QGIS API Documentation  3.21.0-Master (564c892cfd)
qgsauthmanager.h
1 /***************************************************************************
2  qgsauthmanager.h
3  ---------------------
4  begin : October 5, 2014
5  copyright : (C) 2014 by Boundless Spatial, Inc. USA
6  author : Larry Shaffer
7  email : lshaffer at boundlessgeo dot com
8  ***************************************************************************
9  * *
10  * This program is free software; you can redistribute it and/or modify *
11  * it under the terms of the GNU General Public License as published by *
12  * the Free Software Foundation; either version 2 of the License, or *
13  * (at your option) any later version. *
14  * *
15  ***************************************************************************/
16 
17 #ifndef QGSAUTHMANAGER_H
18 #define QGSAUTHMANAGER_H
19 
20 #include "qgis_core.h"
21 #include "qgis_sip.h"
22 #include <QObject>
23 #if QT_VERSION < QT_VERSION_CHECK(5, 14, 0)
24 #include <QMutex>
25 #else
26 #include <QRecursiveMutex>
27 #endif
28 #include <QNetworkReply>
29 #include <QNetworkRequest>
30 #include <QSqlDatabase>
31 #include <QSqlError>
32 #include <QSqlQuery>
33 #include <QStringList>
34 
35 #ifndef QT_NO_SSL
36 #include <QSslCertificate>
37 #include <QSslKey>
38 #include <QtCrypto>
39 #include "qgsauthcertutils.h"
40 #endif
41 
42 #include "qgsauthconfig.h"
43 #include "qgsauthmethod.h"
44 
45 // Qt5KeyChain library
46 #include "keychain.h"
47 
// Forward declaration of QCA::Initializer, compiled out when SIP_RUN is defined.
// In this header the type is only held through std::unique_ptr<QCA::Initializer> (mQcaInitializer).
48 #ifndef SIP_RUN
49 namespace QCA
50 {
51  class Initializer;
52 }
53 #endif
// Forward declarations of classes named in this header.
54 class QgsAuthMethod;
55 class QgsAuthMethodEdit;
56 class QgsAuthProvider;
57 class QTimer;
58 
59 
// QgsAuthManager: QObject-derived manager for the authentication database (configs, settings,
// certificate identities, certificate authorities, trust policies) and for the master password.
// A single instance is tracked in the static sInstance and reached through the protected static
// instance(); QgsApplication is declared a friend at the end of the class.
// NOTE(review): the master password (mMasterPass) and the certificate/trust caches are ordinary
// members, so secret and trust-relevant material lives in process memory for as long as it is set.
68 class CORE_EXPORT QgsAuthManager : public QObject
69 {
70  Q_OBJECT
71 
72  public:
73 
    // Message log level used as the `level` argument of the messageOut() and
    // passwordHelperMessageOut() signals.
    // NOTE(review): the line that opens this enum is absent from this listing; the Q_ENUM call
    // below indicates that the enum is named MessageLevel.
76  {
77  INFO = 0,
78  WARNING = 1,
79  CRITICAL = 2
80  };
81  Q_ENUM( MessageLevel )
82 
83 
    // Initializes the manager. Both arguments are optional and default to an empty QString.
    // NOTE(review): presumably an empty authDatabasePath selects a default database location;
    // confirm in the implementation, since the path decides where credentials are stored.
91  bool init( const QString &pluginPath = QString(), const QString &authDatabasePath = QString() );
92 
93  ~QgsAuthManager() override;
94 
    // Returns a QSqlDatabase handle for the authentication database.
    // NOTE(review): this is public, so callers obtain direct SQL access to the credential store.
96  QSqlDatabase authDatabaseConnection() const;
97 
    // Name of the authentication database table that stores configs (returns AUTH_CONFIG_TABLE).
99  const QString authDatabaseConfigTable() const { return AUTH_CONFIG_TABLE; }
100 
    // Name of the authentication database table that stores server exceptions/configs
    // (returns AUTH_SERVERS_TABLE).
102  const QString authDatabaseServersTable() const { return AUTH_SERVERS_TABLE; }
103 
104 
106  bool isDisabled() const;
107 
109  const QString disabledMessage() const;
110 
    // The standard authentication database file in ~/.qgis3/ or defined location
    // (returns mAuthDbPath).
