QGIS API Documentation 3.41.0-Master (45a0abf3bec)
Loading...
Searching...
No Matches
qgsauthmanager.h
Go to the documentation of this file.
1/***************************************************************************
2 qgsauthmanager.h
3 ---------------------
4 begin : October 5, 2014
5 copyright : (C) 2014 by Boundless Spatial, Inc. USA
6 author : Larry Shaffer
7 email : lshaffer at boundlessgeo dot com
8 ***************************************************************************
9 * *
10 * This program is free software; you can redistribute it and/or modify *
11 * it under the terms of the GNU General Public License as published by *
12 * the Free Software Foundation; either version 2 of the License, or *
13 * (at your option) any later version. *
14 * *
15 ***************************************************************************/
16
17#ifndef QGSAUTHMANAGER_H
18#define QGSAUTHMANAGER_H
19
20#include "qgis_core.h"
21#include "qgis_sip.h"
22#include <QObject>
23#include <QRecursiveMutex>
24#include <QNetworkReply>
25#include <QNetworkRequest>
26#include <QSqlDatabase>
27#include <QSqlError>
28#include <QSqlQuery>
29#include <QStringList>
30
31#ifndef QT_NO_SSL
32#include <QSslCertificate>
33#include <QSslKey>
34#include <QtCrypto>
35#include "qgsauthcertutils.h"
36#endif
37
38#include "qgsauthconfig.h"
39#include "qgsauthmethod.h"
40
41#if QT_VERSION >= QT_VERSION_CHECK(6, 0, 0)
42#include <qt6keychain/keychain.h>
43#else
44#include <qt5keychain/keychain.h>
45#endif
46
47#ifndef SIP_RUN
48namespace QCA
49{
50 class Initializer;
51}
52#endif
53class QgsAuthMethod;
55class QgsAuthProvider;
57class QTimer;
61
70class CORE_EXPORT QgsAuthManager : public QObject
71{
72 Q_OBJECT
73
74 public:
75
78 {
79 INFO = 0,
80 WARNING = 1,
81 CRITICAL = 2
82 };
83 Q_ENUM( MessageLevel )
84
85
94 Q_DECL_DEPRECATED bool init( const QString &pluginPath = QString(), const QString &authDatabasePath = QString() ) SIP_DEPRECATED;
95
106 void setup( const QString &pluginPath = QString(), const QString &authDatabasePath = QString() );
107
115 bool ensureInitialized() const;
116
117 ~QgsAuthManager() override;
118
123 QgsAuthConfigurationStorageRegistry *authConfigurationStorageRegistry() const;
124
130 Q_DECL_DEPRECATED QSqlDatabase authDatabaseConnection() const SIP_DEPRECATED;
131
136 Q_DECL_DEPRECATED const QString authDatabaseConfigTable() const SIP_DEPRECATED { return AUTH_CONFIG_TABLE; }
137
143 const QString methodConfigTableName() const;
144
149 Q_DECL_DEPRECATED const QString authDatabaseServersTable() const SIP_DEPRECATED { return AUTH_SERVERS_TABLE; }
150
151
153 bool isDisabled() const;
154
156 const QString disabledMessage() const;
157
163 Q_DECL_DEPRECATED const QString authenticationDatabasePath() const;
164
168 static bool isFilesystemBasedDatabase( const QString &uri );
169
175 QgsAuthConfigurationStorageDb *defaultDbStorage() const SIP_SKIP;
176
181 const QString authenticationDatabaseUri() const;
182
187 const QString authenticationDatabaseUriStripped() const;
188
194 bool setMasterPassword( bool verify = false );
195
202 bool setMasterPassword( const QString &password, bool verify = false );
203
209 bool verifyMasterPassword( const QString &compare = QString() );
210
212 bool masterPasswordIsSet() const;
213
215 bool masterPasswordHashInDatabase() const;
216
221 void clearMasterPassword() { mMasterPass = QString(); }
222
227 bool masterPasswordSame( const QString &password ) const;
228
237 bool resetMasterPassword( const QString &newpass, const QString &oldpass, bool keepbackup, QString *backuppath SIP_INOUT = nullptr );
238
243 bool scheduledAuthDatabaseErase() { return mScheduledDbErase; } SIP_SKIP
244
257 void setScheduledAuthDatabaseErase( bool scheduleErase ) SIP_SKIP;
258
267 void setScheduledAuthDatabaseEraseRequestEmitted( bool emitted ) { mScheduledDbEraseRequestEmitted = emitted; }
268
