QGIS API Documentation 3.35.0-Master (ffb31addd7f)
Loading...
Searching...
No Matches
qgsauthmanager.h
Go to the documentation of this file.
1/***************************************************************************
2 qgsauthmanager.h
3 ---------------------
4 begin : October 5, 2014
5 copyright : (C) 2014 by Boundless Spatial, Inc. USA
6 author : Larry Shaffer
7 email : lshaffer at boundlessgeo dot com
8 ***************************************************************************
9 * *
10 * This program is free software; you can redistribute it and/or modify *
11 * it under the terms of the GNU General Public License as published by *
12 * the Free Software Foundation; either version 2 of the License, or *
13 * (at your option) any later version. *
14 * *
15 ***************************************************************************/
16
17#ifndef QGSAUTHMANAGER_H
18#define QGSAUTHMANAGER_H
19
20#include "qgis_core.h"
21#include "qgis_sip.h"
22#include <QObject>
23#include <QRecursiveMutex>
24#include <QNetworkReply>
25#include <QNetworkRequest>
26#include <QSqlDatabase>
27#include <QSqlError>
28#include <QSqlQuery>
29#include <QStringList>
30
31#ifndef QT_NO_SSL
32#include <QSslCertificate>
33#include <QSslKey>
34#include <QtCrypto>
35#include "qgsauthcertutils.h"
36#endif
37
38#include "qgsauthconfig.h"
39#include "qgsauthmethod.h"
40
41// Qt5KeyChain library
42#include "keychain.h"
43
44#ifndef SIP_RUN
45namespace QCA
46{
47 class Initializer;
48}
49#endif
50class QgsAuthMethod;
52class QgsAuthProvider;
54class QTimer;
55
56
65class CORE_EXPORT QgsAuthManager : public QObject
66{
67 Q_OBJECT
68
69 public:
70
73 {
74 INFO = 0,
75 WARNING = 1,
76 CRITICAL = 2
77 };
78 Q_ENUM( MessageLevel )
79
80
88 bool init( const QString &pluginPath = QString(), const QString &authDatabasePath = QString() );
89
90 ~QgsAuthManager() override;
91
93 QSqlDatabase authDatabaseConnection() const;
94
96 const QString authDatabaseConfigTable() const { return AUTH_CONFIG_TABLE; }
97
99 const QString authDatabaseServersTable() const { return AUTH_SERVERS_TABLE; }
100
101
103 bool isDisabled() const;
104
106 const QString disabledMessage() const;
107
112 const QString authenticationDatabasePath() const { return mAuthDbPath; }
113
119 bool setMasterPassword( bool verify = false );
120
127 bool setMasterPassword( const QString &pass, bool verify = false );
128
134 bool verifyMasterPassword( const QString &compare = QString() );
135
137 bool masterPasswordIsSet() const;
138
140 bool masterPasswordHashInDatabase() const;
141
146 void clearMasterPassword() { mMasterPass = QString(); }
147
152 bool masterPasswordSame( const QString &pass ) const;
153
162 bool resetMasterPassword( const QString &newpass, const QString &oldpass, bool keepbackup, QString *backuppath SIP_INOUT = nullptr );
163
168 bool scheduledAuthDatabaseErase() { return mScheduledDbErase; } SIP_SKIP
169
182 void setScheduledAuthDatabaseErase( bool scheduleErase ) SIP_SKIP;
183
192 void setScheduledAuthDatabaseEraseRequestEmitted( bool emitted ) { mScheduledDbEraseRequestEmitted = emitted; }
193
195 QString authManTag() const { return AUTH_MAN_TAG; }
196
198 bool registerCoreAuthMethods();
199
201 QgsAuthMethodConfigsMap availableAuthMethodConfigs( const QString &dataprovider = QString() );
202
204 void updateConfigAuthMethods();
205
210 QgsAuthMethod *configAuthMethod( const QString &authcfg );
211
216 QString configAuthMethodKey( const QString &authcfg ) const;
217
221 QStringList authMethodsKeys( const QString &dataprovider = QString() );
222
227 QgsAuthMethod *authMethod( const QString &authMethodKey );
228
234 const QgsAuthMethodMetadata *authMethodMetadata( const QString &authMethodKey ) SIP_SKIP;
