QGIS API Documentation  3.23.0-Master (eb871beae0)
qgsauthmanager.h
Go to the documentation of this file.
1 /***************************************************************************
2  qgsauthmanager.h
3  ---------------------
4  begin : October 5, 2014
5  copyright : (C) 2014 by Boundless Spatial, Inc. USA
6  author : Larry Shaffer
7  email : lshaffer at boundlessgeo dot com
8  ***************************************************************************
9  * *
10  * This program is free software; you can redistribute it and/or modify *
11  * it under the terms of the GNU General Public License as published by *
12  * the Free Software Foundation; either version 2 of the License, or *
13  * (at your option) any later version. *
14  * *
15  ***************************************************************************/
16 
17 #ifndef QGSAUTHMANAGER_H
18 #define QGSAUTHMANAGER_H
19 
20 #include "qgis_core.h"
21 #include "qgis_sip.h"
22 #include <QObject>
23 #if QT_VERSION < QT_VERSION_CHECK(5, 14, 0)
24 #include <QMutex>
25 #else
26 #include <QRecursiveMutex>
27 #endif
28 #include <QNetworkReply>
29 #include <QNetworkRequest>
30 #include <QSqlDatabase>
31 #include <QSqlError>
32 #include <QSqlQuery>
33 #include <QStringList>
34 
35 #ifndef QT_NO_SSL
36 #include <QSslCertificate>
37 #include <QSslKey>
38 #include <QtCrypto>
39 #include "qgsauthcertutils.h"
40 #endif
41 
42 #include "qgsauthconfig.h"
43 #include "qgsauthmethod.h"
44 
45 // Qt5KeyChain library
46 #include "keychain.h"
47 
48 #ifndef SIP_RUN
49 namespace QCA
50 {
51  class Initializer;
52 }
53 #endif
54 class QgsAuthMethod;
55 class QgsAuthMethodEdit;
56 class QgsAuthProvider;
58 class QTimer;
59 
60 
69 class CORE_EXPORT QgsAuthManager : public QObject
70 {
71  Q_OBJECT
72 
73  public:
74 
77  {
78  INFO = 0,
79  WARNING = 1,
80  CRITICAL = 2
81  };
82  Q_ENUM( MessageLevel )
83 
84 
92  bool init( const QString &pluginPath = QString(), const QString &authDatabasePath = QString() );
93 
94  ~QgsAuthManager() override;
95 
97  QSqlDatabase authDatabaseConnection() const;
98 
100  const QString authDatabaseConfigTable() const { return AUTH_CONFIG_TABLE; }
101 
103  const QString authDatabaseServersTable() const { return AUTH_SERVERS_TABLE; }
104 
105 
107  bool isDisabled() const;
108 
110  const QString disabledMessage() const;
111 
116  const QString authenticationDatabasePath() const { return mAuthDbPath; }
117 
123  bool setMasterPassword( bool verify = false );
124 
131  bool setMasterPassword( const QString &pass, bool verify = false );
132 
138  bool verifyMasterPassword( const QString &compare = QString() );
139 
141  bool masterPasswordIsSet() const;
142 
144  bool masterPasswordHashInDatabase() const;
145 
150  void clearMasterPassword() { mMasterPass = QString(); }
151 
156  bool masterPasswordSame( const QString &pass ) const;
157 
166  bool resetMasterPassword( const QString &newpass, const QString &oldpass, bool keepbackup, QString *backuppath SIP_INOUT = nullptr );
167 
172  bool scheduledAuthDatabaseErase() { return mScheduledDbErase; } SIP_SKIP
173 
186  void setScheduledAuthDatabaseErase( bool scheduleErase ) SIP_SKIP;
187 
196  void setScheduledAuthDatabaseEraseRequestEmitted( bool emitted ) { mScheduledDbEraseRequestEmitted = emitted; }
197 
199  QString authManTag() const { return AUTH_MAN_TAG; }
200 
202  bool registerCoreAuthMethods();
203 
205  QgsAuthMethodConfigsMap availableAuthMethodConfigs( const QString &dataprovider = QString() );
206 
208  void updateConfigAuthMethods();
209 
214  QgsAuthMethod *configAuthMethod( const QString &authcfg );
215 
220  QString configAuthMethodKey( const QString &authcfg ) const;
221 
225  QStringList authMethodsKeys( const QString &dataprovider = QString() );
226 
231  QgsAuthMethod *authMethod( const QString &authMethodKey );
232 
