[auth] Add trusted root CAs to OGR PG connnections

qgis · Nov 14, 2017 · 276bd1bfe1864eaa31da273707aab59fd93488ca · 276bd1b
1 parent 2c63671
commit 276bd1bfe1864eaa31da273707aab59fd93488ca
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 2 deletions.
diff --git a/src/auth/basic/qgsauthbasicmethod.cpp b/src/auth/basic/qgsauthbasicmethod.cpp
@@ -102,6 +102,20 @@ bool QgsAuthBasicMethod::updateDataSourceUriItems( QStringList &connectionItems,
     return false;
   }
 
+  // SSL Extra CAs
+  QString caparam;
+  QList<QSslCertificate> cas;
+  cas = QgsApplication::authManager()->trustedCaCerts();
+  // save CAs to temp file
+  QString tempFileBase = QStringLiteral( "tmp_basic_%1.pem" );
+  QString caFilePath = QgsAuthCertUtils::pemTextToTempFile(
+                         tempFileBase.arg( QUuid::createUuid().toString() ),
+                         QgsAuthCertUtils::certsToPemText( cas ) );
+  if ( ! caFilePath.isEmpty() )
+  {
+    QString caparam = "sslrootcert='" + caFilePath + "'";
+  }
+
   // Branch for OGR
   if ( dataprovider == QStringLiteral( "ogr" ) )
   {
@@ -127,6 +141,11 @@ bool QgsAuthBasicMethod::updateDataSourceUriItems( QStringList &connectionItems,
             if ( !password.isEmpty() )
               uri += QStringLiteral( " password='%1'" ).arg( password );
           }
+          // add extra CAs
+          if ( ! caparam.isEmpty() )
+          {
+            uri += ' ' + caparam;
+          }
         }
         else if ( uri.startsWith( QStringLiteral( "SDE:" ) ) )
         {
@@ -226,9 +245,23 @@ bool QgsAuthBasicMethod::updateDataSourceUriItems( QStringList &connectionItems,
     {
       connectionItems.append( passparam );
     }
+    // add extra CAs
+    if ( ! caparam.isEmpty() )
+    {
+      int sslcaindx = connectionItems.indexOf( QRegExp( "^sslrootcert='.*" ) );
+      if ( sslcaindx != -1 )
+      {
+        connectionItems.replace( sslcaindx, caparam );
+      }
+      else
+      {
+        connectionItems.append( caparam );
+      }
+    }
   }
 
- return true;
+
+  return true;
 }
 
 bool QgsAuthBasicMethod::updateNetworkProxy( QNetworkProxy &proxy, const QString &authcfg, const QString &dataprovider )

diff --git a/tests/src/python/CMakeLists.txt b/tests/src/python/CMakeLists.txt
@@ -215,7 +215,7 @@ IF (ENABLE_PGTEST)
   ADD_PYTHON_TEST(PyQgsVectorLayerTools test_qgsvectorlayertools.py)
   ADD_PYTHON_TEST(PyQgsAuthManagerPKIPostgresTest test_authmanager_pki_postgres.py)
   ADD_PYTHON_TEST(PyQgsAuthManagerPasswordPostgresTest test_authmanager_password_postgres.py)
-  ENDIF (ENABLE_PGTEST)
+ENDIF (ENABLE_PGTEST)
 
 IF (ENABLE_MSSQLTEST)
   ADD_PYTHON_TEST(PyQgsMssqlProvider test_provider_mssql.py)