QGIS API Documentation 3.43.0-Master (a6cade80589)
qgsauthmanager.h
Go to the documentation of this file.
1/***************************************************************************
2 qgsauthmanager.h
3 ---------------------
4 begin : October 5, 2014
5 copyright : (C) 2014 by Boundless Spatial, Inc. USA
6 author : Larry Shaffer
7 email : lshaffer at boundlessgeo dot com
8 ***************************************************************************
9 * *
10 * This program is free software; you can redistribute it and/or modify *
11 * it under the terms of the GNU General Public License as published by *
12 * the Free Software Foundation; either version 2 of the License, or *
13 * (at your option) any later version. *
14 * *
15 ***************************************************************************/
16
17#ifndef QGSAUTHMANAGER_H
18#define QGSAUTHMANAGER_H
19
20#include "qgis_core.h"
21#include "qgis_sip.h"
22#include <QObject>
23#include <QRecursiveMutex>
24#include <QNetworkReply>
25#include <QNetworkRequest>
26#include <QSqlDatabase>
27#include <QSqlError>
28#include <QSqlQuery>
29#include <QStringList>
30
31#ifndef QT_NO_SSL
32#include <QSslCertificate>
33#include <QSslKey>
34#include <QtCrypto>
35#include "qgsauthcertutils.h"
36#endif
37
38#include "qgsauthconfig.h"
39#include "qgsauthmethod.h"
40
41#if QT_VERSION >= QT_VERSION_CHECK(6, 0, 0)
42#include <qt6keychain/keychain.h>
43#else
44#include <qt5keychain/keychain.h>
45#endif
46
47#ifndef SIP_RUN
48namespace QCA
49{
50 class Initializer;
51}
52#endif
53class QgsAuthMethod;
55class QgsAuthProvider;
58class QTimer;
62
71class CORE_EXPORT QgsAuthManager : public QObject
72{
73 Q_OBJECT
74
75 public:
76
77 static const QgsSettingsEntryBool *settingsGenerateRandomPasswordForPasswordHelper SIP_SKIP;
78 static const QgsSettingsEntryBool *settingsUsingGeneratedRandomPassword SIP_SKIP;
79
82 {
83 INFO = 0,
84 WARNING = 1,
85 CRITICAL = 2
86 };
87 Q_ENUM( MessageLevel )
88
89
98 Q_DECL_DEPRECATED bool init( const QString &pluginPath = QString(), const QString &authDatabasePath = QString() ) SIP_DEPRECATED;
99
110 void setup( const QString &pluginPath = QString(), const QString &authDatabasePath = QString() );
111
119 bool ensureInitialized() const;
120
121 ~QgsAuthManager() override;
122
127 QgsAuthConfigurationStorageRegistry *authConfigurationStorageRegistry() const;
128
134 Q_DECL_DEPRECATED QSqlDatabase authDatabaseConnection() const SIP_DEPRECATED;
135
140 Q_DECL_DEPRECATED const QString authDatabaseConfigTable() const SIP_DEPRECATED { return AUTH_CONFIG_TABLE; }
141
147 const QString methodConfigTableName() const;
148
153 Q_DECL_DEPRECATED const QString authDatabaseServersTable() const SIP_DEPRECATED { return AUTH_SERVERS_TABLE; }
154
155
157 bool isDisabled() const;
158
160 const QString disabledMessage() const;
161
167 Q_DECL_DEPRECATED const QString authenticationDatabasePath() const;
168
172 static bool isFilesystemBasedDatabase( const QString &uri );
173
179 QgsAuthConfigurationStorageDb *defaultDbStorage() const SIP_SKIP;
180
185 const QString authenticationDatabaseUri() const;
186
191 const QString authenticationDatabaseUriStripped() const;
192
200 bool createAndStoreRandomMasterPasswordInKeyChain() SIP_SKIP;
201
207 bool setMasterPassword( bool verify = false );
208
215 bool setMasterPassword( const QString &password, bool verify = false );
216
222 bool verifyMasterPassword( const QString &compare = QString() );
223
225 bool masterPasswordIsSet() const;
226
228 bool masterPasswordHashInDatabase() const;
229
234 void clearMasterPassword() { mMasterPass = QString(); }
235
240 bool masterPasswordSame( const QString &password ) const;
241
251 bool resetMasterPassword( const QString &newpass, const QString &oldpass, bool keepbackup, QString *backuppath SIP_INOUT = nullptr );
252
266 bool resetMasterPasswordUsingStoredPasswordHelper( const QString &newPassword, bool keepBackup, QString *backupPath = nullptr ) SIP_SKIP;
267