238  const QgsAuthMethodMetadata *authMethodMetadata( const QString &authMethodKey ) SIP_SKIP;
239 
245  QgsAuthMethodsMap authMethodsMap( const QString &dataprovider = QString() ) SIP_SKIP;
246 
247 #ifdef HAVE_GUI
248  SIP_IF_FEATURE( HAVE_GUI )
249 
250 
255  QWidget *authMethodEditWidget( const QString &authMethodKey, QWidget *parent );
256  SIP_END
257 #endif
258 
263  QgsAuthMethod::Expansions supportedAuthMethodExpansions( const QString &authcfg );
264 
266  const QString uniqueConfigId() const;
267 
272  bool configIdUnique( const QString &id ) const;
273 
278  bool hasConfigId( const QString &txt ) const;
279 
281  QString configIdRegex() const { return AUTH_CFG_REGEX;}
282 
284  QStringList configIds() const;
285 
292  bool storeAuthenticationConfig( QgsAuthMethodConfig &mconfig SIP_INOUT, bool overwrite = false );
293 
299  bool updateAuthenticationConfig( const QgsAuthMethodConfig &config );
300 
308  bool loadAuthenticationConfig( const QString &authcfg, QgsAuthMethodConfig &mconfig SIP_INOUT, bool full = false );
309 
315  bool removeAuthenticationConfig( const QString &authcfg );
316 
324  bool exportAuthenticationConfigsToXml( const QString &filename, const QStringList &authcfgs, const QString &password = QString() );
325 
333  bool importAuthenticationConfigsFromXml( const QString &filename, const QString &password = QString(), bool overwrite = false );
334 
339  bool removeAllAuthenticationConfigs();
340 
345  bool backupAuthenticationDatabase( QString *backuppath SIP_INOUT = nullptr );
346 
353  bool eraseAuthenticationDatabase( bool backup, QString *backuppath SIP_INOUT = nullptr );
354 
355 
357 
365  bool updateNetworkRequest( QNetworkRequest &request SIP_INOUT, const QString &authcfg,
366  const QString &dataprovider = QString() );
367 
375  bool updateNetworkReply( QNetworkReply *reply, const QString &authcfg,
376  const QString &dataprovider = QString() );
377 
385  bool updateDataSourceUriItems( QStringList &connectionItems SIP_INOUT, const QString &authcfg,
386  const QString &dataprovider = QString() );
387 
395  bool updateNetworkProxy( QNetworkProxy &proxy SIP_INOUT, const QString &authcfg,
396  const QString &dataprovider = QString() );
397 
399 
401  bool storeAuthSetting( const QString &key, const QVariant &value, bool encrypt = false );
402 
411  QVariant authSetting( const QString &key, const QVariant &defaultValue = QVariant(), bool decrypt = false );
412 
414  bool existsAuthSetting( const QString &key );
415 
417  bool removeAuthSetting( const QString &key );
418 
419 #ifndef QT_NO_SSL
421 
423  bool initSslCaches();
424 
426  bool storeCertIdentity( const QSslCertificate &cert, const QSslKey &key );
427 
434  const QSslCertificate certIdentity( const QString &id );
435 
443  const QPair<QSslCertificate, QSslKey> certIdentityBundle( const QString &id ) SIP_SKIP;
444 
451  const QStringList certIdentityBundleToPem( const QString &id );
452 
458  const QList<QSslCertificate> certIdentities();
459 
461 
467  QStringList certIdentityIds() const;
468 
470  bool existsCertIdentity( const QString &id );
471 
473  bool removeCertIdentity( const QString &id );
474 
475 
477  bool storeSslCertCustomConfig( const QgsAuthConfigSslServer &config );
478 
486  const QgsAuthConfigSslServer sslCertCustomConfig( const QString &id, const QString &hostport );
487 
494  const QgsAuthConfigSslServer sslCertCustomConfigByHost( const QString &hostport );
495 
501  const QList<QgsAuthConfigSslServer> sslCertCustomConfigs();
502 
504  bool existsSslCertCustomConfig( const QString &id, const QString &hostport );
505 
507  bool removeSslCertCustomConfig( const QString &id, const QString &hostport );
508 
515  QHash<QString, QSet<QSslError::SslError> > ignoredSslErrorCache() { return mIgnoredSslErrorsCache; } SIP_SKIP
516 
518  void dumpIgnoredSslErrorsCache_();