270 QString authManTag() const { return AUTH_MAN_TAG; }
271
273 bool registerCoreAuthMethods();
274
276 QgsAuthMethodConfigsMap availableAuthMethodConfigs( const QString &dataprovider = QString() );
277
279 void updateConfigAuthMethods();
280
285 QgsAuthMethod *configAuthMethod( const QString &authcfg );
286
291 QString configAuthMethodKey( const QString &authcfg ) const;
292
296 QStringList authMethodsKeys( const QString &dataprovider = QString() );
297
302 QgsAuthMethod *authMethod( const QString &authMethodKey );
303
309 const QgsAuthMethodMetadata *authMethodMetadata( const QString &authMethodKey ) SIP_SKIP;
310
316 QgsAuthMethodsMap authMethodsMap( const QString &dataprovider = QString() ) SIP_SKIP;
317
318#ifdef HAVE_GUI
319 SIP_IF_FEATURE( HAVE_GUI )
320
321
326 QWidget *authMethodEditWidget( const QString &authMethodKey, QWidget *parent );
327 SIP_END
328#endif
329
334 QgsAuthMethod::Expansions supportedAuthMethodExpansions( const QString &authcfg );
335
337 const QString uniqueConfigId() const;
338
343 bool configIdUnique( const QString &id ) const;
344
349 static bool hasConfigId( const QString &txt );
350
352 QString configIdRegex() const { return AUTH_CFG_REGEX;}
353
355 QStringList configIds() const;
356
363 bool storeAuthenticationConfig( QgsAuthMethodConfig &mconfig SIP_INOUT, bool overwrite = false );
364
370 bool updateAuthenticationConfig( const QgsAuthMethodConfig &config );
371
379 bool loadAuthenticationConfig( const QString &authcfg, QgsAuthMethodConfig &mconfig SIP_INOUT, bool full = false );
380
386 bool removeAuthenticationConfig( const QString &authcfg );
387
395 bool exportAuthenticationConfigsToXml( const QString &filename, const QStringList &authcfgs, const QString &password = QString() );
396
404 bool importAuthenticationConfigsFromXml( const QString &filename, const QString &password = QString(), bool overwrite = false );
405
410 bool removeAllAuthenticationConfigs();
411
416 bool backupAuthenticationDatabase( QString *backuppath SIP_INOUT = nullptr );
417
424 bool eraseAuthenticationDatabase( bool backup, QString *backuppath SIP_INOUT = nullptr );
425
426
428
436 bool updateNetworkRequest( QNetworkRequest &request SIP_INOUT, const QString &authcfg,
437 const QString &dataprovider = QString() );
438
446 bool updateNetworkReply( QNetworkReply *reply, const QString &authcfg,
447 const QString &dataprovider = QString() );
448
456 bool updateDataSourceUriItems( QStringList &connectionItems SIP_INOUT, const QString &authcfg,
457 const QString &dataprovider = QString() );
458
466 bool updateNetworkProxy( QNetworkProxy &proxy SIP_INOUT, const QString &authcfg,
467 const QString &dataprovider = QString() );
468
470
472 bool storeAuthSetting( const QString &key, const QVariant &value, bool encrypt = false );
473
481 QVariant authSetting( const QString &key, const QVariant &defaultValue = QVariant(), bool decrypt = false );
482
484 bool existsAuthSetting( const QString &key );
485
487 bool removeAuthSetting( const QString &key );
488
489#ifndef QT_NO_SSL
491
493 bool initSslCaches();
494
496 bool storeCertIdentity( const QSslCertificate &cert, const QSslKey &key );
497
503 const QSslCertificate certIdentity( const QString &id );
504
511 const QPair<QSslCertificate, QSslKey> certIdentityBundle( const QString &id ) SIP_SKIP;
512
518 const QStringList certIdentityBundleToPem( const QString &id );
519
524 const QList<QSslCertificate> certIdentities();
525
527
532 QStringList certIdentityIds() const;
533
535 bool existsCertIdentity( const QString &id );
536
538 bool removeCertIdentity( const QString &id );
539
540
542 bool storeSslCertCustomConfig( const QgsAuthConfigSslServer &config );
543
550 const QgsAuthConfigSslServer sslCertCustomConfig( const QString &id, const QString &hostport );
551
557 const QgsAuthConfigSslServer sslCertCustomConfigByHost( const QString &hostport );
558
