api/qgsauthmanager_8h_source.html

/***************************************************************************

    qgsauthmanager.h

    ---------------------

    begin                : October 5, 2014

    copyright            : (C) 2014 by Boundless Spatial, Inc. USA

    author               : Larry Shaffer

    email                : lshaffer at boundlessgeo dot com

 ***************************************************************************

 *                                                                         *

 *   This program is free software; you can redistribute it and/or modify  *

 *   it under the terms of the GNU General Public License as published by  *

 *   the Free Software Foundation; either version 2 of the License, or     *

 *   (at your option) any later version.                                   *

 *                                                                         *

 ***************************************************************************/


#ifndef QGSAUTHMANAGER_H

#define QGSAUTHMANAGER_H


#include "qgis_core.h"

#include "qgis_sip.h"

#include <QObject>

#include <QRecursiveMutex>

#include <QNetworkReply>

#include <QNetworkRequest>

#include <QSqlDatabase>

#include <QSqlError>

#include <QSqlQuery>

#include <QStringList>


#ifndef QT_NO_SSL

#include <QSslCertificate>

#include <QSslKey>

#include <QtCrypto>

#include "qgsauthcertutils.h"

#endif


#include "qgsauthconfig.h"

#include "qgsauthmethod.h"


// Qt5KeyChain library

#include "keychain.h"


#ifndef SIP_RUN

namespace QCA

{

  class Initializer;

}

#endif

class QgsAuthMethod;

class QgsAuthMethodEdit;

class QgsAuthProvider;

class QgsAuthMethodMetadata;

class QTimer;


class CORE_EXPORT QgsAuthManager : public QObject

{

    Q_OBJECT


  public:


    enum MessageLevel

    {

      INFO = 0,

      WARNING = 1,

      CRITICAL = 2

    };

    Q_ENUM( MessageLevel )


    bool init( const QString &pluginPath = QString(),  const QString &authDatabasePath = QString() );


    ~QgsAuthManager() override;


    QSqlDatabase authDatabaseConnection() const;


    const QString authDatabaseConfigTable() const { return AUTH_CONFIG_TABLE; }


    const QString authDatabaseServersTable() const { return AUTH_SERVERS_TABLE; }


    bool isDisabled() const;


    const QString disabledMessage() const;


    const QString authenticationDatabasePath() const { return mAuthDbPath; }


    bool setMasterPassword( bool verify = false );


    bool setMasterPassword( const QString &pass, bool verify = false );


    bool verifyMasterPassword( const QString &compare = QString() );


    bool masterPasswordIsSet() const;


    bool masterPasswordHashInDatabase() const;


    void clearMasterPassword() { mMasterPass = QString(); }


    bool masterPasswordSame( const QString &pass ) const;


    bool resetMasterPassword( const QString &newpass, const QString &oldpass, bool keepbackup, QString *backuppath SIP_INOUT = nullptr );


    bool scheduledAuthDatabaseErase() { return mScheduledDbErase; } SIP_SKIP


    void setScheduledAuthDatabaseErase( bool scheduleErase ) SIP_SKIP;


    void setScheduledAuthDatabaseEraseRequestEmitted( bool emitted ) { mScheduledDbEraseRequestEmitted = emitted; }


    QString authManTag() const { return AUTH_MAN_TAG; }


    bool registerCoreAuthMethods();


    QgsAuthMethodConfigsMap availableAuthMethodConfigs( const QString &dataprovider = QString() );


    void updateConfigAuthMethods();


    QgsAuthMethod *configAuthMethod( const QString &authcfg );


    QString configAuthMethodKey( const QString &authcfg ) const;


    QStringList authMethodsKeys( const QString &dataprovider = QString() );


    QgsAuthMethod *authMethod( const QString &authMethodKey );


    const QgsAuthMethodMetadata *authMethodMetadata( const QString &authMethodKey ) SIP_SKIP;


    QgsAuthMethodsMap authMethodsMap( const QString &dataprovider = QString() ) SIP_SKIP;


#ifdef HAVE_GUI

    SIP_IF_FEATURE( HAVE_GUI )


    QWidget *authMethodEditWidget( const QString &authMethodKey, QWidget *parent );

    SIP_END

#endif


    QgsAuthMethod::Expansions supportedAuthMethodExpansions( const QString &authcfg );


    const QString uniqueConfigId() const;


    bool configIdUnique( const QString &id ) const;


    bool hasConfigId( const QString &txt ) const;