519 
521  bool updateIgnoredSslErrorsCacheFromConfig( const QgsAuthConfigSslServer &config );
522 
524  bool updateIgnoredSslErrorsCache( const QString &shahostport, const QList<QSslError> &errors );
525 
527  bool rebuildIgnoredSslErrorCache();
528 
529 
531  bool storeCertAuthorities( const QList<QSslCertificate> &certs );
532 
534  bool storeCertAuthority( const QSslCertificate &cert );
535 
537 
544  const QSslCertificate certAuthority( const QString &id );
545 
547  bool existsCertAuthority( const QSslCertificate &cert );
548 
550  bool removeCertAuthority( const QSslCertificate &cert );
551 
557  const QList<QSslCertificate> systemRootCAs();
558 
564  const QList<QSslCertificate> extraFileCAs();
565 
571  const QList<QSslCertificate> databaseCAs();
572 
578  const QMap<QString, QSslCertificate> mappedDatabaseCAs();
579 
586  const QMap<QString, QPair<QgsAuthCertUtils::CaCertSource, QSslCertificate> > caCertsCache() SIP_SKIP
587  {
588  return mCaCertsCache;
589  }
590 
592  bool rebuildCaCertsCache();
593 
595  bool storeCertTrustPolicy( const QSslCertificate &cert, QgsAuthCertUtils::CertTrustPolicy policy );
596 
603  QgsAuthCertUtils::CertTrustPolicy certTrustPolicy( const QSslCertificate &cert );
604 
606  bool removeCertTrustPolicies( const QList<QSslCertificate> &certs );
607 
609  bool removeCertTrustPolicy( const QSslCertificate &cert );
610 
617  QgsAuthCertUtils::CertTrustPolicy certificateTrustPolicy( const QSslCertificate &cert );
618 
620  bool setDefaultCertTrustPolicy( QgsAuthCertUtils::CertTrustPolicy policy );
621 
623  QgsAuthCertUtils::CertTrustPolicy defaultCertTrustPolicy();
624 
630  const QMap<QgsAuthCertUtils::CertTrustPolicy, QStringList > certTrustCache() { return mCertTrustCache; }
631 
633  bool rebuildCertTrustCache();
634 
641  const QList<QSslCertificate> trustedCaCerts( bool includeinvalid = false );
642 
648  const QList<QSslCertificate> untrustedCaCerts( QList<QSslCertificate> trustedCAs = QList<QSslCertificate>() );
649 
651  bool rebuildTrustedCaCertsCache();
652 
658  const QList<QSslCertificate> trustedCaCertsCache() { return mTrustedCaCertsCache; }
659 
665  const QByteArray trustedCaCertsPemText();
666 
667 #endif
668 
673  const QString passwordHelperErrorMessage() { return mPasswordHelperErrorMessage; } SIP_SKIP
674 
679  bool passwordHelperDelete() SIP_SKIP;
680 
685  bool passwordHelperEnabled() const;
686 
691  void setPasswordHelperEnabled( bool enabled );
692 
697  bool passwordHelperLoggingEnabled() const SIP_SKIP;
698 
703  void setPasswordHelperLoggingEnabled( bool enabled ) SIP_SKIP;
704 
709  bool passwordHelperSync();
710 
712  static const QString AUTH_PASSWORD_HELPER_DISPLAY_NAME;
713 
715  static const QString AUTH_MAN_TAG;
716 
717  signals:
718 
723  void passwordHelperFailure();
724 
729  void passwordHelperSuccess();
730 
738  void messageOut( const QString &message, const QString &tag = QgsAuthManager::AUTH_MAN_TAG, QgsAuthManager::MessageLevel level = QgsAuthManager::INFO ) const;
739 
747  void passwordHelperMessageOut( const QString &message, const QString &tag = QgsAuthManager::AUTH_MAN_TAG, QgsAuthManager::MessageLevel level = QgsAuthManager::INFO );
748 
749 
754  void masterPasswordVerified( bool verified );
755 
757  void authDatabaseEraseRequested();
758 
760  void authDatabaseChanged();
761 
762  public slots:
764  void clearAllCachedConfigs();
765 
767  void clearCachedConfig( const QString &authcfg );
768 
769  private slots:
770  void writeToConsole( const QString &message, const QString &tag = QString(), QgsAuthManager::MessageLevel level = INFO );
771 
781  void tryToStartDbErase();
782 
783  protected:
784 
789  static QgsAuthManager *instance() SIP_SKIP;
790 
791 
792 #ifdef Q_OS_WIN
793  public:
794  explicit QgsAuthManager() SIP_SKIP;
795 #else
796  protected:
797  explicit QgsAuthManager() SIP_SKIP;
798 #endif
799 
800  private:
801 
803  // Password Helper methods
804 
806  QString passwordHelperName() const;
807 
809  void passwordHelperLog( const QString &msg ) const;
810 
812  QString passwordHelperRead();
813 
815  bool passwordHelperWrite( const QString &password );
816 
818  void passwordHelperSetErrorMessage( const QString &errorMessage ) { mPasswordHelperErrorMessage = errorMessage; }
819 
821  void passwordHelperClearErrors();
822 
827  void passwordHelperProcessError();
828 
829  bool createConfigTables();
830 
831  bool createCertTables();
832 
833  bool masterPasswordInput();
834 
835  bool masterPasswordRowsInDb( int *rows ) const;
836 
837  bool masterPasswordCheckAgainstDb( const QString &compare = QString() ) const;
838 
839  bool masterPasswordStoreInDb() const;
840 
841  bool masterPasswordClearDb();
842 
843  const QString masterPasswordCiv() const;
844 
845  bool verifyPasswordCanDecryptConfigs() const;
846 
847  bool reencryptAllAuthenticationConfigs( const QString &prevpass, const QString &prevciv );
848 
849  bool reencryptAuthenticationConfig( const QString &authcfg, const QString &prevpass, const QString &prevciv );
850 
851  bool reencryptAllAuthenticationSettings( const QString &prevpass, const QString &prevciv );
852 
853  bool reencryptAllAuthenticationIdentities( const QString &prevpass, const QString &prevciv );
854 
855  bool reencryptAuthenticationIdentity( const QString &identid, const QString &prevpass, const QString &prevciv );
856 
857  bool authDbOpen() const;
858 
859  bool authDbQuery( QSqlQuery *query ) const;
860 
861  bool authDbStartTransaction() const;
862 
863  bool authDbCommit() const;
864 
865  bool authDbTransactionQuery( QSqlQuery *query ) const;
866 
867 #ifndef QT_NO_SSL
868  void insertCaCertInCache( QgsAuthCertUtils::CaCertSource source, const QList<QSslCertificate> &certs );
869 #endif
870 
871  const QString authDbPassTable() const { return AUTH_PASS_TABLE; }
872 
873  const QString authDbSettingsTable() const { return AUTH_SETTINGS_TABLE; }
874 
875  const QString authDbIdentitiesTable() const { return AUTH_IDENTITIES_TABLE; }
876 
877  const QString authDbAuthoritiesTable() const { return AUTH_AUTHORITIES_TABLE; }
878 
879  const QString authDbTrustTable() const { return AUTH_TRUST_TABLE; }
880 
881  static QgsAuthManager *sInstance;
882  static const QString AUTH_CONFIG_TABLE;
883  static const QString AUTH_PASS_TABLE;
884  static const QString AUTH_SETTINGS_TABLE;
885  static const QString AUTH_IDENTITIES_TABLE;
886  static const QString AUTH_SERVERS_TABLE;
887  static const QString AUTH_AUTHORITIES_TABLE;
888  static const QString AUTH_TRUST_TABLE;
889  static const QString AUTH_CFG_REGEX;
890 
891  bool mAuthInit = false;
892  QString mAuthDbPath;
893 
894  std::unique_ptr<QCA::Initializer> mQcaInitializer;
895 
896  QHash<QString, QString> mConfigAuthMethods;
897  QHash<QString, QgsAuthMethod *> mAuthMethods;
898 
899  QString mMasterPass;
900  int mPassTries = 0;
901  bool mAuthDisabled = false;
902  QString mAuthDisabledMessage;
903  QTimer *mScheduledDbEraseTimer = nullptr;
904  bool mScheduledDbErase = false;
905  int mScheduledDbEraseRequestWait = 3 ; // in seconds
906  bool mScheduledDbEraseRequestEmitted = false;
907  int mScheduledDbEraseRequestCount = 0;
908 
909 #if QT_VERSION < QT_VERSION_CHECK(5, 14, 0)
910  std::unique_ptr<QMutex> mMutex;
911  std::unique_ptr<QMutex> mMasterPasswordMutex;
912 #else
913  std::unique_ptr<QRecursiveMutex> mMutex;
914  std::unique_ptr<QRecursiveMutex> mMasterPasswordMutex;
915 #endif
916 #ifndef QT_NO_SSL
917  // mapping of sha1 digest and cert source and cert
918  // appending removes duplicates
919  QMap<QString, QPair<QgsAuthCertUtils::CaCertSource, QSslCertificate> > mCaCertsCache;
920  // list of sha1 digests per policy