563 const QList<QgsAuthConfigSslServer> sslCertCustomConfigs();
564
566 bool existsSslCertCustomConfig( const QString &id, const QString &hostport );
567
569 bool removeSslCertCustomConfig( const QString &id, const QString &hostport );
570
576 QHash<QString, QSet<QSslError::SslError> > ignoredSslErrorCache() { return mIgnoredSslErrorsCache; } SIP_SKIP
577
579 void dumpIgnoredSslErrorsCache_();
580
582 bool updateIgnoredSslErrorsCacheFromConfig( const QgsAuthConfigSslServer &config );
583
585 bool updateIgnoredSslErrorsCache( const QString &shahostport, const QList<QSslError> &errors );
586
588 bool rebuildIgnoredSslErrorCache();
589
590
592 bool storeCertAuthorities( const QList<QSslCertificate> &certs );
593
595 bool storeCertAuthority( const QSslCertificate &cert );
596
598
604 const QSslCertificate certAuthority( const QString &id );
605
607 bool existsCertAuthority( const QSslCertificate &cert );
608
610 bool removeCertAuthority( const QSslCertificate &cert );
611
616 static const QList<QSslCertificate> systemRootCAs();
617
622 const QList<QSslCertificate> extraFileCAs();
623
628 const QList<QSslCertificate> databaseCAs();
629
634 const QMap<QString, QSslCertificate> mappedDatabaseCAs();
635
641 const QMap<QString, QPair<QgsAuthCertUtils::CaCertSource, QSslCertificate> > caCertsCache() SIP_SKIP
642 {
643 return mCaCertsCache;
644 }
645
647 bool rebuildCaCertsCache();
648
650 bool storeCertTrustPolicy( const QSslCertificate &cert, QgsAuthCertUtils::CertTrustPolicy policy );
651
657 QgsAuthCertUtils::CertTrustPolicy certTrustPolicy( const QSslCertificate &cert );
658
660 bool removeCertTrustPolicies( const QList<QSslCertificate> &certs );
661
663 bool removeCertTrustPolicy( const QSslCertificate &cert );
664
670 QgsAuthCertUtils::CertTrustPolicy certificateTrustPolicy( const QSslCertificate &cert );
671
673 bool setDefaultCertTrustPolicy( QgsAuthCertUtils::CertTrustPolicy policy );
674
676 QgsAuthCertUtils::CertTrustPolicy defaultCertTrustPolicy();
677
682 const QMap<QgsAuthCertUtils::CertTrustPolicy, QStringList > certTrustCache() { return mCertTrustCache; }
683
685 bool rebuildCertTrustCache();
686
692 const QList<QSslCertificate> trustedCaCerts( bool includeinvalid = false );
693
698 const QList<QSslCertificate> untrustedCaCerts( QList<QSslCertificate> trustedCAs = QList<QSslCertificate>() );
699
701 bool rebuildTrustedCaCertsCache();
702
707 const QList<QSslCertificate> trustedCaCertsCache() { return mTrustedCaCertsCache; }
708
713 const QByteArray trustedCaCertsPemText();
714
715#endif
716
721 const QString passwordHelperErrorMessage() { return mPasswordHelperErrorMessage; } SIP_SKIP
722
727 bool passwordHelperDelete() SIP_SKIP;
728
733 static bool passwordHelperEnabled();
734
739 void setPasswordHelperEnabled( bool enabled );
740
745 static bool passwordHelperLoggingEnabled() SIP_SKIP;
746
751 static void setPasswordHelperLoggingEnabled( bool enabled ) SIP_SKIP;
752
757 bool passwordHelperSync();
758
760 static const QString AUTH_PASSWORD_HELPER_DISPLAY_NAME;
761
763 static const QString AUTH_MAN_TAG;
764
765
766 signals:
767
772 void passwordHelperFailure();
773
778 void passwordHelperSuccess();
779
788 Q_DECL_DEPRECATED void messageOut( const QString &message, const QString &tag = QgsAuthManager::AUTH_MAN_TAG, QgsAuthManager::MessageLevel level = QgsAuthManager::INFO ) const SIP_DEPRECATED;
789
798 void messageLog( const QString &message, const QString &tag = QgsAuthManager::AUTH_MAN_TAG, Qgis::MessageLevel level = Qgis::MessageLevel::Info ) const;
799
808 Q_DECL_DEPRECATED void passwordHelperMessageOut( const QString &message, const QString &tag = QgsAuthManager::AUTH_MAN_TAG, QgsAuthManager::MessageLevel level = QgsAuthManager::INFO ) SIP_DEPRECATED;
809
818 void passwordHelperMessageLog( const QString &message, const QString &tag = QgsAuthManager::AUTH_MAN_TAG, Qgis::MessageLevel level = Qgis::MessageLevel::Info );
