QString passwordHelperRead();
770 
772  bool passwordHelperWrite( const QString &password );
773 
775  void passwordHelperSetErrorMessage( const QString &errorMessage ) { mPasswordHelperErrorMessage = errorMessage; }
776 
778  void passwordHelperClearErrors();
779 
784  void passwordHelperProcessError();
785 
786  bool createConfigTables();
787 
788  bool createCertTables();
789 
790  bool masterPasswordInput();
791 
792  bool masterPasswordRowsInDb( int *rows ) const;
793 
794  bool masterPasswordCheckAgainstDb( const QString &compare = QString() ) const;
795 
796  bool masterPasswordStoreInDb() const;
797 
798  bool masterPasswordClearDb();
799 
800  const QString masterPasswordCiv() const;
801 
802  bool verifyPasswordCanDecryptConfigs() const;
803 
804  bool reencryptAllAuthenticationConfigs( const QString &prevpass, const QString &prevciv );
805 
806  bool reencryptAuthenticationConfig( const QString &authcfg, const QString &prevpass, const QString &prevciv );
807 
808  bool reencryptAllAuthenticationSettings( const QString &prevpass, const QString &prevciv );
809 
810  bool reencryptAllAuthenticationIdentities( const QString &prevpass, const QString &prevciv );
811 
812  bool reencryptAuthenticationIdentity( const QString &identid, const QString &prevpass, const QString &prevciv );
813 
814  bool authDbOpen() const;
815 
816  bool authDbQuery( QSqlQuery *query ) const;
817 
818  bool authDbStartTransaction() const;
819 
820  bool authDbCommit() const;
821 
822  bool authDbTransactionQuery( QSqlQuery *query ) const;
823 
824 #ifndef QT_NO_SSL
825  void insertCaCertInCache( QgsAuthCertUtils::CaCertSource source, const QList<QSslCertificate> &certs );
826 #endif
827 
828  const QString authDbPassTable() const { return AUTH_PASS_TABLE; }
829 
830  const QString authDbSettingsTable() const { return AUTH_SETTINGS_TABLE; }
831 
832  const QString authDbIdentitiesTable() const { return AUTH_IDENTITIES_TABLE; }
833 
834  const QString authDbAuthoritiesTable() const { return AUTH_AUTHORITIES_TABLE; }
835 
836  const QString authDbTrustTable() const { return AUTH_TRUST_TABLE; }
837 
838  static QgsAuthManager *sInstance;
839  static const QString AUTH_CONFIG_TABLE;
840  static const QString AUTH_PASS_TABLE;
841  static const QString AUTH_SETTINGS_TABLE;
842  static const QString AUTH_IDENTITIES_TABLE;
843  static const QString AUTH_SERVERS_TABLE;
844  static const QString AUTH_AUTHORITIES_TABLE;
845  static const QString AUTH_TRUST_TABLE;
846  static const QString AUTH_CFG_REGEX;
847 
848  bool mAuthInit = false;
849  QString mAuthDbPath;
850 
851  std::unique_ptr<QCA::Initializer> mQcaInitializer;
852 
853  QHash<QString, QString> mConfigAuthMethods;
854  QHash<QString, QgsAuthMethod *> mAuthMethods;
855 
856  QString mMasterPass;
857  int mPassTries = 0;
858  bool mAuthDisabled = false;
859  QString mAuthDisabledMessage;
860  QTimer *mScheduledDbEraseTimer = nullptr;
861  bool mScheduledDbErase = false;
862  int mScheduledDbEraseRequestWait = 3 ; // in seconds
863  bool mScheduledDbEraseRequestEmitted = false;
864  int mScheduledDbEraseRequestCount = 0;
865  QMutex *mMutex = nullptr;
866 
867 #ifndef QT_NO_SSL
868  // mapping of sha1 digest and cert source and cert
869  // appending removes duplicates
870  QMap<QString, QPair<QgsAuthCertUtils::CaCertSource, QSslCertificate> > mCaCertsCache;
871  // list of sha1 digests per policy
872  QMap<QgsAuthCertUtils::CertTrustPolicy, QStringList > mCertTrustCache;
873  // cache of certs ready to be utilized in network connections
874  QList<QSslCertificate> mTrustedCaCertsCache;
