qgsauthmanager.cpp

Go to the documentation of this file.

/***************************************************************************
    qgsauthmanager.cpp
    ---------------------
    begin                : October 5, 2014
    copyright            : (C) 2014 by Boundless Spatial, Inc. USA
    author               : Larry Shaffer
    email                : lshaffer at boundlessgeo dot com
 ***************************************************************************
 *                                                                         *
 *   This program is free software; you can redistribute it and/or modify  *
 *   it under the terms of the GNU General Public License as published by  *
 *   the Free Software Foundation; either version 2 of the License, or     *
 *   (at your option) any later version.                                   *
 *                                                                         *
 ***************************************************************************/
 
#include <QCoreApplication>
#include <QDir>
#include <QDomDocument>
#include <QDomElement>
#include <QEventLoop>
#include <QFile>
#include <QFileInfo>
#include <QMutexLocker>
#include <QObject>
#include <QRandomGenerator>
#include <QRegularExpression>
#include <QSet>
#include <QSqlDatabase>
#include <QSqlDriver>
#include <QSqlError>
#include <QSqlQuery>
#include <QString>
#include <QTextStream>
#include <QTime>
#include <QTimer>
#include <QVariant>
 
using namespace Qt::StringLiterals;
 
#ifdef HAVE_AUTH
#include <QtCrypto>
#endif
 
#ifndef QT_NO_SSL
#include <QSslConfiguration>
#endif
 
// QGIS includes
#ifdef HAVE_AUTH
#include "qgsauthcertutils.h"
#endif
#include "qgsauthcrypto.h"
#include "qgsauthmethod.h"
#include "qgsauthmethodmetadata.h"
#include "qgsauthmethodregistry.h"
#include "qgscredentials.h"
#include "qgslogger.h"
#include "qgsmessagelog.h"
#include "qgsauthmanager.h"
#include "moc_qgsauthmanager.cpp"
#include "qgsauthconfigurationstorageregistry.h"
#include "qgsauthconfigurationstoragesqlite.h"
#include "qgsvariantutils.h"
#include "qgssettings.h"
#include "qgsruntimeprofiler.h"
#include "qgssettingsentryimpl.h"
#include "qgssettingstree.h"
 
QgsAuthManager *QgsAuthManager::sInstance = nullptr;
 
const QString QgsAuthManager::AUTH_CONFIG_TABLE = u"auth_configs"_s;
const QString QgsAuthManager::AUTH_SERVERS_TABLE = u"auth_servers"_s;
const QString QgsAuthManager::AUTH_MAN_TAG = QObject::tr( "Authentication Manager" );
const QString QgsAuthManager::AUTH_CFG_REGEX = u"authcfg=([a-z]|[A-Z]|[0-9]){7}"_s;
 
 
const QLatin1String QgsAuthManager::AUTH_PASSWORD_HELPER_KEY_NAME_BASE( "QGIS-Master-Password" );
const QLatin1String QgsAuthManager::AUTH_PASSWORD_HELPER_FOLDER_NAME( "QGIS" );
 
const QgsSettingsEntryBool *QgsAuthManager::settingsGenerateRandomPasswordForPasswordHelper = new QgsSettingsEntryBool( u"generate-random-password-for-keychain"_s, QgsSettingsTree::sTreeAuthentication, true, u"Whether a random password should be automatically generated for the authentication database and stored in the system keychain."_s );
const QgsSettingsEntryBool *QgsAuthManager::settingsUsingGeneratedRandomPassword = new QgsSettingsEntryBool( u"using-generated-random-password"_s, QgsSettingsTree::sTreeAuthentication, false, u"True if the user is using an autogenerated random password stored in the system keychain."_s );
 
Q_NOWARN_DEPRECATED_PUSH
#if defined(Q_OS_MAC)
const QString QgsAuthManager::AUTH_PASSWORD_HELPER_DISPLAY_NAME( "Keychain" );
#elif defined(Q_OS_WIN)
const QString QgsAuthManager::AUTH_PASSWORD_HELPER_DISPLAY_NAME( "Password Manager" );
#elif defined(Q_OS_LINUX)
const QString QgsAuthManager::AUTH_PASSWORD_HELPER_DISPLAY_NAME( u"Wallet/KeyRing"_s );
#else
const QString QgsAuthManager::AUTH_PASSWORD_HELPER_DISPLAY_NAME( "Password Manager" );
#endif
Q_NOWARN_DEPRECATED_POP
 
QgsAuthManager *QgsAuthManager::instance()
{
#ifdef HAVE_AUTH
  static QMutex sMutex;
  QMutexLocker locker( &sMutex );
  if ( !sInstance )
  {
    sInstance = new QgsAuthManager( );
  }
  return sInstance;
#else
  return new QgsAuthManager();
#endif
}
 
 
QgsAuthManager::QgsAuthManager()
{
#ifdef HAVE_AUTH
  mMutex = std::make_unique<QRecursiveMutex>();
  mMasterPasswordMutex = std::make_unique<QRecursiveMutex>();
  connect( this, &QgsAuthManager::messageLog,
           this, &QgsAuthManager::writeToConsole );
#endif
}
 
QSqlDatabase QgsAuthManager::authDatabaseConnection() const
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QSqlDatabase authdb;
 
  if ( isDisabled() )
    return authdb;
 
  // while everything we use from QSqlDatabase here is thread safe, we need to ensure
  // that the connection cleanup on thread finalization happens in a predictable order
  QMutexLocker locker( mMutex.get() );
 
  // Get the first enabled DB storage from the registry
  if ( QgsAuthConfigurationStorageDb *storage = defaultDbStorage() )
  {
    return storage->authDatabaseConnection();
  }
 
  return authdb;
#else
  return QSqlDatabase();
#endif
}
 
const QString QgsAuthManager::methodConfigTableName() const
{
#ifdef HAVE_AUTH
  if ( ! isDisabled() )
  {
    ensureInitialized();
 
    // Returns the first enabled and ready "DB" storage
    QgsAuthConfigurationStorageRegistry *storageRegistry = authConfigurationStorageRegistry();
    const QList<QgsAuthConfigurationStorage *> storages { storageRegistry->readyStorages() };
    for ( QgsAuthConfigurationStorage *storage : std::as_const( storages ) )
    {
      if ( auto dbStorage = qobject_cast<QgsAuthConfigurationStorageDb *>( storage ) )
      {
        if ( dbStorage->capabilities() & Qgis::AuthConfigurationStorageCapability::ReadConfiguration )
        {
          return dbStorage->quotedQualifiedIdentifier( dbStorage->methodConfigTableName() );
        }
      }
    }
  }
 
  return QString();
#else
  return QString();
#endif
}
 
bool QgsAuthManager::isFilesystemBasedDatabase( const QString &uri )
{
#ifdef HAVE_AUTH
  // Loop through all registered SQL drivers and return false if
  // the URI starts with one of them except the SQLite based drivers
  const auto drivers { QSqlDatabase::drivers() };
  for ( const QString &driver : std::as_const( drivers ) )
  {
    if ( driver != ( u"QSQLITE"_s ) && driver != ( u"QSPATIALITE"_s ) && uri.startsWith( driver ) )
    {
      return false;
    }
  }
  return true;
#else
  Q_UNUSED( uri )
  return false;
#endif
}
 
const QString QgsAuthManager::authenticationDatabaseUri() const
{
#ifdef HAVE_AUTH
  return mAuthDatabaseConnectionUri;
#else
  return QString();
#endif
}
 
const QString QgsAuthManager::authenticationDatabaseUriStripped() const
{
#ifdef HAVE_AUTH
  QRegularExpression re( u"password=(.*)"_s );
  QString uri = mAuthDatabaseConnectionUri;
  return uri.replace( re, u"password=*****"_s );
#else
  return QString();
#endif
}
 
 
bool QgsAuthManager::init( const QString &pluginPath, const QString &authDatabasePath )
{
#ifdef HAVE_AUTH
  mAuthDatabaseConnectionUri = authDatabasePath.startsWith( "QSQLITE://"_L1 ) ? authDatabasePath : u"QSQLITE://"_s + authDatabasePath;
  return initPrivate( pluginPath );
#else
  Q_UNUSED( pluginPath )
  Q_UNUSED( authDatabasePath )
  return false;
#endif
}
 
bool QgsAuthManager::ensureInitialized() const
{
#ifdef HAVE_AUTH
  static QRecursiveMutex sInitializationMutex;
  static bool sInitialized = false;
 
  sInitializationMutex.lock();
  if ( sInitialized )
  {
    sInitializationMutex.unlock();
    return mLazyInitResult;
  }
 
  mLazyInitResult = const_cast< QgsAuthManager * >( this )->initPrivate( mPluginPath );
  sInitialized = true;
  sInitializationMutex.unlock();
 
  return mLazyInitResult;
#else
  return false;
#endif
}
 
static char *sPassFileEnv = nullptr;
 
bool QgsAuthManager::initPrivate( const QString &pluginPath )
{
#ifdef HAVE_AUTH
  if ( mAuthInit )
    return true;
 
  mAuthInit = true;
  QgsScopedRuntimeProfile profile( tr( "Initializing authentication manager" ) );
 
  QgsDebugMsgLevel( u"Initializing QCA..."_s, 2 );
  mQcaInitializer = std::make_unique<QCA::Initializer>( QCA::Practical, 256 );
 
  QgsDebugMsgLevel( u"QCA initialized."_s, 2 );
  QCA::scanForPlugins();
 
  QgsDebugMsgLevel( u"QCA Plugin Diagnostics Context: %1"_s.arg( QCA::pluginDiagnosticText() ), 2 );
  QStringList capabilities;
 
  capabilities = QCA::supportedFeatures();
  QgsDebugMsgLevel( u"QCA supports: %1"_s.arg( capabilities.join( "," ) ), 2 );
 
  // do run-time check for qca-ossl plugin
  if ( !QCA::isSupported( "cert", u"qca-ossl"_s ) )
  {
    mAuthDisabled = true;
    mAuthDisabledMessage = tr( "QCA's OpenSSL plugin (qca-ossl) is missing" );
    return isDisabled();
  }
 
  QgsDebugMsgLevel( u"Prioritizing qca-ossl over all other QCA providers..."_s, 2 );
  const QCA::ProviderList provds = QCA::providers();
  QStringList prlist;
  for ( QCA::Provider *p : provds )
  {
    QString pn = p->name();
    int pr = 0;
    if ( pn != "qca-ossl"_L1 )
    {
      pr = QCA::providerPriority( pn ) + 1;
    }
    QCA::setProviderPriority( pn, pr );
    prlist << u"%1:%2"_s.arg( pn ).arg( QCA::providerPriority( pn ) );
  }
  QgsDebugMsgLevel( u"QCA provider priorities: %1"_s.arg( prlist.join( ", " ) ), 2 );
 
  QgsDebugMsgLevel( u"Populating auth method registry"_s, 3 );
  QgsAuthMethodRegistry *authreg = QgsAuthMethodRegistry::instance( pluginPath );
 
  QStringList methods = authreg->authMethodList();
 
  QgsDebugMsgLevel( u"Authentication methods found: %1"_s.arg( methods.join( ", " ) ), 2 );
 
  if ( methods.isEmpty() )
  {
    mAuthDisabled = true;
    mAuthDisabledMessage = tr( "No authentication method plugins found" );
    return isDisabled();
  }
 
  if ( !registerCoreAuthMethods() )
  {
    mAuthDisabled = true;
    mAuthDisabledMessage = tr( "No authentication method plugins could be loaded" );
    return isDisabled();
  }
 
  QgsDebugMsgLevel( u"Auth database URI: %1"_s.arg( mAuthDatabaseConnectionUri ), 2 );
 
  // Add the default configuration storage
  const QString sqliteDbPath { sqliteDatabasePath() };
  if ( ! sqliteDbPath.isEmpty() )
  {
    authConfigurationStorageRegistry()->addStorage( new QgsAuthConfigurationStorageSqlite( sqliteDbPath ) );
  }
  else if ( ! mAuthDatabaseConnectionUri.isEmpty() )
  {
    // For safety reasons we don't allow writing on potentially shared storages by default, plugins may override
    // this behavior by registering their own storage subclass or by explicitly setting read-only to false.
    QgsAuthConfigurationStorageDb *storage = new QgsAuthConfigurationStorageDb( mAuthDatabaseConnectionUri );
    if ( !QgsAuthManager::isFilesystemBasedDatabase( mAuthDatabaseConnectionUri ) )
    {
      storage->setReadOnly( true );
    }
    authConfigurationStorageRegistry()->addStorage( storage );
  }
 
  // Loop through all registered storages and call initialize
  const QList<QgsAuthConfigurationStorage *> storages { authConfigurationStorageRegistry()->storages() };
  for ( QgsAuthConfigurationStorage *storage : std::as_const( storages ) )
  {
    if ( ! storage->isEnabled() )
    {
      QgsDebugMsgLevel( u"Storage %1 is disabled"_s.arg( storage->name() ), 2 );
      continue;
    }
    if ( !storage->initialize() )
    {
      const QString err = tr( "Failed to initialize storage %1: %2" ).arg( storage->name(), storage->lastError() );
      QgsDebugError( err );
      emit messageLog( err, authManTag(), Qgis::MessageLevel::Warning );
    }
    else
    {
      QgsDebugMsgLevel( u"Storage %1 initialized"_s.arg( storage->name() ), 2 );
    }
    connect( storage, &QgsAuthConfigurationStorage::methodConfigChanged, this, [this] { updateConfigAuthMethods(); } );
    connect( storage, &QgsAuthConfigurationStorage::messageLog, this, &QgsAuthManager::messageLog );
  }
 
  updateConfigAuthMethods();
 
#ifndef QT_NO_SSL
  initSslCaches();
#endif
  // set the master password from first line of file defined by QGIS_AUTH_PASSWORD_FILE env variable
  if ( sPassFileEnv && masterPasswordHashInDatabase() )
  {
    QString passpath( sPassFileEnv );
    free( sPassFileEnv );
    sPassFileEnv = nullptr;
 
    QString masterpass;
    QFile passfile( passpath );
    if ( passfile.exists() && passfile.open( QIODevice::ReadOnly | QIODevice::Text ) )
    {
      QTextStream passin( &passfile );
      while ( !passin.atEnd() )
      {
        masterpass = passin.readLine();
        break;
      }
      passfile.close();
    }
    if ( !masterpass.isEmpty() )
    {
      if ( setMasterPassword( masterpass, true ) )
      {
        QgsDebugMsgLevel( u"Authentication master password set from QGIS_AUTH_PASSWORD_FILE"_s, 2 );
      }
      else
      {
        QgsDebugError( "QGIS_AUTH_PASSWORD_FILE set, but FAILED to set password using: " + passpath );
        return false;
      }
    }
    else
    {
      QgsDebugError( "QGIS_AUTH_PASSWORD_FILE set, but FAILED to read password from: " + passpath );
      return false;
    }
  }
 
#ifndef QT_NO_SSL
  initSslCaches();
#endif
 
  return true;
#else
  Q_UNUSED( pluginPath )
  return false;
#endif
}
 
void QgsAuthManager::setup( const QString &pluginPath, const QString &authDatabasePath )
{
#ifdef HAVE_AUTH
  mPluginPath = pluginPath;
  mAuthDatabaseConnectionUri = authDatabasePath;
 
  const char *p = getenv( "QGIS_AUTH_PASSWORD_FILE" );
  if ( p )
  {
    sPassFileEnv = qstrdup( p );
 
    // clear the env variable, so it can not be accessed from plugins, etc.
    // (note: stored QgsApplication::systemEnvVars() skips this env variable as well)
#ifdef Q_OS_WIN
    putenv( "QGIS_AUTH_PASSWORD_FILE" );
#else
    unsetenv( "QGIS_AUTH_PASSWORD_FILE" );
#endif
  }
#else
  Q_UNUSED( pluginPath )
  Q_UNUSED( authDatabasePath )
#endif
}
 
QString QgsAuthManager::generatePassword()
{
#ifdef HAVE_AUTH
  QRandomGenerator generator = QRandomGenerator::securelySeeded();
  QString pw;
  pw.resize( 32 );
  static const QString sPwChars = u"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_-{}[]"_s;
  for ( int i = 0; i < pw.size(); ++i )
  {
    pw[i] = sPwChars.at( generator.bounded( 0, sPwChars.length() ) );
  }
  return pw;
#else
  return QString();
#endif
}
 
bool QgsAuthManager::isDisabled() const
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  if ( mAuthDisabled )
  {
    QgsDebugError( u"Authentication system DISABLED: QCA's qca-ossl (OpenSSL) plugin is missing"_s );
  }
  return mAuthDisabled;
#else
  return false;
#endif
}
 
const QString QgsAuthManager::disabledMessage() const
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  return tr( "Authentication system is DISABLED:\n%1" ).arg( mAuthDisabledMessage );
#else
  return QString();
#endif
}
 
bool QgsAuthManager::createAndStoreRandomMasterPasswordInKeyChain()
{
#ifdef HAVE_AUTH
  QMutexLocker locker( mMasterPasswordMutex.get() );
  if ( isDisabled() )
    return false;
 
  if ( mScheduledDbErase )
    return false;
 
  if ( !passwordHelperEnabled() )
    return false;
 
  if ( !mMasterPass.isEmpty() )
  {
    QgsDebugError( u"Master password is already set!"_s );
    return false;
  }
 
  const QString newPassword = generatePassword();
  if ( passwordHelperWrite( newPassword ) )
  {
    mMasterPass = newPassword;
  }
  else
  {
    emit passwordHelperMessageLog( tr( "Master password could not be written to the %1" ).arg( passwordHelperDisplayName() ), authManTag(), Qgis::MessageLevel::Warning );
    return false;
  }
 
  if ( !verifyMasterPassword() )
  {
    emit passwordHelperMessageLog( tr( "Master password was written to the %1 but could not be verified" ).arg( passwordHelperDisplayName() ), authManTag(), Qgis::MessageLevel::Warning );
    return false;
  }
 
  QgsDebugMsgLevel( u"Master password is set and verified"_s, 2 );
  settingsUsingGeneratedRandomPassword->setValue( true );
  return true;
#else
  return false;
#endif
}
 
 
QString QgsAuthManager::sqliteDatabasePath() const
{
#ifdef HAVE_AUTH
  if ( !QgsAuthManager::isFilesystemBasedDatabase( mAuthDatabaseConnectionUri ) )
  {
    return QString();
  }
 