235
241 QgsAuthMethodsMap authMethodsMap( const QString &dataprovider = QString() ) SIP_SKIP;
242
243#ifdef HAVE_GUI
244 SIP_IF_FEATURE( HAVE_GUI )
245
246
251 QWidget *authMethodEditWidget( const QString &authMethodKey, QWidget *parent );
252 SIP_END
253#endif
254
259 QgsAuthMethod::Expansions supportedAuthMethodExpansions( const QString &authcfg );
260
262 const QString uniqueConfigId() const;
263
268 bool configIdUnique( const QString &id ) const;
269
274 bool hasConfigId( const QString &txt ) const;
275
277 QString configIdRegex() const { return AUTH_CFG_REGEX;}
278
280 QStringList configIds() const;
281
288 bool storeAuthenticationConfig( QgsAuthMethodConfig &mconfig SIP_INOUT, bool overwrite = false );
289
295 bool updateAuthenticationConfig( const QgsAuthMethodConfig &config );
296
304 bool loadAuthenticationConfig( const QString &authcfg, QgsAuthMethodConfig &mconfig SIP_INOUT, bool full = false );
305
311 bool removeAuthenticationConfig( const QString &authcfg );
312
320 bool exportAuthenticationConfigsToXml( const QString &filename, const QStringList &authcfgs, const QString &password = QString() );
321
329 bool importAuthenticationConfigsFromXml( const QString &filename, const QString &password = QString(), bool overwrite = false );
330
335 bool removeAllAuthenticationConfigs();
336
341 bool backupAuthenticationDatabase( QString *backuppath SIP_INOUT = nullptr );
342
349 bool eraseAuthenticationDatabase( bool backup, QString *backuppath SIP_INOUT = nullptr );
350
351
353
361 bool updateNetworkRequest( QNetworkRequest &request SIP_INOUT, const QString &authcfg,
362 const QString &dataprovider = QString() );
363
371 bool updateNetworkReply( QNetworkReply *reply, const QString &authcfg,
372 const QString &dataprovider = QString() );
373
381 bool updateDataSourceUriItems( QStringList &connectionItems SIP_INOUT, const QString &authcfg,
382 const QString &dataprovider = QString() );
383
391 bool updateNetworkProxy( QNetworkProxy &proxy SIP_INOUT, const QString &authcfg,
392 const QString &dataprovider = QString() );
393
395
397 bool storeAuthSetting( const QString &key, const QVariant &value, bool encrypt = false );
398
407 QVariant authSetting( const QString &key, const QVariant &defaultValue = QVariant(), bool decrypt = false );
408
410 bool existsAuthSetting( const QString &key );
411
413 bool removeAuthSetting( const QString &key );
414
415#ifndef QT_NO_SSL
417
419 bool initSslCaches();
420
422 bool storeCertIdentity( const QSslCertificate &cert, const QSslKey &key );
423
430 const QSslCertificate certIdentity( const QString &id );
431
439 const QPair<QSslCertificate, QSslKey> certIdentityBundle( const QString &id ) SIP_SKIP;
440
447 const QStringList certIdentityBundleToPem( const QString &id );
448
454 const QList<QSslCertificate> certIdentities();
455
457
463 QStringList certIdentityIds() const;
464
466 bool existsCertIdentity( const QString &id );
467
469 bool removeCertIdentity( const QString &id );
470
471
473 bool storeSslCertCustomConfig( const QgsAuthConfigSslServer &config );
474
482 const QgsAuthConfigSslServer sslCertCustomConfig( const QString &id, const QString &hostport );
483
490 const QgsAuthConfigSslServer sslCertCustomConfigByHost( const QString &hostport );
491
497 const QList<QgsAuthConfigSslServer> sslCertCustomConfigs();
498
500 bool existsSslCertCustomConfig( const QString &id, const QString &hostport );
501
503 bool removeSslCertCustomConfig( const QString &id, const QString &hostport );
504
511 QHash<QString, QSet<QSslError::SslError> > ignoredSslErrorCache() { return mIgnoredSslErrorsCache; } SIP_SKIP
512
514 void dumpIgnoredSslErrorsCache_();
515