    QString configIdRegex() const { return AUTH_CFG_REGEX;}


    QStringList configIds() const;


    bool storeAuthenticationConfig( QgsAuthMethodConfig &mconfig SIP_INOUT, bool overwrite = false );


    bool updateAuthenticationConfig( const QgsAuthMethodConfig &config );


    bool loadAuthenticationConfig( const QString &authcfg, QgsAuthMethodConfig &mconfig SIP_INOUT, bool full = false );


    bool removeAuthenticationConfig( const QString &authcfg );


    bool exportAuthenticationConfigsToXml( const QString &filename, const QStringList &authcfgs, const QString &password = QString() );


    bool importAuthenticationConfigsFromXml( const QString &filename, const QString &password = QString(), bool overwrite = false );


    bool removeAllAuthenticationConfigs();


    bool backupAuthenticationDatabase( QString *backuppath SIP_INOUT = nullptr );


    bool eraseAuthenticationDatabase( bool backup, QString *backuppath SIP_INOUT = nullptr );


    bool updateNetworkRequest( QNetworkRequest &request SIP_INOUT, const QString &authcfg,

                               const QString &dataprovider = QString() );


    bool updateNetworkReply( QNetworkReply *reply, const QString &authcfg,

                             const QString &dataprovider = QString() );


    bool updateDataSourceUriItems( QStringList &connectionItems SIP_INOUT, const QString &authcfg,

                                   const QString &dataprovider = QString() );


    bool updateNetworkProxy( QNetworkProxy &proxy SIP_INOUT, const QString &authcfg,

                             const QString &dataprovider = QString() );


    bool storeAuthSetting( const QString &key, const QVariant &value, bool encrypt = false );


    QVariant authSetting( const QString &key, const QVariant &defaultValue = QVariant(), bool decrypt = false );


    bool existsAuthSetting( const QString &key );


    bool removeAuthSetting( const QString &key );


#ifndef QT_NO_SSL


    bool initSslCaches();


    bool storeCertIdentity( const QSslCertificate &cert, const QSslKey &key );


    const QSslCertificate certIdentity( const QString &id );


    const QPair<QSslCertificate, QSslKey> certIdentityBundle( const QString &id ) SIP_SKIP;


    const QStringList certIdentityBundleToPem( const QString &id );


    const QList<QSslCertificate> certIdentities();


    QStringList certIdentityIds() const;


    bool existsCertIdentity( const QString &id );


    bool removeCertIdentity( const QString &id );


    bool storeSslCertCustomConfig( const QgsAuthConfigSslServer &config );


    const QgsAuthConfigSslServer sslCertCustomConfig( const QString &id, const QString &hostport );


    const QgsAuthConfigSslServer sslCertCustomConfigByHost( const QString &hostport );


    const QList<QgsAuthConfigSslServer> sslCertCustomConfigs();


    bool existsSslCertCustomConfig( const QString &id, const QString &hostport );


    bool removeSslCertCustomConfig( const QString &id, const QString &hostport );


    QHash<QString, QSet<QSslError::SslError> > ignoredSslErrorCache() { return mIgnoredSslErrorsCache; } SIP_SKIP


    void dumpIgnoredSslErrorsCache_();


    bool updateIgnoredSslErrorsCacheFromConfig( const QgsAuthConfigSslServer &config );


    bool updateIgnoredSslErrorsCache( const QString &shahostport, const QList<QSslError> &errors );


    bool rebuildIgnoredSslErrorCache();


    bool storeCertAuthorities( const QList<QSslCertificate> &certs );


    bool storeCertAuthority( const QSslCertificate &cert );


    const QSslCertificate certAuthority( const QString &id );


    bool existsCertAuthority( const QSslCertificate &cert );


    bool removeCertAuthority( const QSslCertificate &cert );


    const QList<QSslCertificate> systemRootCAs();


    const QList<QSslCertificate> extraFileCAs();


    const QList<QSslCertificate> databaseCAs();


    const QMap<QString, QSslCertificate> mappedDatabaseCAs();


    const QMap<QString, QPair<QgsAuthCertUtils::CaCertSource, QSslCertificate> > caCertsCache() SIP_SKIP

    {

      return mCaCertsCache;