  // Remove the driver:// prefix if present
  QString path = mAuthDatabaseConnectionUri;
  if ( path.startsWith( u"QSQLITE://"_s, Qt::CaseSensitivity::CaseInsensitive ) )
  {
    path = path.mid( 10 );
  }
  else if ( path.startsWith( u"QSPATIALITE://"_s, Qt::CaseSensitivity::CaseInsensitive ) )
  {
    path = path.mid( 14 );
  }
 
  return QDir::cleanPath( path );
#else
  return QString();
#endif
}
 
const QString QgsAuthManager::authenticationDatabasePath() const
{
#ifdef HAVE_AUTH
  return sqliteDatabasePath();
#else
  return QString();
#endif
}
 
bool QgsAuthManager::setMasterPassword( bool verify )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMasterPasswordMutex.get() );
  if ( isDisabled() )
    return false;
 
  if ( mScheduledDbErase )
    return false;
 
  if ( mMasterPass.isEmpty() )
  {
    QgsDebugMsgLevel( u"Master password is not yet set by user"_s, 2 );
    if ( !masterPasswordInput() )
    {
      QgsDebugMsgLevel( u"Master password input canceled by user"_s, 2 );
      return false;
    }
  }
  else
  {
    QgsDebugMsgLevel( u"Master password is set"_s, 2 );
    if ( !verify )
      return true;
  }
 
  if ( !verifyMasterPassword() )
    return false;
 
  QgsDebugMsgLevel( u"Master password is set and verified"_s, 2 );
  return true;
#else
  Q_UNUSED( verify )
  return false;
#endif
}
 
bool QgsAuthManager::setMasterPassword( const QString &pass, bool verify )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  if ( isDisabled() )
    return false;
 
  if ( mScheduledDbErase )
    return false;
 
  // since this is generally for automation, we don't care if passed-in is same as existing
  QString prevpass = QString( mMasterPass );
  mMasterPass = pass;
  if ( verify && !verifyMasterPassword() )
  {
    mMasterPass = prevpass;
    const char *err = QT_TR_NOOP( "Master password set: FAILED to verify, reset to previous" );
    QgsDebugError( err );
    emit messageLog( tr( err ), authManTag(), Qgis::MessageLevel::Warning );
    return false;
  }
 
  QgsDebugMsgLevel( u"Master password set: SUCCESS%1"_s.arg( verify ? " and verified" : "" ), 2 );
  return true;
#else
  Q_UNUSED( pass )
  Q_UNUSED( verify )
  return false;
#endif
}
 
bool QgsAuthManager::verifyMasterPassword( const QString &compare )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  if ( isDisabled() )
    return false;
 
  int rows = 0;
  if ( !masterPasswordRowsInDb( rows ) )
  {
    const char *err = QT_TR_NOOP( "Master password: FAILED to access database" );
    QgsDebugError( err );
    emit messageLog( tr( err ), authManTag(), Qgis::MessageLevel::Critical );
 
    clearMasterPassword();
    return false;
  }
 
  QgsDebugMsgLevel( u"Master password: %1 rows in database"_s.arg( rows ), 2 );
 
  if ( rows > 1 )
  {
    const char *err = QT_TR_NOOP( "Master password: FAILED to find just one master password record in database" );
    QgsDebugError( err );
    emit messageLog( tr( err ), authManTag(), Qgis::MessageLevel::Warning );
 
    clearMasterPassword();
    return false;
  }
  else if ( rows == 1 )
  {
    if ( !masterPasswordCheckAgainstDb( compare ) )
    {
      if ( compare.isNull() ) // don't complain when comparing, since it could be an incomplete comparison string
      {
        const char *err = QT_TR_NOOP( "Master password: FAILED to verify against hash in database" );
        QgsDebugError( err );
        emit messageLog( tr( err ), authManTag(), Qgis::MessageLevel::Warning );
 
        clearMasterPassword();
 
        emit masterPasswordVerified( false );
      }
      ++mPassTries;
      if ( mPassTries >= 5 )
      {
        mAuthDisabled = true;
        const char *err = QT_TR_NOOP( "Master password: failed 5 times authentication system DISABLED" );
        QgsDebugError( err );
        emit messageLog( tr( err ), authManTag(), Qgis::MessageLevel::Warning );
      }
      return false;
    }
    else
    {
      QgsDebugMsgLevel( u"Master password: verified against hash in database"_s, 2 );
      if ( compare.isNull() )
        emit masterPasswordVerified( true );
    }
  }
  else if ( compare.isNull() ) // compares should never be stored
  {
    if ( !masterPasswordStoreInDb() )
    {
      const char *err = QT_TR_NOOP( "Master password: hash FAILED to be stored in database" );
      QgsDebugError( err );
      emit messageLog( tr( err ), authManTag(), Qgis::MessageLevel::Critical );
 
      clearMasterPassword();
      return false;
    }
    else
    {
      QgsDebugMsgLevel( u"Master password: hash stored in database"_s, 2 );
    }
    // double-check storing
    if ( !masterPasswordCheckAgainstDb() )
    {
      const char *err = QT_TR_NOOP( "Master password: FAILED to verify against hash in database" );
      QgsDebugError( err );
      emit messageLog( tr( err ), authManTag(), Qgis::MessageLevel::Warning );
 
      clearMasterPassword();
      emit masterPasswordVerified( false );
      return false;
    }
    else
    {
      QgsDebugMsgLevel( u"Master password: verified against hash in database"_s, 2 );
      emit masterPasswordVerified( true );
    }
  }
 
  return true;
#else
  Q_UNUSED( compare )
  return false;
#endif
}
 
bool QgsAuthManager::masterPasswordIsSet() const
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  return !mMasterPass.isEmpty();
#else
  return false;
#endif
}
 
bool QgsAuthManager::masterPasswordSame( const QString &pass ) const
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  return mMasterPass == pass;
#else
  Q_UNUSED( pass )
  return false;
#endif
}
 
bool QgsAuthManager::resetMasterPassword( const QString &newpass, const QString &oldpass,
    bool keepbackup, QString *backuppath )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  if ( isDisabled() )
    return false;
 
  // verify caller knows the current master password
  // this means that the user will have had to already set the master password as well
  if ( !masterPasswordSame( oldpass ) )
    return false;
 
  QString dbbackup;
  if ( !backupAuthenticationDatabase( &dbbackup ) )
    return false;
 
  QgsDebugMsgLevel( u"Master password reset: backed up current database"_s, 2 );
 
  // store current password and civ
  QString prevpass = QString( mMasterPass );
  QString prevciv = QString( masterPasswordCiv() );
 
  // on ANY FAILURE from this point, reinstate previous password and database
  bool ok = true;
 
  // clear password hash table (also clears mMasterPass)
  if ( ok && !masterPasswordClearDb() )
  {
    ok = false;
    const char *err = QT_TR_NOOP( "Master password reset FAILED: could not clear current password from database" );
    QgsDebugError( err );
    emit messageLog( tr( err ), authManTag(), Qgis::MessageLevel::Warning );
  }
  if ( ok )
  {
    QgsDebugMsgLevel( u"Master password reset: cleared current password from database"_s, 2 );
  }
 
  // mMasterPass empty, set new password (don't verify, since not stored yet)
  setMasterPassword( newpass, false );
 
  // store new password hash
  if ( ok && !masterPasswordStoreInDb() )
  {
    ok = false;
    const char *err = QT_TR_NOOP( "Master password reset FAILED: could not store new password in database" );
    QgsDebugError( err );
    emit messageLog( tr( err ), authManTag(), Qgis::MessageLevel::Warning );
  }
  if ( ok )
  {
    QgsDebugMsgLevel( u"Master password reset: stored new password in database"_s, 2 );
  }
 
  // verify it stored password properly
  if ( ok && !verifyMasterPassword() )
  {
    ok = false;
    const char *err = QT_TR_NOOP( "Master password reset FAILED: could not verify new password in database" );
    QgsDebugError( err );
    emit messageLog( tr( err ), authManTag(), Qgis::MessageLevel::Warning );
  }
 
  // re-encrypt everything with new password
  if ( ok && !reencryptAllAuthenticationConfigs( prevpass, prevciv ) )
  {
    ok = false;
    const char *err = QT_TR_NOOP( "Master password reset FAILED: could not re-encrypt configs in database" );
    QgsDebugError( err );
    emit messageLog( tr( err ), authManTag(), Qgis::MessageLevel::Warning );
  }
  if ( ok )
  {
    QgsDebugMsgLevel( u"Master password reset: re-encrypted configs in database"_s, 2 );
  }
 
  // verify it all worked
  if ( ok && !verifyPasswordCanDecryptConfigs() )
  {
    ok = false;
    const char *err = QT_TR_NOOP( "Master password reset FAILED: could not verify password can decrypt re-encrypted configs" );
    QgsDebugError( err );
    emit messageLog( tr( err ), authManTag(), Qgis::MessageLevel::Warning );
  }
 
  if ( ok && !reencryptAllAuthenticationSettings( prevpass, prevciv ) )
  {
    ok = false;
    const char *err = QT_TR_NOOP( "Master password reset FAILED: could not re-encrypt settings in database" );
    QgsDebugError( err );
    emit messageLog( tr( err ), authManTag(), Qgis::MessageLevel::Warning );
  }
 
  if ( ok && !reencryptAllAuthenticationIdentities( prevpass, prevciv ) )
  {
    ok = false;
    const char *err = QT_TR_NOOP( "Master password reset FAILED: could not re-encrypt identities in database" );
    QgsDebugError( err );
    emit messageLog( tr( err ), authManTag(), Qgis::MessageLevel::Warning );
  }
 
  if ( qgetenv( "QGIS_CONTINUOUS_INTEGRATION_RUN" ) != u"true"_s && passwordHelperEnabled() && !passwordHelperSync() )
  {
    ok = false;
    const QString err = tr( "Master password reset FAILED: could not sync password helper: %1" ).arg( passwordHelperErrorMessage() );
    QgsDebugError( err );
    emit messageLog( err, authManTag(), Qgis::MessageLevel::Warning );
  }
 
  // something went wrong, reinstate previous password and database
  if ( !ok )
  {
    // backup database of failed attempt, for inspection
    QString errdbbackup( dbbackup );
    errdbbackup.replace( ".db"_L1, "_ERROR.db"_L1 );
    QFile::rename( sqliteDatabasePath(), errdbbackup );
    QgsDebugError( u"Master password reset FAILED: backed up failed db at %1"_s.arg( errdbbackup ) );
    // reinstate previous database and password
    QFile::rename( dbbackup, sqliteDatabasePath() );
    mMasterPass = prevpass;
    QgsDebugError( u"Master password reset FAILED: reinstated previous password and database"_s );
 
    // assign error db backup
    if ( backuppath )
      *backuppath = errdbbackup;
 
    return false;
  }
 
  if ( !keepbackup && !QFile::remove( dbbackup ) )
  {
    const char *err = QT_TR_NOOP( "Master password reset: could not remove old database backup" );
    QgsDebugError( err );
    emit messageLog( tr( err ), authManTag(), Qgis::MessageLevel::Warning );
    // a non-blocking error, continue
  }
 
  if ( keepbackup )
  {
    QgsDebugMsgLevel( u"Master password reset: backed up previous db at %1"_s.arg( dbbackup ), 2 );
    if ( backuppath )
      *backuppath = dbbackup;
  }
 
  settingsUsingGeneratedRandomPassword->setValue( false );
 
  QgsDebugMsgLevel( u"Master password reset: SUCCESS"_s, 2 );
  emit authDatabaseChanged();
  return true;
#else
  Q_UNUSED( newpass )
  Q_UNUSED( oldpass )
  Q_UNUSED( keepbackup )
  Q_UNUSED( backuppath )
  return false;
#endif
}
 
bool QgsAuthManager::resetMasterPasswordUsingStoredPasswordHelper( const QString &newPassword, bool keepBackup, QString *backupPath )
{
#ifdef HAVE_AUTH
  if ( !verifyStoredPasswordHelperPassword() )
  {
    emit passwordHelperMessageLog( tr( "Master password stored in your %1 is not valid" ).arg( passwordHelperDisplayName() ), authManTag(), Qgis::MessageLevel::Warning );
    return false;
  }
 
  bool readOk = false;
  const QString existingPassword = passwordHelperRead( readOk );
  if ( !readOk )
  {
    emit passwordHelperMessageLog( tr( "Master password could not be read from the %1" ).arg( passwordHelperDisplayName() ), authManTag(), Qgis::MessageLevel::Warning );
    return false;
  }
 
  return resetMasterPassword( newPassword, existingPassword, keepBackup, backupPath );
#else
  Q_UNUSED( newPassword )
  Q_UNUSED( keepBackup )
  Q_UNUSED( backupPath )
  return false;
#endif
}
 
void QgsAuthManager::setScheduledAuthDatabaseErase( bool scheduleErase )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  mScheduledDbErase = scheduleErase;
  // any call (start or stop) should reset these
  mScheduledDbEraseRequestEmitted = false;
  mScheduledDbEraseRequestCount = 0;
 
  if ( scheduleErase )
  {
    if ( !mScheduledDbEraseTimer )
    {
      mScheduledDbEraseTimer = std::make_unique<QTimer>( this );
      connect( mScheduledDbEraseTimer.get(), &QTimer::timeout, this, &QgsAuthManager::tryToStartDbErase );
      mScheduledDbEraseTimer->start( mScheduledDbEraseRequestWait * 1000 );
    }
    else if ( !mScheduledDbEraseTimer->isActive() )
    {
      mScheduledDbEraseTimer->start();
    }
  }
  else
  {
    if ( mScheduledDbEraseTimer && mScheduledDbEraseTimer->isActive() )
      mScheduledDbEraseTimer->stop();
  }
#else
  Q_UNUSED( scheduleErase )
#endif
}
 
bool QgsAuthManager::registerCoreAuthMethods()
{
#ifdef HAVE_AUTH
  if ( isDisabled() )
    return false;
 
  qDeleteAll( mAuthMethods );
  mAuthMethods.clear();
  const QStringList methods = QgsAuthMethodRegistry::instance()->authMethodList();
  for ( const auto &authMethodKey : methods )
  {
    mAuthMethods.insert( authMethodKey, QgsAuthMethodRegistry::instance()->createAuthMethod( authMethodKey ) );
  }
 
  return !mAuthMethods.isEmpty();
#else
  return false;
#endif
}
 
const QString QgsAuthManager::uniqueConfigId() const
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QStringList configids = configIds();
  QString id;
  int len = 7;
 
  // Suppress warning: Potential leak of memory in qtimer.h [clang-analyzer-cplusplus.NewDeleteLeaks]
#ifndef __clang_analyzer__
  // sleep just a bit to make sure the current time has changed
  QEventLoop loop;
  QTimer::singleShot( 3, &loop, &QEventLoop::quit );
  loop.exec();
#endif
 
  while ( true )
  {
    id.clear();
    for ( int i = 0; i < len; i++ )
    {
      switch ( QRandomGenerator::system()->generate() % 2 )
      {
        case 0:
          id += static_cast<char>( '0' + QRandomGenerator::system()->generate() % 10 );
          break;
        case 1:
          id += static_cast<char>( 'a' + QRandomGenerator::system()->generate() % 26 );
          break;
      }
    }
    if ( !configids.contains( id ) )
    {
      break;
    }
  }
  QgsDebugMsgLevel( u"Generated unique ID: %1"_s.arg( id ), 2 );
  return id;
#else
  return QString();
#endif
}
 
bool QgsAuthManager::configIdUnique( const QString &id ) const
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  if ( isDisabled() )
    return false;
 
  if ( id.isEmpty() )
  {
    const char *err = QT_TR_NOOP( "Config ID is empty" );
    QgsDebugError( err );
    emit messageLog( tr( err ), authManTag(), Qgis::MessageLevel::Warning );
    return false;
  }
  QStringList configids = configIds();
  return !configids.contains( id );
#else
  Q_UNUSED( id )
  return false;
#endif
}
 
bool QgsAuthManager::hasConfigId( const QString &txt )
{
#ifdef HAVE_AUTH
  const thread_local QRegularExpression authCfgRegExp( AUTH_CFG_REGEX );
  return txt.indexOf( authCfgRegExp ) != -1;
#else
  Q_UNUSED( txt )
  return false;
#endif
}
 
QgsAuthMethodConfigsMap QgsAuthManager::availableAuthMethodConfigs( const QString &dataprovider )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  QStringList providerAuthMethodsKeys;
  if ( !dataprovider.isEmpty() )
  {
    providerAuthMethodsKeys = authMethodsKeys( dataprovider.toLower() );
  }
 
  QgsAuthMethodConfigsMap baseConfigs;
 
  if ( isDisabled() )
    return baseConfigs;
 
  // Loop through all storages with capability ReadConfiguration and get the auth methods
  const QList<QgsAuthConfigurationStorage *> storages { authConfigurationStorageRegistry()->readyStoragesWithCapability( Qgis::AuthConfigurationStorageCapability::ReadConfiguration ) };
  for ( QgsAuthConfigurationStorage *storage : std::as_const( storages ) )
  {
    QgsAuthMethodConfigsMap configs = storage->authMethodConfigs();
    for ( const QgsAuthMethodConfig &config : std::as_const( configs ) )
    {
      if ( providerAuthMethodsKeys.isEmpty() || providerAuthMethodsKeys.contains( config.method() ) )
      {
        // Check if the config with that id is already in the list and warn if it is
        if ( baseConfigs.contains( config.id() ) )
        {
          // This may not be an error, since the same config may be stored in multiple storages.
          emit messageLog( tr( "A config with same id %1 was already added, skipping from %2" ).arg( config.id(), storage->name() ), authManTag(), Qgis::MessageLevel::Warning );
        }
        else
        {
          baseConfigs.insert( config.id(), config );
        }
      }
    }
  }
 
  if ( storages.empty() )
  {
    emit messageLog( tr( "Could not connect to any credentials storage." ), authManTag(), Qgis::MessageLevel::Critical );
    QgsDebugError( u"No credentials storages found"_s );
  }
 
  return baseConfigs;
 