115  const QString authenticationDatabasePath() const { return mAuthDbPath; }
116 
    // Master password API. The password is passed around as QString in the calls below.
    // NOTE(review): QString offers no secure-erase guarantee, so temporaries and copies made by
    // callers may leave the password in heap memory after use.
122  bool setMasterPassword( bool verify = false );
123 
130  bool setMasterPassword( const QString &pass, bool verify = false );
131 
137  bool verifyMasterPassword( const QString &compare = QString() );
138 
140  bool masterPasswordIsSet() const;
141 
143  bool masterPasswordHashInDatabase() const;
144 
    // Clear supplied master password: assigns a default-constructed QString to mMasterPass.
    // NOTE(review): the assignment drops the old string data without overwriting it, so the
    // previous password characters may remain in freed memory. The declaration of
    // mMasterPasswordMutex suggests other accessors lock; this inline setter takes no lock.
149  void clearMasterPassword() { mMasterPass = QString(); }
150 
155  bool masterPasswordSame( const QString &pass ) const;
156 
    // Changes the master password from oldpass to newpass. backuppath is an in/out parameter
    // (SIP_INOUT) and may be null.
    // NOTE(review): with keepbackup set, a backup presumably stays on disk protected by the old
    // password; confirm, and treat that file as sensitive.
165  bool resetMasterPassword( const QString &newpass, const QString &oldpass, bool keepbackup, QString *backuppath SIP_INOUT = nullptr );
166 
    // Whether there is a scheduled optional erase of authentication database
    // (returns mScheduledDbErase).
171  bool scheduledAuthDatabaseErase() { return mScheduledDbErase; } SIP_SKIP
172 
185  void setScheduledAuthDatabaseErase( bool scheduleErase ) SIP_SKIP;
186 
    // Re-emit a signal to schedule an optional erase of authentication database
    // (stores the flag in mScheduledDbEraseRequestEmitted).
195  void setScheduledAuthDatabaseEraseRequestEmitted( bool emitted ) { mScheduledDbEraseRequestEmitted = emitted; }
196 
    // Simple text tag describing authentication system for message logs (returns AUTH_MAN_TAG).
198  QString authManTag() const { return AUTH_MAN_TAG; }
199 
201  bool registerCoreAuthMethods();
202 
204  QgsAuthMethodConfigsMap availableAuthMethodConfigs( const QString &dataprovider = QString() );
205 
207  void updateConfigAuthMethods();
208 
    // Returns a raw QgsAuthMethod pointer for the given config id; ownership is not expressed in
    // the signature. NOTE(review): presumably the manager keeps ownership (see mAuthMethods).
213  QgsAuthMethod *configAuthMethod( const QString &authcfg );
214 
219  QString configAuthMethodKey( const QString &authcfg ) const;
220 
224  QStringList authMethodsKeys( const QString &dataprovider = QString() );
225 
230  QgsAuthMethod *authMethod( const QString &authMethodKey );
231 
237  QgsAuthMethodsMap authMethodsMap( const QString &dataprovider = QString() ) SIP_SKIP;
238 
244  QWidget *authMethodEditWidget( const QString &authMethodKey, QWidget *parent );
245 
250  QgsAuthMethod::Expansions supportedAuthMethodExpansions( const QString &authcfg );
251 
253  const QString uniqueConfigId() const;
254 
259  bool configIdUnique( const QString &id ) const;
260 
265  bool hasConfigId( const QString &txt ) const;
266 
    // Returns the AUTH_CFG_REGEX constant.
268  QString configIdRegex() const { return AUTH_CFG_REGEX;}
269 
271  QStringList configIds() const;
272 
    // Store/update/load/remove of authentication configs. mconfig is an in/out parameter
    // (SIP_INOUT) in store and load; overwrite and full both default to false.
