QGIS API Documentation  2.14.0-Essen
qgsauthmanager.h
Go to the documentation of this file.
1 /***************************************************************************
2  qgsauthmanager.h
3  ---------------------
4  begin : October 5, 2014
5  copyright : (C) 2014 by Boundless Spatial, Inc. USA
6  author : Larry Shaffer
7  email : lshaffer at boundlessgeo dot com
8  ***************************************************************************
9  * *
10  * This program is free software; you can redistribute it and/or modify *
11  * it under the terms of the GNU General Public License as published by *
12  * the Free Software Foundation; either version 2 of the License, or *
13  * (at your option) any later version. *
14  * *
15  ***************************************************************************/
16 
17 #ifndef QGSAUTHMANAGER_H
18 #define QGSAUTHMANAGER_H
19 
20 #include <QObject>
21 #include <QMutex>
22 #include <QNetworkReply>
23 #include <QNetworkRequest>
24 #include <QSqlDatabase>
25 #include <QSqlError>
26 #include <QSqlQuery>
27 #include <QStringList>
28 
29 #ifndef QT_NO_OPENSSL
30 #include <QSslCertificate>
31 #include <QSslKey>
32 #include <QtCrypto>
33 #include "qgsauthcertutils.h"
34 #endif
35 
36 #include "qgsauthconfig.h"
37 #include "qgsauthmethod.h"
38 #include "qgsdatasourceuri.h"
39 
40 namespace QCA
41 {
42  class Initializer;
43 }
44 class QgsAuthMethod;
45 class QgsAuthMethodEdit;
46 class QgsAuthProvider;
47 class QTimer;
48 
49 
54 class CORE_EXPORT QgsAuthManager : public QObject
55 {
56  Q_OBJECT
57  Q_ENUMS( MessageLevel )
58 
59  public:
60 
63  {
64  INFO = 0,
65  WARNING = 1,
66  CRITICAL = 2
67  };
68 
72  static QgsAuthManager *instance();
73 
74  ~QgsAuthManager();
75 
77  QSqlDatabase authDbConnection() const;
78 
80  const QString authDbConfigTable() const { return smAuthConfigTable; }
81 
83  const QString authDbServersTable() const { return smAuthServersTable; }
84 
86  bool init( const QString& pluginPath = QString::null );
87 
89  bool isDisabled() const;
90 
92  const QString disabledMessage() const;
93 
97  const QString authenticationDbPath() const { return mAuthDbPath; }
98 
103  bool setMasterPassword( bool verify = false );
104 
110  bool setMasterPassword( const QString& pass, bool verify = false );
111 
116  bool verifyMasterPassword( const QString &compare = QString::null );
117 
119  bool masterPasswordIsSet() const;
120 
122  bool masterPasswordHashInDb() const;
123 
127  void clearMasterPassword() { mMasterPass = QString(); }
128 
132  bool masterPasswordSame( const QString& pass ) const;
133 
141  bool resetMasterPassword( const QString& newpass, const QString& oldpass, bool keepbackup, QString *backuppath = nullptr );
142 
146  bool scheduledAuthDbErase() { return mScheduledDbErase; }
147 
159  void setScheduledAuthDbErase( bool scheduleErase );
160 
168  void setScheduledAuthDbEraseRequestEmitted( bool emitted ) { mScheduledDbEraseRequestEmitted = emitted; }
169 
171  QString authManTag() const { return smAuthManTag; }
172 
174  bool registerCoreAuthMethods();
175 
177  QgsAuthMethodConfigsMap availableAuthMethodConfigs( const QString &dataprovider = QString() );
178 
180  void updateConfigAuthMethods();
181 
186  QgsAuthMethod *configAuthMethod( const QString& authcfg );
187 
192  QString configAuthMethodKey( const QString& authcfg ) const;
193 
197  QStringList authMethodsKeys( const QString &dataprovider = QString() );
198 
203  QgsAuthMethod *authMethod( const QString &authMethodKey );
204 
210  QgsAuthMethodsMap authMethodsMap( const QString &dataprovider = QString() );
211 
217  QWidget *authMethodEditWidget( const QString &authMethodKey, QWidget *parent );