#else
  Q_UNUSED( dataprovider )
  return QgsAuthMethodConfigsMap();
#endif
}
 
void QgsAuthManager::updateConfigAuthMethods()
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  // Loop through all registered storages and get the auth methods
  const QList<QgsAuthConfigurationStorage *> storages { authConfigurationStorageRegistry()->readyStoragesWithCapability( Qgis::AuthConfigurationStorageCapability::ReadConfiguration ) };
  QStringList configIds;
  for ( QgsAuthConfigurationStorage *storage : std::as_const( storages ) )
  {
    const QgsAuthMethodConfigsMap configs = storage->authMethodConfigs();
    for ( const QgsAuthMethodConfig &config : std::as_const( configs ) )
    {
      if ( ! configIds.contains( config.id() ) )
      {
        mConfigAuthMethods.insert( config.id(), config.method() );
        QgsDebugMsgLevel( u"Stored auth config/methods:\n%1 %2"_s.arg( config.id(), config.method() ), 2 );
      }
      else
      {
        // This may not be an error, since the same config may be stored in multiple storages.
        // A warning is issued when creating the list initially from availableAuthMethodConfigs()
        QgsDebugMsgLevel( u"A config with same id %1 was already added, skipping from %2"_s.arg( config.id(), storage->name() ), 2 );
      }
    }
  }
#endif
}
 
QgsAuthMethod *QgsAuthManager::configAuthMethod( const QString &authcfg )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  if ( isDisabled() )
    return nullptr;
 
  if ( !mConfigAuthMethods.contains( authcfg ) )
  {
    QgsDebugError( u"No config auth method found in database for authcfg: %1"_s.arg( authcfg ) );
    return nullptr;
  }
 
  QString authMethodKey = mConfigAuthMethods.value( authcfg );
 
  return authMethod( authMethodKey );
#else
  Q_UNUSED( authcfg )
  return nullptr;
#endif
}
 
QString QgsAuthManager::configAuthMethodKey( const QString &authcfg ) const
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  if ( isDisabled() )
    return QString();
 
  return mConfigAuthMethods.value( authcfg, QString() );
#else
  Q_UNUSED( authcfg )
  return QString();
#endif
}
 
 
QStringList QgsAuthManager::authMethodsKeys( const QString &dataprovider )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  return authMethodsMap( dataprovider.toLower() ).keys();
#else
  Q_UNUSED( dataprovider )
  return QStringList();
#endif
}
 
QgsAuthMethod *QgsAuthManager::authMethod( const QString &authMethodKey )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  if ( !mAuthMethods.contains( authMethodKey ) )
  {
    QgsDebugError( u"No auth method registered for auth method key: %1"_s.arg( authMethodKey ) );
    return nullptr;
  }
 
  return mAuthMethods.value( authMethodKey );
#else
  Q_UNUSED( authMethodKey )
  return nullptr;
#endif
}
 
const QgsAuthMethodMetadata *QgsAuthManager::authMethodMetadata( const QString &authMethodKey )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  if ( !mAuthMethods.contains( authMethodKey ) )
  {
    QgsDebugError( u"No auth method registered for auth method key: %1"_s.arg( authMethodKey ) );
    return nullptr;
  }
 
  return QgsAuthMethodRegistry::instance()->authMethodMetadata( authMethodKey );
#else
  Q_UNUSED( authMethodKey )
  return nullptr;
#endif
}
 
 
QgsAuthMethodsMap QgsAuthManager::authMethodsMap( const QString &dataprovider )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  if ( dataprovider.isEmpty() )
  {
    return mAuthMethods;
  }
 
  QgsAuthMethodsMap filteredmap;
  QgsAuthMethodsMap::const_iterator i = mAuthMethods.constBegin();
  while ( i != mAuthMethods.constEnd() )
  {
    if ( i.value()
         && ( i.value()->supportedDataProviders().contains( u"all"_s )
              || i.value()->supportedDataProviders().contains( dataprovider ) ) )
    {
      filteredmap.insert( i.key(), i.value() );
    }
    ++i;
  }
  return filteredmap;
#else
  Q_UNUSED( dataprovider )
  return QgsAuthMethodsMap();
#endif
}
 
#ifdef HAVE_GUI
QWidget *QgsAuthManager::authMethodEditWidget( const QString &authMethodKey, QWidget *parent )
{
  ensureInitialized();
 
  QgsAuthMethod *method = authMethod( authMethodKey );
  if ( method )
    return method->editWidget( parent );
  else
    return nullptr;
}
#endif
 
QgsAuthMethod::Expansions QgsAuthManager::supportedAuthMethodExpansions( const QString &authcfg )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  if ( isDisabled() )
    return QgsAuthMethod::Expansions();
 
  QgsAuthMethod *authmethod = configAuthMethod( authcfg );
  if ( authmethod )
  {
    return authmethod->supportedExpansions();
  }
  return QgsAuthMethod::Expansions();
#else
  Q_UNUSED( authcfg )
 
  return QgsAuthMethod::Expansions();
#endif
}
 
bool QgsAuthManager::storeAuthenticationConfig( QgsAuthMethodConfig &config, bool overwrite )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  if ( !setMasterPassword( true ) )
    return false;
 
  // don't need to validate id, since it has not be defined yet
  if ( !config.isValid() )
  {
    const char *err = QT_TR_NOOP( "Store config: FAILED because config is invalid" );
    QgsDebugError( err );
    emit messageLog( tr( err ), authManTag(), Qgis::MessageLevel::Warning );
    return false;
  }
 
  QString uid = config.id();
  bool passedinID = !uid.isEmpty();
  if ( uid.isEmpty() )
  {
    uid = uniqueConfigId();
  }
  else if ( configIds().contains( uid ) )
  {
    if ( !overwrite )
    {
      const char *err = QT_TR_NOOP( "Store config: FAILED because pre-defined config ID %1 is not unique" );
      QgsDebugError( err );
      emit messageLog( tr( err ), authManTag(), Qgis::MessageLevel::Warning );
      return false;
    }
    locker.unlock();
    if ( ! removeAuthenticationConfig( uid ) )
    {
      const char *err = QT_TR_NOOP( "Store config: FAILED because pre-defined config ID %1 could not be removed" );
      QgsDebugError( err );
      emit messageLog( tr( err ), authManTag(), Qgis::MessageLevel::Warning );
      return false;
    }
    locker.relock();
  }
 
  QString configstring = config.configString();
  if ( configstring.isEmpty() )
  {
    const char *err = QT_TR_NOOP( "Store config: FAILED because config string is empty" );
    QgsDebugError( err );
    emit messageLog( tr( err ), authManTag(), Qgis::MessageLevel::Warning );
    return false;
  }
 
  if ( QgsAuthConfigurationStorage *defaultStorage = firstStorageWithCapability( Qgis::AuthConfigurationStorageCapability::CreateConfiguration ) )
  {
    if ( defaultStorage->isEncrypted() )
    {
      configstring = QgsAuthCrypto::encrypt( mMasterPass, masterPasswordCiv(), configstring );
    }
 
    // Make a copy to not alter the original config
    QgsAuthMethodConfig configCopy { config };
    configCopy.setId( uid );
    if ( !defaultStorage->storeMethodConfig( configCopy, configstring ) )
    {
      emit messageLog( tr( "Store config: FAILED to store config in default storage: %1" ).arg( defaultStorage->lastError() ), authManTag(), Qgis::MessageLevel::Warning );
      return false;
    }
  }
  else
  {
    emit messageLog( tr( "Could not connect to the default storage." ), authManTag(), Qgis::MessageLevel::Critical );
    return false;
  }
 
  // passed-in config should now be like as if it was just loaded from db
  if ( !passedinID )
    config.setId( uid );
 
  updateConfigAuthMethods();
 
  QgsDebugMsgLevel( u"Store config SUCCESS for authcfg: %1"_s.arg( uid ), 2 );
  return true;
#else
  Q_UNUSED( config )
  Q_UNUSED( overwrite )
  return false;
#endif
}
 
bool QgsAuthManager::updateAuthenticationConfig( const QgsAuthMethodConfig &config )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  if ( !setMasterPassword( true ) )
    return false;
 
  // validate id
  if ( !config.isValid( true ) )
  {
    const char *err = QT_TR_NOOP( "Update config: FAILED because config is invalid" );
    QgsDebugError( err );
    emit messageLog( tr( err ), authManTag(), Qgis::MessageLevel::Warning );
    return false;
  }
 
  QString configstring = config.configString();
  if ( configstring.isEmpty() )
  {
    const char *err = QT_TR_NOOP( "Update config: FAILED because config is empty" );
    QgsDebugError( err );
    emit messageLog( tr( err ), authManTag(), Qgis::MessageLevel::Warning );
    return false;
  }
 
  // Loop through all storages with capability ReadConfiguration and update the first one that has the config
  const QList<QgsAuthConfigurationStorage *> storages { authConfigurationStorageRegistry()->readyStoragesWithCapability( Qgis::AuthConfigurationStorageCapability::ReadConfiguration ) };
 
  for ( QgsAuthConfigurationStorage *storage : std::as_const( storages ) )
  {
    if ( storage->methodConfigExists( config.id() ) )
    {
      if ( !storage->capabilities().testFlag( Qgis::AuthConfigurationStorageCapability::UpdateConfiguration ) )
      {
        emit messageLog( tr( "Update config: FAILED because storage %1 does not support updating" ).arg( storage->name( ) ), authManTag(), Qgis::MessageLevel::Warning );
        return false;
      }
      if ( storage->isEncrypted() )
      {
        configstring = QgsAuthCrypto::encrypt( mMasterPass, masterPasswordCiv(), configstring );
      }
      if ( !storage->storeMethodConfig( config, configstring ) )
      {
        emit messageLog( tr( "Store config: FAILED to store config in the storage: %1" ).arg( storage->lastError() ), authManTag(), Qgis::MessageLevel::Critical );
        return false;
      }
      break;
    }
  }
 
  if ( storages.empty() )
  {
    emit messageLog( tr( "Could not connect to any credentials storage." ), authManTag(), Qgis::MessageLevel::Critical );
    return false;
  }
 
  // should come before updating auth methods, in case user switched auth methods in config
  clearCachedConfig( config.id() );
 
  updateConfigAuthMethods();
 
  QgsDebugMsgLevel( u"Update config SUCCESS for authcfg: %1"_s.arg( config.id() ), 2 );
 
  return true;
#else
  Q_UNUSED( config )
  return false;
#endif
}
 
bool QgsAuthManager::loadAuthenticationConfig( const QString &authcfg, QgsAuthMethodConfig &config, bool full )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  if ( isDisabled() )
    return false;
 
  if ( full && !setMasterPassword( true ) )
    return false;
 
  QMutexLocker locker( mMutex.get() );
 
  // Loop through all storages with capability ReadConfiguration and get the config from the first one that has the config
  const QList<QgsAuthConfigurationStorage *> storages { authConfigurationStorageRegistry()->readyStoragesWithCapability( Qgis::AuthConfigurationStorageCapability::ReadConfiguration ) };
 
  for ( QgsAuthConfigurationStorage *storage : std::as_const( storages ) )
  {
    if ( storage->methodConfigExists( authcfg ) )
    {
      QString payload;
      config = storage->loadMethodConfig( authcfg, payload, full );
 
      if ( ! config.isValid( true ) || ( full && payload.isEmpty() ) )
      {
        emit messageLog( tr( "Load config: FAILED to load config %1 from default storage: %2" ).arg( authcfg, storage->lastError() ), authManTag(), Qgis::MessageLevel::Critical );
        return false;
      }
 
      if ( full )
      {
        if ( storage->isEncrypted() )
        {
          payload = QgsAuthCrypto::decrypt( mMasterPass, masterPasswordCiv(), payload );
        }
        config.loadConfigString( payload );
      }
 
      QString authMethodKey = configAuthMethodKey( authcfg );
      QgsAuthMethod *authmethod = authMethod( authMethodKey );
      if ( authmethod )
      {
        authmethod->updateMethodConfig( config );
      }
      else
      {
        QgsDebugError( u"Update of authcfg %1 FAILED for auth method %2"_s.arg( authcfg, authMethodKey ) );
      }
 
      QgsDebugMsgLevel( u"Load %1 config SUCCESS for authcfg: %2"_s.arg( full ? "full" : "base", authcfg ), 2 );
      return true;
    }
  }
 
  if ( storages.empty() )
  {
    emit messageLog( tr( "Could not connect to any credentials storage." ), authManTag(), Qgis::MessageLevel::Critical );
  }
  else
  {
    emit messageLog( tr( "Load config: FAILED to load config %1 from any storage" ).arg( authcfg ), authManTag(), Qgis::MessageLevel::Critical );
  }
 
  return false;
#else
  Q_UNUSED( authcfg )
  Q_UNUSED( config )
  Q_UNUSED( full )
  return false;
#endif
}
 
bool QgsAuthManager::removeAuthenticationConfig( const QString &authcfg )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  if ( isDisabled() )
    return false;
 
  if ( authcfg.isEmpty() )
    return false;
 
  // Loop through all storages with capability DeleteConfiguration and delete the first one that has the config
  const QList<QgsAuthConfigurationStorage *> storages { authConfigurationStorageRegistry()->readyStoragesWithCapability( Qgis::AuthConfigurationStorageCapability::DeleteConfiguration ) };
 
  for ( QgsAuthConfigurationStorage *storage : std::as_const( storages ) )
  {
    if ( storage->methodConfigExists( authcfg ) )
    {
      if ( !storage->removeMethodConfig( authcfg ) )
      {
        emit messageLog( tr( "Remove config: FAILED to remove config from the storage: %1" ).arg( storage->lastError() ), authManTag(), Qgis::MessageLevel::Critical );
        return false;
      }
      else
      {
        clearCachedConfig( authcfg );
        updateConfigAuthMethods();
        QgsDebugMsgLevel( u"REMOVED config for authcfg: %1"_s.arg( authcfg ), 2 );
        return true;
      }
      break;
    }
  }
 
  if ( storages.empty() )
  {
    emit messageLog( tr( "Could not connect to any credentials storage." ), authManTag(), Qgis::MessageLevel::Critical );
  }
  else
  {
    emit messageLog( tr( "Remove config: FAILED to remove config %1 from any storage" ).arg( authcfg ), authManTag(), Qgis::MessageLevel::Critical );
  }
 
  return false;
 
#else
  Q_UNUSED( authcfg )
  return false;
#endif
}
 
bool QgsAuthManager::exportAuthenticationConfigsToXml( const QString &filename, const QStringList &authcfgs, const QString &password )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  if ( filename.isEmpty() )
    return false;
 
  QDomDocument document( u"qgis_authentication"_s );
  QDomElement root = document.createElement( u"qgis_authentication"_s );
  document.appendChild( root );
 
  QString civ;
  if ( !password.isEmpty() )
  {
    QString salt;
    QString hash;
    QgsAuthCrypto::passwordKeyHash( password, &salt, &hash, &civ );
    root.setAttribute( u"salt"_s, salt );
    root.setAttribute( u"hash"_s, hash );
    root.setAttribute( u"civ"_s, civ );
  }
 
  QDomElement configurations = document.createElement( u"configurations"_s );
  for ( const QString &authcfg : authcfgs )
  {
    QgsAuthMethodConfig authMethodConfig;
 
    bool ok = loadAuthenticationConfig( authcfg, authMethodConfig, true );
    if ( ok )
    {
      authMethodConfig.writeXml( configurations, document );
    }
  }
  if ( !password.isEmpty() )
  {
    QString configurationsString;
    QTextStream ts( &configurationsString );
    configurations.save( ts, 2 );
    root.appendChild( document.createTextNode( QgsAuthCrypto::encrypt( password, civ, configurationsString ) ) );
  }
  else
  {
    root.appendChild( configurations );
  }
 
  QFile file( filename );
  if ( !file.open( QFile::WriteOnly | QIODevice::Truncate ) )
    return false;
 
  QTextStream ts( &file );
#if QT_VERSION < QT_VERSION_CHECK(6, 0, 0)
  ts.setCodec( "UTF-8" );
#endif
  document.save( ts, 2 );
  file.close();
  return true;
#else
  Q_UNUSED( filename )
  Q_UNUSED( authcfgs )
  Q_UNUSED( password )
  return false;
#endif
}
 
bool QgsAuthManager::importAuthenticationConfigsFromXml( const QString &filename, const QString &password, bool overwrite )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QFile file( filename );
  if ( !file.open( QFile::ReadOnly ) )
  {
    return false;
  }
 
  QDomDocument document( u"qgis_authentication"_s );
  if ( !document.setContent( &file ) )
  {
    file.close();
    return false;
  }
  file.close();
 
  QDomElement root = document.documentElement();
  if ( root.tagName() != "qgis_authentication"_L1 )
  {
    return false;
  }
 
  QDomElement configurations;
  if ( root.hasAttribute( u"salt"_s ) )
  {
    QString salt = root.attribute( u"salt"_s );
    QString hash = root.attribute( u"hash"_s );
    QString civ = root.attribute( u"civ"_s );
    if ( !QgsAuthCrypto::verifyPasswordKeyHash( password, salt, hash ) )
      return false;
 
    document.setContent( QgsAuthCrypto::decrypt( password, civ, root.text() ) );
    configurations = document.firstChild().toElement();
  }
  else
  {
    configurations = root.firstChildElement( u"configurations"_s );
  }
 
  QDomElement configuration = configurations.firstChildElement();
  while ( !configuration.isNull() )
  {
    QgsAuthMethodConfig authMethodConfig;
    ( void )authMethodConfig.readXml( configuration );
    storeAuthenticationConfig( authMethodConfig, overwrite );
 
    configuration = configuration.nextSiblingElement();
  }
  return true;
#else
  Q_UNUSED( filename )
  Q_UNUSED( password )
  Q_UNUSED( overwrite )
  return false;
#endif
}
 
bool QgsAuthManager::removeAllAuthenticationConfigs()
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  if ( isDisabled() )
    return false;
 
  if ( QgsAuthConfigurationStorage *defaultStorage = firstStorageWithCapability( Qgis::AuthConfigurationStorageCapability::DeleteConfiguration ) )
  {
    if ( defaultStorage->clearMethodConfigs() )
    {
      clearAllCachedConfigs();
      updateConfigAuthMethods();
      QgsDebugMsgLevel( u"REMOVED all configs from the default storage"_s, 2 );
      return true;
    }
    else
    {
      QgsDebugMsgLevel( u"FAILED to remove all configs from the default storage"_s, 2 );
      return false;
    }
  }
  else
  {
    emit messageLog( tr( "Could not connect to the default storage." ), authManTag(), Qgis::MessageLevel::Critical );
    return false;
  }
#else
  return false;
#endif
}
 
 
bool QgsAuthManager::backupAuthenticationDatabase( QString *backuppath )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
 
  if ( sqliteDatabasePath().isEmpty() )
  {
    const char *err = QT_TR_NOOP( "The authentication storage is not filesystem-based" );
    QgsDebugError( err );
    emit messageLog( tr( err ), authManTag(), Qgis::MessageLevel::Warning );
    return false;
  }
 
  if ( !QFile::exists( sqliteDatabasePath() ) )
  {
    const char *err = QT_TR_NOOP( "No authentication database file found" );
    QgsDebugError( err );
    emit messageLog( tr( err ), authManTag(), Qgis::MessageLevel::Warning );
    return false;
  }
 