819
824 void masterPasswordVerified( bool verified );
825
827 void authDatabaseEraseRequested();
828
830 void authDatabaseChanged();
831
832 public slots:
834 void clearAllCachedConfigs();
835
837 void clearCachedConfig( const QString &authcfg );
838
839 private slots:
840 void writeToConsole( const QString &message, const QString &tag = QString(), Qgis::MessageLevel level = Qgis::MessageLevel::Info );
841
851 void tryToStartDbErase();
852
853 protected:
854
859 static QgsAuthManager *instance() SIP_SKIP;
860
861
862#ifdef Q_OS_WIN
863 public:
864 explicit QgsAuthManager() SIP_SKIP;
865#else
866 protected:
867 explicit QgsAuthManager() SIP_SKIP;
868#endif
869
870 private:
871
872 bool initPrivate( const QString &pluginPath );
873
875 // Password Helper methods
876
878 QString passwordHelperName() const;
879
881 void passwordHelperLog( const QString &msg ) const;
882
884 QString passwordHelperRead();
885
887 bool passwordHelperWrite( const QString &password );
888
890 void passwordHelperSetErrorMessage( const QString &errorMessage ) { mPasswordHelperErrorMessage = errorMessage; }
891
893 void passwordHelperClearErrors();
894
899 void passwordHelperProcessError();
900
901 bool masterPasswordInput();
902
903 bool masterPasswordRowsInDb( int *rows ) const;
904
905 bool masterPasswordCheckAgainstDb( const QString &compare = QString() ) const;
906
907 bool masterPasswordStoreInDb() const;
908
909 bool masterPasswordClearDb();
910
911 const QString masterPasswordCiv() const;
912
913 bool verifyPasswordCanDecryptConfigs() const;
914
915 bool reencryptAllAuthenticationConfigs( const QString &prevpass, const QString &prevciv );
916
917 bool reencryptAuthenticationConfig( const QString &authcfg, const QString &prevpass, const QString &prevciv );
918
919 bool reencryptAllAuthenticationSettings( const QString &prevpass, const QString &prevciv );
920
921 bool reencryptAllAuthenticationIdentities( const QString &prevpass, const QString &prevciv );
922
923 bool reencryptAuthenticationIdentity( const QString &identid, const QString &prevpass, const QString &prevciv );
924
925#ifndef QT_NO_SSL
926 void insertCaCertInCache( QgsAuthCertUtils::CaCertSource source, const QList<QSslCertificate> &certs );
927#endif
928
929 QString authPasswordHelperKeyName() const;
930
934 QgsAuthConfigurationStorage *firstStorageWithCapability( Qgis::AuthConfigurationStorageCapability capability ) const;
935
939 const QString sqliteDatabasePath() const;
940
941 static QgsAuthManager *sInstance;
942 static const QString AUTH_CONFIG_TABLE;
943 static const QString AUTH_SERVERS_TABLE;
944 static const QString AUTH_CFG_REGEX;
945
946 QString mPluginPath;
947 QString mAuthDatabaseConnectionUri;
948
949 mutable bool mLazyInitResult = false;
950 bool mAuthInit = false;
951
952 mutable std::unique_ptr<QgsAuthConfigurationStorageRegistry> mAuthConfigurationStorageRegistry;
953
954 std::unique_ptr<QCA::Initializer> mQcaInitializer;
955
956 QHash<QString, QString> mConfigAuthMethods;
957 QHash<QString, QgsAuthMethod *> mAuthMethods;
958
959 QString mMasterPass;
960 int mPassTries = 0;
961 bool mAuthDisabled = false;
962 QString mAuthDisabledMessage;
963 QTimer *mScheduledDbEraseTimer = nullptr;
964 bool mScheduledDbErase = false;
965 int mScheduledDbEraseRequestWait = 3 ; // in seconds
966 bool mScheduledDbEraseRequestEmitted = false;
967 int mScheduledDbEraseRequestCount = 0;
968
969 std::unique_ptr<QRecursiveMutex> mMutex;
970 std::unique_ptr<QRecursiveMutex> mMasterPasswordMutex;
971#ifndef QT_NO_SSL
972 // mapping of sha1 digest and cert source and cert
973 // appending removes duplicates
974 QMap<QString, QPair<QgsAuthCertUtils::CaCertSource, QSslCertificate> > mCaCertsCache;
975 // list of sha1 digests per policy
976 QMap<QgsAuthCertUtils::CertTrustPolicy, QStringList > mCertTrustCache;