272 bool scheduledAuthDatabaseErase() SIP_SKIP { return mScheduledDbErase; }
273
286 void setScheduledAuthDatabaseErase( bool scheduleErase ) SIP_SKIP;
287
296 void setScheduledAuthDatabaseEraseRequestEmitted( bool emitted ) { mScheduledDbEraseRequestEmitted = emitted; }
297
299 QString authManTag() const { return AUTH_MAN_TAG; }
300
302 bool registerCoreAuthMethods();
303
305 QgsAuthMethodConfigsMap availableAuthMethodConfigs( const QString &dataprovider = QString() );
306
308 void updateConfigAuthMethods();
309
314 QgsAuthMethod *configAuthMethod( const QString &authcfg );
315
320 QString configAuthMethodKey( const QString &authcfg ) const;
321
325 QStringList authMethodsKeys( const QString &dataprovider = QString() );
326
331 QgsAuthMethod *authMethod( const QString &authMethodKey );
332
338 const QgsAuthMethodMetadata *authMethodMetadata( const QString &authMethodKey ) SIP_SKIP;
339
345 QgsAuthMethodsMap authMethodsMap( const QString &dataprovider = QString() ) SIP_SKIP;
346
347#ifdef HAVE_GUI
348 SIP_IF_FEATURE( HAVE_GUI )
349
350
355 QWidget *authMethodEditWidget( const QString &authMethodKey, QWidget *parent );
356 SIP_END
357#endif
358
363 QgsAuthMethod::Expansions supportedAuthMethodExpansions( const QString &authcfg );
364
366 const QString uniqueConfigId() const;
367
372 bool configIdUnique( const QString &id ) const;
373
378 static bool hasConfigId( const QString &txt );
379
381 QString configIdRegex() const { return AUTH_CFG_REGEX;}
382
384 QStringList configIds() const;
385
392 bool storeAuthenticationConfig( QgsAuthMethodConfig &mconfig SIP_INOUT, bool overwrite = false );
393
399 bool updateAuthenticationConfig( const QgsAuthMethodConfig &config );
400
408 bool loadAuthenticationConfig( const QString &authcfg, QgsAuthMethodConfig &mconfig SIP_INOUT, bool full = false );
409
415 bool removeAuthenticationConfig( const QString &authcfg );
416
424 bool exportAuthenticationConfigsToXml( const QString &filename, const QStringList &authcfgs, const QString &password = QString() );
425
433 bool importAuthenticationConfigsFromXml( const QString &filename, const QString &password = QString(), bool overwrite = false );
434
439 bool removeAllAuthenticationConfigs();
440
445 bool backupAuthenticationDatabase( QString *backuppath SIP_INOUT = nullptr );
446
453 bool eraseAuthenticationDatabase( bool backup, QString *backuppath SIP_INOUT = nullptr );
454
455
457
465 bool updateNetworkRequest( QNetworkRequest &request SIP_INOUT, const QString &authcfg,
466 const QString &dataprovider = QString() );
467
475 bool updateNetworkReply( QNetworkReply *reply, const QString &authcfg,
476 const QString &dataprovider = QString() );
477
485 bool updateDataSourceUriItems( QStringList &connectionItems SIP_INOUT, const QString &authcfg,
486 const QString &dataprovider = QString() );
487
495 bool updateNetworkProxy( QNetworkProxy &proxy SIP_INOUT, const QString &authcfg,
496 const QString &dataprovider = QString() );
497
499
507 bool storeAuthSetting( const QString &key, const QVariant &value, bool encrypt = false );
508
521 QVariant authSetting( const QString &key, const QVariant &defaultValue = QVariant(), bool decrypt = false );
522
524 bool existsAuthSetting( const QString &key );
525
527 bool removeAuthSetting( const QString &key );
528
529#ifndef QT_NO_SSL
531
533 bool initSslCaches();
534
536 bool storeCertIdentity( const QSslCertificate &cert, const QSslKey &key );
537
543 const QSslCertificate certIdentity( const QString &id );
544
551 const QPair<QSslCertificate, QSslKey> certIdentityBundle( const QString &id ) SIP_SKIP;
552
558 const QStringList certIdentityBundleToPem( const QString &id );
559
564 const QList<QSslCertificate> certIdentities();
565
567
572 QStringList certIdentityIds() const;
573
575 bool existsCertIdentity( const QString &id );
576
578 bool removeCertIdentity( const QString &id );
579
580
582 bool storeSslCertCustomConfig( const QgsAuthConfigSslServer &config );
583
590 const QgsAuthConfigSslServer sslCertCustomConfig( const QString &id, const QString &hostport );