  // close any connection to current db
  Q_NOWARN_DEPRECATED_PUSH
  QSqlDatabase authConn = authDatabaseConnection();
  Q_NOWARN_DEPRECATED_POP
  if ( authConn.isValid() && authConn.isOpen() )
    authConn.close();
 
  // duplicate current db file to 'qgis-auth_YYYY-MM-DD-HHMMSS.db' backup
  QString datestamp( QDateTime::currentDateTime().toString( u"yyyy-MM-dd-hhmmss"_s ) );
  QString dbbackup( sqliteDatabasePath() );
  dbbackup.replace( ".db"_L1, u"_%1.db"_s.arg( datestamp ) );
 
  if ( !QFile::copy( sqliteDatabasePath(), dbbackup ) )
  {
    const char *err = QT_TR_NOOP( "Could not back up authentication database" );
    QgsDebugError( err );
    emit messageLog( tr( err ), authManTag(), Qgis::MessageLevel::Warning );
    return false;
  }
 
  if ( backuppath )
    *backuppath = dbbackup;
 
  QgsDebugMsgLevel( u"Backed up auth database at %1"_s.arg( dbbackup ), 2 );
  return true;
#else
  Q_UNUSED( backuppath )
  return false;
#endif
}
 
bool QgsAuthManager::eraseAuthenticationDatabase( bool backup, QString *backuppath )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  if ( isDisabled() )
    return false;
 
  QString dbbackup;
  if ( backup && !backupAuthenticationDatabase( &dbbackup ) )
  {
    emit messageLog( tr( "Failed to backup authentication database" ), authManTag(), Qgis::MessageLevel::Warning );
    return false;
  }
 
  if ( backuppath && !dbbackup.isEmpty() )
    *backuppath = dbbackup;
 
  if ( QgsAuthConfigurationStorage *defaultStorage = firstStorageWithCapability( Qgis::AuthConfigurationStorageCapability::ClearStorage ) )
  {
    if ( defaultStorage->erase() )
    {
      mMasterPass = QString();
      clearAllCachedConfigs();
      updateConfigAuthMethods();
      QgsDebugMsgLevel( u"ERASED all configs"_s, 2 );
      return true;
    }
    else
    {
      QgsDebugMsgLevel( u"FAILED to erase all configs"_s, 2 );
      return false;
    }
  }
  else
  {
    emit messageLog( tr( "Could not connect to the default storage." ), authManTag(), Qgis::MessageLevel::Critical );
    return false;
  }
 
#ifndef QT_NO_SSL
  initSslCaches();
#endif
 
  emit authDatabaseChanged();
 
  return true;
#else
  Q_UNUSED( backup )
  Q_UNUSED( backuppath )
  return false;
#endif
}
 
bool QgsAuthManager::updateNetworkRequest( QNetworkRequest &request, const QString &authcfg,
    const QString &dataprovider )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  if ( isDisabled() )
    return false;
 
  QgsAuthMethod *authmethod = configAuthMethod( authcfg );
  if ( authmethod )
  {
    if ( !( authmethod->supportedExpansions() & QgsAuthMethod::NetworkRequest ) )
    {
      QgsDebugError( u"Network request updating not supported by authcfg: %1"_s.arg( authcfg ) );
      return true;
    }
 
    if ( !authmethod->updateNetworkRequest( request, authcfg, dataprovider.toLower() ) )
    {
      authmethod->clearCachedConfig( authcfg );
      return false;
    }
    return true;
  }
  return false;
#else
  Q_UNUSED( request )
  Q_UNUSED( authcfg )
  Q_UNUSED( dataprovider )
  return false;
#endif
}
 
bool QgsAuthManager::updateNetworkReply( QNetworkReply *reply, const QString &authcfg,
    const QString &dataprovider )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  if ( isDisabled() )
    return false;
 
  QgsAuthMethod *authmethod = configAuthMethod( authcfg );
  if ( authmethod )
  {
    if ( !( authmethod->supportedExpansions() & QgsAuthMethod::NetworkReply ) )
    {
      QgsDebugMsgLevel( u"Network reply updating not supported by authcfg: %1"_s.arg( authcfg ), 3 );
      return true;
    }
 
    if ( !authmethod->updateNetworkReply( reply, authcfg, dataprovider.toLower() ) )
    {
      authmethod->clearCachedConfig( authcfg );
      return false;
    }
    return true;
  }
 
  return false;
#else
  Q_UNUSED( reply )
  Q_UNUSED( authcfg )
  Q_UNUSED( dataprovider )
  return false;
#endif
}
 
bool QgsAuthManager::updateDataSourceUriItems( QStringList &connectionItems, const QString &authcfg,
    const QString &dataprovider )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  if ( isDisabled() )
    return false;
 
  QgsAuthMethod *authmethod = configAuthMethod( authcfg );
  if ( authmethod )
  {
    if ( !( authmethod->supportedExpansions() & QgsAuthMethod::DataSourceUri ) )
    {
      QgsDebugError( u"Data source URI updating not supported by authcfg: %1"_s.arg( authcfg ) );
      return true;
    }
 
    if ( !authmethod->updateDataSourceUriItems( connectionItems, authcfg, dataprovider.toLower() ) )
    {
      authmethod->clearCachedConfig( authcfg );
      return false;
    }
    return true;
  }
 
  return false;
#else
  Q_UNUSED( connectionItems )
  Q_UNUSED( authcfg )
  Q_UNUSED( dataprovider )
  return false;
#endif
}
 
bool QgsAuthManager::updateNetworkProxy( QNetworkProxy &proxy, const QString &authcfg, const QString &dataprovider )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  if ( isDisabled() )
    return false;
 
  QgsAuthMethod *authmethod = configAuthMethod( authcfg );
  if ( authmethod )
  {
    if ( !( authmethod->supportedExpansions() & QgsAuthMethod::NetworkProxy ) )
    {
      QgsDebugError( u"Proxy updating not supported by authcfg: %1"_s.arg( authcfg ) );
      return true;
    }
 
    if ( !authmethod->updateNetworkProxy( proxy, authcfg, dataprovider.toLower() ) )
    {
      authmethod->clearCachedConfig( authcfg );
      return false;
    }
    QgsDebugMsgLevel( u"Proxy updated successfully from authcfg: %1"_s.arg( authcfg ), 2 );
    return true;
  }
 
  return false;
#else
  Q_UNUSED( proxy )
  Q_UNUSED( authcfg )
  Q_UNUSED( dataprovider )
  return false;
#endif
}
 
bool QgsAuthManager::storeAuthSetting( const QString &key, const QVariant &value, bool encrypt )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  if ( key.isEmpty() )
    return false;
 
  QString storeval( value.toString() );
  if ( encrypt )
  {
    if ( !setMasterPassword( true ) )
    {
      return false;
    }
    else
    {
      storeval = QgsAuthCrypto::encrypt( mMasterPass, masterPasswordCiv(), value.toString() );
    }
  }
 
  if ( existsAuthSetting( key ) && ! removeAuthSetting( key ) )
  {
    emit messageLog( tr( "Store setting: FAILED to remove pre-existing setting %1" ).arg( key ), authManTag(), Qgis::MessageLevel::Warning );
    return false;
  }
 
  // Set the setting in the first storage that has the capability to store it
 
  if ( QgsAuthConfigurationStorage *defaultStorage = firstStorageWithCapability( Qgis::AuthConfigurationStorageCapability::CreateSetting ) )
  {
    if ( !defaultStorage->storeAuthSetting( key, storeval ) )
    {
      emit messageLog( tr( "Store setting: FAILED to store setting in default storage" ), authManTag(), Qgis::MessageLevel::Warning );
      return false;
    }
    return true;
  }
  else
  {
    emit messageLog( tr( "Could not connect to the default storage." ), authManTag(), Qgis::MessageLevel::Critical );
    return false;
  }
#else
  Q_UNUSED( key )
  Q_UNUSED( value )
  Q_UNUSED( encrypt )
  return false;
#endif
}
 
QVariant QgsAuthManager::authSetting( const QString &key, const QVariant &defaultValue, bool decrypt )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  if ( key.isEmpty() )
    return QVariant();
 
  if ( decrypt && !setMasterPassword( true ) )
    return QVariant();
 
  QVariant value = defaultValue;
 
  // Loop through all storages with capability ReadSetting and get the setting from the first one that has the setting
  const QList<QgsAuthConfigurationStorage *> storages { authConfigurationStorageRegistry()->readyStoragesWithCapability( Qgis::AuthConfigurationStorageCapability::ReadSetting ) };
 
  for ( QgsAuthConfigurationStorage *storage : std::as_const( storages ) )
  {
    QString storeval = storage->loadAuthSetting( key );
    if ( !storeval.isEmpty() )
    {
      if ( decrypt )
      {
        storeval = QgsAuthCrypto::decrypt( mMasterPass, masterPasswordCiv(), storeval );
      }
      value = storeval;
      break;
    }
  }
 
  if ( storages.empty() )
  {
    emit messageLog( tr( "Could not connect to any credentials storage." ), authManTag(), Qgis::MessageLevel::Critical );
  }
 
  return value;
#else
  Q_UNUSED( key )
  Q_UNUSED( defaultValue )
  Q_UNUSED( decrypt )
  return QVariant();
#endif
}
 
bool QgsAuthManager::existsAuthSetting( const QString &key )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  if ( key.isEmpty() )
    return false;
 
  // Loop through all storages with capability ReadSetting and get the setting from the first one that has the setting
  const QList<QgsAuthConfigurationStorage *> storages { authConfigurationStorageRegistry()->readyStoragesWithCapability( Qgis::AuthConfigurationStorageCapability::ReadSetting ) };
 
  for ( QgsAuthConfigurationStorage *storage : std::as_const( storages ) )
  {
 
    if ( storage->authSettingExists( key ) )
    { return true; }
 
  }
 
  if ( storages.empty() )
  {
    emit messageLog( tr( "Could not connect to any credentials storage." ), authManTag(), Qgis::MessageLevel::Critical );
  }
 
  return false;
#else
  Q_UNUSED( key )
  return false;
#endif
}
 
bool QgsAuthManager::removeAuthSetting( const QString &key )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  if ( key.isEmpty() )
    return false;
 
  // Loop through all storages with capability ReadSetting and delete from the first one that has the setting, fail if it has no capability
  const QList<QgsAuthConfigurationStorage *> storages { authConfigurationStorageRegistry()->readyStoragesWithCapability( Qgis::AuthConfigurationStorageCapability::ReadSetting ) };
 
  for ( QgsAuthConfigurationStorage *storage : std::as_const( storages ) )
  {
    if ( storage->authSettingExists( key ) )
    {
      if ( storage->capabilities().testFlag( Qgis::AuthConfigurationStorageCapability::DeleteSetting ) )
      {
        if ( !storage->removeAuthSetting( key ) )
        {
          emit messageLog( tr( "Remove setting: FAILED to remove setting from storage: %1" ).arg( storage->lastError() ), authManTag(), Qgis::MessageLevel::Warning );
          return false;
        }
        return true;
      }
      else
      {
        emit messageLog( tr( "Remove setting: FAILED to remove setting from storage %1: storage is read only" ).arg( storage->name() ), authManTag(), Qgis::MessageLevel::Warning );
        return false;
      }
    }
  }
 
  if ( storages.empty() )
  {
    emit messageLog( tr( "Could not connect to the default storage." ), authManTag(), Qgis::MessageLevel::Critical );
  }
  return false;
#else
  Q_UNUSED( key )
  return false;
#endif
}
 
#ifndef QT_NO_SSL

 
bool QgsAuthManager::initSslCaches()
{
#ifdef HAVE_AUTH
  QgsScopedRuntimeProfile profile( "Initialize SSL cache" );
 
  QMutexLocker locker( mMutex.get() );
  bool res = true;
  res = res && rebuildCaCertsCache();
  res = res && rebuildCertTrustCache();
  res = res && rebuildTrustedCaCertsCache();
  res = res && rebuildIgnoredSslErrorCache();
  mCustomConfigByHostCache.clear();
  mHasCheckedIfCustomConfigByHostExists = false;
 
  if ( !res )
    QgsDebugError( u"Init of SSL caches FAILED"_s );
  return res;
#else
  return false;
#endif
}
 
bool QgsAuthManager::storeCertIdentity( const QSslCertificate &cert, const QSslKey &key )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  if ( cert.isNull() )
  {
    QgsDebugError( u"Passed certificate is null"_s );
    return false;
  }
  if ( key.isNull() )
  {
    QgsDebugError( u"Passed private key is null"_s );
    return false;
  }
 
  if ( !setMasterPassword( true ) )
    return false;
 
  QString id( QgsAuthCertUtils::shaHexForCert( cert ) );
 
 
  if ( existsCertIdentity( id ) && ! removeCertIdentity( id ) )
  {
    QgsDebugError( u"Store certificate identity: FAILED to remove pre-existing certificate identity %1"_s.arg( id ) );
    return false;
  }
 
  QString keypem( QgsAuthCrypto::encrypt( mMasterPass, masterPasswordCiv(), key.toPem() ) );
 
  if ( QgsAuthConfigurationStorage *defaultStorage = firstStorageWithCapability( Qgis::AuthConfigurationStorageCapability::CreateCertificateIdentity ) )
  {
    if ( !defaultStorage->storeCertIdentity( cert, keypem ) )
    {
      emit messageLog( tr( "Store certificate identity: FAILED to store certificate identity in default storage" ), authManTag(), Qgis::MessageLevel::Warning );
      return false;
    }
    return true;
  }
  else
  {
    emit messageLog( tr( "Could not connect to the default storage." ), authManTag(), Qgis::MessageLevel::Critical );
    return false;
  }
#else
  Q_UNUSED( cert )
  Q_UNUSED( key )
  return false;
#endif
}
 
const QSslCertificate QgsAuthManager::certIdentity( const QString &id )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
 
  QSslCertificate cert;
 
  if ( id.isEmpty() )
    return cert;
 
  // Loop through all storages with capability ReadCertificateIdentity and get the certificate from the first one that has the certificate
  const QList<QgsAuthConfigurationStorage *> storages { authConfigurationStorageRegistry()->readyStoragesWithCapability( Qgis::AuthConfigurationStorageCapability::ReadCertificateIdentity ) };
 
  for ( QgsAuthConfigurationStorage *storage : std::as_const( storages ) )
  {
    cert = storage->loadCertIdentity( id );
    if ( !cert.isNull() )
    {
      return cert;
    }
  }
 
  if ( storages.empty() )
  {
    emit messageLog( tr( "Could not connect to any credentials storage." ), authManTag(), Qgis::MessageLevel::Critical );
  }
 
  return cert;
#else
  Q_UNUSED( id )
  return QSslCertificate();
#endif
}
 
const QPair<QSslCertificate, QSslKey> QgsAuthManager::certIdentityBundle( const QString &id )
{
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  QPair<QSslCertificate, QSslKey> bundle;
  if ( id.isEmpty() )
    return bundle;
 
  if ( !setMasterPassword( true ) )
    return bundle;
 
  // Loop through all storages with capability ReadCertificateIdentity and get the certificate from the first one that has the certificate
  const QList<QgsAuthConfigurationStorage *> storages { authConfigurationStorageRegistry()->readyStoragesWithCapability( Qgis::AuthConfigurationStorageCapability::ReadCertificateIdentity ) };
 
  for ( QgsAuthConfigurationStorage *storage : std::as_const( storages ) )
  {
    if ( storage->certIdentityExists( id ) )
    {
      QPair<QSslCertificate, QString> encryptedBundle { storage->loadCertIdentityBundle( id ) };
      if ( encryptedBundle.first.isNull() )
      {
        QgsDebugError( u"Certificate identity bundle is null for id: %1"_s.arg( id ) );
        return bundle;
      }
      QSslKey key( QgsAuthCrypto::decrypt( mMasterPass, masterPasswordCiv(), encryptedBundle.second ).toLatin1(),
                   QSsl::Rsa, QSsl::Pem, QSsl::PrivateKey );
      if ( key.isNull() )
      {
        QgsDebugError( u"Certificate identity bundle: FAILED to create private key"_s );
        return bundle;
      }
      bundle = qMakePair( encryptedBundle.first, key );
      break;
    }
  }
 
  if ( storages.empty() )
  {
    emit messageLog( tr( "Could not connect to the default storage." ), authManTag(), Qgis::MessageLevel::Critical );
    return bundle;
  }
 
  return bundle;
}
 
const QStringList QgsAuthManager::certIdentityBundleToPem( const QString &id )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  QPair<QSslCertificate, QSslKey> bundle( certIdentityBundle( id ) );
  if ( QgsAuthCertUtils::certIsViable( bundle.first ) && !bundle.second.isNull() )
  {
    return QStringList() << QString( bundle.first.toPem() ) << QString( bundle.second.toPem() );
  }
  return QStringList();
#else
  Q_UNUSED( id )
  return QStringList();
#endif
}
 
const QList<QSslCertificate> QgsAuthManager::certIdentities()
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  QList<QSslCertificate> certs;
 
  // Loop through all storages with capability ReadCertificateIdentity and collect the certificates from all storages
  const QList<QgsAuthConfigurationStorage *> storages { authConfigurationStorageRegistry()->readyStoragesWithCapability( Qgis::AuthConfigurationStorageCapability::ReadCertificateIdentity ) };
 
  for ( QgsAuthConfigurationStorage *storage : std::as_const( storages ) )
  {
    const QList<QSslCertificate> storageCerts = storage->certIdentities();
    // Add if not already in the list, warn otherwise
    for ( const QSslCertificate &cert : std::as_const( storageCerts ) )
    {
      if ( !certs.contains( cert ) )
      {
        certs.append( cert );
      }
      else
      {
        emit messageLog( tr( "Certificate already in the list: %1" ).arg( cert.issuerDisplayName() ), authManTag(), Qgis::MessageLevel::Warning );
      }
    }
  }
 
  if ( storages.empty() )
  {
    emit messageLog( tr( "Could not connect to any credentials storage." ), authManTag(), Qgis::MessageLevel::Critical );
  }
 
  return certs;
#else
  return QList<QSslCertificate>();
#endif
}
 
QStringList QgsAuthManager::certIdentityIds() const
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
 
  if ( isDisabled() )
    return {};
 