517 bool updateIgnoredSslErrorsCacheFromConfig( const QgsAuthConfigSslServer &config );
518
520 bool updateIgnoredSslErrorsCache( const QString &shahostport, const QList<QSslError> &errors );
521
523 bool rebuildIgnoredSslErrorCache();
524
525
527 bool storeCertAuthorities( const QList<QSslCertificate> &certs );
528
530 bool storeCertAuthority( const QSslCertificate &cert );
531
533
540 const QSslCertificate certAuthority( const QString &id );
541
543 bool existsCertAuthority( const QSslCertificate &cert );
544
546 bool removeCertAuthority( const QSslCertificate &cert );
547
553 const QList<QSslCertificate> systemRootCAs();
554
560 const QList<QSslCertificate> extraFileCAs();
561
567 const QList<QSslCertificate> databaseCAs();
568
574 const QMap<QString, QSslCertificate> mappedDatabaseCAs();
575
582 const QMap<QString, QPair<QgsAuthCertUtils::CaCertSource, QSslCertificate> > caCertsCache() SIP_SKIP
583 {
584 return mCaCertsCache;
585 }
586
588 bool rebuildCaCertsCache();
589
591 bool storeCertTrustPolicy( const QSslCertificate &cert, QgsAuthCertUtils::CertTrustPolicy policy );
592
599 QgsAuthCertUtils::CertTrustPolicy certTrustPolicy( const QSslCertificate &cert );
600
602 bool removeCertTrustPolicies( const QList<QSslCertificate> &certs );
603
605 bool removeCertTrustPolicy( const QSslCertificate &cert );
606
613 QgsAuthCertUtils::CertTrustPolicy certificateTrustPolicy( const QSslCertificate &cert );
614
616 bool setDefaultCertTrustPolicy( QgsAuthCertUtils::CertTrustPolicy policy );
617
619 QgsAuthCertUtils::CertTrustPolicy defaultCertTrustPolicy();
620
626 const QMap<QgsAuthCertUtils::CertTrustPolicy, QStringList > certTrustCache() { return mCertTrustCache; }
627
629 bool rebuildCertTrustCache();
630
637 const QList<QSslCertificate> trustedCaCerts( bool includeinvalid = false );
638
644 const QList<QSslCertificate> untrustedCaCerts( QList<QSslCertificate> trustedCAs = QList<QSslCertificate>() );
645
647 bool rebuildTrustedCaCertsCache();
648
654 const QList<QSslCertificate> trustedCaCertsCache() { return mTrustedCaCertsCache; }
655
661 const QByteArray trustedCaCertsPemText();
662
663#endif
664
669 const QString passwordHelperErrorMessage() { return mPasswordHelperErrorMessage; } SIP_SKIP
670
675 bool passwordHelperDelete() SIP_SKIP;
676
681 bool passwordHelperEnabled() const;
682
687 void setPasswordHelperEnabled( bool enabled );
688
693 bool passwordHelperLoggingEnabled() const SIP_SKIP;
694
699 void setPasswordHelperLoggingEnabled( bool enabled ) SIP_SKIP;
700
705 bool passwordHelperSync();
706
708 static const QString AUTH_PASSWORD_HELPER_DISPLAY_NAME;
709
711 static const QString AUTH_MAN_TAG;
712
713 signals:
714
719 void passwordHelperFailure();
720
725 void passwordHelperSuccess();
726
734 void messageOut( const QString &message, const QString &tag = QgsAuthManager::AUTH_MAN_TAG, QgsAuthManager::MessageLevel level = QgsAuthManager::INFO ) const;
735
743 void passwordHelperMessageOut( const QString &message, const QString &tag = QgsAuthManager::AUTH_MAN_TAG, QgsAuthManager::MessageLevel level = QgsAuthManager::INFO );
744
745
750 void masterPasswordVerified( bool verified );
751
753 void authDatabaseEraseRequested();
754
756 void authDatabaseChanged();
757
758 public slots:
760 void clearAllCachedConfigs();
761
763 void clearCachedConfig( const QString &authcfg );
764
765 private slots:
766 void writeToConsole( const QString &message, const QString &tag = QString(), QgsAuthManager::MessageLevel level = INFO );
767
777 void tryToStartDbErase();
778
779 protected:
780
785 static QgsAuthManager *instance() SIP_SKIP;
786
787
788#ifdef Q_OS_WIN
789 public:
790 explicit QgsAuthManager() SIP_SKIP;
791#else
792 protected:
793 explicit QgsAuthManager() SIP_SKIP;
794#endif
795
796 private:
797
799 // Password Helper methods
800
802 QString passwordHelperName() const;
803
805 void passwordHelperLog( const QString &msg ) const;
806
808 QString passwordHelperRead();
809
811 bool passwordHelperWrite( const QString &password );
812
814 void passwordHelperSetErrorMessage( const QString &errorMessage ) { mPasswordHelperErrorMessage = errorMessage; }
815
817 void passwordHelperClearErrors();
818
823 void passwordHelperProcessError();
824
825 bool createConfigTables();
826
827 bool createCertTables();
828
829 bool masterPasswordInput();
830
831 bool masterPasswordRowsInDb( int *rows ) const;
832
833 bool masterPasswordCheckAgainstDb( const QString &compare = QString() ) const;
834
835 bool masterPasswordStoreInDb() const;
836
837 bool masterPasswordClearDb();
838
839 const QString masterPasswordCiv() const;
840
841 bool verifyPasswordCanDecryptConfigs() const;
842
843 bool reencryptAllAuthenticationConfigs( const QString &prevpass, const QString &prevciv );
844
845 bool reencryptAuthenticationConfig( const QString &authcfg, const QString &prevpass, const QString &prevciv );
846
847 bool reencryptAllAuthenticationSettings( const QString &prevpass, const QString &prevciv );
848
849 bool reencryptAllAuthenticationIdentities( const QString &prevpass, const QString &prevciv );
850
851 bool reencryptAuthenticationIdentity( const QString &identid, const QString &prevpass, const QString &prevciv );
852
853 bool authDbOpen() const;
854
855 bool authDbQuery( QSqlQuery *query ) const;
856
857 bool authDbStartTransaction() const;
858
859 bool authDbCommit() const;
860
861 bool authDbTransactionQuery( QSqlQuery *query ) const;
862
863#ifndef QT_NO_SSL
864 void insertCaCertInCache( QgsAuthCertUtils::CaCertSource source, const QList<QSslCertificate> &certs );
865#endif
866
867 const QString authDbPassTable() const { return AUTH_PASS_TABLE; }
868
869 const QString authDbSettingsTable() const { return AUTH_SETTINGS_TABLE; }
870
871 const QString authDbIdentitiesTable() const { return AUTH_IDENTITIES_TABLE; }
872
873 const QString authDbAuthoritiesTable() const { return AUTH_AUTHORITIES_TABLE; }
874
875 const QString authDbTrustTable() const { return AUTH_TRUST_TABLE; }
876
877 QString authPasswordHelperKeyName() const;
878
879 static QgsAuthManager *sInstance;
880 static const QString AUTH_CONFIG_TABLE;
881 static const QString AUTH_PASS_TABLE;
882 static const QString AUTH_SETTINGS_TABLE;
883 static const QString AUTH_IDENTITIES_TABLE;
884 static const QString AUTH_SERVERS_TABLE;
885 static const QString AUTH_AUTHORITIES_TABLE;
886 static const QString AUTH_TRUST_TABLE;
887 static const QString AUTH_CFG_REGEX;
888
889 bool mAuthInit = false;
890 QString mAuthDbPath;
891
892 std::unique_ptr<QCA::Initializer> mQcaInitializer;
893
894 QHash<QString, QString> mConfigAuthMethods;
895 QHash<QString, QgsAuthMethod *> mAuthMethods;
896
897 QString mMasterPass;
898 int mPassTries = 0;
899 bool mAuthDisabled = false;
900 QString mAuthDisabledMessage;
901 QTimer *mScheduledDbEraseTimer = nullptr;
902 bool mScheduledDbErase = false;
903 int mScheduledDbEraseRequestWait = 3 ; // in seconds
904 bool mScheduledDbEraseRequestEmitted = false;
905 int mScheduledDbEraseRequestCount = 0;
906
907 std::unique_ptr<QRecursiveMutex> mMutex;
908 std::unique_ptr<QRecursiveMutex> mMasterPasswordMutex;
909#ifndef QT_NO_SSL
910 // mapping of sha1 digest and cert source and cert
911 // appending removes duplicates
912 QMap<QString, QPair<QgsAuthCertUtils::CaCertSource, QSslCertificate> > mCaCertsCache;
913 // list of sha1 digests per policy
914 QMap<QgsAuthCertUtils::CertTrustPolicy, QStringList > mCertTrustCache;