218 
223  QgsAuthMethod::Expansions supportedAuthMethodExpansions( const QString &authcfg );
224 
226  const QString uniqueConfigId() const;
227 
232  bool configIdUnique( const QString &id ) const;
233 
238  bool hasConfigId( const QString &txt ) const;
239 
241  QString configIdRegex() const { return smAuthCfgRegex;}
242 
244  QStringList configIds() const;
245 
251  bool storeAuthenticationConfig( QgsAuthMethodConfig &mconfig );
252 
258  bool updateAuthenticationConfig( const QgsAuthMethodConfig& config );
259 
267  bool loadAuthenticationConfig( const QString& authcfg, QgsAuthMethodConfig &mconfig, bool full = false );
268 
274  bool removeAuthenticationConfig( const QString& authcfg );
275 
280  bool removeAllAuthenticationConfigs();
281 
286  bool backupAuthenticationDatabase( QString *backuppath = nullptr );
287 
294  bool eraseAuthenticationDatabase( bool backup, QString *backuppath = nullptr );
295 
296 
298 
306  bool updateNetworkRequest( QNetworkRequest &request, const QString& authcfg,
307  const QString &dataprovider = QString() );
308 
316  bool updateNetworkReply( QNetworkReply *reply, const QString& authcfg,
317  const QString &dataprovider = QString() );
318 
326  bool updateDataSourceUriItems( QStringList &connectionItems, const QString& authcfg,
327  const QString &dataprovider = QString() );
328 
330 
332  bool storeAuthSetting( const QString& key, const QVariant& value, bool encrypt = false );
333 
335  QVariant getAuthSetting( const QString& key, const QVariant& defaultValue = QVariant(), bool decrypt = false );
336 
338  bool existsAuthSetting( const QString& key );
339 
341  bool removeAuthSetting( const QString& key );
342 
343 #ifndef QT_NO_OPENSSL
344 
347  bool initSslCaches();
348 
350  bool storeCertIdentity( const QSslCertificate& cert, const QSslKey& key );
351 
353  const QSslCertificate getCertIdentity( const QString& id );
354 
358  const QPair<QSslCertificate, QSslKey> getCertIdentityBundle( const QString& id );
359 
361  const QStringList getCertIdentityBundleToPem( const QString& id );
362 
364  const QList<QSslCertificate> getCertIdentities();
365 
367  QStringList getCertIdentityIds() const;
368 
370  bool existsCertIdentity( const QString& id );
371 
373  bool removeCertIdentity( const QString& id );
374 
375 
377  bool storeSslCertCustomConfig( const QgsAuthConfigSslServer& config );
378 
380  const QgsAuthConfigSslServer getSslCertCustomConfig( const QString& id, const QString &hostport );
381 
383  const QgsAuthConfigSslServer getSslCertCustomConfigByHost( const QString& hostport );
384 
386  const QList<QgsAuthConfigSslServer> getSslCertCustomConfigs();
387 
389  bool existsSslCertCustomConfig( const QString& id, const QString &hostport );
390 
392  bool removeSslCertCustomConfig( const QString& id, const QString &hostport );
393 
398 
400  void dumpIgnoredSslErrorsCache_();
401 
403  bool updateIgnoredSslErrorsCacheFromConfig( const QgsAuthConfigSslServer &config );
404 
406  bool updateIgnoredSslErrorsCache( const QString &shahostport, const QList<QSslError> &errors );
407 
409  bool rebuildIgnoredSslErrorCache();
410 
411 
413  bool storeCertAuthorities( const QList<QSslCertificate>& certs );
414 
416  bool storeCertAuthority( const QSslCertificate& cert );
417 
419  const QSslCertificate getCertAuthority( const QString& id );
420 
422  bool existsCertAuthority( const QSslCertificate& cert );
423 
425  bool removeCertAuthority( const QSslCertificate& cert );
426 
428  const QList<QSslCertificate> getSystemRootCAs();
429 
431  const QList<QSslCertificate> getExtraFileCAs();
432 
434  const QList<QSslCertificate> getDatabaseCAs();