  // Loop through all storages with capability ReadCertificateIdentity and collect the certificate ids from all storages
  const QList<QgsAuthConfigurationStorage *> storages { authConfigurationStorageRegistry()->readyStoragesWithCapability( Qgis::AuthConfigurationStorageCapability::ReadCertificateIdentity ) };
 
  QStringList ids;
 
  for ( QgsAuthConfigurationStorage *storage : std::as_const( storages ) )
  {
    const QStringList storageIds = storage->certIdentityIds();
    // Add if not already in the list, warn otherwise
    for ( const QString &id : std::as_const( storageIds ) )
    {
      if ( !ids.contains( id ) )
      {
        ids.append( id );
      }
      else
      {
        emit messageLog( tr( "Certificate identity id already in the list: %1" ).arg( id ), authManTag(), Qgis::MessageLevel::Warning );
      }
    }
  }
 
  return ids;
#else
  return QStringList();
#endif
}
 
bool QgsAuthManager::existsCertIdentity( const QString &id )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  if ( id.isEmpty() )
    return false;
 
  // Loop through all storages with capability ReadCertificateIdentity and check if the certificate exists in any storage
  const QList<QgsAuthConfigurationStorage *> storages { authConfigurationStorageRegistry()->readyStoragesWithCapability( Qgis::AuthConfigurationStorageCapability::ReadCertificateIdentity ) };
 
  for ( QgsAuthConfigurationStorage *storage : std::as_const( storages ) )
  {
    if ( storage->certIdentityExists( id ) )
    {
      return true;
    }
  }
 
  if ( storages.empty() )
  {
    emit messageLog( tr( "Could not connect to any credentials storage." ), authManTag(), Qgis::MessageLevel::Critical );
  }
 
  return false;
#else
  Q_UNUSED( id )
  return false;
#endif
}
 
bool QgsAuthManager::removeCertIdentity( const QString &id )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  if ( id.isEmpty() )
  {
    QgsDebugError( u"Passed bundle ID is empty"_s );
    return false;
  }
 
  // Loop through all storages with capability ReadCertificateIdentity and delete from the first one that has the bundle, fail if it has no capability
  const QList<QgsAuthConfigurationStorage *> storages { authConfigurationStorageRegistry()->readyStoragesWithCapability( Qgis::AuthConfigurationStorageCapability::ReadCertificateIdentity ) };
 
  for ( QgsAuthConfigurationStorage *storage : std::as_const( storages ) )
  {
    if ( storage->certIdentityExists( id ) )
    {
      if ( !storage->removeCertIdentity( id ) )
      {
        emit messageLog( tr( "Remove certificate identity: FAILED to remove certificate identity from storage: %1" ).arg( storage->lastError() ), authManTag(), Qgis::MessageLevel::Warning );
        return false;
      }
      return true;
    }
  }
 
  if ( storages.empty() )
  {
    emit messageLog( tr( "Could not connect to the default storage." ), authManTag(), Qgis::MessageLevel::Critical );
  }
 
  return false;
 
#else
  Q_UNUSED( id )
  return false;
#endif
}
 
bool QgsAuthManager::storeSslCertCustomConfig( const QgsAuthConfigSslServer &config )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  if ( config.isNull() )
  {
    QgsDebugError( u"Passed config is null"_s );
    return false;
  }
 
  const QSslCertificate cert( config.sslCertificate() );
  const QString id( QgsAuthCertUtils::shaHexForCert( cert ) );
 
  if ( existsSslCertCustomConfig( id, config.sslHostPort() ) && !removeSslCertCustomConfig( id, config.sslHostPort() ) )
  {
    QgsDebugError( u"Store SSL certificate custom config: FAILED to remove pre-existing config %1"_s.arg( id ) );
    return false;
  }
 
  if ( QgsAuthConfigurationStorage *defaultStorage = firstStorageWithCapability( Qgis::AuthConfigurationStorageCapability::CreateSslCertificateCustomConfig ) )
  {
    if ( !defaultStorage->storeSslCertCustomConfig( config ) )
    {
      emit messageLog( tr( "Store SSL certificate custom config: FAILED to store config in default storage" ), authManTag(), Qgis::MessageLevel::Warning );
      return false;
    }
  }
  else
  {
    emit messageLog( tr( "Could not connect to the default storage." ), authManTag(), Qgis::MessageLevel::Critical );
    return false;
  }
 
  updateIgnoredSslErrorsCacheFromConfig( config );
  mCustomConfigByHostCache.clear();
 
  return true;
#else
  Q_UNUSED( config )
  return false;
#endif
}
 
const QgsAuthConfigSslServer QgsAuthManager::sslCertCustomConfig( const QString &id, const QString &hostport )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  QgsAuthConfigSslServer config;
 
  if ( id.isEmpty() || hostport.isEmpty() )
  {
    QgsDebugError( u"Passed config ID or host:port is empty"_s );
    return config;
  }
 
  // Loop through all storages with capability ReadSslCertificateCustomConfig and get the config from the first one that has the config
  const QList<QgsAuthConfigurationStorage *> storages { authConfigurationStorageRegistry()->readyStoragesWithCapability( Qgis::AuthConfigurationStorageCapability::ReadSslCertificateCustomConfig ) };
 
  for ( QgsAuthConfigurationStorage *storage : std::as_const( storages ) )
  {
    if ( storage->sslCertCustomConfigExists( id, hostport ) )
    {
      config = storage->loadSslCertCustomConfig( id, hostport );
      if ( !config.isNull() )
      {
        return config;
      }
      else
      {
        emit messageLog( tr( "Could not load SSL custom config %1 %2 from the storage." ).arg( id, hostport ), authManTag(), Qgis::MessageLevel::Critical );
        return config;
      }
    }
  }
 
  if ( storages.empty() )
  {
    emit messageLog( tr( "Could not connect to any credentials storage." ), authManTag(), Qgis::MessageLevel::Critical );
  }
 
  return config;
 
#else
  Q_UNUSED( id )
  Q_UNUSED( hostport )
  return QgsAuthConfigSslServer();
#endif
}
 
const QgsAuthConfigSslServer QgsAuthManager::sslCertCustomConfigByHost( const QString &hostport )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QgsAuthConfigSslServer config;
  if ( hostport.isEmpty() )
  {
    return config;
  }
 
  QMutexLocker locker( mMutex.get() );
 
  if ( mCustomConfigByHostCache.contains( hostport ) )
    return mCustomConfigByHostCache.value( hostport );
 
  // Loop through all storages with capability ReadSslCertificateCustomConfig and get the config from the first one that has the config
  const QList<QgsAuthConfigurationStorage *> storages { authConfigurationStorageRegistry()->readyStoragesWithCapability( Qgis::AuthConfigurationStorageCapability::ReadSslCertificateCustomConfig ) };
 
  for ( QgsAuthConfigurationStorage *storage : std::as_const( storages ) )
  {
    config = storage->loadSslCertCustomConfigByHost( hostport );
    if ( !config.isNull() )
    {
      mCustomConfigByHostCache.insert( hostport, config );
    }
 
  }
 
  if ( storages.empty() )
  {
    emit messageLog( tr( "Could not connect to any credentials storage." ), authManTag(), Qgis::MessageLevel::Critical );
  }
 
  return config;
#else
  Q_UNUSED( hostport )
  return QgsAuthConfigSslServer();
#endif
}
 
const QList<QgsAuthConfigSslServer> QgsAuthManager::sslCertCustomConfigs()
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  QList<QgsAuthConfigSslServer> configs;
 
  // Loop through all storages with capability ReadSslCertificateCustomConfig
  const QList<QgsAuthConfigurationStorage *> storages { authConfigurationStorageRegistry()->readyStoragesWithCapability( Qgis::AuthConfigurationStorageCapability::ReadSslCertificateCustomConfig ) };
 
  QStringList ids;
 
  for ( QgsAuthConfigurationStorage *storage : std::as_const( storages ) )
  {
    const QList<QgsAuthConfigSslServer> storageConfigs = storage->sslCertCustomConfigs();
    // Check if id + hostPort is not already in the list, warn otherwise
    for ( const auto &config : std::as_const( storageConfigs ) )
    {
      const QString id( QgsAuthCertUtils::shaHexForCert( config.sslCertificate() ) );
      const QString hostPort = config.sslHostPort();
      const QString shaHostPort( u"%1:%2"_s.arg( id, hostPort ) );
      if ( ! ids.contains( shaHostPort ) )
      {
        ids.append( shaHostPort );
        configs.append( config );
      }
      else
      {
        emit messageLog( tr( "SSL custom config already in the list: %1" ).arg( hostPort ), authManTag(), Qgis::MessageLevel::Warning );
      }
    }
  }
 
  if ( storages.empty() )
  {
    emit messageLog( tr( "Could not connect to the default storage." ), authManTag(), Qgis::MessageLevel::Critical );
  }
 
  return configs;
#else
  return QList<QgsAuthConfigSslServer>();
#endif
}
 
bool QgsAuthManager::existsSslCertCustomConfig( const QString &id, const QString &hostPort )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  if ( id.isEmpty() || hostPort.isEmpty() )
  {
    QgsDebugError( u"Passed config ID or host:port is empty"_s );
    return false;
  }
 
  // Loop through all storages with capability ReadSslCertificateCustomConfig
  const QList<QgsAuthConfigurationStorage *> storages { authConfigurationStorageRegistry()->readyStoragesWithCapability( Qgis::AuthConfigurationStorageCapability::ReadSslCertificateCustomConfig ) };
 
  for ( QgsAuthConfigurationStorage *storage : std::as_const( storages ) )
  {
    if ( storage->sslCertCustomConfigExists( id, hostPort ) )
    {
      return true;
    }
  }
 
  if ( storages.empty() )
  {
    emit messageLog( tr( "Could not connect to the default storage." ), authManTag(), Qgis::MessageLevel::Critical );
  }
 
  return false;
#else
  Q_UNUSED( id )
  Q_UNUSED( hostPort )
  return false;
#endif
}
 
bool QgsAuthManager::removeSslCertCustomConfig( const QString &id, const QString &hostport )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  if ( id.isEmpty() || hostport.isEmpty() )
  {
    QgsDebugError( u"Passed config ID or host:port is empty"_s );
    return false;
  }
 
  mCustomConfigByHostCache.clear();
 
  // Loop through all storages with capability DeleteSslCertificateCustomConfig
  const QList<QgsAuthConfigurationStorage *> storages { authConfigurationStorageRegistry()->readyStoragesWithCapability( Qgis::AuthConfigurationStorageCapability::DeleteSslCertificateCustomConfig ) };
 
  for ( QgsAuthConfigurationStorage *storage : std::as_const( storages ) )
  {
    if ( storage->sslCertCustomConfigExists( id, hostport ) )
    {
      if ( !storage->removeSslCertCustomConfig( id, hostport ) )
      {
        emit messageLog( tr( "FAILED to remove SSL cert custom config for host:port, id: %1, %2: %3" ).arg( hostport, id, storage->lastError() ), authManTag(), Qgis::MessageLevel::Warning );
        return false;
      }
      const QString shaHostPort( u"%1:%2"_s.arg( id, hostport ) );
      if ( mIgnoredSslErrorsCache.contains( shaHostPort ) )
      {
        mIgnoredSslErrorsCache.remove( shaHostPort );
      }
      return true;
    }
  }
 
  if ( storages.empty() )
  {
    emit messageLog( tr( "Could not connect to the default storage." ), authManTag(), Qgis::MessageLevel::Critical );
  }
 
  return false;
#else
  Q_UNUSED( id )
  Q_UNUSED( hostport )
  return false;
#endif
}
 
 
void QgsAuthManager::dumpIgnoredSslErrorsCache_()
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  if ( !mIgnoredSslErrorsCache.isEmpty() )
  {
    QgsDebugMsgLevel( u"Ignored SSL errors cache items:"_s, 1 );
    QHash<QString, QSet<QSslError::SslError> >::const_iterator i = mIgnoredSslErrorsCache.constBegin();
    while ( i != mIgnoredSslErrorsCache.constEnd() )
    {
      QStringList errs;
      for ( auto err : i.value() )
      {
        errs << QgsAuthCertUtils::sslErrorEnumString( err );
      }
      QgsDebugMsgLevel( u"%1 = %2"_s.arg( i.key(), errs.join( ", " ) ), 1 );
      ++i;
    }
  }
  else
  {
    QgsDebugMsgLevel( u"Ignored SSL errors cache EMPTY"_s, 2 );
  }
#endif
}
 
bool QgsAuthManager::updateIgnoredSslErrorsCacheFromConfig( const QgsAuthConfigSslServer &config )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  if ( config.isNull() )
  {
    QgsDebugError( u"Passed config is null"_s );
    return false;
  }
 
  QString shahostport( u"%1:%2"_s
                       .arg( QgsAuthCertUtils::shaHexForCert( config.sslCertificate() ).trimmed(),
                             config.sslHostPort().trimmed() ) );
  if ( mIgnoredSslErrorsCache.contains( shahostport ) )
  {
    mIgnoredSslErrorsCache.remove( shahostport );
  }
  const QList<QSslError::SslError> errenums( config.sslIgnoredErrorEnums() );
  if ( !errenums.isEmpty() )
  {
    mIgnoredSslErrorsCache.insert( shahostport, QSet<QSslError::SslError>( errenums.begin(), errenums.end() ) );
    QgsDebugMsgLevel( u"Update of ignored SSL errors cache SUCCEEDED for sha:host:port = %1"_s.arg( shahostport ), 2 );
    dumpIgnoredSslErrorsCache_();
    return true;
  }
 
  QgsDebugMsgLevel( u"No ignored SSL errors to cache for sha:host:port = %1"_s.arg( shahostport ), 2 );
  return true;
#else
  Q_UNUSED( config )
  return false;
#endif
}
 
bool QgsAuthManager::updateIgnoredSslErrorsCache( const QString &shahostport, const QList<QSslError> &errors )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  const thread_local QRegularExpression rx( QRegularExpression::anchoredPattern( "\\S+:\\S+:\\d+" ) );
  if ( !rx.match( shahostport ).hasMatch() )
  {
    QgsDebugError( "Passed shahostport does not match \\S+:\\S+:\\d+, "
                   "e.g. 74a4ef5ea94512a43769b744cda0ca5049a72491:www.example.com:443" );
    return false;
  }
 
  if ( mIgnoredSslErrorsCache.contains( shahostport ) )
  {
    mIgnoredSslErrorsCache.remove( shahostport );
  }
 
  if ( errors.isEmpty() )
  {
    QgsDebugError( u"Passed errors list empty"_s );
    return false;
  }
 
  QSet<QSslError::SslError> errs;
  for ( const auto &error : errors )
  {
    if ( error.error() == QSslError::NoError )
      continue;
 
    errs.insert( error.error() );
  }
 
  if ( errs.isEmpty() )
  {
    QgsDebugError( u"Passed errors list does not contain errors"_s );
    return false;
  }
 
  mIgnoredSslErrorsCache.insert( shahostport, errs );
 
  QgsDebugMsgLevel( u"Update of ignored SSL errors cache SUCCEEDED for sha:host:port = %1"_s.arg( shahostport ), 2 );
  dumpIgnoredSslErrorsCache_();
  return true;
#else
  Q_UNUSED( shahostport )
  Q_UNUSED( errors )
  return false;
#endif
}
 
bool QgsAuthManager::rebuildIgnoredSslErrorCache()
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  QHash<QString, QSet<QSslError::SslError> > prevcache( mIgnoredSslErrorsCache );
  QHash<QString, QSet<QSslError::SslError> > nextcache;
 
  // Loop through all storages with capability ReadSslCertificateCustomConfig
  const QList<QgsAuthConfigurationStorage *> storages { authConfigurationStorageRegistry()->readyStoragesWithCapability( Qgis::AuthConfigurationStorageCapability::ReadSslCertificateCustomConfig ) };
 
  QStringList ids;
 
  for ( QgsAuthConfigurationStorage *storage : std::as_const( storages ) )
  {
    const auto customConfigs { storage->sslCertCustomConfigs() };
    for ( const auto &config : std::as_const( customConfigs ) )
    {
      const QString shaHostPort( u"%1:%2"_s.arg( QgsAuthCertUtils::shaHexForCert( config.sslCertificate() ), config.sslHostPort() ) );
      if ( ! ids.contains( shaHostPort ) )
      {
        ids.append( shaHostPort );
        if ( !config.sslIgnoredErrorEnums().isEmpty() )
        {
          nextcache.insert( shaHostPort, QSet<QSslError::SslError>( config.sslIgnoredErrorEnums().cbegin(), config.sslIgnoredErrorEnums().cend() ) );
        }
        if ( prevcache.contains( shaHostPort ) )
        {
          prevcache.remove( shaHostPort );
        }
      }
      else
      {
        emit messageLog( tr( "SSL custom config already in the list: %1" ).arg( config.sslHostPort() ), authManTag(), Qgis::MessageLevel::Warning );
      }
    }
  }
 
  if ( !prevcache.isEmpty() )
  {
    // preserve any existing per-session ignored errors for hosts
    QHash<QString, QSet<QSslError::SslError> >::const_iterator i = prevcache.constBegin();
    while ( i != prevcache.constEnd() )
    {
      nextcache.insert( i.key(), i.value() );
      ++i;
    }
  }
 
  if ( nextcache != mIgnoredSslErrorsCache )
  {
    mIgnoredSslErrorsCache.clear();
    mIgnoredSslErrorsCache = nextcache;
    QgsDebugMsgLevel( u"Rebuild of ignored SSL errors cache SUCCEEDED"_s, 2 );
    dumpIgnoredSslErrorsCache_();
    return true;
  }
 
