Class: QgsAuthManager¶
-
class qgis.core.QgsAuthManager¶
Bases: PyQt5.QtCore.QObject
Singleton offering an interface to manage the authentication configuration database and to utilize configurations through various authentication method plugins.
QgsAuthManager should not usually be directly created, but rather accessed through QgsApplication.authManager().
Enums
Methods
Name of the authentication database table that stores configs
Sets up the application instance of the authentication database connection
Name of the authentication database table that stores server exceptions/configs
Simple text tag describing authentication system for message logs
Gets authentication method from the config/provider cache via its key
Gets authentication method edit widget via its key
Gets keys of supported authentication methods
authSetting get an authentication setting (retrieved as string and returned as QVariant( QString ))
The standard authentication database file in ~/.qgis3/ or defined location
Gets mapping of authentication config ids and their base configs (not decrypted data)
Close connection to current authentication database and back it up
certAuthority get a certificate authority by id (sha hash)
certIdentities get certificate identities
certIdentity get a certificate identity by id (sha hash)
certIdentityBundleToPem get a certificate identity bundle by id (sha hash) returned as PEM text
certIdentityIds get list of certificate identity ids from database
certTrustCache get cache of certificate sha1s, per trust policy
certTrustPolicy get whether certificate cert is trusted by user
certificateTrustPolicy get trust policy for a particular certificate cert
Clear all authentication configs from authentication method caches
Clear an authentication config from its associated authentication method cache
Clear supplied master password
Gets authentication method from the config/provider cache
Gets key of authentication method associated with config ID
Returns the regular expression for authcfg=.{7} key/value token for authentication ids
Verify if provided authentication id is unique
Gets list of authentication ids from database
databaseCAs get database-stored certificate authorities
Gets the default certificate trust policy preferred by user
Standard message for when QCA’s qca-ossl plugin is missing and system is disabled
Utility function to dump the cache for debug purposes
Erase all rows from all tables in authentication database
Check if an authentication setting exists
Check if a certificate authority exists
Check if a certificate identity exists
Check if SSL certificate custom config exists
extraFileCAs extra file-based certificate authorities
Returns whether a string includes an authcfg ID token
init initialize QCA, prioritize qca-ossl plugin and optionally set up the authentication database
Initialize various SSL authentication caches
Whether QCA has the qca-ossl plugin, which is a base run-time requirement
Load an authentication config from the database into subclass
mappedDatabaseCAs get sha1-mapped database-stored certificate authorities
Verify a password hash existing in authentication database
Whether master password has been input and verified, i.e.
Check whether supplied password is the same as the one already set
Password helper enabled getter
Store the password manager into the wallet
Rebuild certificate authority cache
Rebuild certificate authority cache
Rebuild ignoredSSL error cache
Rebuild trusted certificate authorities cache
Instantiate and register existing C++ core authentication methods from plugins
Clear all authentication configs from table in database and from provider caches
Remove an authentication setting
Remove an authentication config in the database
Remove a certificate authority
Remove a certificate identity
Remove a group certificate authorities
Remove a certificate authority
Remove an SSL certificate custom config
Reset the master password to a new one, then re-encrypt all previous configs in a new database file, optionally backup current database
Sets the default certificate trust policy preferred by user
Main call to initially set or continually check master password is set
Password helper enabled setter
Re-emit a signal to schedule an optional erase of authentication database.
sslCertCustomConfig get an SSL certificate custom config by id (sha hash) and hostport (host:port)
sslCertCustomConfigByHost get an SSL certificate custom config by hostport (host:port)
sslCertCustomConfigs get SSL certificate custom configs
Store an authentication setting (stored as string via QVariant( value ).toString() )
Store an authentication config in the database
Store multiple certificate authorities
Store a certificate authority
Store a certificate identity
Store user trust value for a certificate
Store an SSL certificate custom config
Gets supported authentication method expansion(s), e.g.
systemRootCAs get root system certificate authorities
trustedCaCerts get list of all trusted CA certificates
trustedCaCertsCache cache of trusted certificate authorities, ready for network connections
trustedCaCertsPemText get concatenated string of all trusted CA certificates
Gets a unique generated 7-character string to assign to as config id
untrustedCaCerts get list of untrusted certificate authorities
Update an authentication config in the database
Sync the config/authentication method cache with what is in database
Provider call to update a QgsDataSourceUri with an authentication config
Update ignored SSL error cache with possible ignored SSL errors, using sha:host:port key
Update ignored SSL error cache with possible ignored SSL errors, using server config
Provider call to update a QNetworkProxy with an authentication config
Provider call to update a QNetworkReply with an authentication config (used to skip known SSL errors, etc.)
Provider call to update a QNetworkRequest with an authentication config
Verify the supplied master password against any existing hash in authentication database
Signals
Emitted when the authentication db is significantly changed, e.g.
Emitted when a user has indicated they may want to erase the authentication db.
Emitted when a password has been verified (or not)
Custom logging signal to relay to console output and QgsMessageLog
Signals emitted on password helper failure, mainly used in the tests to exit main application loop [signal]
Custom logging signal to inform the user about master password <-> password manager interactions
Signals emitted on password helper success, mainly used in the tests to exit main application loop [signal]
Attributes
-
AUTH_MAN_TAG
= 'Authentication Manager'¶
-
AUTH_PASSWORD_HELPER_DISPLAY_NAME
= 'Wallet/KeyRing'¶
-
CRITICAL
= 2¶
-
INFO
= 0¶
-
class
MessageLevel
¶ Bases:
int
-
baseClass
¶ alias of
QgsAuthManager
-
-
WARNING
= 1¶
-
authDatabaseChanged
¶ Emitted when the authentication db is significantly changed, e.g. large record removal, erased, etc. [signal]
-
authDatabaseConfigTable
(self) → str¶ Name of the authentication database table that stores configs
-
authDatabaseConnection
(self) → QSqlDatabase¶ Sets up the application instance of the authentication database connection
-
authDatabaseEraseRequested
¶ Emitted when a user has indicated they may want to erase the authentication db. [signal]
-
authDatabaseServersTable
(self) → str¶ Name of the authentication database table that stores server exceptions/configs
-
authManTag
(self) → str¶ Simple text tag describing authentication system for message logs
-
authMethod
(self, authMethodKey: str) → QgsAuthMethod¶ Gets authentication method from the config/provider cache via its key
- Parameters
authMethodKey – Authentication method key
-
authMethodEditWidget
(self, authMethodKey: str, parent: QWidget) → QWidget¶ Gets authentication method edit widget via its key
- Parameters
authMethodKey – Authentication method key
parent – Parent widget
-
authMethodsKeys
(self, dataprovider: str = '') → List[str]¶ Gets keys of supported authentication methods
-
authSetting
(self, key: str, defaultValue: Any = None, decrypt: bool = False) → Any¶ authSetting get an authentication setting (retrieved as string and returned as QVariant( QString ))
- Parameters
key – setting key
defaultValue –
decrypt – if the value needs to be decrypted
- Returns
QVariant( QString ) authentication setting
New in version 3.0.
-
authenticationDatabasePath
(self) → str¶ The standard authentication database file in ~/.qgis3/ or defined location
-
availableAuthMethodConfigs
(self, dataprovider: str = '') → Dict[str, QgsAuthMethodConfig]¶ Gets mapping of authentication config ids and their base configs (not decrypted data)
-
backupAuthenticationDatabase
(self, backuppath: str = '') → Tuple[bool, str]¶ Close connection to current authentication database and back it up
- Returns
Path to backup
-
certAuthority
(self, id: str) → QSslCertificate¶ certAuthority get a certificate authority by id (sha hash)
- Parameters
id – sha hash
- Returns
a certificate
New in version 3.0.
-
certIdentities
(self) → List[QSslCertificate]¶ certIdentities get certificate identities
- Returns
list of certificates
New in version 3.0.
-
certIdentity
(self, id: str) → QSslCertificate¶ certIdentity get a certificate identity by id (sha hash)
- Parameters
id – sha hash of the cert
- Returns
the certificate
New in version 3.0.
-
certIdentityBundleToPem
(self, id: str) → List[str]¶ certIdentityBundleToPem get a certificate identity bundle by id (sha hash) returned as PEM text
- Parameters
id – sha hash
- Returns
a list of strings
New in version 3.0.
-
certIdentityIds
(self) → List[str]¶ certIdentityIds get list of certificate identity ids from database
- Returns
list of certificate ids
New in version 3.0.
-
certTrustCache
(self) → Dict[QgsAuthCertUtils.CertTrustPolicy, List[str]]¶ certTrustCache get cache of certificate sha1s, per trust policy
- Returns
trust-policy-mapped certificate sha1s
New in version 3.0.
-
certTrustPolicy
(self, cert: QSslCertificate) → QgsAuthCertUtils.CertTrustPolicy¶ certTrustPolicy get whether certificate cert is trusted by user
- Parameters
cert –
- Returns
DefaultTrust if certificate sha not in trust table, i.e. follows default trust policy
New in version 3.0.
-
certificateTrustPolicy
(self, cert: QSslCertificate) → QgsAuthCertUtils.CertTrustPolicy¶ certificateTrustPolicy get trust policy for a particular certificate cert
- Parameters
cert –
- Returns
DefaultTrust if certificate sha not in trust table, i.e. follows default trust policy
New in version 3.0.
-
childEvent
()¶
-
clearAllCachedConfigs
(self)¶ Clear all authentication configs from authentication method caches
-
clearCachedConfig
(self, authcfg: str)¶ Clear an authentication config from its associated authentication method cache
-
clearMasterPassword
(self)¶ Clear supplied master password
Note
This will not necessarily clear authenticated connections cached in network connection managers
-
configAuthMethod
(self, authcfg: str) → QgsAuthMethod¶ Gets authentication method from the config/provider cache
- Parameters
authcfg – Authentication config id
-
configAuthMethodKey
(self, authcfg: str) → str¶ Gets key of authentication method associated with config ID
- Parameters
authcfg –
-
configIdRegex
(self) → str¶ Returns the regular expression for authcfg=.{7} key/value token for authentication ids
-
configIdUnique
(self, id: str) → bool¶ Verify if provided authentication id is unique
- Parameters
id – Id to check
-
configIds
(self) → List[str]¶ Gets list of authentication ids from database
-
connectNotify
()¶
-
customEvent
()¶
-
databaseCAs
(self) → List[QSslCertificate]¶ databaseCAs get database-stored certificate authorities
- Returns
list of certificate authorities
New in version 3.0.
-
defaultCertTrustPolicy
(self) → QgsAuthCertUtils.CertTrustPolicy¶ Gets the default certificate trust policy preferred by user
-
disabledMessage
(self) → str¶ Standard message for when QCA’s qca-ossl plugin is missing and system is disabled
-
disconnectNotify
()¶
-
dumpIgnoredSslErrorsCache_
(self)¶ Utility function to dump the cache for debug purposes
-
eraseAuthenticationDatabase
(self, backup: bool, backuppath: str = '') → Tuple[bool, str]¶ Erase all rows from all tables in authentication database
- Parameters
backup – Whether to back up the current database
backuppath – Where the backup is located
- Returns
Whether operation succeeded
-
existsAuthSetting
(self, key: str) → bool¶ Check if an authentication setting exists
-
existsCertAuthority
(self, cert: QSslCertificate) → bool¶ Check if a certificate authority exists
-
existsCertIdentity
(self, id: str) → bool¶ Check if a certificate identity exists
-
existsSslCertCustomConfig
(self, id: str, hostport: str) → bool¶ Check if SSL certificate custom config exists
-
extraFileCAs
(self) → List[QSslCertificate]¶ extraFileCAs extra file-based certificate authorities
- Returns
list of certificate authorities
New in version 3.0.
-
hasConfigId
(self, txt: str) → bool¶ Returns whether a string includes an authcfg ID token
- Parameters
txt – String to check
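The authcfg token described under configIdRegex and hasConfigId can be used to audit stored connection strings: a string that carries only an authcfg id references a config in the authentication database, while one with inline credentials does not. The following is an added example, not part of the QGIS API or this reference; the alphanumeric id pattern, the credential key names and the sample URIs are assumptions constructed for illustration.

```python
import re

# Assumed token shape: "authcfg=" plus a 7-character alphanumeric id, modeled on
# the documented "authcfg=.{7}" description. Inside QGIS, use the pattern from
# QgsApplication.authManager().configIdRegex() instead of this constant.
AUTHCFG_TOKEN = re.compile(r"\bauthcfg=([A-Za-z0-9]{7})(?![A-Za-z0-9])")

# Assumed key names for credentials written directly into a connection string.
# A value is either a single-quoted string (may contain spaces) or a bare word.
INLINE_CRED = re.compile(
    r"\b(username|user|password)=('(?:[^'\\]|\\.)*'|[^\s&]+)", re.IGNORECASE
)


def audit_uri(uri):
    """Classify how a connection string carries its authentication."""
    ids = AUTHCFG_TOKEN.findall(uri)
    inline_keys = sorted({m.group(1).lower() for m in INLINE_CRED.finditer(uri)})
    if ids and inline_keys:
        status = "mixed"               # authcfg reference plus inline credentials
    elif ids:
        status = "authcfg-only"        # credentials stay in the auth database
    elif inline_keys:
        status = "inline-credentials"  # credentials stored with the URI itself
    else:
        status = "no-auth"
    return {"status": status, "authcfg_ids": ids, "inline_keys": inline_keys}


def redact(uri):
    """Mask inline credential values before the string is logged.

    The authcfg token is kept: it is only a reference to a stored config.
    """
    return INLINE_CRED.sub(lambda m: m.group(1) + "=<redacted>", uri)


# Constructed sample connection strings (not taken from any real project).
SAMPLE_URIS = [
    "dbname='gis' host=db.example.org port=5432 authcfg=a1b2c3d sslmode=require",
    "dbname='gis' host=db.example.org user='alice' password='s3cr3t pw'",
    "host=db.example.org authcfg=a1b2c3d password=hunter2",
    "host=db.example.org authcfg=short",  # too short to be a config id
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(audit_uri(uri)["status"], "|", redact(uri))
```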
-
init
(self, pluginPath: str = '', authDatabasePath: str = '') → bool¶ init initialize QCA, prioritize qca-ossl plugin and optionally set up the authentication database
- Parameters
pluginPath – the plugin path
authDatabasePath – the authentication DB path
- Returns
True on success
See also
-
initSslCaches
(self) → bool¶ Initialize various SSL authentication caches
-
isDisabled
(self) → bool¶ Whether QCA has the qca-ossl plugin, which is a base run-time requirement
-
isSignalConnected
()¶
-
loadAuthenticationConfig
(self, authcfg: str, mconfig: QgsAuthMethodConfig, full: bool = False) → Tuple[bool, QgsAuthMethodConfig]¶ Load an authentication config from the database into subclass
- Parameters
authcfg – Associated authentication config id
mconfig – Subclassed config to load into
full – Whether to decrypt and populate all sensitive data in subclass
- Returns
Whether operation succeeded
-
mappedDatabaseCAs
(self) → Dict[str, QSslCertificate]¶ mappedDatabaseCAs get sha1-mapped database-stored certificate authorities
- Returns
sha1-mapped certificate authorities
New in version 3.0.
-
masterPasswordHashInDatabase
(self) → bool¶ Verify a password hash existing in authentication database
-
masterPasswordIsSet
(self) → bool¶ Whether master password has been input and verified, i.e. authentication database is accessible
-
masterPasswordSame
(self, pass_: str) → bool¶ Check whether supplied password is the same as the one already set
- Parameters
pass – Password to verify
-
masterPasswordVerified
¶ Emitted when a password has been verified (or not)
- Parameters
verified – The state of password’s verification [signal]
-
messageOut
¶ Custom logging signal to relay to console output and QgsMessageLog
- Parameters
message – Message to send
tag – Associated tag (title)
level – Message log level
See also
QgsMessageLog
[signal]
-
passwordHelperEnabled
(self) → bool¶ Password helper enabled getter
Note
Available in Python bindings since QGIS 3.8.0
-
passwordHelperFailure
¶ Signals emitted on password helper failure, mainly used in the tests to exit main application loop [signal]
-
passwordHelperMessageOut
¶ Custom logging signal to inform the user about master password <-> password manager interactions
- Parameters
message – Message to send
tag – Associated tag (title)
level – Message log level
See also
QgsMessageLog
[signal]
-
passwordHelperSuccess
¶ Signals emitted on password helper success, mainly used in the tests to exit main application loop [signal]
-
passwordHelperSync
(self) → bool¶ Store the password manager into the wallet
Note
Available in Python bindings since QGIS 3.8.0
-
rebuildCaCertsCache
(self) → bool¶ Rebuild certificate authority cache
-
rebuildCertTrustCache
(self) → bool¶ Rebuild certificate authority cache
-
rebuildIgnoredSslErrorCache
(self) → bool¶ Rebuild ignoredSSL error cache
-
rebuildTrustedCaCertsCache
(self) → bool¶ Rebuild trusted certificate authorities cache
-
receivers
()¶
-
registerCoreAuthMethods
(self) → bool¶ Instantiate and register existing C++ core authentication methods from plugins
-
removeAllAuthenticationConfigs
(self) → bool¶ Clear all authentication configs from table in database and from provider caches
- Returns
Whether operation succeeded
-
removeAuthSetting
(self, key: str) → bool¶ Remove an authentication setting
-
removeAuthenticationConfig
(self, authcfg: str) → bool¶ Remove an authentication config in the database
- Parameters
authcfg – Associated authentication config id
- Returns
Whether operation succeeded
-
removeCertAuthority
(self, cert: QSslCertificate) → bool¶ Remove a certificate authority
-
removeCertIdentity
(self, id: str) → bool¶ Remove a certificate identity
-
removeCertTrustPolicies
(self, certs: Iterable[QSslCertificate]) → bool¶ Remove a group certificate authorities
-
removeCertTrustPolicy
(self, cert: QSslCertificate) → bool¶ Remove a certificate authority
-
removeSslCertCustomConfig
(self, id: str, hostport: str) → bool¶ Remove an SSL certificate custom config
-
resetMasterPassword
(self, newpass: str, oldpass: str, keepbackup: bool, backuppath: str = '') → Tuple[bool, str]¶ Reset the master password to a new one, then re-encrypt all previous configs in a new database file, optionally backup current database
- Parameters
newpass – New master password to replace existing
oldpass – Current master password to replace existing
keepbackup – Whether to keep the generated backup of current database
backuppath – Where the backup is located, if kept
-
sender
()¶
-
senderSignalIndex
()¶
-
setDefaultCertTrustPolicy
(self, policy: QgsAuthCertUtils.CertTrustPolicy) → bool¶ Sets the default certificate trust policy preferred by user
-
setMasterPassword
(self, verify: bool = False) → bool¶ Main call to initially set or continually check master password is set
Note
If it is not set, the user is asked for its input
- Parameters
verify – Whether password’s hash was saved in authentication database
setMasterPassword(self, pass_: str, verify: bool = False) -> bool Overloaded call to reset master password or set it initially without user interaction
Note
Only use this in trusted reset functions, unit tests or user/app setup scripts!
- Parameters
pass – Password to use
verify – Whether password’s hash was saved in authentication database
-
setPasswordHelperEnabled
(self, enabled: bool)¶ Password helper enabled setter
Note
Available in Python bindings since QGIS 3.8.0
-
setScheduledAuthDatabaseEraseRequestEmitted
(self, emitted: bool)¶ Re-emit a signal to schedule an optional erase of authentication database.
Note
This can be called from the slot connected to a previously emitted scheduling signal, so that the slot can ask for another emit later, if the slot notices the current GUI processing state is not ready for interacting with the user, e.g. project is still loading
- Parameters
emitted – Setting to False will cause signal to be emitted by the schedule timer. Setting to True will stop any emitting, but will not stop the schedule timer.
-
sslCertCustomConfig
(self, id: str, hostport: str) → QgsAuthConfigSslServer¶ sslCertCustomConfig get an SSL certificate custom config by id (sha hash) and hostport (host:port)
- Parameters
id – sha hash
hostport – string host:port
- Returns
a SSL certificate custom config
New in version 3.0.
-
sslCertCustomConfigByHost
(self, hostport: str) → QgsAuthConfigSslServer¶ sslCertCustomConfigByHost get an SSL certificate custom config by hostport (host:port)
- Parameters
hostport – host:port
- Returns
a SSL certificate custom config
New in version 3.0.
-
sslCertCustomConfigs
(self) → List[QgsAuthConfigSslServer]¶ sslCertCustomConfigs get SSL certificate custom configs
- Returns
list of SSL certificate custom config
New in version 3.0.
-
storeAuthSetting
(self, key: str, value: Any, encrypt: bool = False) → bool¶ Store an authentication setting (stored as string via QVariant( value ).toString() )
-
storeAuthenticationConfig
(self, mconfig: QgsAuthMethodConfig) → Tuple[bool, QgsAuthMethodConfig]¶ Store an authentication config in the database
- Parameters
mconfig – Associated authentication config id
- Returns
Whether operation succeeded
-
storeCertAuthorities
(self, certs: Iterable[QSslCertificate]) → bool¶ Store multiple certificate authorities
-
storeCertAuthority
(self, cert: QSslCertificate) → bool¶ Store a certificate authority
-
storeCertIdentity
(self, cert: QSslCertificate, key: QSslKey) → bool¶ Store a certificate identity
-
storeCertTrustPolicy
(self, cert: QSslCertificate, policy: QgsAuthCertUtils.CertTrustPolicy) → bool¶ Store user trust value for a certificate
-
storeSslCertCustomConfig
(self, config: QgsAuthConfigSslServer) → bool¶ Store an SSL certificate custom config
-
supportedAuthMethodExpansions
(self, authcfg: str) → QgsAuthMethod.Expansions¶ Gets supported authentication method expansion(s), e.g. NetworkRequest | DataSourceURI, as flags
- Parameters
authcfg –
-
systemRootCAs
(self) → List[QSslCertificate]¶ systemRootCAs get root system certificate authorities
- Returns
list of certificate authorities
New in version 3.0.
-
timerEvent
()¶
-
trustedCaCerts
(self, includeinvalid: bool = False) → List[QSslCertificate]¶ trustedCaCerts get list of all trusted CA certificates
- Parameters
includeinvalid – whether invalid certs need to be returned
- Returns
list of certificates
New in version 3.0.
-
trustedCaCertsCache
(self) → List[QSslCertificate]¶ trustedCaCertsCache cache of trusted certificate authorities, ready for network connections
- Returns
list of certificates
New in version 3.0.
-
trustedCaCertsPemText
(self) → QByteArray¶ trustedCaCertsPemText get concatenated string of all trusted CA certificates
- Returns
byte array with all PEM encoded trusted CAs
New in version 3.0.
-
uniqueConfigId
(self) → str¶ Gets a unique generated 7-character string to assign to as config id
-
untrustedCaCerts
(self, trustedCAs: Iterable[QSslCertificate] = []) → List[QSslCertificate]¶ untrustedCaCerts get list of untrusted certificate authorities
- Returns
list of certificates
New in version 3.0.
-
updateAuthenticationConfig
(self, config: QgsAuthMethodConfig) → bool¶ Update an authentication config in the database
- Parameters
config – Associated authentication config id
- Returns
Whether operation succeeded
-
updateConfigAuthMethods
(self)¶ Sync the config/authentication method cache with what is in database
-
updateDataSourceUriItems
(self, connectionItems: Iterable[str], authcfg: str, dataprovider: str = '') → Tuple[bool, List[str]]¶ Provider call to update a QgsDataSourceUri with an authentication config
- Parameters
connectionItems – The connection items, e.g. username=myname, of QgsDataSourceUri
authcfg – Associated authentication config id
dataprovider – Provider key filter, offering logic branching in authentication method
- Returns
Whether operation succeeded
-
updateIgnoredSslErrorsCache
(self, shahostport: str, errors: Iterable[QSslError]) → bool¶ Update ignored SSL error cache with possible ignored SSL errors, using sha:host:port key
-
updateIgnoredSslErrorsCacheFromConfig
(self, config: QgsAuthConfigSslServer) → bool¶ Update ignored SSL error cache with possible ignored SSL errors, using server config
-
updateNetworkProxy
(self, proxy: QNetworkProxy, authcfg: str, dataprovider: str = '') → Tuple[bool, QNetworkProxy]¶ Provider call to update a QNetworkProxy with an authentication config
- Parameters
proxy – the QNetworkProxy
authcfg – Associated authentication config id
dataprovider – Provider key filter, offering logic branching in authentication method
- Returns
Whether operation succeeded
-
updateNetworkReply
(self, reply: QNetworkReply, authcfg: str, dataprovider: str = '') → bool¶ Provider call to update a QNetworkReply with an authentication config (used to skip known SSL errors, etc.)
- Parameters
reply – The QNetworkReply
authcfg – Associated authentication config id
dataprovider – Provider key filter, offering logic branching in authentication method
- Returns
Whether operation succeeded
-
updateNetworkRequest
(self, request: QNetworkRequest, authcfg: str, dataprovider: str = '') → Tuple[bool, QNetworkRequest]¶ Provider call to update a QNetworkRequest with an authentication config
- Parameters
request – The QNetworkRequest
authcfg – Associated authentication config id
dataprovider – Provider key filter, offering logic branching in authentication method
- Returns
Whether operation succeeded
-
verifyMasterPassword
(self, compare: str = '') → bool¶ Verify the supplied master password against any existing hash in authentication database
Note
Do not emit verification signals when only comparing
- Parameters
compare – Password to compare against
-