591
597 const QgsAuthConfigSslServer sslCertCustomConfigByHost( const QString &hostport );
598
603 const QList<QgsAuthConfigSslServer> sslCertCustomConfigs();
604
606 bool existsSslCertCustomConfig( const QString &id, const QString &hostport );
607
609 bool removeSslCertCustomConfig( const QString &id, const QString &hostport );
610
616 QHash<QString, QSet<QSslError::SslError> > ignoredSslErrorCache() SIP_SKIP { return mIgnoredSslErrorsCache; }
617
619 void dumpIgnoredSslErrorsCache_();
620
622 bool updateIgnoredSslErrorsCacheFromConfig( const QgsAuthConfigSslServer &config );
623
625 bool updateIgnoredSslErrorsCache( const QString &shahostport, const QList<QSslError> &errors );
626
628 bool rebuildIgnoredSslErrorCache();
629
630
632 bool storeCertAuthorities( const QList<QSslCertificate> &certs );
633
635 bool storeCertAuthority( const QSslCertificate &cert );
636
638
644 const QSslCertificate certAuthority( const QString &id );
645
647 bool existsCertAuthority( const QSslCertificate &cert );
648
650 bool removeCertAuthority( const QSslCertificate &cert );
651
656 static const QList<QSslCertificate> systemRootCAs();
657
662 const QList<QSslCertificate> extraFileCAs();
663
668 const QList<QSslCertificate> databaseCAs();
669
674 const QMap<QString, QSslCertificate> mappedDatabaseCAs();
675
681 const QMap<QString, QPair<QgsAuthCertUtils::CaCertSource, QSslCertificate> > caCertsCache() SIP_SKIP
682 {
683 return mCaCertsCache;
684 }
685
687 bool rebuildCaCertsCache();
688
690 bool storeCertTrustPolicy( const QSslCertificate &cert, QgsAuthCertUtils::CertTrustPolicy policy );
691
697 QgsAuthCertUtils::CertTrustPolicy certTrustPolicy( const QSslCertificate &cert );
698
700 bool removeCertTrustPolicies( const QList<QSslCertificate> &certs );
701
703 bool removeCertTrustPolicy( const QSslCertificate &cert );
704
710 QgsAuthCertUtils::CertTrustPolicy certificateTrustPolicy( const QSslCertificate &cert );
711
713 bool setDefaultCertTrustPolicy( QgsAuthCertUtils::CertTrustPolicy policy );
714
716 QgsAuthCertUtils::CertTrustPolicy defaultCertTrustPolicy();
717
722 const QMap<QgsAuthCertUtils::CertTrustPolicy, QStringList > certTrustCache() { return mCertTrustCache; }
723
725 bool rebuildCertTrustCache();
726
732 const QList<QSslCertificate> trustedCaCerts( bool includeinvalid = false );
733
738 const QList<QSslCertificate> untrustedCaCerts( QList<QSslCertificate> trustedCAs = QList<QSslCertificate>() );
739
741 bool rebuildTrustedCaCertsCache();
742
747 const QList<QSslCertificate> trustedCaCertsCache() { return mTrustedCaCertsCache; }
748
753 const QByteArray trustedCaCertsPemText();
754
755#endif
756
761 const QString passwordHelperErrorMessage() SIP_SKIP { return mPasswordHelperErrorMessage; }
762
767 bool passwordHelperDelete() SIP_SKIP;
768
773 static bool passwordHelperEnabled();
774
779 void setPasswordHelperEnabled( bool enabled );
780
785 static bool passwordHelperLoggingEnabled() SIP_SKIP;
786
791 static void setPasswordHelperLoggingEnabled( bool enabled ) SIP_SKIP;
792
797 bool passwordHelperSync();
798
805 bool verifyStoredPasswordHelperPassword() SIP_SKIP;
806
807 // TODO QGIS 4.0 -- remove
808
814 static const QString AUTH_PASSWORD_HELPER_DISPLAY_NAME;
815
824 static QString passwordHelperDisplayName( bool titleCase = false );
825
827 static const QString AUTH_MAN_TAG;
828
834 QString sqliteDatabasePath() const SIP_SKIP;
835
836 signals:
837
842 void passwordHelperFailure();
843
848 void passwordHelperSuccess();
849
858 Q_DECL_DEPRECATED void messageOut( const QString &message, const QString &tag = QgsAuthManager::AUTH_MAN_TAG, QgsAuthManager::MessageLevel level = QgsAuthManager::INFO ) const SIP_DEPRECATED;
859
868 void messageLog( const QString &message, const QString &tag = QgsAuthManager::AUTH_MAN_TAG, Qgis::MessageLevel level = Qgis::MessageLevel::Info ) const;
869
878 Q_DECL_DEPRECATED void passwordHelperMessageOut( const QString &message, const QString &tag = QgsAuthManager::AUTH_MAN_TAG, QgsAuthManager::MessageLevel level = QgsAuthManager::INFO ) SIP_DEPRECATED;