  QgsDebugMsgLevel( u"Rebuild of ignored SSL errors cache SAME AS BEFORE"_s, 2 );
  dumpIgnoredSslErrorsCache_();
  return true;
#else
  return false;
#endif
}
 
bool QgsAuthManager::storeCertAuthorities( const QList<QSslCertificate> &certs )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  if ( certs.isEmpty() )
  {
    QgsDebugError( u"Passed certificate list has no certs"_s );
    return false;
  }
 
  for ( const auto &cert : certs )
  {
    if ( !storeCertAuthority( cert ) )
      return false;
  }
  return true;
#else
  Q_UNUSED( certs )
  return false;
#endif
}
 
bool QgsAuthManager::storeCertAuthority( const QSslCertificate &cert )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  // don't refuse !cert.isValid() (actually just expired) CAs,
  // as user may want to ignore that SSL connection error
  if ( cert.isNull() )
  {
    QgsDebugError( u"Passed certificate is null"_s );
    return false;
  }
 
  if ( existsCertAuthority( cert ) && !removeCertAuthority( cert ) )
  {
    QgsDebugError( u"Store certificate authority: FAILED to remove pre-existing certificate authority"_s );
    return false;
  }
 
  if ( QgsAuthConfigurationStorage *defaultStorage = firstStorageWithCapability( Qgis::AuthConfigurationStorageCapability::CreateCertificateAuthority ) )
  {
    return defaultStorage->storeCertAuthority( cert );
  }
  else
  {
    emit messageLog( tr( "Could not connect to the default storage." ), authManTag(), Qgis::MessageLevel::Critical );
    return false;
  }
 
  return false;
#else
  Q_UNUSED( cert )
  return false;
#endif
}
 
const QSslCertificate QgsAuthManager::certAuthority( const QString &id )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  QSslCertificate emptycert;
  QSslCertificate cert;
  if ( id.isEmpty() )
    return emptycert;
 
  // Loop through all storages with capability ReadCertificateAuthority and get the certificate from the first one that has the certificate
  const QList<QgsAuthConfigurationStorage *> storages { authConfigurationStorageRegistry()->readyStoragesWithCapability( Qgis::AuthConfigurationStorageCapability::ReadCertificateAuthority ) };
 
  for ( QgsAuthConfigurationStorage *storage : std::as_const( storages ) )
  {
    cert = storage->loadCertAuthority( id );
    if ( !cert.isNull() )
    {
      return cert;
    }
  }
 
  if ( storages.empty() )
  {
    emit messageLog( tr( "Could not connect to any credentials storage." ), authManTag(), Qgis::MessageLevel::Critical );
    return emptycert;
  }
 
  return cert;
#else
  Q_UNUSED( id )
  return QSslCertificate();
#endif
}
 
bool QgsAuthManager::existsCertAuthority( const QSslCertificate &cert )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  if ( cert.isNull() )
  {
    QgsDebugError( u"Passed certificate is null"_s );
    return false;
  }
 
  // Loop through all storages with capability ReadCertificateAuthority and get the certificate from the first one that has the certificate
  const QList<QgsAuthConfigurationStorage *> storages { authConfigurationStorageRegistry()->readyStoragesWithCapability( Qgis::AuthConfigurationStorageCapability::ReadCertificateAuthority ) };
 
  for ( QgsAuthConfigurationStorage *storage : std::as_const( storages ) )
  {
    if ( storage->certAuthorityExists( cert ) )
    {
      return true;
    }
  }
 
  if ( storages.empty() )
  {
    emit messageLog( tr( "Could not connect to any credentials storage." ), authManTag(), Qgis::MessageLevel::Critical );
  }
 
  return false;
#else
  return false;
#endif
}
 
bool QgsAuthManager::removeCertAuthority( const QSslCertificate &cert )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  if ( cert.isNull() )
  {
    QgsDebugError( u"Passed certificate is null"_s );
    return false;
  }
 
  // Loop through all storages with capability ReadCertificateAuthority and delete from the first one that has the certificate, fail if it has no capability
  const QList<QgsAuthConfigurationStorage *> storages { authConfigurationStorageRegistry()->readyStoragesWithCapability( Qgis::AuthConfigurationStorageCapability::ReadCertificateAuthority ) };
 
  for ( QgsAuthConfigurationStorage *storage : std::as_const( storages ) )
  {
    if ( storage->certAuthorityExists( cert ) )
    {
 
      if ( !storage->capabilities().testFlag( Qgis::AuthConfigurationStorageCapability::DeleteCertificateAuthority ) )
      {
        emit messageLog( tr( "Remove certificate: FAILED to remove setting from storage %1: storage is read only" ).arg( storage->name() ), authManTag(), Qgis::MessageLevel::Warning );
        return false;
      }
 
      if ( !storage->removeCertAuthority( cert ) )
      {
        emit messageLog( tr( "Remove certificate authority: FAILED to remove certificate authority from storage: %1" ).arg( storage->lastError() ), authManTag(), Qgis::MessageLevel::Warning );
        return false;
      }
      return true;
    }
  }
 
  if ( storages.empty() )
  {
    emit messageLog( tr( "Could not connect to the default storage." ), authManTag(), Qgis::MessageLevel::Critical );
  }
 
  return false;
#else
  Q_UNUSED( cert )
  return false;
#endif
}
 
const QList<QSslCertificate> QgsAuthManager::systemRootCAs()
{
#ifdef HAVE_AUTH
  return QSslConfiguration::systemCaCertificates();
#else
  return QList<QSslCertificate>();
#endif
}
 
const QList<QSslCertificate> QgsAuthManager::extraFileCAs()
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  QList<QSslCertificate> certs;
  QList<QSslCertificate> filecerts;
  QVariant cafileval = QgsAuthManager::instance()->authSetting( u"cafile"_s );
  if ( QgsVariantUtils::isNull( cafileval ) )
    return certs;
 
  QVariant allowinvalid = QgsAuthManager::instance()->authSetting( u"cafileallowinvalid"_s, QVariant( false ) );
  if ( QgsVariantUtils::isNull( allowinvalid ) )
    return certs;
 
  QString cafile( cafileval.toString() );
  if ( !cafile.isEmpty() && QFile::exists( cafile ) )
  {
    filecerts = QgsAuthCertUtils::certsFromFile( cafile );
  }
  // only CAs or certs capable of signing other certs are allowed
  for ( const auto &cert : std::as_const( filecerts ) )
  {
    if ( !allowinvalid.toBool() && ( cert.isBlacklisted()
                                     || cert.isNull()
                                     || cert.expiryDate() <= QDateTime::currentDateTime()
                                     || cert.effectiveDate() > QDateTime::currentDateTime() ) )
    {
      continue;
    }
 
    if ( QgsAuthCertUtils::certificateIsAuthorityOrIssuer( cert ) )
    {
      certs << cert;
    }
  }
  return certs;
#else
  return QList<QSslCertificate>();
#endif
}
 
const QList<QSslCertificate> QgsAuthManager::databaseCAs()
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
 
  // Loop through all storages with capability ReadCertificateAuthority and collect the certificates from all storages
  const QList<QgsAuthConfigurationStorage *> storages { authConfigurationStorageRegistry()->readyStoragesWithCapability( Qgis::AuthConfigurationStorageCapability::ReadCertificateAuthority ) };
 
  QList<QSslCertificate> certs;
 
  for ( QgsAuthConfigurationStorage *storage : std::as_const( storages ) )
  {
    const QList<QSslCertificate> storageCerts = storage->caCerts();
    // Add if not already in the list, warn otherwise
    for ( const QSslCertificate &cert : std::as_const( storageCerts ) )
    {
      if ( !certs.contains( cert ) )
      {
        certs.append( cert );
      }
      else
      {
        emit messageLog( tr( "Certificate already in the list: %1" ).arg( cert.issuerDisplayName() ), authManTag(), Qgis::MessageLevel::Warning );
      }
    }
  }
 
  if ( storages.empty() )
  {
    emit messageLog( tr( "Could not connect to the default storage." ), authManTag(), Qgis::MessageLevel::Critical );
  }
 
  return certs;
#else
  return QList<QSslCertificate>();
#endif
}
 
const QMap<QString, QSslCertificate> QgsAuthManager::mappedDatabaseCAs()
{
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  return QgsAuthCertUtils::mapDigestToCerts( databaseCAs() );
}
 
bool QgsAuthManager::rebuildCaCertsCache()
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  mCaCertsCache.clear();
  // in reverse order of precedence, with regards to duplicates, so QMap inserts overwrite
  insertCaCertInCache( QgsAuthCertUtils::SystemRoot, systemRootCAs() );
  insertCaCertInCache( QgsAuthCertUtils::FromFile, extraFileCAs() );
  insertCaCertInCache( QgsAuthCertUtils::InDatabase, databaseCAs() );
 
  bool res = !mCaCertsCache.isEmpty(); // should at least contain system root CAs
  if ( !res )
    QgsDebugError( u"Rebuild of CA certs cache FAILED"_s );
  return res;
#else
  return false;
#endif
}
 
bool QgsAuthManager::storeCertTrustPolicy( const QSslCertificate &cert, QgsAuthCertUtils::CertTrustPolicy policy )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  if ( cert.isNull() )
  {
    QgsDebugError( u"Passed certificate is null."_s );
    return false;
  }
 
  if ( certTrustPolicy( cert ) == policy )
  {
    return true;
  }
 
  if ( certificateTrustPolicy( cert ) != QgsAuthCertUtils::DefaultTrust && ! removeCertTrustPolicy( cert ) )
  {
    emit messageLog( tr( "Could not delete pre-existing certificate trust policy." ), authManTag(), Qgis::MessageLevel::Warning );
    return false;
  }
 
  if ( QgsAuthConfigurationStorage *defaultStorage = firstStorageWithCapability( Qgis::AuthConfigurationStorageCapability::CreateCertificateTrustPolicy ) )
  {
    return defaultStorage->storeCertTrustPolicy( cert, policy );
  }
  else
  {
    emit messageLog( tr( "Could not connect to any authentication configuration storage." ), authManTag(), Qgis::MessageLevel::Critical );
    return false;
  }
#else
  Q_UNUSED( cert )
  Q_UNUSED( policy )
  return false;
#endif
}
 
QgsAuthCertUtils::CertTrustPolicy QgsAuthManager::certTrustPolicy( const QSslCertificate &cert )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  if ( cert.isNull() )
  {
    QgsDebugError( u"Passed certificate is null"_s );
    return QgsAuthCertUtils::DefaultTrust;
  }
 
  // Loop through all storages with capability ReadCertificateTrustPolicy and get the policy from the first one that has the policy
  const QList<QgsAuthConfigurationStorage *> storages { authConfigurationStorageRegistry()->readyStoragesWithCapability( Qgis::AuthConfigurationStorageCapability::ReadCertificateTrustPolicy ) };
 
  for ( QgsAuthConfigurationStorage *storage : std::as_const( storages ) )
  {
    QgsAuthCertUtils::CertTrustPolicy policy = storage->loadCertTrustPolicy( cert );
    if ( policy != QgsAuthCertUtils::DefaultTrust )
    {
      return policy;
    }
  }
 
  if ( storages.empty() )
  {
    emit messageLog( tr( "Could not connect to any credentials storage." ), authManTag(), Qgis::MessageLevel::Critical );
  }
 
  return QgsAuthCertUtils::DefaultTrust;
#else
  Q_UNUSED( cert )
  return QgsAuthCertUtils::DefaultTrust;
#endif
}
 
bool QgsAuthManager::removeCertTrustPolicies( const QList<QSslCertificate> &certs )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  if ( certs.empty() )
  {
    QgsDebugError( u"Passed certificate list has no certs"_s );
    return false;
  }
 
  for ( const auto &cert : certs )
  {
    if ( !removeCertTrustPolicy( cert ) )
      return false;
  }
  return true;
#else
  Q_UNUSED( certs )
  return false;
#endif
}
 
bool QgsAuthManager::removeCertTrustPolicy( const QSslCertificate &cert )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  if ( cert.isNull() )
  {
    QgsDebugError( u"Passed certificate is null"_s );
    return false;
  }
 
  // Loop through all storages with capability ReadCertificateTrustPolicy and delete from the first one that has the policy, fail if it has no capability
  const QList<QgsAuthConfigurationStorage *> storages { authConfigurationStorageRegistry()->readyStoragesWithCapability( Qgis::AuthConfigurationStorageCapability::ReadCertificateTrustPolicy ) };
 
  for ( QgsAuthConfigurationStorage *storage : std::as_const( storages ) )
  {
    if ( storage->certTrustPolicyExists( cert ) )
    {
      if ( !storage->capabilities().testFlag( Qgis::AuthConfigurationStorageCapability::DeleteCertificateTrustPolicy ) )
      {
        emit messageLog( tr( "Remove certificate trust policy: FAILED to remove setting from storage %1: storage is read only" ).arg( storage->name() ), authManTag(), Qgis::MessageLevel::Warning );
        return false;
      }
 
      if ( !storage->removeCertTrustPolicy( cert ) )
      {
        emit messageLog( tr( "Remove certificate trust policy: FAILED to remove certificate trust policy from storage: %1" ).arg( storage->lastError() ), authManTag(), Qgis::MessageLevel::Warning );
        return false;
      }
      return true;
    }
  }
 
  if ( storages.empty() )
  {
    emit messageLog( tr( "Could not connect to any authentication configuration storage." ), authManTag(), Qgis::MessageLevel::Critical );
  }
 
  return false;
#else
  Q_UNUSED( cert )
  return false;
#endif
}
 
QgsAuthCertUtils::CertTrustPolicy QgsAuthManager::certificateTrustPolicy( const QSslCertificate &cert )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  if ( cert.isNull() )
  {
    return QgsAuthCertUtils::NoPolicy;
  }
 
  QString id( QgsAuthCertUtils::shaHexForCert( cert ) );
  const QStringList &trustedids = mCertTrustCache.value( QgsAuthCertUtils::Trusted );
  const QStringList &untrustedids = mCertTrustCache.value( QgsAuthCertUtils::Untrusted );
 
  QgsAuthCertUtils::CertTrustPolicy policy( QgsAuthCertUtils::DefaultTrust );
  if ( trustedids.contains( id ) )
  {
    policy = QgsAuthCertUtils::Trusted;
  }
  else if ( untrustedids.contains( id ) )
  {
    policy = QgsAuthCertUtils::Untrusted;
  }
  return policy;
#else
  Q_UNUSED( cert )
  return QgsAuthCertUtils::DefaultTrust;
#endif
}
 
bool QgsAuthManager::setDefaultCertTrustPolicy( QgsAuthCertUtils::CertTrustPolicy policy )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  if ( policy == QgsAuthCertUtils::DefaultTrust )
  {
    // set default trust policy to Trusted by removing setting
    return removeAuthSetting( u"certdefaulttrust"_s );
  }
  return storeAuthSetting( u"certdefaulttrust"_s, static_cast< int >( policy ) );
#else
  Q_UNUSED( policy )
  return false;
#endif
}
 
QgsAuthCertUtils::CertTrustPolicy QgsAuthManager::defaultCertTrustPolicy()
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  QVariant policy( authSetting( u"certdefaulttrust"_s ) );
  if ( QgsVariantUtils::isNull( policy ) )
  {
    return QgsAuthCertUtils::Trusted;
  }
  return static_cast< QgsAuthCertUtils::CertTrustPolicy >( policy.toInt() );
#else
  return QgsAuthCertUtils::DefaultTrust;
#endif
}
 
bool QgsAuthManager::rebuildCertTrustCache()
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  mCertTrustCache.clear();
 
  // Loop through all storages with capability ReadCertificateTrustPolicy
  const QList<QgsAuthConfigurationStorage *> storages { authConfigurationStorageRegistry()->readyStoragesWithCapability( Qgis::AuthConfigurationStorageCapability::ReadCertificateTrustPolicy ) };
 
  QStringList ids;
 
  for ( QgsAuthConfigurationStorage *storage : std::as_const( storages ) )
  {
 
    const auto trustedCerts { storage->caCertsPolicy() };
    for ( auto it = trustedCerts.cbegin(); it != trustedCerts.cend(); ++it )
    {
      const QString id { it.key( )};
      if ( ! ids.contains( id ) )
      {
        ids.append( id );
        const QgsAuthCertUtils::CertTrustPolicy policy( it.value() );
        if ( policy == QgsAuthCertUtils::CertTrustPolicy::Trusted )
        {
          QStringList ids;
          if ( mCertTrustCache.contains( QgsAuthCertUtils::Trusted ) )
          {
            ids = mCertTrustCache.value( QgsAuthCertUtils::Trusted );
          }
          mCertTrustCache.insert( QgsAuthCertUtils::Trusted, ids << it.key() );
        }
      }
      else
      {
        emit messageLog( tr( "Certificate already in the list: %1" ).arg( it.key() ), authManTag(), Qgis::MessageLevel::Warning );
      }
    }
  }
 
  if ( ! storages.empty() )
  {
    QgsDebugMsgLevel( u"Rebuild of cert trust policy cache SUCCEEDED"_s, 2 );
    return true;
  }
  else
  {
    emit messageLog( tr( "Could not connect to the default storage." ), authManTag(), Qgis::MessageLevel::Critical );
    return false;
  }
#else
  return false;
#endif
}
 
const QList<QSslCertificate> QgsAuthManager::trustedCaCerts( bool includeinvalid )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  QgsAuthCertUtils::CertTrustPolicy defaultpolicy( defaultCertTrustPolicy() );
  QStringList trustedids = mCertTrustCache.value( QgsAuthCertUtils::Trusted );
  QStringList untrustedids = mCertTrustCache.value( QgsAuthCertUtils::Untrusted );
  const QList<QPair<QgsAuthCertUtils::CaCertSource, QSslCertificate> > &certpairs( mCaCertsCache.values() );
 
  QList<QSslCertificate> trustedcerts;
  for ( int i = 0; i < certpairs.size(); ++i )
  {
    QSslCertificate cert( certpairs.at( i ).second );
    QString certid( QgsAuthCertUtils::shaHexForCert( cert ) );
    if ( trustedids.contains( certid ) )
    {
      // trusted certs are always added regardless of their validity
      trustedcerts.append( cert );
    }
    else if ( defaultpolicy == QgsAuthCertUtils::Trusted && !untrustedids.contains( certid ) )
    {
      if ( !includeinvalid && !QgsAuthCertUtils::certIsViable( cert ) )
        continue;
      trustedcerts.append( cert );
    }
  }
 