    }


    bool rebuildCaCertsCache();


    bool storeCertTrustPolicy( const QSslCertificate &cert, QgsAuthCertUtils::CertTrustPolicy policy );


    QgsAuthCertUtils::CertTrustPolicy certTrustPolicy( const QSslCertificate &cert );


    bool removeCertTrustPolicies( const QList<QSslCertificate> &certs );


    bool removeCertTrustPolicy( const QSslCertificate &cert );


    QgsAuthCertUtils::CertTrustPolicy certificateTrustPolicy( const QSslCertificate &cert );


    bool setDefaultCertTrustPolicy( QgsAuthCertUtils::CertTrustPolicy policy );


    QgsAuthCertUtils::CertTrustPolicy defaultCertTrustPolicy();


    const QMap<QgsAuthCertUtils::CertTrustPolicy, QStringList > certTrustCache() { return mCertTrustCache; }


    bool rebuildCertTrustCache();


    const QList<QSslCertificate> trustedCaCerts( bool includeinvalid = false );


    const QList<QSslCertificate> untrustedCaCerts( QList<QSslCertificate> trustedCAs = QList<QSslCertificate>() );


    bool rebuildTrustedCaCertsCache();


    const QList<QSslCertificate> trustedCaCertsCache() { return mTrustedCaCertsCache; }


    const QByteArray trustedCaCertsPemText();


#endif


    const QString passwordHelperErrorMessage() { return mPasswordHelperErrorMessage; } SIP_SKIP


    bool passwordHelperDelete() SIP_SKIP;


    bool passwordHelperEnabled() const;


    void setPasswordHelperEnabled( bool enabled );


    bool passwordHelperLoggingEnabled() const SIP_SKIP;


    void setPasswordHelperLoggingEnabled( bool enabled ) SIP_SKIP;


    bool passwordHelperSync();


    static const QString AUTH_PASSWORD_HELPER_DISPLAY_NAME;


    static const QString AUTH_MAN_TAG;


  signals:


    void passwordHelperFailure();


    void passwordHelperSuccess();


    void messageOut( const QString &message, const QString &tag = QgsAuthManager::AUTH_MAN_TAG, QgsAuthManager::MessageLevel level = QgsAuthManager::INFO ) const;


    void passwordHelperMessageOut( const QString &message, const QString &tag = QgsAuthManager::AUTH_MAN_TAG, QgsAuthManager::MessageLevel level = QgsAuthManager::INFO );


    void masterPasswordVerified( bool verified );


    void authDatabaseEraseRequested();


    void authDatabaseChanged();


  public slots:

    void clearAllCachedConfigs();


    void clearCachedConfig( const QString &authcfg );


  private slots:

    void writeToConsole( const QString &message, const QString &tag = QString(), QgsAuthManager::MessageLevel level = INFO );


    void tryToStartDbErase();


  protected:


    static QgsAuthManager *instance() SIP_SKIP;


#ifdef Q_OS_WIN

  public:

    explicit QgsAuthManager() SIP_SKIP;

#else

  protected:

    explicit QgsAuthManager() SIP_SKIP;

#endif


  private:


    // Password Helper methods


    QString passwordHelperName() const;


    void passwordHelperLog( const QString &msg ) const;


    QString passwordHelperRead();


    bool passwordHelperWrite( const QString &password );


    void passwordHelperSetErrorMessage( const QString &errorMessage ) { mPasswordHelperErrorMessage = errorMessage; }


    void passwordHelperClearErrors();


    void passwordHelperProcessError();


    bool createConfigTables();


    bool createCertTables();


    bool masterPasswordInput();


    bool masterPasswordRowsInDb( int *rows ) const;


    bool masterPasswordCheckAgainstDb( const QString &compare = QString() ) const;


    bool masterPasswordStoreInDb() const;


    bool masterPasswordClearDb();


    const QString masterPasswordCiv() const;


    bool verifyPasswordCanDecryptConfigs() const;


    bool reencryptAllAuthenticationConfigs( const QString &prevpass, const QString &prevciv );


    bool reencryptAuthenticationConfig( const QString &authcfg, const QString &prevpass, const QString &prevciv );


    bool reencryptAllAuthenticationSettings( const QString &prevpass, const QString &prevciv );


    bool reencryptAllAuthenticationIdentities( const QString &prevpass, const QString &prevciv );


    bool reencryptAuthenticationIdentity( const QString &identid, const QString &prevpass, const QString &prevciv );


    bool authDbOpen() const;


    bool authDbQuery( QSqlQuery *query ) const;


    bool authDbStartTransaction() const;


    bool authDbCommit() const;


    bool authDbTransactionQuery( QSqlQuery *query ) const;