875  // cache of SSL errors to be ignored in network connections, per sha-hostport
876  QHash<QString, QSet<QSslError::SslError> > mIgnoredSslErrorsCache;
877 
878  bool mHasCustomConfigByHost = false;
879  bool mHasCheckedIfCustomConfigByHostExists = false;
880  QMap< QString, QgsAuthConfigSslServer > mCustomConfigByHostCache;
881 #endif
882 
884  // Password Helper Variables
885 
887  bool mPasswordHelperVerificationError = false;
888 
890  QString mPasswordHelperErrorMessage;
891 
893  QKeychain::Error mPasswordHelperErrorCode = QKeychain::NoError;
894 
896  bool mPasswordHelperLoggingEnabled = false;
897 
899  bool mPasswordHelperFailedInit = false;
900 
902  static const QLatin1String AUTH_PASSWORD_HELPER_KEY_NAME;
903 
905  static const QLatin1String AUTH_PASSWORD_HELPER_FOLDER_NAME;
906 
907  mutable QMap<QThread *, QMetaObject::Connection> mConnectedThreads;
908 
909  friend class QgsApplication;
910 
911 };
912 
913 #endif // QGSAUTHMANAGER_H
Singleton offering an interface to manage the authentication configuration database and to utilize co...
const QString authDatabaseConfigTable() const
Name of the authentication database table that stores configs.
Extends QApplication to provide access to QGIS specific resources such as theme paths, database paths etc.
Configuration container for SSL server connection exceptions or overrides.
Abstract base class for the edit widget of authentication method plugins.
#define SIP_INOUT
Definition: qgis_sip.h:64
MessageLevel
Message log level (mirrors that of QgsMessageLog, so it can also output there)
static const QString AUTH_PASSWORD_HELPER_DISPLAY_NAME
The display name of the password helper (platform dependent)
const QMap< QString, QPair< QgsAuthCertUtils::CaCertSource, QSslCertificate > > caCertsCache()
caCertsCache get all CA certs mapped to their sha1 from cache.
QHash< QString, QgsAuthMethodConfig > QgsAuthMethodConfigsMap
QString authManTag() const
Simple text tag describing authentication system for message logs.
#define SIP_SKIP
Definition: qgis_sip.h:119
Configuration storage class for authentication method configurations.
Definition: qgsauthconfig.h:38
const QString authenticationDatabasePath() const
The standard authentication database file in ~/.qgis3/ or defined location.
Abstract base class for authentication method plugins.
Definition: qgsauthmethod.h:36
CaCertSource
Type of CA certificate source.
void clearMasterPassword()
Clear supplied master password.
const QList< QSslCertificate > trustedCaCertsCache()
trustedCaCertsCache cache of trusted certificate authorities, ready for network connections ...
QString configIdRegex() const
Returns the regular expression for authcfg=.{7} key/value token for authentication ids...
const QMap< QgsAuthCertUtils::CertTrustPolicy, QStringList > certTrustCache()
certTrustCache get cache of certificate sha1s, per trust policy
static const QString AUTH_MAN_TAG
The display name of the Authentication Manager.
CertTrustPolicy
Type of certificate trust policy.
bool scheduledAuthDatabaseErase()
Whether there is a scheduled opitonal erase of authentication database.
const QString passwordHelperErrorMessage()
Error message getter.
const QString authDatabaseServersTable() const
Name of the authentication database table that stores server exceptions/configs.
QHash< QString, QSet< QSslError::SslError > > ignoredSslErrorCache()
ignoredSslErrorCache Get ignored SSL error cache, keyed with cert/connection&#39;s sha:host:port.
void setScheduledAuthDatabaseEraseRequestEmitted(bool emitted)
Re-emit a signal to schedule an optional erase of authentication database.
QHash< QString, QgsAuthMethod * > QgsAuthMethodsMap