  // update application default SSL config for new requests
  QSslConfiguration sslconfig( QSslConfiguration::defaultConfiguration() );
  sslconfig.setCaCertificates( trustedcerts );
  QSslConfiguration::setDefaultConfiguration( sslconfig );
 
  return trustedcerts;
#else
  Q_UNUSED( includeinvalid )
  return QList<QSslCertificate>();
#endif
}
 
const QList<QSslCertificate> QgsAuthManager::untrustedCaCerts( QList<QSslCertificate> trustedCAs )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  if ( trustedCAs.isEmpty() )
  {
    if ( mTrustedCaCertsCache.isEmpty() )
    {
      rebuildTrustedCaCertsCache();
    }
    trustedCAs = trustedCaCertsCache();
  }
 
  const QList<QPair<QgsAuthCertUtils::CaCertSource, QSslCertificate> > &certpairs( mCaCertsCache.values() );
 
  QList<QSslCertificate> untrustedCAs;
  for ( int i = 0; i < certpairs.size(); ++i )
  {
    QSslCertificate cert( certpairs.at( i ).second );
    if ( !trustedCAs.contains( cert ) )
    {
      untrustedCAs.append( cert );
    }
  }
  return untrustedCAs;
#else
  Q_UNUSED( trustedCAs )
  return QList<QSslCertificate>();
#endif
}
 
bool QgsAuthManager::rebuildTrustedCaCertsCache()
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  mTrustedCaCertsCache = trustedCaCerts();
  QgsDebugMsgLevel( u"Rebuilt trusted cert authorities cache"_s, 2 );
  // TODO: add some error trapping for the operation
  return true;
#else
  return false;
#endif
}
 
const QByteArray QgsAuthManager::trustedCaCertsPemText()
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  return QgsAuthCertUtils::certsToPemText( trustedCaCertsCache() );
#else
  return QByteArray();
#endif
}
 
bool QgsAuthManager::passwordHelperSync()
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QMutexLocker locker( mMutex.get() );
  if ( masterPasswordIsSet() )
  {
    return passwordHelperWrite( mMasterPass );
  }
  return false;
#else
  return false;
#endif
}
 
bool QgsAuthManager::verifyStoredPasswordHelperPassword()
{
#ifdef HAVE_AUTH
  if ( !passwordHelperEnabled() )
    return false;
 
  bool readOk = false;
  const QString currentPass = passwordHelperRead( readOk );
  if ( !readOk )
    return false;
 
  if ( !currentPass.isEmpty() && ( mPasswordHelperErrorCode == QKeychain::NoError ) )
  {
    return verifyMasterPassword( currentPass );
  }
  return false;
#else
  return false;
#endif
}
 
QString QgsAuthManager::passwordHelperDisplayName( bool titleCase )
{
#ifdef HAVE_AUTH
#if defined(Q_OS_MAC)
  return titleCase ? QObject::tr( "Keychain" ) : QObject::tr( "keychain" );
#elif defined(Q_OS_WIN)
  return titleCase ? QObject::tr( "Password Manager" ) : QObject::tr( "password manager" );
#elif defined(Q_OS_LINUX)
 
  const QString desktopSession = qgetenv( "DESKTOP_SESSION" );
  const QString currentDesktop = qgetenv( "XDG_CURRENT_DESKTOP" );
  const QString gdmSession = qgetenv( "GDMSESSION" );
  // lets use a more precise string if we're running on KDE!
  if ( desktopSession.contains( "kde"_L1, Qt::CaseInsensitive ) || currentDesktop.contains( "kde"_L1, Qt::CaseInsensitive ) || gdmSession.contains( "kde"_L1, Qt::CaseInsensitive ) )
  {
    return titleCase ? QObject::tr( "Wallet" ) : QObject::tr( "wallet" );
  }
 
  return titleCase ? QObject::tr( "Wallet/Key Ring" ) : QObject::tr( "wallet/key ring" );
#else
  return titleCase ? QObject::tr( "Password Manager" ) : QObject::tr( "password manager" );
#endif
#else
  Q_UNUSED( titleCase )
  return QString();
#endif
}
 

 
#endif
 
void QgsAuthManager::clearAllCachedConfigs()
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  if ( isDisabled() )
    return;
 
  const QStringList ids = configIds();
  for ( const auto &authcfg : ids )
  {
    clearCachedConfig( authcfg );
  }
#endif
}
 
void QgsAuthManager::clearCachedConfig( const QString &authcfg )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  if ( isDisabled() )
    return;
 
  QgsAuthMethod *authmethod = configAuthMethod( authcfg );
  if ( authmethod )
  {
    authmethod->clearCachedConfig( authcfg );
  }
#else
  Q_UNUSED( authcfg )
#endif
}
 
void QgsAuthManager::writeToConsole( const QString &message,
                                     const QString &tag,
                                     Qgis::MessageLevel level )
{
#ifdef HAVE_AUTH
  Q_UNUSED( tag )
 
  ensureInitialized();
 
  // only output WARNING and CRITICAL messages
  if ( level == Qgis::MessageLevel::Info )
    return;
 
  QString msg;
  switch ( level )
  {
    case Qgis::MessageLevel::Warning:
      msg += "WARNING: "_L1;
      break;
    case Qgis::MessageLevel::Critical:
      msg += "ERROR: "_L1;
      break;
    default:
      break;
  }
  msg += message;
 
  QTextStream out( stdout, QIODevice::WriteOnly );
  out << msg << Qt::endl;
#else
  Q_UNUSED( message )
  Q_UNUSED( tag )
  Q_UNUSED( level )
#endif
}
 
void QgsAuthManager::tryToStartDbErase()
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  ++mScheduledDbEraseRequestCount;
  // wait a total of 90 seconds for GUI availiability or user interaction, then cancel schedule
  int trycutoff = 90 / ( mScheduledDbEraseRequestWait ? mScheduledDbEraseRequestWait : 3 );
  if ( mScheduledDbEraseRequestCount >= trycutoff )
  {
    setScheduledAuthDatabaseErase( false );
    QgsDebugMsgLevel( u"authDatabaseEraseRequest emitting/scheduling canceled"_s, 2 );
    return;
  }
  else
  {
    QgsDebugMsgLevel( u"authDatabaseEraseRequest attempt (%1 of %2)"_s
                      .arg( mScheduledDbEraseRequestCount ).arg( trycutoff ), 2 );
  }
 
  if ( scheduledAuthDatabaseErase() && !mScheduledDbEraseRequestEmitted && mMutex->tryLock() )
  {
    // see note in header about this signal's use
    mScheduledDbEraseRequestEmitted = true;
    emit authDatabaseEraseRequested();
 
    mMutex->unlock();
 
    QgsDebugMsgLevel( u"authDatabaseEraseRequest emitted"_s, 2 );
    return;
  }
  QgsDebugMsgLevel( u"authDatabaseEraseRequest emit skipped"_s, 2 );
#endif
}
 
 
QgsAuthManager::~QgsAuthManager()
{
#ifdef HAVE_AUTH
  QMutexLocker locker( mMutex.get() );
 
  QMapIterator<QThread *, QMetaObject::Connection> iterator( mConnectedThreads );
  while ( iterator.hasNext() )
  {
    iterator.next();
    QThread::disconnect( iterator.value() );
  }
 
  if ( !mAuthInit )
    return;
 
  locker.unlock();
 
  if ( !isDisabled() )
  {
    delete QgsAuthMethodRegistry::instance();
    qDeleteAll( mAuthMethods );
 
    Q_NOWARN_DEPRECATED_PUSH
    QSqlDatabase authConn = authDatabaseConnection();
    Q_NOWARN_DEPRECATED_POP
    if ( authConn.isValid() && authConn.isOpen() )
      authConn.close();
  }
 
  QSqlDatabase::removeDatabase( u"authentication.configs"_s );
#endif
}
 
QgsAuthConfigurationStorageRegistry *QgsAuthManager::authConfigurationStorageRegistry() const
{
  QMutexLocker locker( mMutex.get() );
  if ( ! mAuthConfigurationStorageRegistry )
  {
    mAuthConfigurationStorageRegistry = std::make_unique<QgsAuthConfigurationStorageRegistry>();
  }
  return mAuthConfigurationStorageRegistry.get();
}
 
 
QString QgsAuthManager::passwordHelperName() const
{
#ifdef HAVE_AUTH
  return tr( "Password Helper" );
#else
  return QString();
#endif
}
 
 
void QgsAuthManager::passwordHelperLog( const QString &msg ) const
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  if ( passwordHelperLoggingEnabled() )
  {
    QgsMessageLog::logMessage( msg, passwordHelperName() );
  }
#else
  Q_UNUSED( msg )
#endif
}
 
bool QgsAuthManager::passwordHelperDelete()
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  passwordHelperLog( tr( "Opening %1 for DELETE…" ).arg( passwordHelperDisplayName() ) );
  bool result;
  QKeychain::DeletePasswordJob job( AUTH_PASSWORD_HELPER_FOLDER_NAME );
  QgsSettings settings;
  job.setInsecureFallback( settings.value( u"password_helper_insecure_fallback"_s, false, QgsSettings::Section::Auth ).toBool() );
  job.setAutoDelete( false );
  job.setKey( authPasswordHelperKeyName() );
  QEventLoop loop;
  connect( &job, &QKeychain::Job::finished, &loop, &QEventLoop::quit );
  job.start();
  loop.exec();
  if ( job.error() )
  {
    mPasswordHelperErrorCode = job.error();
    mPasswordHelperErrorMessage = tr( "Delete password failed: %1." ).arg( job.errorString() );
    // Signals used in the tests to exit main application loop
    emit passwordHelperFailure();
    result = false;
  }
  else
  {
    // Signals used in the tests to exit main application loop
    emit passwordHelperSuccess();
    result = true;
  }
  passwordHelperProcessError();
  return result;
#else
  return false;
#endif
}
 
QString QgsAuthManager::passwordHelperRead( bool &ok )
{
#ifdef HAVE_AUTH
  ok = false;
  ensureInitialized();
 
  // Retrieve it!
  QString password;
  passwordHelperLog( tr( "Opening %1 for READ…" ).arg( passwordHelperDisplayName() ) );
  QKeychain::ReadPasswordJob job( AUTH_PASSWORD_HELPER_FOLDER_NAME );
  QgsSettings settings;
  job.setInsecureFallback( settings.value( u"password_helper_insecure_fallback"_s, false, QgsSettings::Section::Auth ).toBool() );
  job.setAutoDelete( false );
  job.setKey( authPasswordHelperKeyName() );
  QEventLoop loop;
  connect( &job, &QKeychain::Job::finished, &loop, &QEventLoop::quit );
  job.start();
  loop.exec();
  if ( job.error() )
  {
    mPasswordHelperErrorCode = job.error();
    mPasswordHelperErrorMessage = tr( "Retrieving password from the %1 failed: %2." ).arg( passwordHelperDisplayName(), job.errorString() );
    // Signals used in the tests to exit main application loop
    emit passwordHelperFailure();
  }
  else
  {
    password = job.textData();
    // Password is there but it is empty, treat it like if it was not found
    if ( password.isEmpty() )
    {
      mPasswordHelperErrorCode = QKeychain::EntryNotFound;
      mPasswordHelperErrorMessage = tr( "Empty password retrieved from the %1." ).arg( passwordHelperDisplayName( true ) );
      // Signals used in the tests to exit main application loop
      emit passwordHelperFailure();
    }
    else
    {
      ok = true;
      // Signals used in the tests to exit main application loop
      emit passwordHelperSuccess();
    }
  }
  passwordHelperProcessError();
  return password;
#else
  Q_UNUSED( ok )
  return QString();
#endif
}
 
bool QgsAuthManager::passwordHelperWrite( const QString &password )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  Q_ASSERT( !password.isEmpty() );
  bool result;
  passwordHelperLog( tr( "Opening %1 for WRITE…" ).arg( passwordHelperDisplayName() ) );
  QKeychain::WritePasswordJob job( AUTH_PASSWORD_HELPER_FOLDER_NAME );
  QgsSettings settings;
  job.setInsecureFallback( settings.value( u"password_helper_insecure_fallback"_s, false, QgsSettings::Section::Auth ).toBool() );
  job.setAutoDelete( false );
  job.setKey( authPasswordHelperKeyName() );
  job.setTextData( password );
  QEventLoop loop;
  connect( &job, &QKeychain::Job::finished, &loop, &QEventLoop::quit );
  job.start();
  loop.exec();
  if ( job.error() )
  {
    mPasswordHelperErrorCode = job.error();
    mPasswordHelperErrorMessage = tr( "Storing password in the %1 failed: %2." ).arg( passwordHelperDisplayName(), job.errorString() );
    // Signals used in the tests to exit main application loop
    emit passwordHelperFailure();
    result = false;
  }
  else
  {
    passwordHelperClearErrors();
    // Signals used in the tests to exit main application loop
    emit passwordHelperSuccess();
    result = true;
  }
  passwordHelperProcessError();
  return result;
#else
  Q_UNUSED( password )
  return false;
#endif
}
 
bool QgsAuthManager::passwordHelperEnabled()
{
#ifdef HAVE_AUTH
  // Does the user want to store the password in the wallet?
  QgsSettings settings;
  return settings.value( u"use_password_helper"_s, true, QgsSettings::Section::Auth ).toBool();
#else
  return false;
#endif
}
 
void QgsAuthManager::setPasswordHelperEnabled( const bool enabled )
{
#ifdef HAVE_AUTH
  QgsSettings settings;
  settings.setValue( u"use_password_helper"_s,  enabled, QgsSettings::Section::Auth );
  emit messageLog( enabled ? tr( "Your %1 will be <b>used from now</b> on to store and retrieve the master password." )
                   .arg( passwordHelperDisplayName() ) :
                   tr( "Your %1 will <b>not be used anymore</b> to store and retrieve the master password." )
                   .arg( passwordHelperDisplayName() ) );
#else
  Q_UNUSED( enabled )
#endif
}
 
bool QgsAuthManager::passwordHelperLoggingEnabled()
{
#ifdef HAVE_AUTH
  // Does the user want to store the password in the wallet?
  QgsSettings settings;
  return settings.value( u"password_helper_logging"_s, false, QgsSettings::Section::Auth ).toBool();
#else
  return false;
#endif
}
 
void QgsAuthManager::setPasswordHelperLoggingEnabled( const bool enabled )
{
#ifdef HAVE_AUTH
  QgsSettings settings;
  settings.setValue( u"password_helper_logging"_s,  enabled, QgsSettings::Section::Auth );
#else
  Q_UNUSED( enabled )
#endif
}
 
void QgsAuthManager::passwordHelperClearErrors()
{
#ifdef HAVE_AUTH
  mPasswordHelperErrorCode = QKeychain::NoError;
  mPasswordHelperErrorMessage.clear();
#endif
}
 
void QgsAuthManager::passwordHelperProcessError()
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  if ( mPasswordHelperErrorCode == QKeychain::AccessDenied ||
       mPasswordHelperErrorCode == QKeychain::AccessDeniedByUser ||
       mPasswordHelperErrorCode == QKeychain::NoBackendAvailable ||
       mPasswordHelperErrorCode == QKeychain::NotImplemented )
  {
    // If the error is permanent or the user denied access to the wallet
    // we also want to disable the wallet system to prevent annoying
    // notification on each subsequent access.
    setPasswordHelperEnabled( false );
    mPasswordHelperErrorMessage = tr( "There was an error and integration with your %1 has been disabled. "
                                      "You can re-enable it at any time through the \"Utilities\" menu "
                                      "in the Authentication pane of the options dialog. %2" )
                                  .arg( passwordHelperDisplayName(), mPasswordHelperErrorMessage );
  }
  if ( mPasswordHelperErrorCode != QKeychain::NoError )
  {
    // We've got an error from the wallet
    passwordHelperLog( tr( "Error in %1: %2" ).arg( passwordHelperDisplayName(), mPasswordHelperErrorMessage ) );
    emit passwordHelperMessageLog( mPasswordHelperErrorMessage, authManTag(), Qgis::MessageLevel::Critical );
  }
  passwordHelperClearErrors();
#endif
}
 
 
bool QgsAuthManager::masterPasswordInput()
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  if ( isDisabled() )
    return false;
 
  QString pass;
  bool storedPasswordIsValid = false;
  bool ok = false;
 
  // Read the password from the wallet
  if ( passwordHelperEnabled() )
  {
    bool readOk = false;
    pass = passwordHelperRead( readOk );
    if ( readOk && ! pass.isEmpty() && ( mPasswordHelperErrorCode == QKeychain::NoError ) )
    {
      // Let's check the password!
      if ( verifyMasterPassword( pass ) )
      {
        ok = true;
        storedPasswordIsValid = true;
      }
      else
      {
        emit passwordHelperMessageLog( tr( "Master password stored in the %1 is not valid" ).arg( passwordHelperDisplayName() ), authManTag(), Qgis::MessageLevel::Warning );
      }
    }
  }
 
  if ( ! ok )
  {
    pass.clear();
    ok = QgsCredentials::instance()->getMasterPassword( pass, masterPasswordHashInDatabase() );
  }
 
  if ( ok && !pass.isEmpty() && mMasterPass != pass )
  {
    mMasterPass = pass;
    if ( passwordHelperEnabled() && ! storedPasswordIsValid )
    {
      if ( !passwordHelperWrite( pass ) )
      {
        emit passwordHelperMessageLog( tr( "Master password could not be written to the %1" ).arg( passwordHelperDisplayName() ), authManTag(), Qgis::MessageLevel::Warning );
      }
    }
    return true;
  }
  return false;
#else
  return false;
#endif
}
 
bool QgsAuthManager::masterPasswordRowsInDb( int &rows ) const
{
#ifdef HAVE_AUTH
  bool res = false;
  ensureInitialized();
 
  if ( isDisabled() )
    return res;
 
  rows = 0;
 
  QMutexLocker locker( mMutex.get() );
 
  // Loop through all storages with capability ReadMasterPassword and count the number of master passwords
  const QList<QgsAuthConfigurationStorage *> storages { authConfigurationStorageRegistry()->readyStoragesWithCapability( Qgis::AuthConfigurationStorageCapability::ReadMasterPassword ) };
 
  if ( storages.empty() )
  {
    emit messageLog( tr( "Could not connect to any authentication configuration storage." ), authManTag(), Qgis::MessageLevel::Critical );
  }
  else
  {
    for ( QgsAuthConfigurationStorage *storage : std::as_const( storages ) )
    {
      try
      {
        rows += storage->masterPasswords( ).count();
        // if we successfully queuried at least one storage, the result from this function must be true
        res = true;
      }
      catch ( const QgsNotSupportedException &e )
      {
        // It should not happen because we are checking the capability in advance
        emit messageLog( e.what(), authManTag(), Qgis::MessageLevel::Critical );
      }
    }
  }
 
  return res;
#else
  Q_UNUSED( rows )
  return false;
#endif
}
 
bool QgsAuthManager::masterPasswordHashInDatabase() const
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  if ( isDisabled() )
    return false;
 
  int rows = 0;
  if ( !masterPasswordRowsInDb( rows ) )
  {
    const char *err = QT_TR_NOOP( "Master password: FAILED to access database" );
    QgsDebugError( err );
    emit messageLog( tr( err ), authManTag(), Qgis::MessageLevel::Critical );
 
    return false;
  }
  return ( rows == 1 );
#else
  return false;
#endif
}
 
bool QgsAuthManager::masterPasswordCheckAgainstDb( const QString &compare ) const
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  if ( isDisabled() )
    return false;
 