921  QMap<QgsAuthCertUtils::CertTrustPolicy, QStringList > mCertTrustCache;
922  // cache of certs ready to be utilized in network connections
923  QList<QSslCertificate> mTrustedCaCertsCache;
924  // cache of SSL errors to be ignored in network connections, per sha-hostport
925  QHash<QString, QSet<QSslError::SslError> > mIgnoredSslErrorsCache;
926 
927  bool mHasCustomConfigByHost = false;
928  bool mHasCheckedIfCustomConfigByHostExists = false;
929  QMap< QString, QgsAuthConfigSslServer > mCustomConfigByHostCache;
930 #endif
931 
933  // Password Helper Variables
934 
936  bool mPasswordHelperVerificationError = false;
937 
939  QString mPasswordHelperErrorMessage;
940 
942  QKeychain::Error mPasswordHelperErrorCode = QKeychain::NoError;
943 
945  bool mPasswordHelperLoggingEnabled = false;
946 
948  bool mPasswordHelperFailedInit = false;
949 
951  static const QLatin1String AUTH_PASSWORD_HELPER_KEY_NAME;
952 
954  static const QLatin1String AUTH_PASSWORD_HELPER_FOLDER_NAME;
955 
956  mutable QMap<QThread *, QMetaObject::Connection> mConnectedThreads;
957 
958  friend class QgsApplication;
959 
960 };
961 
962 #endif // QGSAUTHMANAGER_H
Extends QApplication to provide access to QGIS specific resources such as theme paths,...
CertTrustPolicy
Type of certificate trust policy.
CaCertSource
Type of CA certificate source.
Configuration container for SSL server connection exceptions or overrides.
Singleton offering an interface to manage the authentication configuration database and to utilize co...
const QString authDatabaseServersTable() const
Name of the authentication database table that stores server exceptions/configs.
const QMap< QgsAuthCertUtils::CertTrustPolicy, QStringList > certTrustCache()
certTrustCache get cache of certificate sha1s, per trust policy
MessageLevel
Message log level (mirrors that of QgsMessageLog, so it can also output there)
bool scheduledAuthDatabaseErase()
Whether there is a scheduled opitonal erase of authentication database.
QHash< QString, QSet< QSslError::SslError > > ignoredSslErrorCache()
ignoredSslErrorCache Get ignored SSL error cache, keyed with cert/connection's sha:host:port.
const QString authenticationDatabasePath() const
The standard authentication database file in ~/.qgis3/ or defined location.
QString authManTag() const
Simple text tag describing authentication system for message logs.
QString configIdRegex() const
Returns the regular expression for authcfg=.{7} key/value token for authentication ids.
void setScheduledAuthDatabaseEraseRequestEmitted(bool emitted)
Re-emit a signal to schedule an optional erase of authentication database.
void clearMasterPassword()
Clear supplied master password.
const QString passwordHelperErrorMessage()
Error message getter.
const QString authDatabaseConfigTable() const
Name of the authentication database table that stores configs.
const QMap< QString, QPair< QgsAuthCertUtils::CaCertSource, QSslCertificate > > caCertsCache()
caCertsCache get all CA certs mapped to their sha1 from cache.
const QList< QSslCertificate > trustedCaCertsCache()
trustedCaCertsCache cache of trusted certificate authorities, ready for network connections
Configuration storage class for authentication method configurations.
Definition: qgsauthconfig.h:42
Abstract base class for the edit widget of authentication method plugins.
Holds data auth method key, description, and associated shared library file information.
Abstract base class for authentication method plugins.
Definition: qgsauthmethod.h:43
#define SIP_SKIP
Definition: qgis_sip.h:126
#define SIP_IF_FEATURE(feature)
Definition: qgis_sip.h:167
#define SIP_INOUT
Definition: qgis_sip.h:71
#define SIP_END
Definition: qgis_sip.h:194
QHash< QString, QgsAuthMethodConfig > QgsAuthMethodConfigsMap
QHash< QString, QgsAuthMethod * > QgsAuthMethodsMap