435 
437  const QMap<QString, QSslCertificate> getMappedDatabaseCAs();
438 
443  {
444  return mCaCertsCache;
445  }
446 
448  bool rebuildCaCertsCache();
449 
451  bool storeCertTrustPolicy( const QSslCertificate& cert, QgsAuthCertUtils::CertTrustPolicy policy );
452 
456  QgsAuthCertUtils::CertTrustPolicy getCertTrustPolicy( const QSslCertificate& cert );
457 
459  bool removeCertTrustPolicies( const QList<QSslCertificate>& certs );
460 
462  bool removeCertTrustPolicy( const QSslCertificate& cert );
463 
465  QgsAuthCertUtils::CertTrustPolicy getCertificateTrustPolicy( const QSslCertificate& cert );
466 
468  bool setDefaultCertTrustPolicy( QgsAuthCertUtils::CertTrustPolicy policy );
469 
471  QgsAuthCertUtils::CertTrustPolicy defaultCertTrustPolicy();
472 
475 
477  bool rebuildCertTrustCache();
478 
480  const QList<QSslCertificate> getTrustedCaCerts( bool includeinvalid = false );
481 
483  const QList<QSslCertificate> getUntrustedCaCerts( QList<QSslCertificate> trustedCAs = QList<QSslCertificate>() );
484 
486  bool rebuildTrustedCaCertsCache();
487 
489  const QList<QSslCertificate> getTrustedCaCertsCache() { return mTrustedCaCertsCache; }
490 
492  const QByteArray getTrustedCaCertsPemText();
493 
494 #endif
495 
497  QMutex *mutex() { return mMutex; }
498 
499  signals:
507  void messageOut( const QString& message, const QString& tag = smAuthManTag, QgsAuthManager::MessageLevel level = INFO ) const;
508 
513  void masterPasswordVerified( bool verified ) const;
514 
516  void authDatabaseEraseRequested() const;
517 
519  void authDatabaseChanged() const;
520 
521  public slots:
523  void clearAllCachedConfigs();
524 
526  void clearCachedConfig( const QString& authcfg );
527 
528  private slots:
529  void writeToConsole( const QString& message, const QString& tag = QString(), QgsAuthManager::MessageLevel level = INFO );
530 
539  void tryToStartDbErase();
540 
541  protected:
542  explicit QgsAuthManager();
543 
544  private:
545 
546  bool createConfigTables();
547 
548  bool createCertTables();
549 
550  bool masterPasswordInput();
551 
552  bool masterPasswordRowsInDb( int *rows ) const;
553 
554  bool masterPasswordCheckAgainstDb( const QString &compare = QString::null ) const;
555 
556  bool masterPasswordStoreInDb() const;
557 
558  bool masterPasswordClearDb();
559 
560  const QString masterPasswordCiv() const;
561 
562  bool verifyPasswordCanDecryptConfigs() const;
563 
564  bool reencryptAllAuthenticationConfigs( const QString& prevpass, const QString& prevciv );
565 
566  bool reencryptAuthenticationConfig( const QString& authcfg, const QString& prevpass, const QString& prevciv );
567 
568  bool reencryptAllAuthenticationSettings( const QString& prevpass, const QString& prevciv );
569 
570  bool reencryptAllAuthenticationIdentities( const QString& prevpass, const QString& prevciv );
571 
572  bool reencryptAuthenticationIdentity( const QString& identid, const QString& prevpass, const QString& prevciv );
573 
574  bool authDbOpen() const;
575 
576  bool authDbQuery( QSqlQuery *query ) const;
577 
578  bool authDbStartTransaction() const;
579 
580  bool authDbCommit() const;
581 
582  bool authDbTransactionQuery( QSqlQuery *query ) const;
583 
584 #ifndef QT_NO_OPENSSL
585  void insertCaCertInCache( QgsAuthCertUtils::CaCertSource source, const QList<QSslCertificate> &certs );
586 #endif
587 
588  const QString authDbPassTable() const { return smAuthPassTable; }
589 
590  const QString authDbSettingsTable() const { return smAuthSettingsTable; }
591 
592  const QString authDbIdentitiesTable() const { return smAuthIdentitiesTable; }
593 