  // Only check the default DB
  if ( QgsAuthConfigurationStorage *defaultStorage = firstStorageWithCapability( Qgis::AuthConfigurationStorageCapability::ReadMasterPassword ) )
  {
    try
    {
      const QList<QgsAuthConfigurationStorage::MasterPasswordConfig> passwords { defaultStorage->masterPasswords( ) };
      if ( passwords.size() == 0 )
      {
        emit messageLog( tr( "Master password: FAILED to access database" ), authManTag(), Qgis::MessageLevel::Critical );
        return false;
      }
      const QgsAuthConfigurationStorage::MasterPasswordConfig storedPassword { passwords.first() };
      return QgsAuthCrypto::verifyPasswordKeyHash( compare.isNull() ? mMasterPass : compare, storedPassword.salt, storedPassword.hash );
    }
    catch ( const QgsNotSupportedException &e )
    {
      // It should not happen because we are checking the capability in advance
      emit messageLog( e.what(), authManTag(), Qgis::MessageLevel::Critical );
      return false;
    }
 
  }
  else
  {
    emit messageLog( tr( "Could not connect to the default storage." ), authManTag(), Qgis::MessageLevel::Critical );
    return false;
  }
#else
  Q_UNUSED( compare )
  return false;
#endif
}
 
bool QgsAuthManager::masterPasswordStoreInDb() const
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  if ( isDisabled() )
    return false;
 
  QString salt, hash, civ;
  QgsAuthCrypto::passwordKeyHash( mMasterPass, &salt, &hash, &civ );
 
  // Only store in the default DB
  if ( QgsAuthConfigurationStorage *defaultStorage = firstStorageWithCapability( Qgis::AuthConfigurationStorageCapability::CreateMasterPassword ) )
  {
    try
    {
      return defaultStorage->storeMasterPassword( { salt, civ, hash } );
    }
    catch ( const QgsNotSupportedException &e )
    {
      // It should not happen because we are checking the capability in advance
      emit messageLog( e.what(), authManTag(), Qgis::MessageLevel::Critical );
      return false;
    }
  }
  else
  {
    emit messageLog( tr( "Could not connect to the default storage." ), authManTag(), Qgis::MessageLevel::Critical );
    return false;
  }
#else
  return false;
#endif
}
 
bool QgsAuthManager::masterPasswordClearDb()
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  if ( isDisabled() )
    return false;
 
  if ( QgsAuthConfigurationStorage *defaultStorage = firstStorageWithCapability( Qgis::AuthConfigurationStorageCapability::DeleteMasterPassword ) )
  {
 
    try
    {
      return defaultStorage->clearMasterPasswords();
    }
    catch ( const QgsNotSupportedException &e )
    {
      // It should not happen because we are checking the capability in advance
      emit messageLog( e.what(), authManTag(), Qgis::MessageLevel::Critical );
      return false;
    }
 
  }
  else
  {
    emit messageLog( tr( "Could not connect to the default storage." ), authManTag(), Qgis::MessageLevel::Critical );
    return false;
  }
#else
  return false;
#endif
}
 
const QString QgsAuthManager::masterPasswordCiv() const
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  if ( isDisabled() )
    return QString();
 
  if ( QgsAuthConfigurationStorage *defaultStorage = firstStorageWithCapability( Qgis::AuthConfigurationStorageCapability::ReadMasterPassword ) )
  {
    try
    {
      const QList<QgsAuthConfigurationStorage::MasterPasswordConfig> passwords { defaultStorage->masterPasswords( ) };
      if ( passwords.size() == 0 )
      {
        emit messageLog( tr( "Master password: FAILED to access database" ), authManTag(), Qgis::MessageLevel::Critical );
        return  QString();
      }
      return passwords.first().civ;
    }
    catch ( const QgsNotSupportedException &e )
    {
      // It should not happen because we are checking the capability in advance
      emit messageLog( e.what(), authManTag(), Qgis::MessageLevel::Critical );
      return QString();
    }
  }
  else
  {
    emit messageLog( tr( "Could not connect to the default storage." ), authManTag(), Qgis::MessageLevel::Critical );
    return QString();
  }
#else
  return QString();
#endif
}
 
QStringList QgsAuthManager::configIds() const
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QStringList configKeys = QStringList();
 
  if ( isDisabled() )
    return configKeys;
 
  // Loop through all storages with capability ReadConfiguration and get the config ids
  const QList<QgsAuthConfigurationStorage *> storages { authConfigurationStorageRegistry()->readyStoragesWithCapability( Qgis::AuthConfigurationStorageCapability::ReadConfiguration ) };
 
  for ( QgsAuthConfigurationStorage *storage : std::as_const( storages ) )
  {
    try
    {
      const QgsAuthMethodConfigsMap configs = storage->authMethodConfigs();
      // Check if the config ids are already in the list
      for ( auto it = configs.cbegin(); it != configs.cend(); ++it )
      {
        if ( !configKeys.contains( it.key() ) )
        {
          configKeys.append( it.key() );
        }
        else
        {
          emit messageLog( tr( "Config id %1 is already in the list" ).arg( it.key() ), authManTag(), Qgis::MessageLevel::Warning );
        }
      }
    }
    catch ( const QgsNotSupportedException &e )
    {
      // It should not happen because we are checking the capability in advance
      emit messageLog( e.what(), authManTag(), Qgis::MessageLevel::Critical );
    }
  }
 
  return configKeys;
#else
  return QStringList();
#endif
}
 
bool QgsAuthManager::verifyPasswordCanDecryptConfigs() const
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  if ( isDisabled() )
    return false;
 
  // no need to check for setMasterPassword, since this is private and it will be set
 
  // Loop through all storages with capability ReadConfiguration and check if the password can decrypt the configs
  const QList<QgsAuthConfigurationStorage *> storages { authConfigurationStorageRegistry()->readyStoragesWithCapability( Qgis::AuthConfigurationStorageCapability::ReadConfiguration ) };
 
  for ( const QgsAuthConfigurationStorage *storage : std::as_const( storages ) )
  {
 
    if ( ! storage->isEncrypted() )
    {
      continue;
    }
 
    try
    {
      const QgsAuthMethodConfigsMap configs = storage->authMethodConfigsWithPayload();
      for ( auto it = configs.cbegin(); it != configs.cend(); ++it )
      {
        QString configstring( QgsAuthCrypto::decrypt( mMasterPass, masterPasswordCiv(), it.value().config( u"encrypted_payload"_s ) ) );
        if ( configstring.isEmpty() )
        {
          QgsDebugError( u"Verify password can decrypt configs FAILED, could not decrypt a config (id: %1) from storage %2"_s
                         .arg( it.key(), storage->name() ) );
          return false;
        }
      }
    }
    catch ( const QgsNotSupportedException &e )
    {
      // It should not happen because we are checking the capability in advance
      emit messageLog( e.what(), authManTag(), Qgis::MessageLevel::Critical );
      return false;
    }
 
  }
 
  if ( storages.empty() )
  {
    emit messageLog( tr( "Could not connect to any authentication configuration storage." ), authManTag(), Qgis::MessageLevel::Critical );
    return false;
  }
 
  return true;
#else
  return false;
#endif
}
 
bool QgsAuthManager::reencryptAllAuthenticationConfigs( const QString &prevpass, const QString &prevciv )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  if ( isDisabled() )
    return false;
 
  bool res = true;
  const QStringList ids = configIds();
  for ( const auto &configid : ids )
  {
    res = res && reencryptAuthenticationConfig( configid, prevpass, prevciv );
  }
  return res;
#else
  Q_UNUSED( prevpass )
  Q_UNUSED( prevciv )
  return false;
#endif
}
 
bool QgsAuthManager::reencryptAuthenticationConfig( const QString &authcfg, const QString &prevpass, const QString &prevciv )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  if ( isDisabled() )
    return false;
 
  // no need to check for setMasterPassword, since this is private and it will be set
 
  // Loop through all storages with capability ReadConfiguration and reencrypt the config
  const QList<QgsAuthConfigurationStorage *> storages { authConfigurationStorageRegistry()->readyStoragesWithCapability( Qgis::AuthConfigurationStorageCapability::ReadConfiguration ) };
 
  for ( QgsAuthConfigurationStorage *storage : std::as_const( storages ) )
  {
    try
    {
      if ( storage->methodConfigExists( authcfg ) )
      {
        if ( ! storage->isEncrypted() )
        {
          return true;
        }
 
        QString payload;
        const QgsAuthMethodConfig config = storage->loadMethodConfig( authcfg, payload, true );
        if ( payload.isEmpty() || ! config.isValid( true ) )
        {
          QgsDebugError( u"Reencrypt FAILED, could not find config (id: %1)"_s.arg( authcfg ) );
          return false;
        }
 
        QString configstring( QgsAuthCrypto::decrypt( prevpass, prevciv, payload ) );
        if ( configstring.isEmpty() )
        {
          QgsDebugError( u"Reencrypt FAILED, could not decrypt config (id: %1)"_s.arg( authcfg ) );
          return false;
        }
 
        configstring = QgsAuthCrypto::encrypt( mMasterPass, masterPasswordCiv(), configstring );
 
        if ( !storage->storeMethodConfig( config, configstring ) )
        {
          emit messageLog( tr( "Store config: FAILED to store config in default storage: %1" ).arg( storage->lastError() ), authManTag(), Qgis::MessageLevel::Warning );
          return false;
        }
        return true;
      }
    }
    catch ( const QgsNotSupportedException &e )
    {
      // It should not happen because we are checking the capability in advance
      emit messageLog( e.what(), authManTag(), Qgis::MessageLevel::Critical );
      return false;
    }
  }
 
  if ( storages.empty() )
  {
    emit messageLog( tr( "Could not connect to any authentication configuration storage." ), authManTag(), Qgis::MessageLevel::Critical );
  }
  else
  {
    emit messageLog( tr( "Reencrypt FAILED, could not find config (id: %1)" ).arg( authcfg ), authManTag(), Qgis::MessageLevel::Critical );
  }
 
  return false;
#else
  Q_UNUSED( authcfg )
  Q_UNUSED( prevpass )
  Q_UNUSED( prevciv )
  return false;
#endif
}
 
bool QgsAuthManager::reencryptAllAuthenticationSettings( const QString &prevpass, const QString &prevciv )
{
  ensureInitialized();
 
  // TODO: start remove (when function is actually used)
  Q_UNUSED( prevpass )
  Q_UNUSED( prevciv )
  return true;
  // end remove
 
#if 0
  if ( isDisabled() )
    return false;

  // When adding settings that require encryption, add to list //
 
  QStringList encryptedsettings;
  encryptedsettings << "";
 
  for ( const auto & sett, std::as_const( encryptedsettings ) )
  {
    if ( sett.isEmpty() || !existsAuthSetting( sett ) )
      continue;
 
    // no need to check for setMasterPassword, since this is private and it will be set
 
    QSqlQuery query( authDbConnection() );
 
    query.prepare( QStringLiteral( "SELECT value FROM %1 "
                                   "WHERE setting = :setting" ).arg( authDbSettingsTable() ) );
 
    query.bindValue( ":setting", sett );
 
    if ( !authDbQuery( &query ) )
      return false;
 
    if ( !query.isActive() || !query.isSelect() )
    {
      QgsDebugError( u"Reencrypt FAILED, query not active or a select operation for setting: %2"_s.arg( sett ) );
      return false;
    }
 
    if ( query.first() )
    {
      QString settvalue( QgsAuthCrypto::decrypt( prevpass, prevciv, query.value( 0 ).toString() ) );
 
      query.clear();
 
      query.prepare( QStringLiteral( "UPDATE %1 "
                                     "SET value = :value "
                                     "WHERE setting = :setting" ).arg( authDbSettingsTable() ) );
 
      query.bindValue( ":setting", sett );
      query.bindValue( ":value", QgsAuthCrypto::encrypt( mMasterPass, masterPasswordCiv(), settvalue ) );
 
      if ( !authDbStartTransaction() )
        return false;
 
      if ( !authDbQuery( &query ) )
        return false;
 
      if ( !authDbCommit() )
        return false;
 
      QgsDebugMsgLevel( u"Reencrypt SUCCESS for setting: %2"_s.arg( sett ), 2 );
      return true;
    }
    else
    {
      QgsDebugError( u"Reencrypt FAILED, could not find in db setting: %2"_s.arg( sett ) );
      return false;
    }
 
    if ( query.next() )
    {
      QgsDebugError( u"Select contains more than one for setting: %1"_s.arg( sett ) );
      emit messageOut( tr( "Authentication database contains duplicate setting keys" ), authManTag(), WARNING );
    }
 
    return false;
  }
 
  return true;
#endif
}
 
bool QgsAuthManager::reencryptAllAuthenticationIdentities( const QString &prevpass, const QString &prevciv )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  if ( isDisabled() )
    return false;
 
  bool res = true;
  const QStringList ids = certIdentityIds();
  for ( const auto &identid : ids )
  {
    res = res && reencryptAuthenticationIdentity( identid, prevpass, prevciv );
  }
  return res;
#else
  Q_UNUSED( prevpass )
  Q_UNUSED( prevciv )
  return false;
#endif
}
 
bool QgsAuthManager::reencryptAuthenticationIdentity(
  const QString &identid,
  const QString &prevpass,
  const QString &prevciv )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  if ( isDisabled() )
    return false;
 
  // no need to check for setMasterPassword, since this is private and it will be set
 
  // Loop through all storages with capability ReadCertificateIdentity and reencrypt the identity
  const QList<QgsAuthConfigurationStorage *> storages { authConfigurationStorageRegistry()->readyStoragesWithCapability( Qgis::AuthConfigurationStorageCapability::ReadCertificateIdentity ) };
 
 
  for ( QgsAuthConfigurationStorage *storage : std::as_const( storages ) )
  {
 
    try
    {
 
      if ( storage->certIdentityExists( identid ) )
      {
        if ( ! storage->isEncrypted() )
        {
          return true;
        }
 
        const QPair<QSslCertificate, QString> identityBundle = storage->loadCertIdentityBundle( identid );
        QString keystring( QgsAuthCrypto::decrypt( prevpass, prevciv, identityBundle.second ) );
        if ( keystring.isEmpty() )
        {
          QgsDebugError( u"Reencrypt FAILED, could not decrypt identity id: %1"_s.arg( identid ) );
          return false;
        }
 
        keystring = QgsAuthCrypto::encrypt( mMasterPass, masterPasswordCiv(), keystring );
        return storage->storeCertIdentity( identityBundle.first, keystring );
      }
    }
    catch ( const QgsNotSupportedException &e )
    {
      // It should not happen because we are checking the capability in advance
      emit messageLog( e.what(), authManTag(), Qgis::MessageLevel::Critical );
      return false;
    }
  }
 
  if ( storages.empty() )
  {
    emit messageLog( tr( "Could not connect to any authentication configuration storage." ), authManTag(), Qgis::MessageLevel::Critical );
  }
  else
  {
    emit messageLog( tr( "Reencrypt FAILED, could not find identity (id: %1)" ).arg( identid ), authManTag(), Qgis::MessageLevel::Critical );
  }
 
  return false;
#else
  Q_UNUSED( identid )
  Q_UNUSED( prevpass )
  Q_UNUSED( prevciv )
  return false;
#endif
}
 
#ifndef QT_NO_SSL
void QgsAuthManager::insertCaCertInCache( QgsAuthCertUtils::CaCertSource source, const QList<QSslCertificate> &certs )
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  for ( const auto &cert : certs )
  {
    mCaCertsCache.insert( QgsAuthCertUtils::shaHexForCert( cert ),
                          QPair<QgsAuthCertUtils::CaCertSource, QSslCertificate>( source, cert ) );
  }
#else
  Q_UNUSED( source )
  Q_UNUSED( certs )
#endif
}
#endif
 
QString QgsAuthManager::authPasswordHelperKeyName() const
{
#ifdef HAVE_AUTH
  ensureInitialized();
 
  QString dbProfilePath;
 
  // TODO: get the current profile name from the application
 
  if ( isFilesystemBasedDatabase( mAuthDatabaseConnectionUri ) )
  {
    const QFileInfo info( mAuthDatabaseConnectionUri );
    dbProfilePath = info.dir().dirName();
  }
  else
  {
    dbProfilePath = QCryptographicHash::hash( ( mAuthDatabaseConnectionUri.toUtf8() ), QCryptographicHash::Md5 ).toHex();
  }
 
  // if not running from the default profile, ensure that a different key is used
  return AUTH_PASSWORD_HELPER_KEY_NAME_BASE + ( dbProfilePath.compare( "default"_L1, Qt::CaseInsensitive ) == 0 ? QString() : dbProfilePath );
#else
  return QString();
#endif
}
 
QgsAuthConfigurationStorageDb *QgsAuthManager::defaultDbStorage() const
{
#ifdef HAVE_AUTH
  QgsAuthConfigurationStorageRegistry *storageRegistry = authConfigurationStorageRegistry();
  const auto storages = storageRegistry->readyStorages( );
  for ( QgsAuthConfigurationStorage *storage : std::as_const( storages ) )
  {
    if ( qobject_cast<QgsAuthConfigurationStorageDb *>( storage ) )
    {
      return static_cast<QgsAuthConfigurationStorageDb *>( storage );
    }
  }
#endif
  return nullptr;
}
 
QgsAuthConfigurationStorage *QgsAuthManager::firstStorageWithCapability( Qgis::AuthConfigurationStorageCapability capability ) const
{
#ifdef HAVE_AUTH
  QgsAuthConfigurationStorageRegistry *storageRegistry = authConfigurationStorageRegistry();
  return storageRegistry->firstReadyStorageWithCapability( capability );
#else
  Q_UNUSED( capability )
  return nullptr;
#endif
}