Subgroup: Auth

Class: QgsAuthManager

class qgis.core.QgsAuthManager

Bases: PyQt5.QtCore.QObject

Singleton offering an interface to manage the authentication configuration database and to utilize configurations through various authentication method plugins

Methods

authDatabaseConfigTable Name of the authentication database table that stores configs
authDatabaseConnection Set up the application instance of the authentication database connection
authDatabaseServersTable Name of the authentication database table that stores server exceptions/configs
authManTag Simple text tag describing authentication system for message logs
authMethod Get authentication method from the config/provider cache via its key
authMethodEditWidget Get authentication method edit widget via its key
authMethodsKeys Get keys of supported authentication methods
authSetting authSetting get an authentication setting (retrieved as string and returned as QVariant( QString ))
authenticationDatabasePath The standard authentication database file in ~/.qgis3/ or defined location
availableAuthMethodConfigs Get mapping of authentication config ids and their base configs (not decrypted data)
backupAuthenticationDatabase Close connection to current authentication database and back it up
certAuthority certAuthority get a certificate authority by id (sha hash)
certIdentities certIdentities get certificate identities
certIdentity certIdentity get a certificate identity by id (sha hash)
certIdentityBundleToPem certIdentityBundleToPem get a certificate identity bundle by id (sha hash) returned as PEM text
certIdentityIds certIdentityIds get list of certificate identity ids from database
certTrustCache certTrustCache get cache of certificate sha1s, per trust policy
certTrustPolicy certTrustPolicy get whether certificate cert is trusted by user
certificateTrustPolicy certificateTrustPolicy get trust policy for a particular certificate cert
childEvent
clearAllCachedConfigs Clear all authentication configs from authentication method caches
clearCachedConfig Clear an authentication config from its associated authentication method cache
clearMasterPassword Clear supplied master password
configAuthMethod Get authentication method from the config/provider cache
configAuthMethodKey Get key of authentication method associated with config ID
configIdRegex Return regular expression for authcfg=.{7} key/value token for authentication ids
configIdUnique Verify if provided authentication id is unique
configIds Get list of authentication ids from database
connectNotify
customEvent
databaseCAs databaseCAs get database-stored certificate authorities
defaultCertTrustPolicy Get the default certificate trust policy preferred by user
disabledMessage Standard message for when QCA’s qca-ossl plugin is missing and system is disabled
disconnectNotify
dumpIgnoredSslErrorsCache_ Utility function to dump the cache for debug purposes
eraseAuthenticationDatabase Erase all rows from all tables in authentication database
existsAuthSetting Check if an authentication setting exists
existsCertAuthority Check if a certificate authority exists
existsCertIdentity Check if a certificate identity exists
existsSslCertCustomConfig Check if SSL certificate custom config exists
extraFileCAs extraFileCAs extra file-based certificate authorities
hasConfigId Return whether a string includes an authcfg ID token
init init initialize QCA, prioritize qca-ossl plugin and optionally set up the authentication database
initSslCaches Initialize various SSL authentication caches
isDisabled Whether QCA has the qca-ossl plugin, which is a base run-time requirement
isSignalConnected
loadAuthenticationConfig Load an authentication config from the database into subclass
mappedDatabaseCAs mappedDatabaseCAs get sha1-mapped database-stored certificate authorities
masterPasswordHashInDatabase Verify a password hash existing in authentication database
masterPasswordIsSet Whether master password has been input and verified, i.e. authentication database is accessible
masterPasswordSame Check whether supplied password is the same as the one already set
rebuildCaCertsCache Rebuild certificate authority cache
rebuildCertTrustCache Rebuild certificate authority cache
rebuildIgnoredSslErrorCache Rebuild ignored SSL error cache
rebuildTrustedCaCertsCache Rebuild trusted certificate authorities cache
receivers
registerCoreAuthMethods Instantiate and register existing C++ core authentication methods from plugins
removeAllAuthenticationConfigs Clear all authentication configs from table in database and from provider caches
removeAuthSetting Remove an authentication setting
removeAuthenticationConfig Remove an authentication config in the database
removeCertAuthority Remove a certificate authority
removeCertIdentity Remove a certificate identity
removeCertTrustPolicies Remove a group of certificate authorities
removeCertTrustPolicy Remove a certificate authority
removeSslCertCustomConfig Remove an SSL certificate custom config
resetMasterPassword Reset the master password to a new one, then re-encrypt all previous configs in a new database file, optionally backup current database
sender
senderSignalIndex
setDefaultCertTrustPolicy Set the default certificate trust policy preferred by user
setMasterPassword Main call to initially set or continually check master password is set
setScheduledAuthDatabaseEraseRequestEmitted Re-emit a signal to schedule an optional erase of authentication database.
sslCertCustomConfig sslCertCustomConfig get an SSL certificate custom config by id (sha hash) and hostport (host:port)
sslCertCustomConfigByHost sslCertCustomConfigByHost get an SSL certificate custom config by hostport (host:port)
sslCertCustomConfigs sslCertCustomConfigs get SSL certificate custom configs
storeAuthSetting Store an authentication setting (stored as string via QVariant( value ).toString() )
storeAuthenticationConfig Store an authentication config in the database
storeCertAuthorities Store multiple certificate authorities
storeCertAuthority Store a certificate authority
storeCertIdentity Store a certificate identity
storeCertTrustPolicy Store user trust value for a certificate
storeSslCertCustomConfig Store an SSL certificate custom config
supportedAuthMethodExpansions Get supported authentication method expansion(s), e.g. NetworkRequest | DataSourceURI, as flags
systemRootCAs systemRootCAs get root system certificate authorities
timerEvent
trustedCaCerts trustedCaCerts get list of all trusted CA certificates
trustedCaCertsCache trustedCaCertsCache cache of trusted certificate authorities, ready for network connections
trustedCaCertsPemText trustedCaCertsPemText get concatenated string of all trusted CA certificates
uniqueConfigId Get a unique generated 7-character string to assign as config id
untrustedCaCerts untrustedCaCerts get list of untrusted certificate authorities
updateAuthenticationConfig Update an authentication config in the database
updateConfigAuthMethods Sync the config/authentication method cache with what is in database
updateDataSourceUriItems Provider call to update a QgsDataSourceUri with an authentication config
updateIgnoredSslErrorsCache Update ignored SSL error cache with possible ignored SSL errors, using sha:host:port key
updateIgnoredSslErrorsCacheFromConfig Update ignored SSL error cache with possible ignored SSL errors, using server config
updateNetworkProxy Provider call to update a QNetworkProxy with an authentication config
updateNetworkReply Provider call to update a QNetworkReply with an authentication config (used to skip known SSL errors, etc.)
updateNetworkRequest Provider call to update a QNetworkRequest with an authentication config
verifyMasterPassword Verify the supplied master password against any existing hash in authentication database

Signals

authDatabaseChanged Emitted when the authentication db is significantly changed, e.g. large record removal, erased, etc.
authDatabaseEraseRequested Emitted when a user has indicated they may want to erase the authentication db.
masterPasswordVerified Emitted when a password has been verified (or not)
messageOut Custom logging signal to relay to console output and QgsMessageLog
passwordHelperFailure Signals emitted on password helper failure, mainly used in the tests to exit main application loop [signal]
passwordHelperMessageOut Custom logging signal to inform the user about master password <-> password manager interactions
passwordHelperSuccess Signals emitted on password helper success, mainly used in the tests to exit main application loop [signal]

Attributes

AUTH_MAN_TAG
AUTH_PASSWORD_HELPER_DISPLAY_NAME
CRITICAL
INFO
WARNING
AUTH_MAN_TAG = 'Authentication Manager'
AUTH_PASSWORD_HELPER_DISPLAY_NAME = 'Keychain'
CRITICAL = 2
INFO = 0
class MessageLevel

Bases: int

WARNING = 1
authDatabaseChanged

Emitted when the authentication db is significantly changed, e.g. large record removal, erased, etc. [signal]

authDatabaseConfigTable(self) → str

Name of the authentication database table that stores configs

authDatabaseConnection(self) → QSqlDatabase

Set up the application instance of the authentication database connection

authDatabaseEraseRequested

Emitted when a user has indicated they may want to erase the authentication db. [signal]

authDatabaseServersTable(self) → str

Name of the authentication database table that stores server exceptions/configs

authManTag(self) → str

Simple text tag describing authentication system for message logs

authMethod(self, authMethodKey: str) → QgsAuthMethod

Get authentication method from the config/provider cache via its key

Parameters:authMethodKey – Authentication method key
authMethodEditWidget(self, authMethodKey: str, parent: QWidget) → QWidget

Get authentication method edit widget via its key

Parameters:
  • authMethodKey – Authentication method key
  • parent – Parent widget
authMethodsKeys(self, dataprovider: str = '') → List[str]

Get keys of supported authentication methods

authSetting(self, key: str, defaultValue: Any = None, decrypt: bool = False) → Any

authSetting get an authentication setting (retrieved as string and returned as QVariant( QString ))

Parameters:
  • key – setting key
  • defaultValue
  • decrypt – if the value needs to be decrypted
Returns:

QVariant( QString ) authentication setting

New in version 3.0.

authenticationDatabasePath(self) → str

The standard authentication database file in ~/.qgis3/ or defined location

availableAuthMethodConfigs(self, dataprovider: str = '') → object

Get mapping of authentication config ids and their base configs (not decrypted data)

backupAuthenticationDatabase(self, backuppath: str = '') → Tuple[bool, str]

Close connection to current authentication database and back it up

Returns:Path to backup
certAuthority(self, id: str) → QSslCertificate

certAuthority get a certificate authority by id (sha hash)

Parameters:id – sha hash
Returns:a certificate

New in version 3.0.

certIdentities(self) → List[QSslCertificate]

certIdentities get certificate identities

Returns:list of certificates

New in version 3.0.

certIdentity(self, id: str) → QSslCertificate

certIdentity get a certificate identity by id (sha hash)

Parameters:id – sha hash of the cert
Returns:the certificate

New in version 3.0.

certIdentityBundleToPem(self, id: str) → List[str]

certIdentityBundleToPem get a certificate identity bundle by id (sha hash) returned as PEM text

Parameters:id – sha hash
Returns:a list of strings

New in version 3.0.

certIdentityIds(self) → List[str]

certIdentityIds get list of certificate identity ids from database

Returns:list of certificate ids

New in version 3.0.

certTrustCache(self) → object

certTrustCache get cache of certificate sha1s, per trust policy

Returns:trust-policy-mapped certificate sha1s

New in version 3.0.

certTrustPolicy(self, cert: QSslCertificate) → QgsAuthCertUtils.CertTrustPolicy

certTrustPolicy get whether certificate cert is trusted by user

Parameters:cert
Returns:DefaultTrust if certificate sha not in trust table, i.e. follows default trust policy

New in version 3.0.

certificateTrustPolicy(self, cert: QSslCertificate) → QgsAuthCertUtils.CertTrustPolicy

certificateTrustPolicy get trust policy for a particular certificate cert

Parameters:cert
Returns:DefaultTrust if certificate sha not in trust table, i.e. follows default trust policy

New in version 3.0.

childEvent()
clearAllCachedConfigs(self)

Clear all authentication configs from authentication method caches

clearCachedConfig(self, authcfg: str)

Clear an authentication config from its associated authentication method cache

clearMasterPassword(self)

Clear supplied master password

Note

This will not necessarily clear authenticated connections cached in network connection managers

configAuthMethod(self, authcfg: str) → QgsAuthMethod

Get authentication method from the config/provider cache

Parameters:authcfg – Authentication config id
configAuthMethodKey(self, authcfg: str) → str

Get key of authentication method associated with config ID

Parameters:authcfg
configIdRegex(self) → str

Return regular expression for authcfg=.{7} key/value token for authentication ids

configIdUnique(self, id: str) → bool

Verify if provided authentication id is unique

Parameters:id – Id to check
configIds(self) → List[str]

Get list of authentication ids from database

connectNotify()
customEvent()
databaseCAs(self) → List[QSslCertificate]

databaseCAs get database-stored certificate authorities

Returns:list of certificate authorities

New in version 3.0.

defaultCertTrustPolicy(self) → QgsAuthCertUtils.CertTrustPolicy

Get the default certificate trust policy preferred by user

disabledMessage(self) → str

Standard message for when QCA’s qca-ossl plugin is missing and system is disabled

disconnectNotify()
dumpIgnoredSslErrorsCache_(self)

Utility function to dump the cache for debug purposes

eraseAuthenticationDatabase(self, backup: bool, backuppath: str = '') → Tuple[bool, str]

Erase all rows from all tables in authentication database

Parameters:
  • backup – Whether to back up the current database
  • backuppath – Where the backup is located
Returns:

Whether operation succeeded

existsAuthSetting(self, key: str) → bool

Check if an authentication setting exists

existsCertAuthority(self, cert: QSslCertificate) → bool

Check if a certificate authority exists

existsCertIdentity(self, id: str) → bool

Check if a certificate identity exists

existsSslCertCustomConfig(self, id: str, hostport: str) → bool

Check if SSL certificate custom config exists

extraFileCAs(self) → List[QSslCertificate]

extraFileCAs extra file-based certificate authorities

Returns:list of certificate authorities

New in version 3.0.

hasConfigId(self, txt: str) → bool

Return whether a string includes an authcfg ID token

Parameters:txt – String to check
init(self, pluginPath: str = '', authDatabasePath: str = '') → bool

init initialize QCA, prioritize qca-ossl plugin and optionally set up the authentication database

Parameters:
  • pluginPath – the plugin path
  • authDatabasePath – the authentication DB path
Returns:

true on success

initSslCaches(self) → bool

Initialize various SSL authentication caches

isDisabled(self) → bool

Whether QCA has the qca-ossl plugin, which is a base run-time requirement

isSignalConnected()
loadAuthenticationConfig(self, authcfg: str, mconfig: QgsAuthMethodConfig, full: bool = False) → Tuple[bool, QgsAuthMethodConfig]

Load an authentication config from the database into subclass

Parameters:
  • authcfg – Associated authentication config id
  • mconfig – Subclassed config to load into
  • full – Whether to decrypt and populate all sensitive data in subclass
Returns:

Whether operation succeeded

mappedDatabaseCAs(self) → Dict[str, QSslCertificate]

mappedDatabaseCAs get sha1-mapped database-stored certificate authorities

Returns:sha1-mapped certificate authorities

New in version 3.0.

masterPasswordHashInDatabase(self) → bool

Verify a password hash existing in authentication database

masterPasswordIsSet(self) → bool

Whether master password has been input and verified, i.e. authentication database is accessible

masterPasswordSame(self, pass_: str) → bool

Check whether supplied password is the same as the one already set

Parameters:pass – Password to verify
masterPasswordVerified

Emitted when a password has been verified (or not)

Parameters:verified – The state of password’s verification [signal]
messageOut

Custom logging signal to relay to console output and QgsMessageLog

Parameters:
  • message – Message to send
  • tag – Associated tag (title)
  • level – Message log level

See also

QgsMessageLog [signal]

passwordHelperFailure

Signals emitted on password helper failure, mainly used in the tests to exit main application loop [signal]

passwordHelperMessageOut

Custom logging signal to inform the user about master password <-> password manager interactions

Parameters:
  • message – Message to send
  • tag – Associated tag (title)
  • level – Message log level

See also

QgsMessageLog [signal]

passwordHelperSuccess

Signals emitted on password helper success, mainly used in the tests to exit main application loop [signal]

rebuildCaCertsCache(self) → bool

Rebuild certificate authority cache

rebuildCertTrustCache(self) → bool

Rebuild certificate authority cache

rebuildIgnoredSslErrorCache(self) → bool

Rebuild ignored SSL error cache

rebuildTrustedCaCertsCache(self) → bool

Rebuild trusted certificate authorities cache

receivers()
registerCoreAuthMethods(self) → bool

Instantiate and register existing C++ core authentication methods from plugins

removeAllAuthenticationConfigs(self) → bool

Clear all authentication configs from table in database and from provider caches

Returns:Whether operation succeeded
removeAuthSetting(self, key: str) → bool

Remove an authentication setting

removeAuthenticationConfig(self, authcfg: str) → bool

Remove an authentication config in the database

Parameters:authcfg – Associated authentication config id
Returns:Whether operation succeeded
removeCertAuthority(self, cert: QSslCertificate) → bool

Remove a certificate authority

removeCertIdentity(self, id: str) → bool

Remove a certificate identity

removeCertTrustPolicies(self, certs: Iterable[QSslCertificate]) → bool

Remove a group of certificate authorities

removeCertTrustPolicy(self, cert: QSslCertificate) → bool

Remove a certificate authority

removeSslCertCustomConfig(self, id: str, hostport: str) → bool

Remove an SSL certificate custom config

resetMasterPassword(self, newpass: str, oldpass: str, keepbackup: bool, backuppath: str = '') → Tuple[bool, str]

Reset the master password to a new one, then re-encrypt all previous configs in a new database file, optionally backup current database

Parameters:
  • newpass – New master password to replace existing
  • oldpass – Current master password to replace existing
  • keepbackup – Whether to keep the generated backup of current database
  • backuppath – Where the backup is located, if kept
sender()
senderSignalIndex()
setDefaultCertTrustPolicy(self, policy: QgsAuthCertUtils.CertTrustPolicy) → bool

Set the default certificate trust policy preferred by user

setMasterPassword(self, verify: bool = False) → bool

Main call to initially set or continually check master password is set

Note

If it is not set, the user is asked for its input

Parameters:verify – Whether password’s hash was saved in authentication database

setMasterPassword(self, pass_: str, verify: bool = False) → bool

Overloaded call to reset master password or set it initially without user interaction

Note

Only use this in trusted reset functions, unit tests or user/app setup scripts!

Parameters:
  • pass – Password to use
  • verify – Whether password’s hash was saved in authentication database
setScheduledAuthDatabaseEraseRequestEmitted(self, emitted: bool)

Re-emit a signal to schedule an optional erase of authentication database.

Note

This can be called from the slot connected to a previously emitted scheduling signal, so that the slot can ask for another emit later, if the slot notices the current GUI processing state is not ready for interacting with the user, e.g. project is still loading

Parameters:emitted – Setting to false will cause signal to be emitted by the schedule timer.

Setting to true will stop any emitting, but will not stop the schedule timer.

sslCertCustomConfig(self, id: str, hostport: str) → QgsAuthConfigSslServer

sslCertCustomConfig get an SSL certificate custom config by id (sha hash) and hostport (host:port)

Parameters:
  • id – sha hash
  • hostport – string host:port
Returns:

an SSL certificate custom config

New in version 3.0.

sslCertCustomConfigByHost(self, hostport: str) → QgsAuthConfigSslServer

sslCertCustomConfigByHost get an SSL certificate custom config by hostport (host:port)

Parameters:hostport – host:port
Returns:an SSL certificate custom config

New in version 3.0.

sslCertCustomConfigs(self) → List[QgsAuthConfigSslServer]

sslCertCustomConfigs get SSL certificate custom configs

Returns:list of SSL certificate custom config

New in version 3.0.

storeAuthSetting(self, key: str, value: Any, encrypt: bool = False) → bool

Store an authentication setting (stored as string via QVariant( value ).toString() )

storeAuthenticationConfig(self, mconfig: QgsAuthMethodConfig) → Tuple[bool, QgsAuthMethodConfig]

Store an authentication config in the database

Parameters:mconfig – Associated authentication config id
Returns:Whether operation succeeded
storeCertAuthorities(self, certs: Iterable[QSslCertificate]) → bool

Store multiple certificate authorities

storeCertAuthority(self, cert: QSslCertificate) → bool

Store a certificate authority

storeCertIdentity(self, cert: QSslCertificate, key: QSslKey) → bool

Store a certificate identity

storeCertTrustPolicy(self, cert: QSslCertificate, policy: QgsAuthCertUtils.CertTrustPolicy) → bool

Store user trust value for a certificate

storeSslCertCustomConfig(self, config: QgsAuthConfigSslServer) → bool

Store an SSL certificate custom config

supportedAuthMethodExpansions(self, authcfg: str) → QgsAuthMethod.Expansions

Get supported authentication method expansion(s), e.g. NetworkRequest | DataSourceURI, as flags

Parameters:authcfg
systemRootCAs(self) → List[QSslCertificate]

systemRootCAs get root system certificate authorities

Returns:list of certificate authorities

New in version 3.0.

timerEvent()
trustedCaCerts(self, includeinvalid: bool = False) → List[QSslCertificate]

trustedCaCerts get list of all trusted CA certificates

Parameters:includeinvalid – whether invalid certs need to be returned
Returns:list of certificates

New in version 3.0.

trustedCaCertsCache(self) → List[QSslCertificate]

trustedCaCertsCache cache of trusted certificate authorities, ready for network connections

Returns:list of certificates

New in version 3.0.

trustedCaCertsPemText(self) → QByteArray

trustedCaCertsPemText get concatenated string of all trusted CA certificates

Returns:byte array with all PEM encoded trusted CAs

New in version 3.0.

uniqueConfigId(self) → str

Get a unique generated 7-character string to assign as config id

untrustedCaCerts(self, trustedCAs: Iterable[QSslCertificate] = []) → List[QSslCertificate]

untrustedCaCerts get list of untrusted certificate authorities

Returns:list of certificates

New in version 3.0.

updateAuthenticationConfig(self, config: QgsAuthMethodConfig) → bool

Update an authentication config in the database

Parameters:config – Associated authentication config id
Returns:Whether operation succeeded
updateConfigAuthMethods(self)

Sync the config/authentication method cache with what is in database

updateDataSourceUriItems(self, connectionItems: Iterable[str], authcfg: str, dataprovider: str = '') → Tuple[bool, List[str]]

Provider call to update a QgsDataSourceUri with an authentication config

Parameters:
  • connectionItems – The connection items, e.g. username=myname, of QgsDataSourceUri
  • authcfg – Associated authentication config id
  • dataprovider – Provider key filter, offering logic branching in authentication method
Returns:

Whether operation succeeded
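
An added example (not part of the QGIS API or of this reference): a standalone audit of connection items like those passed to updateDataSourceUriItems, separating connections that reference a stored config through an authcfg token from those that embed a password in clear text. The 7-character token shape follows configIdRegex and uniqueConfigId above; the alphanumeric id alphabet, the secret key names and the sample items are assumptions constructed for illustration.

```python
import re

# Shape from this page: configIdRegex() describes an "authcfg=.{7}" token and
# uniqueConfigId() a 7-character id. Assumption: ids are ASCII alphanumeric.
VALID_ID = re.compile(r"[A-Za-z0-9]{7}")

# Assumption: item keys that carry a secret in clear text in a connection item.
SECRET_KEYS = {"password", "passwd", "pwd"}

# Constructed sample connections (not taken from any real project file).
SAMPLES = {
    "managed": ["host=db.example.test", "dbname='gis'", "authcfg=a1B2c3D"],
    "plaintext": ["host=db.example.test", "user='alice'", "password='s3cret'"],
    "both": ["host=db.example.test", "authcfg=a1B2c3D", "password='s3cret'"],
    "truncated": ["host=db.example.test", "authcfg=a1B2c"],
    "anonymous": ["host=db.example.test", "dbname='gis'"],
}


def split_item(item):
    """Split 'key=value' into (key, value) and strip optional single quotes."""
    key, sep, value = item.partition("=")
    if not sep:
        return item.strip().lower(), None
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == "'":
        value = value[1:-1]
    return key.strip().lower(), value


def audit_items(items):
    """Report how one connection carries its credentials."""
    report = {"authcfg": None, "malformed_authcfg": [], "plaintext_secrets": []}
    for item in items:
        key, value = split_item(item)
        if key == "authcfg":
            if value is not None and VALID_ID.fullmatch(value):
                report["authcfg"] = value
            else:
                # Wrong length or alphabet: the token cannot name a stored config.
                report["malformed_authcfg"].append(item)
        elif key in SECRET_KEYS and value:
            report["plaintext_secrets"].append(key)

    # A clear-text secret is the finding that matters most, even when an
    # authcfg token is also present on the same connection.
    if report["plaintext_secrets"]:
        report["verdict"] = "plaintext"
    elif report["malformed_authcfg"]:
        report["verdict"] = "malformed"
    elif report["authcfg"]:
        report["verdict"] = "authcfg"
    else:
        report["verdict"] = "no-credentials"
    return report


def redact_items(items):
    """Return a copy suitable for logs: secret values masked, the rest kept."""
    redacted = []
    for item in items:
        key, value = split_item(item)
        if key in SECRET_KEYS and value is not None:
            redacted.append(f"{key}='***'")
        else:
            redacted.append(item)
    return redacted


if __name__ == "__main__":
    for name, items in SAMPLES.items():
        print(name, audit_items(items)["verdict"], redact_items(items))
```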

updateIgnoredSslErrorsCache(self, shahostport: str, errors: Iterable[QSslError]) → bool

Update ignored SSL error cache with possible ignored SSL errors, using sha:host:port key

updateIgnoredSslErrorsCacheFromConfig(self, config: QgsAuthConfigSslServer) → bool

Update ignored SSL error cache with possible ignored SSL errors, using server config

updateNetworkProxy(self, proxy: QNetworkProxy, authcfg: str, dataprovider: str = '') → Tuple[bool, QNetworkProxy]

Provider call to update a QNetworkProxy with an authentication config

Parameters:
  • proxy – the QNetworkProxy
  • authcfg – Associated authentication config id
  • dataprovider – Provider key filter, offering logic branching in authentication method
Returns:

Whether operation succeeded

updateNetworkReply(self, reply: QNetworkReply, authcfg: str, dataprovider: str = '') → bool

Provider call to update a QNetworkReply with an authentication config (used to skip known SSL errors, etc.)

Parameters:
  • reply – The QNetworkReply
  • authcfg – Associated authentication config id
  • dataprovider – Provider key filter, offering logic branching in authentication method
Returns:

Whether operation succeeded

updateNetworkRequest(self, request: QNetworkRequest, authcfg: str, dataprovider: str = '') → Tuple[bool, QNetworkRequest]

Provider call to update a QNetworkRequest with an authentication config

Parameters:
  • request – The QNetworkRequest
  • authcfg – Associated authentication config id
  • dataprovider – Provider key filter, offering logic branching in authentication method
Returns:

Whether operation succeeded

verifyMasterPassword(self, compare: str = '') → bool

Verify the supplied master password against any existing hash in authentication database

Note

Do not emit verification signals when only comparing

Parameters:compare – Password to compare against