879
888 void passwordHelperMessageLog( const QString &message, const QString &tag = QgsAuthManager::AUTH_MAN_TAG, Qgis::MessageLevel level = Qgis::MessageLevel::Info );
889
894 void masterPasswordVerified( bool verified );
895
897 void authDatabaseEraseRequested();
898
900 void authDatabaseChanged();
901
902 public slots:
904 void clearAllCachedConfigs();
905
907 void clearCachedConfig( const QString &authcfg );
908
909 private slots:
910 void writeToConsole( const QString &message, const QString &tag = QString(), Qgis::MessageLevel level = Qgis::MessageLevel::Info );
911
921 void tryToStartDbErase();
922
923 protected:
924
929 static QgsAuthManager *instance() SIP_SKIP;
930
931
932#ifdef Q_OS_WIN
933 public:
934 explicit QgsAuthManager() SIP_SKIP;
935#else
936 protected:
937 explicit QgsAuthManager() SIP_SKIP;
938#endif
939
940 private:
941
945 static QString generatePassword();
946
947 bool initPrivate( const QString &pluginPath );
948
950 // Password Helper methods
951
953 QString passwordHelperName() const;
954
956 void passwordHelperLog( const QString &msg ) const;
957
959 QString passwordHelperRead( bool &ok );
960
962 bool passwordHelperWrite( const QString &password );
963
965 void passwordHelperSetErrorMessage( const QString &errorMessage ) { mPasswordHelperErrorMessage = errorMessage; }
966
968 void passwordHelperClearErrors();
969
974 void passwordHelperProcessError();
975
976 bool masterPasswordInput();
977
978 bool masterPasswordRowsInDb( int *rows ) const;
979
980 bool masterPasswordCheckAgainstDb( const QString &compare = QString() ) const;
981
982 bool masterPasswordStoreInDb() const;
983
984 bool masterPasswordClearDb();
985
986 const QString masterPasswordCiv() const;
987
988 bool verifyPasswordCanDecryptConfigs() const;
989
990 bool reencryptAllAuthenticationConfigs( const QString &prevpass, const QString &prevciv );
991
992 bool reencryptAuthenticationConfig( const QString &authcfg, const QString &prevpass, const QString &prevciv );
993
994 bool reencryptAllAuthenticationSettings( const QString &prevpass, const QString &prevciv );
995
996 bool reencryptAllAuthenticationIdentities( const QString &prevpass, const QString &prevciv );
997
998 bool reencryptAuthenticationIdentity( const QString &identid, const QString &prevpass, const QString &prevciv );
999
1000#ifndef QT_NO_SSL
1001 void insertCaCertInCache( QgsAuthCertUtils::CaCertSource source, const QList<QSslCertificate> &certs );
1002#endif
1003
1004 QString authPasswordHelperKeyName() const;
1005
1009 QgsAuthConfigurationStorage *firstStorageWithCapability( Qgis::AuthConfigurationStorageCapability capability ) const;
1010
1011 static QgsAuthManager *sInstance;
1012 static const QString AUTH_CONFIG_TABLE;
1013 static const QString AUTH_SERVERS_TABLE;
1014 static const QString AUTH_CFG_REGEX;
1015
1016 QString mPluginPath;
1017 QString mAuthDatabaseConnectionUri;
1018
1019 mutable bool mLazyInitResult = false;
1020 bool mAuthInit = false;
1021
1022 mutable std::unique_ptr<QgsAuthConfigurationStorageRegistry> mAuthConfigurationStorageRegistry;
1023
1024 std::unique_ptr<QCA::Initializer> mQcaInitializer;
1025
1026 QHash<QString, QString> mConfigAuthMethods;
1027 QHash<QString, QgsAuthMethod *> mAuthMethods;
1028
1029 QString mMasterPass;
1030 int mPassTries = 0;
1031 bool mAuthDisabled = false;
1032 QString mAuthDisabledMessage;
1033 std::unique_ptr<QTimer> mScheduledDbEraseTimer;
1034 bool mScheduledDbErase = false;
1035 int mScheduledDbEraseRequestWait = 3 ; // in seconds
1036 bool mScheduledDbEraseRequestEmitted = false;
1037 int mScheduledDbEraseRequestCount = 0;
1038
1039 std::unique_ptr<QRecursiveMutex> mMutex;
1040 std::unique_ptr<QRecursiveMutex> mMasterPasswordMutex;
1041#ifndef QT_NO_SSL
1042 // mapping of sha1 digest and cert source and cert
1043 // appending removes duplicates
1044 QMap<QString, QPair<QgsAuthCertUtils::CaCertSource, QSslCertificate> > mCaCertsCache;