279  bool storeAuthenticationConfig( QgsAuthMethodConfig &mconfig SIP_INOUT, bool overwrite = false );
280 
286  bool updateAuthenticationConfig( const QgsAuthMethodConfig &config );
287 
295  bool loadAuthenticationConfig( const QString &authcfg, QgsAuthMethodConfig &mconfig SIP_INOUT, bool full = false );
296 
302  bool removeAuthenticationConfig( const QString &authcfg );
303 
    // Exports the listed configs to an XML file. password defaults to an empty QString.
    // NOTE(review): confirm what an empty password means here; if it produces an unencrypted
    // export, the file holds credentials in the clear and callers should require a password.
311  bool exportAuthenticationConfigsToXml( const QString &filename, const QStringList &authcfgs, const QString &password = QString() );
312 
    // Imports configs from an XML file; overwrite defaults to false.
    // NOTE(review): the file is external input; confirm how existing ids are handled when
    // overwrite is true.
320  bool importAuthenticationConfigsFromXml( const QString &filename, const QString &password = QString(), bool overwrite = false );
321 
326  bool removeAllAuthenticationConfigs();
327 
    // backuppath is an optional in/out parameter (SIP_INOUT, defaults to nullptr).
    // NOTE(review): backup copies are presumably as sensitive as the live database.
332  bool backupAuthenticationDatabase( QString *backuppath SIP_INOUT = nullptr );
333 
340  bool eraseAuthenticationDatabase( bool backup, QString *backuppath SIP_INOUT = nullptr );
341 
342 
344 
    // The four update* calls below take an authcfg id and an optional dataprovider key and modify
    // the passed request, reply, connection items or proxy in place (SIP_INOUT / pointer).
352  bool updateNetworkRequest( QNetworkRequest &request SIP_INOUT, const QString &authcfg,
353  const QString &dataprovider = QString() );
354 
362  bool updateNetworkReply( QNetworkReply *reply, const QString &authcfg,
363  const QString &dataprovider = QString() );
364 
372  bool updateDataSourceUriItems( QStringList &connectionItems SIP_INOUT, const QString &authcfg,
373  const QString &dataprovider = QString() );
374 
382  bool updateNetworkProxy( QNetworkProxy &proxy SIP_INOUT, const QString &authcfg,
383  const QString &dataprovider = QString() );
384 
386 
    // Key/value settings in the authentication database. encrypt and decrypt both default to
    // false. NOTE(review): encryption is opt-in, so a caller that stores a secret must pass
    // encrypt = true explicitly (and presumably decrypt = true when reading it back).
388  bool storeAuthSetting( const QString &key, const QVariant &value, bool encrypt = false );
389 
398  QVariant authSetting( const QString &key, const QVariant &defaultValue = QVariant(), bool decrypt = false );
399 
401  bool existsAuthSetting( const QString &key );
402 
404  bool removeAuthSetting( const QString &key );
405 
    // Everything down to the matching #endif is compiled only when Qt has SSL support.
406 #ifndef QT_NO_SSL
408 
410  bool initSslCaches();
411 
    // Certificate identities: a certificate stored together with a key.
    // NOTE(review): certIdentityBundle() and certIdentityBundleToPem() hand the key (presumably
    // the identity's private key) back to the caller; confirm callers do not log or persist it.
413  bool storeCertIdentity( const QSslCertificate &cert, const QSslKey &key );
414 
421  const QSslCertificate certIdentity( const QString &id );
422 
430  const QPair<QSslCertificate, QSslKey> certIdentityBundle( const QString &id ) SIP_SKIP;
431 
438  const QStringList certIdentityBundleToPem( const QString &id );
439 
445  const QList<QSslCertificate> certIdentities();
446 
448 
454  QStringList certIdentityIds() const;
455 
457  bool existsCertIdentity( const QString &id );
458 
460  bool removeCertIdentity( const QString &id );
461 
462 
    // Per-server SSL configuration (QgsAuthConfigSslServer), addressed by id and host:port.
464  bool storeSslCertCustomConfig( const QgsAuthConfigSslServer &config );
465 
473  const QgsAuthConfigSslServer sslCertCustomConfig( const QString &id, const QString &hostport );
474 
481  const QgsAuthConfigSslServer sslCertCustomConfigByHost( const QString &hostport );
482 
488  const QList<QgsAuthConfigSslServer> sslCertCustomConfigs();
489 
491  bool existsSslCertCustomConfig( const QString &id, const QString &hostport );
492 
494  bool removeSslCertCustomConfig( const QString &id, const QString &hostport );
495 
    // Get ignored SSL error cache, keyed with cert/connection's sha:host:port. Returns a copy of
    // mIgnoredSslErrorsCache.