#ifndef QT_NO_SSL

    void insertCaCertInCache( QgsAuthCertUtils::CaCertSource source, const QList<QSslCertificate> &certs );

#endif


    const QString authDbPassTable() const { return AUTH_PASS_TABLE; }


    const QString authDbSettingsTable() const { return AUTH_SETTINGS_TABLE; }


    const QString authDbIdentitiesTable() const { return AUTH_IDENTITIES_TABLE; }


    const QString authDbAuthoritiesTable() const { return AUTH_AUTHORITIES_TABLE; }


    const QString authDbTrustTable() const { return AUTH_TRUST_TABLE; }


    static QgsAuthManager *sInstance;

    static const QString AUTH_CONFIG_TABLE;

    static const QString AUTH_PASS_TABLE;

    static const QString AUTH_SETTINGS_TABLE;

    static const QString AUTH_IDENTITIES_TABLE;

    static const QString AUTH_SERVERS_TABLE;

    static const QString AUTH_AUTHORITIES_TABLE;

    static const QString AUTH_TRUST_TABLE;

    static const QString AUTH_CFG_REGEX;


    bool mAuthInit = false;

    QString mAuthDbPath;


    std::unique_ptr<QCA::Initializer> mQcaInitializer;


    QHash<QString, QString> mConfigAuthMethods;

    QHash<QString, QgsAuthMethod *> mAuthMethods;


    QString mMasterPass;

    int mPassTries = 0;

    bool mAuthDisabled = false;

    QString mAuthDisabledMessage;

    QTimer *mScheduledDbEraseTimer = nullptr;

    bool mScheduledDbErase = false;

    int mScheduledDbEraseRequestWait = 3 ; // in seconds

    bool mScheduledDbEraseRequestEmitted = false;

    int mScheduledDbEraseRequestCount = 0;


    std::unique_ptr<QRecursiveMutex> mMutex;

    std::unique_ptr<QRecursiveMutex> mMasterPasswordMutex;

#ifndef QT_NO_SSL

    // mapping of sha1 digest and cert source and cert

    // appending removes duplicates

    QMap<QString, QPair<QgsAuthCertUtils::CaCertSource, QSslCertificate> > mCaCertsCache;

    // list of sha1 digests per policy

    QMap<QgsAuthCertUtils::CertTrustPolicy, QStringList > mCertTrustCache;

    // cache of certs ready to be utilized in network connections

    QList<QSslCertificate> mTrustedCaCertsCache;

    // cache of SSL errors to be ignored in network connections, per sha-hostport

    QHash<QString, QSet<QSslError::SslError> > mIgnoredSslErrorsCache;


    bool mHasCustomConfigByHost = false;

    bool mHasCheckedIfCustomConfigByHostExists = false;

    QMap< QString, QgsAuthConfigSslServer > mCustomConfigByHostCache;

#endif


    // Password Helper Variables


    bool mPasswordHelperVerificationError = false;


    QString mPasswordHelperErrorMessage;


    QKeychain::Error mPasswordHelperErrorCode = QKeychain::NoError;


    bool mPasswordHelperLoggingEnabled = false;


    bool mPasswordHelperFailedInit = false;


    static const QLatin1String AUTH_PASSWORD_HELPER_KEY_NAME;


    static const QLatin1String AUTH_PASSWORD_HELPER_FOLDER_NAME;


    mutable QMap<QThread *, QMetaObject::Connection> mConnectedThreads;


    friend class QgsApplication;


};


#endif // QGSAUTHMANAGER_H

QgsApplication
Extends QApplication to provide access to QGIS specific resources such as theme paths,...
Definition: qgsapplication.h:94

QgsAuthCertUtils::CertTrustPolicy
CertTrustPolicy
Type of certificate trust policy.
Definition: qgsauthcertutils.h:54

QgsAuthCertUtils::CaCertSource
CaCertSource
Type of CA certificate source.
Definition: qgsauthcertutils.h:45

QgsAuthConfigSslServer
Configuration container for SSL server connection exceptions or overrides.
Definition: qgsauthconfig.h:393