1045 // list of sha1 digests per policy
1046 QMap<QgsAuthCertUtils::CertTrustPolicy, QStringList > mCertTrustCache;
1047 // cache of certs ready to be utilized in network connections
1048 QList<QSslCertificate> mTrustedCaCertsCache;
1049 // cache of SSL errors to be ignored in network connections, per sha-hostport
1050 QHash<QString, QSet<QSslError::SslError> > mIgnoredSslErrorsCache;
1051
1052 bool mHasCustomConfigByHost = false;
1053 bool mHasCheckedIfCustomConfigByHostExists = false;
1054 QMap< QString, QgsAuthConfigSslServer > mCustomConfigByHostCache;
1055#endif
1056
1058 // Password Helper Variables
1059
1061 bool mPasswordHelperVerificationError = false;
1062
1064 QString mPasswordHelperErrorMessage;
1065
1067 QKeychain::Error mPasswordHelperErrorCode = QKeychain::NoError;
1068
1070 bool mPasswordHelperLoggingEnabled = false;
1071
1073 bool mPasswordHelperFailedInit = false;
1074
1076 static const QLatin1String AUTH_PASSWORD_HELPER_KEY_NAME_BASE;
1077
1079 static const QLatin1String AUTH_PASSWORD_HELPER_FOLDER_NAME;
1080
1081 mutable QMap<QThread *, QMetaObject::Connection> mConnectedThreads;
1082
1083 friend class QgsApplication;
1084
1085};
1086
1087#endif // QGSAUTHMANAGER_H
Provides global constants and enumerations for use throughout the application.
Definition qgis.h:54
AuthConfigurationStorageCapability
Authentication configuration storage capabilities.
Definition qgis.h:100
Extends QApplication to provide access to QGIS specific resources such as theme paths,...
CertTrustPolicy
Type of certificate trust policy.
CaCertSource
Type of CA certificate source.
Configuration container for SSL server connection exceptions or overrides.
QSqlDatabase based implementation of QgsAuthConfigurationStorage.
Registry for authentication configuration storages.
Abstract class that defines the interface for all authentication configuration storage implementation...
Singleton which offers an interface to manage the authentication configuration database and to utiliz...
MessageLevel
Message log level (mirrors that of QgsMessageLog, so it can also output there)
const QList< QSslCertificate > trustedCaCertsCache()
trustedCaCertsCache cache of trusted certificate authorities, ready for network connections
const QMap< QgsAuthCertUtils::CertTrustPolicy, QStringList > certTrustCache()
certTrustCache get cache of certificate sha1s, per trust policy
QString authManTag() const
Simple text tag describing authentication system for message logs.
const QMap< QString, QPair< QgsAuthCertUtils::CaCertSource, QSslCertificate > > caCertsCache()
caCertsCache get all CA certs mapped to their sha1 from cache.
QString configIdRegex() const
Returns the regular expression for authcfg=.{7} key/value token for authentication ids.
void setScheduledAuthDatabaseEraseRequestEmitted(bool emitted)
Re-emit a signal to schedule an optional erase of authentication database.
const QString passwordHelperErrorMessage()
Error message getter.
QHash< QString, QSet< QSslError::SslError > > ignoredSslErrorCache()
ignoredSslErrorCache Get ignored SSL error cache, keyed with cert/connection's sha:host:port.
Q_DECL_DEPRECATED const QString authDatabaseServersTable() const
Name of the authentication database table that stores server exceptions/configs.
Configuration storage class for authentication method configurations.
Abstract base class for the edit widget of authentication method plugins.
Holds data auth method key, description, and associated shared library file information.
Abstract base class for authentication method plugins.
QFlags< Expansion > Expansions
A boolean settings entry.
#define SIP_DEPRECATED
Definition qgis_sip.h:106
#define SIP_SKIP
Definition qgis_sip.h:126
#define SIP_IF_FEATURE(feature)
Definition qgis_sip.h:181
#define SIP_INOUT
Definition qgis_sip.h:71
#define SIP_END
Definition qgis_sip.h:208
QHash< QString, QgsAuthMethodConfig > QgsAuthMethodConfigsMap
QHash< QString, QgsAuthMethod * > QgsAuthMethodsMap