    // NOTE(review): each entry names TLS errors that are not enforced for that endpoint; review
    // how entries are added and when they are rebuilt or dropped.
502  QHash<QString, QSet<QSslError::SslError> > ignoredSslErrorCache() { return mIgnoredSslErrorsCache; } SIP_SKIP
503 
505  void dumpIgnoredSslErrorsCache_();
506 
508  bool updateIgnoredSslErrorsCacheFromConfig( const QgsAuthConfigSslServer &config );
509 
511  bool updateIgnoredSslErrorsCache( const QString &shahostport, const QList<QSslError> &errors );
512 
514  bool rebuildIgnoredSslErrorCache();
515 
516 
    // Certificate authorities stored in the database, plus accessors for the other CA sources.
518  bool storeCertAuthorities( const QList<QSslCertificate> &certs );
519 
521  bool storeCertAuthority( const QSslCertificate &cert );
522 
524 
531  const QSslCertificate certAuthority( const QString &id );
532 
534  bool existsCertAuthority( const QSslCertificate &cert );
535 
537  bool removeCertAuthority( const QSslCertificate &cert );
538 
544  const QList<QSslCertificate> systemRootCAs();
545 
551  const QList<QSslCertificate> extraFileCAs();
552 
558  const QList<QSslCertificate> databaseCAs();
559 
565  const QMap<QString, QSslCertificate> mappedDatabaseCAs();
566 
    // Get all CA certs mapped to their sha1 from cache (returns a copy of mCaCertsCache).
573  const QMap<QString, QPair<QgsAuthCertUtils::CaCertSource, QSslCertificate> > caCertsCache() SIP_SKIP
574  {
575  return mCaCertsCache;
576  }
577 
579  bool rebuildCaCertsCache();
580 
    // Certificate trust policies.
    // NOTE(review): certTrustPolicy() and certificateTrustPolicy() have the same signature; the
    // difference between them is not visible in this header, so confirm before relying on either.
582  bool storeCertTrustPolicy( const QSslCertificate &cert, QgsAuthCertUtils::CertTrustPolicy policy );
583 
590  QgsAuthCertUtils::CertTrustPolicy certTrustPolicy( const QSslCertificate &cert );
591 
593  bool removeCertTrustPolicies( const QList<QSslCertificate> &certs );
594 
596  bool removeCertTrustPolicy( const QSslCertificate &cert );
597 
604  QgsAuthCertUtils::CertTrustPolicy certificateTrustPolicy( const QSslCertificate &cert );
605 
    // NOTE(review): the default policy presumably applies to certificates without an explicit
    // policy; changing it affects how such certificates are treated, so confirm who may call this.
607  bool setDefaultCertTrustPolicy( QgsAuthCertUtils::CertTrustPolicy policy );
608 
610  QgsAuthCertUtils::CertTrustPolicy defaultCertTrustPolicy();
611 
    // Get cache of certificate sha1s, per trust policy (returns a copy of mCertTrustCache).
617  const QMap<QgsAuthCertUtils::CertTrustPolicy, QStringList > certTrustCache() { return mCertTrustCache; }
618 
620  bool rebuildCertTrustCache();
621 
    // includeinvalid defaults to false.
628  const QList<QSslCertificate> trustedCaCerts( bool includeinvalid = false );
629 
    // trustedCAs is taken by value and defaults to an empty list.
635  const QList<QSslCertificate> untrustedCaCerts( QList<QSslCertificate> trustedCAs = QList<QSslCertificate>() );
636 
638  bool rebuildTrustedCaCertsCache();
639 
    // Cache of trusted certificate authorities, ready for network connections
    // (returns a copy of mTrustedCaCertsCache).
645  const QList<QSslCertificate> trustedCaCertsCache() { return mTrustedCaCertsCache; }
646 
652  const QByteArray trustedCaCertsPemText();
653 
654 #endif
655 
    // Password helper API; the private members below refer to QKeychain for its error codes.