977 // cache of certs ready to be utilized in network connections
978 QList<QSslCertificate> mTrustedCaCertsCache;
979 // cache of SSL errors to be ignored in network connections, per sha-hostport
980 QHash<QString, QSet<QSslError::SslError> > mIgnoredSslErrorsCache;
981
982 bool mHasCustomConfigByHost = false;
983 bool mHasCheckedIfCustomConfigByHostExists = false;
984 QMap< QString, QgsAuthConfigSslServer > mCustomConfigByHostCache;
985#endif
986
988 // Password Helper Variables
989
991 bool mPasswordHelperVerificationError = false;
992
994 QString mPasswordHelperErrorMessage;
995
997 QKeychain::Error mPasswordHelperErrorCode = QKeychain::NoError;
998
1000 bool mPasswordHelperLoggingEnabled = false;
1001
1003 bool mPasswordHelperFailedInit = false;
1004
1006 static const QLatin1String AUTH_PASSWORD_HELPER_KEY_NAME_BASE;
1007
1009 static const QLatin1String AUTH_PASSWORD_HELPER_FOLDER_NAME;
1010
1011 mutable QMap<QThread *, QMetaObject::Connection> mConnectedThreads;
1012
1013 friend class QgsApplication;
1014
1015};
1016
1017#endif // QGSAUTHMANAGER_H
The Qgis class provides global constants for use throughout the application.
Definition qgis.h:54
AuthConfigurationStorageCapability
Authentication configuration storage capabilities.
Definition qgis.h:100
Extends QApplication to provide access to QGIS specific resources such as theme paths,...
CertTrustPolicy
Type of certificate trust policy.
CaCertSource
Type of CA certificate source.
Configuration container for SSL server connection exceptions or overrides.
QSqlDatabase based implementation of QgsAuthConfigurationStorage.
Registry for authentication configuration storages.
Abstract class that defines the interface for all authentication configuration storage implementation...
Singleton offering an interface to manage the authentication configuration database and to utilize co...
MessageLevel
Message log level (mirrors that of QgsMessageLog, so it can also output there)
const QList< QSslCertificate > trustedCaCertsCache()
trustedCaCertsCache cache of trusted certificate authorities, ready for network connections
const QMap< QgsAuthCertUtils::CertTrustPolicy, QStringList > certTrustCache()
certTrustCache get cache of certificate sha1s, per trust policy
bool scheduledAuthDatabaseErase()
Whether there is a scheduled opitonal erase of authentication database.
QString authManTag() const
Simple text tag describing authentication system for message logs.
const QMap< QString, QPair< QgsAuthCertUtils::CaCertSource, QSslCertificate > > caCertsCache()
caCertsCache get all CA certs mapped to their sha1 from cache.
QString configIdRegex() const
Returns the regular expression for authcfg=.{7} key/value token for authentication ids.
void setScheduledAuthDatabaseEraseRequestEmitted(bool emitted)
Re-emit a signal to schedule an optional erase of authentication database.
const QString passwordHelperErrorMessage()
Error message getter.
QHash< QString, QSet< QSslError::SslError > > ignoredSslErrorCache()
ignoredSslErrorCache Get ignored SSL error cache, keyed with cert/connection's sha:host:port.
Q_DECL_DEPRECATED const QString authDatabaseServersTable() const
Name of the authentication database table that stores server exceptions/configs.
Configuration storage class for authentication method configurations.
Abstract base class for the edit widget of authentication method plugins.
Holds data auth method key, description, and associated shared library file information.
Abstract base class for authentication method plugins.
QFlags< Expansion > Expansions
#define SIP_DEPRECATED
Definition qgis_sip.h:106
#define SIP_SKIP
Definition qgis_sip.h:126
#define SIP_IF_FEATURE(feature)
Definition qgis_sip.h:181
#define SIP_INOUT
Definition qgis_sip.h:71
#define SIP_END
Definition qgis_sip.h:208
QHash< QString, QgsAuthMethodConfig > QgsAuthMethodConfigsMap
QHash< QString, QgsAuthMethod * > QgsAuthMethodsMap