Subgroup: Auth
Class: QgsAuthManager

class qgis.core.QgsAuthManager
Bases: PyQt5.QtCore.QObject
Singleton offering an interface to manage the authentication configuration database and to utilize configurations through various authentication method plugins

Methods
authDatabaseConfigTable – Name of the authentication database table that stores configs
authDatabaseConnection – Set up the application instance of the authentication database connection
authDatabaseServersTable – Name of the authentication database table that stores server exceptions/configs
authManTag – Simple text tag describing authentication system for message logs
authMethod – Get authentication method from the config/provider cache via its key
authMethodEditWidget – Get authentication method edit widget via its key
authMethodsKeys – Get keys of supported authentication methods
authSetting – authSetting get an authentication setting (retrieved as string and returned as QVariant( QString ))
authenticationDatabasePath – The standard authentication database file in ~/.qgis3/ or defined location
availableAuthMethodConfigs – Get mapping of authentication config ids and their base configs (not decrypted data)
backupAuthenticationDatabase – Close connection to current authentication database and back it up
certAuthority – certAuthority get a certificate authority by id (sha hash)
certIdentities – certIdentities get certificate identities
certIdentity – certIdentity get a certificate identity by id (sha hash)
certIdentityBundleToPem – certIdentityBundleToPem get a certificate identity bundle by id (sha hash) returned as PEM text
certIdentityIds – certIdentityIds get list of certificate identity ids from database
certTrustCache – certTrustCache get cache of certificate sha1s, per trust policy
certTrustPolicy – certTrustPolicy get whether certificate cert is trusted by user
certificateTrustPolicy – certificateTrustPolicy get trust policy for a particular certificate cert
childEvent
clearAllCachedConfigs – Clear all authentication configs from authentication method caches
clearCachedConfig – Clear an authentication config from its associated authentication method cache
clearMasterPassword – Clear supplied master password
configAuthMethod – Get authentication method from the config/provider cache
configAuthMethodKey – Get key of authentication method associated with config ID
configIdRegex – Return regular expression for authcfg=.{7} key/value token for authentication ids
configIdUnique – Verify if provided authentication id is unique
configIds – Get list of authentication ids from database
connectNotify
customEvent
databaseCAs – databaseCAs get database-stored certificate authorities
defaultCertTrustPolicy – Get the default certificate trust policy preferred by user
disabledMessage – Standard message for when QCA’s qca-ossl plugin is missing and system is disabled
disconnectNotify
dumpIgnoredSslErrorsCache_ – Utility function to dump the cache for debug purposes
eraseAuthenticationDatabase – Erase all rows from all tables in authentication database
existsAuthSetting – Check if an authentication setting exists
existsCertAuthority – Check if a certificate authority exists
existsCertIdentity – Check if a certificate identity exists
existsSslCertCustomConfig – Check if SSL certificate custom config exists
extraFileCAs – extraFileCAs extra file-based certificate authorities
hasConfigId – Return whether a string includes an authcfg ID token
init – init initialize QCA, prioritize qca-ossl plugin and optionally set up the authentication database
initSslCaches – Initialize various SSL authentication caches
isDisabled – Whether QCA has the qca-ossl plugin, which is a base run-time requirement
isSignalConnected
loadAuthenticationConfig – Load an authentication config from the database into subclass
mappedDatabaseCAs – mappedDatabaseCAs get sha1-mapped database-stored certificate authorities
masterPasswordHashInDatabase – Verify a password hash existing in authentication database
masterPasswordIsSet – Whether master password has been input and verified, i.e. authentication database is accessible
masterPasswordSame – Check whether supplied password is the same as the one already set
rebuildCaCertsCache – Rebuild certificate authority cache
rebuildCertTrustCache – Rebuild certificate authority cache
rebuildIgnoredSslErrorCache – Rebuild ignored SSL error cache
rebuildTrustedCaCertsCache – Rebuild trusted certificate authorities cache
receivers
registerCoreAuthMethods – Instantiate and register existing C++ core authentication methods from plugins
removeAllAuthenticationConfigs – Clear all authentication configs from table in database and from provider caches
removeAuthSetting – Remove an authentication setting
removeAuthenticationConfig – Remove an authentication config in the database
removeCertAuthority – Remove a certificate authority
removeCertIdentity – Remove a certificate identity
removeCertTrustPolicies – Remove a group of certificate authorities
removeCertTrustPolicy – Remove a certificate authority
removeSslCertCustomConfig – Remove an SSL certificate custom config
resetMasterPassword – Reset the master password to a new one, then re-encrypt all previous configs in a new database file, optionally backup current database
sender
senderSignalIndex
setDefaultCertTrustPolicy – Set the default certificate trust policy preferred by user
setMasterPassword – Main call to initially set or continually check master password is set
setScheduledAuthDatabaseEraseRequestEmitted – Re-emit a signal to schedule an optional erase of authentication database.
sslCertCustomConfig – sslCertCustomConfig get an SSL certificate custom config by id (sha hash) and hostport (host:port)
sslCertCustomConfigByHost – sslCertCustomConfigByHost get an SSL certificate custom config by hostport (host:port)
sslCertCustomConfigs – sslCertCustomConfigs get SSL certificate custom configs
storeAuthSetting – Store an authentication setting (stored as string via QVariant( value ).toString() )
storeAuthenticationConfig – Store an authentication config in the database
storeCertAuthorities – Store multiple certificate authorities
storeCertAuthority – Store a certificate authority
storeCertIdentity – Store a certificate identity
storeCertTrustPolicy – Store user trust value for a certificate
storeSslCertCustomConfig – Store an SSL certificate custom config
supportedAuthMethodExpansions – Get supported authentication method expansion(s), e.g. NetworkRequest | DataSourceURI, as flags
systemRootCAs – systemRootCAs get root system certificate authorities
timerEvent
trustedCaCerts – trustedCaCerts get list of all trusted CA certificates
trustedCaCertsCache – trustedCaCertsCache cache of trusted certificate authorities, ready for network connections
trustedCaCertsPemText – trustedCaCertsPemText get concatenated string of all trusted CA certificates
uniqueConfigId – Get a unique generated 7-character string to assign to as config id
untrustedCaCerts – untrustedCaCerts get list of untrusted certificate authorities
updateAuthenticationConfig – Update an authentication config in the database
updateConfigAuthMethods – Sync the config/authentication method cache with what is in database
updateDataSourceUriItems – Provider call to update a QgsDataSourceUri with an authentication config
updateIgnoredSslErrorsCache – Update ignored SSL error cache with possible ignored SSL errors, using sha:host:port key
updateIgnoredSslErrorsCacheFromConfig – Update ignored SSL error cache with possible ignored SSL errors, using server config
updateNetworkProxy – Provider call to update a QNetworkProxy with an authentication config
updateNetworkReply – Provider call to update a QNetworkReply with an authentication config (used to skip known SSL errors, etc.)
updateNetworkRequest – Provider call to update a QNetworkRequest with an authentication config
verifyMasterPassword – Verify the supplied master password against any existing hash in authentication database

Signals
authDatabaseChanged – Emitted when the authentication db is significantly changed, e.g. large record removal, erased, etc.
authDatabaseEraseRequested – Emitted when a user has indicated they may want to erase the authentication db.
masterPasswordVerified – Emitted when a password has been verified (or not)
messageOut – Custom logging signal to relay to console output and QgsMessageLog
passwordHelperFailure – Signals emitted on password helper failure, mainly used in the tests to exit main application loop [signal]
passwordHelperMessageOut – Custom logging signal to inform the user about master password <-> password manager interactions
passwordHelperSuccess – Signals emitted on password helper success, mainly used in the tests to exit main application loop [signal]

Attributes
AUTH_MAN_TAG
AUTH_PASSWORD_HELPER_DISPLAY_NAME
CRITICAL
INFO
WARNING

AUTH_MAN_TAG = 'Authentication Manager'

AUTH_PASSWORD_HELPER_DISPLAY_NAME = 'Keychain'

CRITICAL = 2

INFO = 0

class MessageLevel
Bases: int

WARNING = 1

authDatabaseChanged
Emitted when the authentication db is significantly changed, e.g. large record removal, erased, etc. [signal]

authDatabaseConfigTable(self) → str
Name of the authentication database table that stores configs

authDatabaseConnection(self) → QSqlDatabase
Set up the application instance of the authentication database connection

authDatabaseEraseRequested
Emitted when a user has indicated they may want to erase the authentication db. [signal]

authDatabaseServersTable(self) → str
Name of the authentication database table that stores server exceptions/configs

authManTag(self) → str
Simple text tag describing authentication system for message logs

authMethod(self, authMethodKey: str) → QgsAuthMethod
Get authentication method from the config/provider cache via its key
Parameters: authMethodKey – Authentication method key

authMethodEditWidget(self, authMethodKey: str, parent: QWidget) → QWidget
Get authentication method edit widget via its key
Parameters:
- authMethodKey – Authentication method key
- parent – Parent widget

authMethodsKeys(self, dataprovider: str = '') → List[str]
Get keys of supported authentication methods

authSetting(self, key: str, defaultValue: Any = None, decrypt: bool = False) → Any
authSetting get an authentication setting (retrieved as string and returned as QVariant( QString ))
Parameters:
- key – setting key
- defaultValue –
- decrypt – if the value needs to be decrypted
Returns: QVariant( QString ) authentication setting
New in version 3.0.

authenticationDatabasePath(self) → str
The standard authentication database file in ~/.qgis3/ or defined location

availableAuthMethodConfigs(self, dataprovider: str = '') → object
Get mapping of authentication config ids and their base configs (not decrypted data)

backupAuthenticationDatabase(self, backuppath: str = '') → Tuple[bool, str]
Close connection to current authentication database and back it up
Returns: Path to backup

certAuthority(self, id: str) → QSslCertificate
certAuthority get a certificate authority by id (sha hash)
Parameters: id – sha hash
Returns: a certificate
New in version 3.0.

certIdentities(self) → List[QSslCertificate]
certIdentities get certificate identities
Returns: list of certificates
New in version 3.0.

certIdentity(self, id: str) → QSslCertificate
certIdentity get a certificate identity by id (sha hash)
Parameters: id – sha hash of the cert
Returns: the certificate
New in version 3.0.

certIdentityBundleToPem(self, id: str) → List[str]
certIdentityBundleToPem get a certificate identity bundle by id (sha hash) returned as PEM text
Parameters: id – sha hash
Returns: a list of strings
New in version 3.0.

certIdentityIds(self) → List[str]
certIdentityIds get list of certificate identity ids from database
Returns: list of certificate ids
New in version 3.0.

certTrustCache(self) → object
certTrustCache get cache of certificate sha1s, per trust policy
Returns: trust-policy-mapped certificate sha1s
New in version 3.0.

certTrustPolicy(self, cert: QSslCertificate) → QgsAuthCertUtils.CertTrustPolicy
certTrustPolicy get whether certificate cert is trusted by user
Parameters: cert –
Returns: DefaultTrust if certificate sha not in trust table, i.e. follows default trust policy
New in version 3.0.

certificateTrustPolicy(self, cert: QSslCertificate) → QgsAuthCertUtils.CertTrustPolicy
certificateTrustPolicy get trust policy for a particular certificate cert
Parameters: cert –
Returns: DefaultTrust if certificate sha not in trust table, i.e. follows default trust policy
New in version 3.0.

childEvent()

clearAllCachedConfigs(self)
Clear all authentication configs from authentication method caches

clearCachedConfig(self, authcfg: str)
Clear an authentication config from its associated authentication method cache

clearMasterPassword(self)
Clear supplied master password
Note: This will not necessarily clear authenticated connections cached in network connection managers

configAuthMethod(self, authcfg: str) → QgsAuthMethod
Get authentication method from the config/provider cache
Parameters: authcfg – Authentication config id

configAuthMethodKey(self, authcfg: str) → str
Get key of authentication method associated with config ID
Parameters: authcfg –

configIdRegex(self) → str
Return regular expression for authcfg=.{7} key/value token for authentication ids

configIdUnique(self, id: str) → bool
Verify if provided authentication id is unique
Parameters: id – Id to check

configIds(self) → List[str]
Get list of authentication ids from database

connectNotify()

customEvent()

databaseCAs(self) → List[QSslCertificate]
databaseCAs get database-stored certificate authorities
Returns: list of certificate authorities
New in version 3.0.

defaultCertTrustPolicy(self) → QgsAuthCertUtils.CertTrustPolicy
Get the default certificate trust policy preferred by user

disabledMessage(self) → str
Standard message for when QCA’s qca-ossl plugin is missing and system is disabled

disconnectNotify()

dumpIgnoredSslErrorsCache_(self)
Utility function to dump the cache for debug purposes

eraseAuthenticationDatabase(self, backup: bool, backuppath: str = '') → Tuple[bool, str]
Erase all rows from all tables in authentication database
Parameters:
- backup – Whether to back up the current database
- backuppath – Where the backup is located
Returns: Whether operation succeeded

existsAuthSetting(self, key: str) → bool
Check if an authentication setting exists

existsCertAuthority(self, cert: QSslCertificate) → bool
Check if a certificate authority exists

existsCertIdentity(self, id: str) → bool
Check if a certificate identity exists

existsSslCertCustomConfig(self, id: str, hostport: str) → bool
Check if SSL certificate custom config exists

extraFileCAs(self) → List[QSslCertificate]
extraFileCAs extra file-based certificate authorities
Returns: list of certificate authorities
New in version 3.0.

hasConfigId(self, txt: str) → bool
Return whether a string includes an authcfg ID token
Parameters: txt – String to check
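
An added example, not part of the QGIS documentation and not QgsAuthManager code: a stand-alone Python audit that applies the authcfg token described for configIdRegex and hasConfigId to data source URI strings, separating those that reference a stored config from those that carry a password inline. The function names, the sample URIs, the password= key names and the narrowing of .{7} to seven alphanumeric characters are assumptions made for this illustration.

```python
import re

# Token described for configIdRegex(): "authcfg=" followed by a 7-character id.
# Assumption: the id is alphanumeric and must not run on into further characters.
AUTHCFG_TOKEN = re.compile(r"authcfg=(?P<id>[A-Za-z0-9]{7})(?![A-Za-z0-9])")

# Assumption: inline secrets appear as password=/passwd=/pwd= key/value items,
# quoted or unquoted, in the same style as the "username=myname" items above.
INLINE_SECRET = re.compile(
    r"\b(password|passwd|pwd)\s*=\s*('[^']*'|\"[^\"]*\"|\S+)", re.IGNORECASE
)


def has_config_id(text):
    """Pure-Python counterpart of the hasConfigId() check described above."""
    return AUTHCFG_TOKEN.search(text) is not None


def redact(uri):
    """Replace any inline secret value so the URI is safe to log."""
    return INLINE_SECRET.sub(lambda m: m.group(1) + "=***", uri)


def classify_uri(uri):
    """Classify one URI as 'authcfg', 'inline-secret', 'both' or 'none'."""
    token = AUTHCFG_TOKEN.search(uri)
    secret = INLINE_SECRET.search(uri)
    if token and secret:
        status = "both"            # stored config present, but a secret leaked too
    elif token:
        status = "authcfg"         # credentials stay in the authentication database
    elif secret:
        status = "inline-secret"   # plaintext credential stored with the URI
    else:
        status = "none"
    return {
        "status": status,
        "authcfg": token.group("id") if token else None,
        "uri": redact(uri),
    }


def audit(uris):
    """Classify every URI; the returned URIs are already redacted."""
    return [classify_uri(u) for u in uris]


# Constructed sample input (not taken from any real project file).
SAMPLE_URIS = [
    "dbname='gis' host=db.example.org port=5432 authcfg=a1b2c3d",
    "dbname='gis' host=db.example.org user='alice' password='s3cret'",
    "url=https://maps.example.org/wms authcfg=short",
    "host=h authcfg=Zx9Yw8v password=hunter2",
]

if __name__ == "__main__":
    for row in audit(SAMPLE_URIS):
        print(f"{row['status']:14} {row['authcfg'] or '-':8} {row['uri']}")
```

URIs reported as inline-secret or both are the ones worth migrating to a stored authentication config, since their credentials travel with the project or layer definition.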

init(self, pluginPath: str = '', authDatabasePath: str = '') → bool
init initialize QCA, prioritize qca-ossl plugin and optionally set up the authentication database
Parameters:
- pluginPath – the plugin path
- authDatabasePath – the authentication DB path
Returns: true on success
See also

initSslCaches(self) → bool
Initialize various SSL authentication caches

isDisabled(self) → bool
Whether QCA has the qca-ossl plugin, which is a base run-time requirement

isSignalConnected()

loadAuthenticationConfig(self, authcfg: str, mconfig: QgsAuthMethodConfig, full: bool = False) → Tuple[bool, QgsAuthMethodConfig]
Load an authentication config from the database into subclass
Parameters:
- authcfg – Associated authentication config id
- mconfig – Subclassed config to load into
- full – Whether to decrypt and populate all sensitive data in subclass
Returns: Whether operation succeeded

mappedDatabaseCAs(self) → Dict[str, QSslCertificate]
mappedDatabaseCAs get sha1-mapped database-stored certificate authorities
Returns: sha1-mapped certificate authorities
New in version 3.0.

masterPasswordHashInDatabase(self) → bool
Verify a password hash existing in authentication database

masterPasswordIsSet(self) → bool
Whether master password has been input and verified, i.e. authentication database is accessible

masterPasswordSame(self, pass_: str) → bool
Check whether supplied password is the same as the one already set
Parameters: pass – Password to verify

masterPasswordVerified
Emitted when a password has been verified (or not)
Parameters: verified – The state of password’s verification
[signal]

messageOut
Custom logging signal to relay to console output and QgsMessageLog
Parameters:
- message – Message to send
- tag – Associated tag (title)
- level – Message log level
See also: QgsMessageLog
[signal]

passwordHelperFailure
Signals emitted on password helper failure, mainly used in the tests to exit main application loop [signal]

passwordHelperMessageOut
Custom logging signal to inform the user about master password <-> password manager interactions
Parameters:
- message – Message to send
- tag – Associated tag (title)
- level – Message log level
See also: QgsMessageLog
[signal]

passwordHelperSuccess
Signals emitted on password helper success, mainly used in the tests to exit main application loop [signal]

rebuildCaCertsCache(self) → bool
Rebuild certificate authority cache

rebuildCertTrustCache(self) → bool
Rebuild certificate authority cache

rebuildIgnoredSslErrorCache(self) → bool
Rebuild ignored SSL error cache

rebuildTrustedCaCertsCache(self) → bool
Rebuild trusted certificate authorities cache

receivers()

registerCoreAuthMethods(self) → bool
Instantiate and register existing C++ core authentication methods from plugins

removeAllAuthenticationConfigs(self) → bool
Clear all authentication configs from table in database and from provider caches
Returns: Whether operation succeeded

removeAuthSetting(self, key: str) → bool
Remove an authentication setting

removeAuthenticationConfig(self, authcfg: str) → bool
Remove an authentication config in the database
Parameters: authcfg – Associated authentication config id
Returns: Whether operation succeeded

removeCertAuthority(self, cert: QSslCertificate) → bool
Remove a certificate authority

removeCertIdentity(self, id: str) → bool
Remove a certificate identity

removeCertTrustPolicies(self, certs: Iterable[QSslCertificate]) → bool
Remove a group of certificate authorities

removeCertTrustPolicy(self, cert: QSslCertificate) → bool
Remove a certificate authority

removeSslCertCustomConfig(self, id: str, hostport: str) → bool
Remove an SSL certificate custom config

resetMasterPassword(self, newpass: str, oldpass: str, keepbackup: bool, backuppath: str = '') → Tuple[bool, str]
Reset the master password to a new one, then re-encrypt all previous configs in a new database file, optionally backup current database
Parameters:
- newpass – New master password to replace existing
- oldpass – Current master password to replace existing
- keepbackup – Whether to keep the generated backup of current database
- backuppath – Where the backup is located, if kept

sender()

senderSignalIndex()

setDefaultCertTrustPolicy(self, policy: QgsAuthCertUtils.CertTrustPolicy) → bool
Set the default certificate trust policy preferred by user

setMasterPassword(self, verify: bool = False) → bool
Main call to initially set or continually check master password is set
Note: If it is not set, the user is asked for its input
Parameters: verify – Whether password’s hash was saved in authentication database

setMasterPassword(self, pass_: str, verify: bool = False) → bool
Overloaded call to reset master password or set it initially without user interaction
Note: Only use this in trusted reset functions, unit tests or user/app setup scripts!
Parameters:
- pass – Password to use
- verify – Whether password’s hash was saved in authentication database

setScheduledAuthDatabaseEraseRequestEmitted(self, emitted: bool)
Re-emit a signal to schedule an optional erase of authentication database.
Note: This can be called from the slot connected to a previously emitted scheduling signal, so that the slot can ask for another emit later, if the slot notices the current GUI processing state is not ready for interacting with the user, e.g. project is still loading
Parameters: emitted – Setting to false will cause signal to be emitted by the schedule timer. Setting to true will stop any emitting, but will not stop the schedule timer.

sslCertCustomConfig(self, id: str, hostport: str) → QgsAuthConfigSslServer
sslCertCustomConfig get an SSL certificate custom config by id (sha hash) and hostport (host:port)
Parameters:
- id – sha hash
- hostport – string host:port
Returns: a SSL certificate custom config
New in version 3.0.

sslCertCustomConfigByHost(self, hostport: str) → QgsAuthConfigSslServer
sslCertCustomConfigByHost get an SSL certificate custom config by hostport (host:port)
Parameters: hostport – host:port
Returns: a SSL certificate custom config
New in version 3.0.

sslCertCustomConfigs(self) → List[QgsAuthConfigSslServer]
sslCertCustomConfigs get SSL certificate custom configs
Returns: list of SSL certificate custom config
New in version 3.0.

storeAuthSetting(self, key: str, value: Any, encrypt: bool = False) → bool
Store an authentication setting (stored as string via QVariant( value ).toString() )

storeAuthenticationConfig(self, mconfig: QgsAuthMethodConfig) → Tuple[bool, QgsAuthMethodConfig]
Store an authentication config in the database
Parameters: mconfig – Associated authentication config id
Returns: Whether operation succeeded

storeCertAuthorities(self, certs: Iterable[QSslCertificate]) → bool
Store multiple certificate authorities

storeCertAuthority(self, cert: QSslCertificate) → bool
Store a certificate authority

storeCertIdentity(self, cert: QSslCertificate, key: QSslKey) → bool
Store a certificate identity

storeCertTrustPolicy(self, cert: QSslCertificate, policy: QgsAuthCertUtils.CertTrustPolicy) → bool
Store user trust value for a certificate

storeSslCertCustomConfig(self, config: QgsAuthConfigSslServer) → bool
Store an SSL certificate custom config

supportedAuthMethodExpansions(self, authcfg: str) → QgsAuthMethod.Expansions
Get supported authentication method expansion(s), e.g. NetworkRequest | DataSourceURI, as flags
Parameters: authcfg –

systemRootCAs(self) → List[QSslCertificate]
systemRootCAs get root system certificate authorities
Returns: list of certificate authorities
New in version 3.0.

timerEvent()

trustedCaCerts(self, includeinvalid: bool = False) → List[QSslCertificate]
trustedCaCerts get list of all trusted CA certificates
Parameters: includeinvalid – whether invalid certs needs to be returned
Returns: list of certificates
New in version 3.0.

trustedCaCertsCache(self) → List[QSslCertificate]
trustedCaCertsCache cache of trusted certificate authorities, ready for network connections
Returns: list of certificates
New in version 3.0.

trustedCaCertsPemText(self) → QByteArray
trustedCaCertsPemText get concatenated string of all trusted CA certificates
Returns: byte array with all PEM encoded trusted CAs
New in version 3.0.

uniqueConfigId(self) → str
Get a unique generated 7-character string to assign to as config id

untrustedCaCerts(self, trustedCAs: Iterable[QSslCertificate] = []) → List[QSslCertificate]
untrustedCaCerts get list of untrusted certificate authorities
Returns: list of certificates
New in version 3.0.

updateAuthenticationConfig(self, config: QgsAuthMethodConfig) → bool
Update an authentication config in the database
Parameters: config – Associated authentication config id
Returns: Whether operation succeeded

updateConfigAuthMethods(self)
Sync the config/authentication method cache with what is in database

updateDataSourceUriItems(self, connectionItems: Iterable[str], authcfg: str, dataprovider: str = '') → Tuple[bool, List[str]]
Provider call to update a QgsDataSourceUri with an authentication config
Parameters:
- connectionItems – The connection items, e.g. username=myname, of QgsDataSourceUri
- authcfg – Associated authentication config id
- dataprovider – Provider key filter, offering logic branching in authentication method
Returns: Whether operation succeeded

updateIgnoredSslErrorsCache(self, shahostport: str, errors: Iterable[QSslError]) → bool
Update ignored SSL error cache with possible ignored SSL errors, using sha:host:port key

updateIgnoredSslErrorsCacheFromConfig(self, config: QgsAuthConfigSslServer) → bool
Update ignored SSL error cache with possible ignored SSL errors, using server config

updateNetworkProxy(self, proxy: QNetworkProxy, authcfg: str, dataprovider: str = '') → Tuple[bool, QNetworkProxy]
Provider call to update a QNetworkProxy with an authentication config
Parameters:
- proxy – the QNetworkProxy
- authcfg – Associated authentication config id
- dataprovider – Provider key filter, offering logic branching in authentication method
Returns: Whether operation succeeded

updateNetworkReply(self, reply: QNetworkReply, authcfg: str, dataprovider: str = '') → bool
Provider call to update a QNetworkReply with an authentication config (used to skip known SSL errors, etc.)
Parameters:
- reply – The QNetworkReply
- authcfg – Associated authentication config id
- dataprovider – Provider key filter, offering logic branching in authentication method
Returns: Whether operation succeeded

updateNetworkRequest(self, request: QNetworkRequest, authcfg: str, dataprovider: str = '') → Tuple[bool, QNetworkRequest]
Provider call to update a QNetworkRequest with an authentication config
Parameters:
- request – The QNetworkRequest
- authcfg – Associated authentication config id
- dataprovider – Provider key filter, offering logic branching in authentication method
Returns: Whether operation succeeded

verifyMasterPassword(self, compare: str = '') → bool
Verify the supplied master password against any existing hash in authentication database
Note: Do not emit verification signals when only comparing
Parameters: compare – Password to compare against