QgsAuthManager
Singleton offering an interface to manage the authentication configuration database and to utilize co...
Definition: qgsauthmanager.h:66

QgsAuthManager::authDatabaseServersTable
const QString authDatabaseServersTable() const
Name of the authentication database table that stores server exceptions/configs.
Definition: qgsauthmanager.h:99

QgsAuthManager::MessageLevel
MessageLevel
Message log level (mirrors that of QgsMessageLog, so it can also output there)
Definition: qgsauthmanager.h:73

QgsAuthManager::trustedCaCertsCache
const QList< QSslCertificate > trustedCaCertsCache()
trustedCaCertsCache cache of trusted certificate authorities, ready for network connections
Definition: qgsauthmanager.h:654

QgsAuthManager::certTrustCache
const QMap< QgsAuthCertUtils::CertTrustPolicy, QStringList > certTrustCache()
certTrustCache get cache of certificate sha1s, per trust policy
Definition: qgsauthmanager.h:626

QgsAuthManager::scheduledAuthDatabaseErase
bool scheduledAuthDatabaseErase()
Whether there is a scheduled opitonal erase of authentication database.
Definition: qgsauthmanager.h:168

QgsAuthManager::authenticationDatabasePath
const QString authenticationDatabasePath() const
The standard authentication database file in ~/.qgis3/ or defined location.
Definition: qgsauthmanager.h:112

QgsAuthManager::authManTag
QString authManTag() const
Simple text tag describing authentication system for message logs.
Definition: qgsauthmanager.h:195

QgsAuthManager::caCertsCache
const QMap< QString, QPair< QgsAuthCertUtils::CaCertSource, QSslCertificate > > caCertsCache()
caCertsCache get all CA certs mapped to their sha1 from cache.
Definition: qgsauthmanager.h:582

QgsAuthManager::configIdRegex
QString configIdRegex() const
Returns the regular expression for authcfg=.{7} key/value token for authentication ids.
Definition: qgsauthmanager.h:277

QgsAuthManager::setScheduledAuthDatabaseEraseRequestEmitted
void setScheduledAuthDatabaseEraseRequestEmitted(bool emitted)
Re-emit a signal to schedule an optional erase of authentication database.
Definition: qgsauthmanager.h:192

QgsAuthManager::clearMasterPassword
void clearMasterPassword()
Clear supplied master password.
Definition: qgsauthmanager.h:146

QgsAuthManager::passwordHelperErrorMessage
const QString passwordHelperErrorMessage()
Error message getter.
Definition: qgsauthmanager.h:669

QgsAuthManager::authDatabaseConfigTable
const QString authDatabaseConfigTable() const
Name of the authentication database table that stores configs.
Definition: qgsauthmanager.h:96

QgsAuthManager::ignoredSslErrorCache
QHash< QString, QSet< QSslError::SslError > > ignoredSslErrorCache()
ignoredSslErrorCache Get ignored SSL error cache, keyed with cert/connection's sha:host:port.
Definition: qgsauthmanager.h:511

QgsAuthMethodConfig
Configuration storage class for authentication method configurations.
Definition: qgsauthconfig.h:42

QgsAuthMethodEdit
Abstract base class for the edit widget of authentication method plugins.
Definition: qgsauthmethodedit.h:30

QgsAuthMethodMetadata
Holds data auth method key, description, and associated shared library file information.
Definition: qgsauthmethodmetadata.h:44

QgsAuthMethod
Abstract base class for authentication method plugins.
Definition: qgsauthmethod.h:39

QCA
Definition: qgsauthmanager.h:46

qgis_sip.h

SIP_SKIP
#define SIP_SKIP
Definition: qgis_sip.h:126

SIP_IF_FEATURE
#define SIP_IF_FEATURE(feature)
Definition: qgis_sip.h:176

SIP_INOUT
#define SIP_INOUT
Definition: qgis_sip.h:71

SIP_END
#define SIP_END
Definition: qgis_sip.h:203

qgsauthcertutils.h

qgsauthconfig.h

QgsAuthMethodConfigsMap
QHash< QString, QgsAuthMethodConfig > QgsAuthMethodConfigsMap
Definition: qgsauthconfig.h:200

qgsauthmethod.h

QgsAuthMethodsMap
QHash< QString, QgsAuthMethod * > QgsAuthMethodsMap
Definition: qgsauthmethod.h:209