    // Error message getter (returns mPasswordHelperErrorMessage).
660  const QString passwordHelperErrorMessage() { return mPasswordHelperErrorMessage; } SIP_SKIP
661 
666  bool passwordHelperDelete() SIP_SKIP;
667 
672  bool passwordHelperEnabled() const;
673 
678  void setPasswordHelperEnabled( bool enabled );
679 
    // NOTE(review): confirm that helper logging never writes the master password itself.
684  bool passwordHelperLoggingEnabled() const SIP_SKIP;
685 
690  void setPasswordHelperLoggingEnabled( bool enabled ) SIP_SKIP;
691 
696  bool passwordHelperSync();
697 
699  static const QString AUTH_PASSWORD_HELPER_DISPLAY_NAME;
700 
    // Default tag argument of the messageOut() and passwordHelperMessageOut() signals.
702  static const QString AUTH_MAN_TAG;
703 
704  signals:
705 
710  void passwordHelperFailure();
711 
716  void passwordHelperSuccess();
717 
    // Message signals; tag defaults to AUTH_MAN_TAG and level to INFO.
725  void messageOut( const QString &message, const QString &tag = QgsAuthManager::AUTH_MAN_TAG, QgsAuthManager::MessageLevel level = QgsAuthManager::INFO ) const;
726 
734  void passwordHelperMessageOut( const QString &message, const QString &tag = QgsAuthManager::AUTH_MAN_TAG, QgsAuthManager::MessageLevel level = QgsAuthManager::INFO );
735 
736 
741  void masterPasswordVerified( bool verified );
742 
744  void authDatabaseEraseRequested();
745 
747  void authDatabaseChanged();
748 
749  public slots:
751  void clearAllCachedConfigs();
752 
754  void clearCachedConfig( const QString &authcfg );
755 
756  private slots:
757  void writeToConsole( const QString &message, const QString &tag = QString(), QgsAuthManager::MessageLevel level = INFO );
758 
768  void tryToStartDbErase();
769 
770  protected:
771 
    // Protected static accessor for the manager instance (see sInstance below).
776  static QgsAuthManager *instance() SIP_SKIP;
777 
778 
    // The constructor is public when Q_OS_WIN is defined and protected otherwise.
    // NOTE(review): on Windows any code can therefore construct another manager; the reason is
    // not visible in this header, so confirm it before depending on there being one instance.
779 #ifdef Q_OS_WIN
780  public:
781  explicit QgsAuthManager() SIP_SKIP;
782 #else
783  protected:
784  explicit QgsAuthManager() SIP_SKIP;
785 #endif
786 
787  private:
788 
790  // Password Helper methods
791 
793  QString passwordHelperName() const;
794 
796  void passwordHelperLog( const QString &msg ) const;
797 
    // NOTE(review): presumably these read and write the master password through the helper;
    // the value is returned and passed as QString.
799  QString passwordHelperRead();
800 
802  bool passwordHelperWrite( const QString &password );
803 
    // Stores errorMessage in mPasswordHelperErrorMessage.
805  void passwordHelperSetErrorMessage( const QString &errorMessage ) { mPasswordHelperErrorMessage = errorMessage; }
806 
808  void passwordHelperClearErrors();
809 
814  void passwordHelperProcessError();
815 
816  bool createConfigTables();
817 
818  bool createCertTables();
819 
    // Private master password helpers working against the database.
820  bool masterPasswordInput();
821 
822  bool masterPasswordRowsInDb( int *rows ) const;
823 
824  bool masterPasswordCheckAgainstDb( const QString &compare = QString() ) const;
825 
826  bool masterPasswordStoreInDb() const;
827 
828  bool masterPasswordClearDb();
829 
    // NOTE(review): "Civ" presumably stands for cipher initialization vector; confirm in the
    // implementation.
830  const QString masterPasswordCiv() const;
831 
832  bool verifyPasswordCanDecryptConfigs() const;
833 
    // The reencrypt* helpers all take the previous password and previous civ as arguments.