594  const QString authDbAuthoritiesTable() const { return smAuthAuthoritiesTable; }
595 
596  const QString authDbTrustTable() const { return smAuthTrustTable; }
597 
598  static QgsAuthManager* smInstance;
599  static const QString smAuthConfigTable;
600  static const QString smAuthPassTable;
601  static const QString smAuthSettingsTable;
602  static const QString smAuthIdentitiesTable;
603  static const QString smAuthServersTable;
604  static const QString smAuthAuthoritiesTable;
605  static const QString smAuthTrustTable;
606  static const QString smAuthManTag;
607  static const QString smAuthCfgRegex;
608 
609  bool mAuthInit;
610  QString mAuthDbPath;
611 
612  QCA::Initializer * mQcaInitializer;
613 
614  QHash<QString, QString> mConfigAuthMethods;
615  QHash<QString, QgsAuthMethod*> mAuthMethods;
616 
617  QString mMasterPass;
618  int mPassTries;
619  bool mAuthDisabled;
620  QString mAuthDisabledMessage;
621  QTimer *mScheduledDbEraseTimer;
622  bool mScheduledDbErase;
623  int mScheduledDbEraseRequestWait; // in seconds
624  bool mScheduledDbEraseRequestEmitted;
625  int mScheduledDbEraseRequestCount;
626  QMutex *mMutex;
627 
628 #ifndef QT_NO_OPENSSL
629  // mapping of sha1 digest and cert source and cert
630  // appending removes duplicates
632  // list of sha1 digests per policy
634  // cache of certs ready to be utilized in network connections
635  QList<QSslCertificate> mTrustedCaCertsCache;
636  // cache of SSL errors to be ignored in network connections, per sha-hostport
637  QHash<QString, QSet<QSslError::SslError> > mIgnoredSslErrorsCache;
638 #endif
639 };
640 
641 #endif // QGSAUTHMANAGER_H
Singleton offering an interface to manage the authentication configuration database and to utilize co...
const QString authDbServersTable() const
Name of the authentication database table that stores server exceptions/configs.
bool scheduledAuthDbErase()
Whether there is a scheduled opitonal erase of authentication database.
Configuration container for SSL server connection exceptions or overrides.
QString authManTag() const
Simple text tag describing authentication system for message logs.
Abstract base class for the edit widget of authentication method plugins.
const QString authenticationDbPath() const
The standard authentication database file in ~/.qgis2/ or defined location.
MessageLevel
Message log level (mirrors that of QgsMessageLog, so it can also output there)
QString configIdRegex() const
Return regular expression for authcfg=.
Configuration storage class for authentication method configurations.
Definition: qgsauthconfig.h:36
const QList< QSslCertificate > getTrustedCaCertsCache()
Get cache of trusted certificate authorities, ready for network connections.
const QMap< QgsAuthCertUtils::CertTrustPolicy, QStringList > getCertTrustCache()
Get cache of certificate sha1s, per trust policy.
void setScheduledAuthDbEraseRequestEmitted(bool emitted)
Re-emit a signal to schedule an optional erase of authentication database.
Abstract base class for authentication method plugins.
Definition: qgsauthmethod.h:33
CaCertSource
Type of CA certificate source.
const QMap< QString, QPair< QgsAuthCertUtils::CaCertSource, QSslCertificate > > getCaCertsCache()
Get all CA certs mapped to their sha1 from cache.
const QString authDbConfigTable() const
Name of the authentication database table that stores configs.
void clearMasterPassword()
Clear supplied master password.
QHash< QString, QSet< QSslError::SslError > > getIgnoredSslErrorCache()
Get ignored SSL error cache, keyed with cert/connection&#39;s sha:host:port.
QMutex * mutex()
Return pointer to mutex.
CertTrustPolicy
Type of certificate trust policy.