915 // cache of certs ready to be utilized in network connections
916 QList<QSslCertificate> mTrustedCaCertsCache;
917 // cache of SSL errors to be ignored in network connections, per sha-hostport
918 QHash<QString, QSet<QSslError::SslError> > mIgnoredSslErrorsCache;
919
920 bool mHasCustomConfigByHost = false;
921 bool mHasCheckedIfCustomConfigByHostExists = false;
922 QMap< QString, QgsAuthConfigSslServer > mCustomConfigByHostCache;
923#endif
924
926 // Password Helper Variables
927
929 bool mPasswordHelperVerificationError = false;
930
932 QString mPasswordHelperErrorMessage;
933
935 QKeychain::Error mPasswordHelperErrorCode = QKeychain::NoError;
936
938 bool mPasswordHelperLoggingEnabled = false;
939
941 bool mPasswordHelperFailedInit = false;
942
944 static const QLatin1String AUTH_PASSWORD_HELPER_KEY_NAME_BASE;
945
947 static const QLatin1String AUTH_PASSWORD_HELPER_FOLDER_NAME;
948
949 mutable QMap<QThread *, QMetaObject::Connection> mConnectedThreads;
950
951 friend class QgsApplication;
952
953};
954
955#endif // QGSAUTHMANAGER_H
Extends QApplication to provide access to QGIS specific resources such as theme paths,...
CertTrustPolicy
Type of certificate trust policy.
CaCertSource
Type of CA certificate source.
Configuration container for SSL server connection exceptions or overrides.
Singleton offering an interface to manage the authentication configuration database and to utilize co...
const QString authDatabaseServersTable() const
Name of the authentication database table that stores server exceptions/configs.
MessageLevel
Message log level (mirrors that of QgsMessageLog, so it can also output there)
const QList< QSslCertificate > trustedCaCertsCache()
trustedCaCertsCache cache of trusted certificate authorities, ready for network connections
const QMap< QgsAuthCertUtils::CertTrustPolicy, QStringList > certTrustCache()
certTrustCache get cache of certificate sha1s, per trust policy
bool scheduledAuthDatabaseErase()
Whether there is a scheduled opitonal erase of authentication database.
const QString authenticationDatabasePath() const
The standard authentication database file in ~/.qgis3/ or defined location.
QString authManTag() const
Simple text tag describing authentication system for message logs.
const QMap< QString, QPair< QgsAuthCertUtils::CaCertSource, QSslCertificate > > caCertsCache()
caCertsCache get all CA certs mapped to their sha1 from cache.
QString configIdRegex() const
Returns the regular expression for authcfg=.{7} key/value token for authentication ids.
void setScheduledAuthDatabaseEraseRequestEmitted(bool emitted)
Re-emit a signal to schedule an optional erase of authentication database.
void clearMasterPassword()
Clear supplied master password.
const QString passwordHelperErrorMessage()
Error message getter.
const QString authDatabaseConfigTable() const
Name of the authentication database table that stores configs.
QHash< QString, QSet< QSslError::SslError > > ignoredSslErrorCache()
ignoredSslErrorCache Get ignored SSL error cache, keyed with cert/connection's sha:host:port.
Configuration storage class for authentication method configurations.
Abstract base class for the edit widget of authentication method plugins.
Holds data auth method key, description, and associated shared library file information.
Abstract base class for authentication method plugins.
#define SIP_SKIP
Definition qgis_sip.h:126
#define SIP_IF_FEATURE(feature)
Definition qgis_sip.h:176
#define SIP_INOUT
Definition qgis_sip.h:71
#define SIP_END
Definition qgis_sip.h:203
QHash< QString, QgsAuthMethodConfig > QgsAuthMethodConfigsMap
QHash< QString, QgsAuthMethod * > QgsAuthMethodsMap