834  bool reencryptAllAuthenticationConfigs( const QString &prevpass, const QString &prevciv );
835 
836  bool reencryptAuthenticationConfig( const QString &authcfg, const QString &prevpass, const QString &prevciv );
837 
838  bool reencryptAllAuthenticationSettings( const QString &prevpass, const QString &prevciv );
839 
840  bool reencryptAllAuthenticationIdentities( const QString &prevpass, const QString &prevciv );
841 
842  bool reencryptAuthenticationIdentity( const QString &identid, const QString &prevpass, const QString &prevciv );
843 
    // Database access helpers; the query variants take a caller-provided QSqlQuery pointer.
844  bool authDbOpen() const;
845 
846  bool authDbQuery( QSqlQuery *query ) const;
847 
848  bool authDbStartTransaction() const;
849 
850  bool authDbCommit() const;
851 
852  bool authDbTransactionQuery( QSqlQuery *query ) const;
853 
854 #ifndef QT_NO_SSL
855  void insertCaCertInCache( QgsAuthCertUtils::CaCertSource source, const QList<QSslCertificate> &certs );
856 #endif
857 
    // Private getters that return the corresponding table-name constants.
858  const QString authDbPassTable() const { return AUTH_PASS_TABLE; }
859 
860  const QString authDbSettingsTable() const { return AUTH_SETTINGS_TABLE; }
861 
862  const QString authDbIdentitiesTable() const { return AUTH_IDENTITIES_TABLE; }
863 
864  const QString authDbAuthoritiesTable() const { return AUTH_AUTHORITIES_TABLE; }
865 
866  const QString authDbTrustTable() const { return AUTH_TRUST_TABLE; }
867 
    // Static instance pointer and string constants; their values are defined outside this header.
868  static QgsAuthManager *sInstance;
869  static const QString AUTH_CONFIG_TABLE;
870  static const QString AUTH_PASS_TABLE;
871  static const QString AUTH_SETTINGS_TABLE;
872  static const QString AUTH_IDENTITIES_TABLE;
873  static const QString AUTH_SERVERS_TABLE;
874  static const QString AUTH_AUTHORITIES_TABLE;
875  static const QString AUTH_TRUST_TABLE;
876  static const QString AUTH_CFG_REGEX;
877 
878  bool mAuthInit = false;
879  QString mAuthDbPath;
880 
881  std::unique_ptr<QCA::Initializer> mQcaInitializer;
882 
883  QHash<QString, QString> mConfigAuthMethods;
884  QHash<QString, QgsAuthMethod *> mAuthMethods;
885 
    // Master password held in memory as a QString; reset by clearMasterPassword().
886  QString mMasterPass;
    // NOTE(review): presumably counts failed password attempts; confirm where it is checked
    // and reset.
887  int mPassTries = 0;
888  bool mAuthDisabled = false;
889  QString mAuthDisabledMessage;
    // State for the scheduled database erase.
890  QTimer *mScheduledDbEraseTimer = nullptr;
891  bool mScheduledDbErase = false;
892  int mScheduledDbEraseRequestWait = 3 ; // in seconds
893  bool mScheduledDbEraseRequestEmitted = false;
894  int mScheduledDbEraseRequestCount = 0;
895 
    // Mutex type depends on the Qt version: QMutex before 5.14, QRecursiveMutex from 5.14 on.
    // NOTE(review): presumably the QMutex variant is constructed in recursive mode so both
    // branches behave alike; confirm in the implementation.
896 #if QT_VERSION < QT_VERSION_CHECK(5, 14, 0)
897  std::unique_ptr<QMutex> mMutex;
898  std::unique_ptr<QMutex> mMasterPasswordMutex;
899 #else
900  std::unique_ptr<QRecursiveMutex> mMutex;
901  std::unique_ptr<QRecursiveMutex> mMasterPasswordMutex;
902 #endif
903 #ifndef QT_NO_SSL
904  // mapping of sha1 digest and cert source and cert
905  // appending removes duplicates
906  QMap<QString, QPair<QgsAuthCertUtils::CaCertSource, QSslCertificate> > mCaCertsCache;
907  // list of sha1 digests per policy
908  QMap<QgsAuthCertUtils::CertTrustPolicy, QStringList > mCertTrustCache;
909  // cache of certs ready to be utilized in network connections
910  QList<QSslCertificate> mTrustedCaCertsCache;
911  // cache of SSL errors to be ignored in network connections, per sha-hostport
912  QHash<QString, QSet<QSslError::SslError> > mIgnoredSslErrorsCache;
913 
    // Cache of per-host custom SSL server configs, with two flags tracking whether any exist and
    // whether that has been checked yet (as the member names state).
914  bool mHasCustomConfigByHost = false;
915  bool mHasCheckedIfCustomConfigByHostExists = false;
916  QMap< QString, QgsAuthConfigSslServer > mCustomConfigByHostCache;
917 #endif
918 
920  // Password Helper Variables
921 
923  bool mPasswordHelperVerificationError = false;
924 
926  QString mPasswordHelperErrorMessage;
927 
    // Last helper error code; starts as QKeychain::NoError.
929  QKeychain::Error mPasswordHelperErrorCode = QKeychain::NoError;
930 
    // Helper logging is off by default.
932  bool mPasswordHelperLoggingEnabled = false;
933 
935  bool mPasswordHelperFailedInit = false;
936 
    // NOTE(review): presumably the key and folder names under which the helper stores the master
    // password; their values are defined outside this header.
938  static const QLatin1String AUTH_PASSWORD_HELPER_KEY_NAME;
939 
941  static const QLatin1String AUTH_PASSWORD_HELPER_FOLDER_NAME;
942 
    // Declared mutable, so const member functions can modify this map of per-thread connections.
943  mutable QMap<QThread *, QMetaObject::Connection> mConnectedThreads;
944 
    // QgsApplication gets access to the protected and private members, including the constructor
    // and instance().
945  friend class QgsApplication;
946 
947 };
948 
949 #endif // QGSAUTHMANAGER_H
Extends QApplication to provide access to QGIS specific resources such as theme paths,...
CertTrustPolicy
Type of certificate trust policy.
CaCertSource
Type of CA certificate source.
Configuration container for SSL server connection exceptions or overrides.
Singleton offering an interface to manage the authentication configuration database and to utilize co...
const QString authDatabaseServersTable() const
Name of the authentication database table that stores server exceptions/configs.
const QMap< QgsAuthCertUtils::CertTrustPolicy, QStringList > certTrustCache()
certTrustCache get cache of certificate sha1s, per trust policy
MessageLevel
Message log level (mirrors that of QgsMessageLog, so it can also output there)
bool scheduledAuthDatabaseErase()
Whether there is a scheduled optional erase of authentication database.
QHash< QString, QSet< QSslError::SslError > > ignoredSslErrorCache()
ignoredSslErrorCache Get ignored SSL error cache, keyed with cert/connection's sha:host:port.
const QString authenticationDatabasePath() const
The standard authentication database file in ~/.qgis3/ or defined location.
QString authManTag() const
Simple text tag describing authentication system for message logs.
void setScheduledAuthDatabaseEraseRequestEmitted(bool emitted)
Re-emit a signal to schedule an optional erase of authentication database.
void clearMasterPassword()
Clear supplied master password.
const QString passwordHelperErrorMessage()
Error message getter.
const QString authDatabaseConfigTable() const
Name of the authentication database table that stores configs.
const QMap< QString, QPair< QgsAuthCertUtils::CaCertSource, QSslCertificate > > caCertsCache()
caCertsCache get all CA certs mapped to their sha1 from cache.
const QList< QSslCertificate > trustedCaCertsCache()
trustedCaCertsCache cache of trusted certificate authorities, ready for network connections
Configuration storage class for authentication method configurations.
Definition: qgsauthconfig.h:42
Abstract base class for the edit widget of authentication method plugins.
Abstract base class for authentication method plugins.
Definition: qgsauthmethod.h:42
#define SIP_SKIP
Definition: qgis_sip.h:126
#define SIP_INOUT
Definition: qgis_sip.h:71
QHash< QString, QgsAuthMethodConfig > QgsAuthMethodConfigsMap
QHash< QString, QgsAuthMethod * > QgsAuthMethodsMap