
[auth] Ensure ident cert cache is used

luipir committed Jan 14, 2016
1 parent 2550218 commit 2a12f0189b9ea98902425acda446160f3b503d49
Showing with 64 additions and 95 deletions.
  1. +32 −47 src/auth/pkipaths/qgsauthpkipathsmethod.cpp
  2. +32 −48 src/auth/pkipkcs12/qgsauthpkcs12method.cpp
@@ -112,75 +112,60 @@ bool QgsAuthPkiPathsMethod::updateDataSourceUriItems( QStringList &connectionIte

QgsDebugMsg( QString( "Update URI items for authcfg: %1" ).arg( authcfg ) );

QString pkiTempFilePrefix = "tmppki_";

QgsAuthMethodConfig amConfig;
if ( !QgsAuthManager::instance()->loadAuthenticationConfig( authcfg, amConfig, true ) )
{
QgsDebugMsg( QString( "Update URI items: FAILED to retrieve config for authcfg: %1" ).arg( authcfg ) );
return false;
}

if ( !amConfig.isValid() )
QgsPkiConfigBundle * pkibundle = getPkiConfigBundle( authcfg );
if ( !pkibundle || !pkibundle->isValid() )
{
QgsDebugMsg( QString( "Update URI items: FAILED retrieved invalid Auth method for authcfg: %1" ).arg( authcfg ) );
QgsDebugMsg( "Update URI items FAILED: PKI bundle invalid" );
return false;
}
QgsDebugMsg( "Update URI items: PKI bundle valid" );

// get client cent and key
QSslCertificate clientCert = QgsAuthManager::instance()->getCertIdentityBundle( amConfig.config( "certid" ) ).first;
QSslKey clientKey = QgsAuthManager::instance()->getCertIdentityBundle( amConfig.config( "certid" ) ).second;

// get common name of the client certificate
QString commonName = QgsAuthCertUtils::resolvedCertName( clientCert, false );

// get CA
QByteArray caCert = QgsAuthManager::instance()->getTrustedCaCertsPemText();
QString pkiTempFileBase = "tmppki_%1.pem";

// save client cert to temp file
QFile certFile( QDir::tempPath() + QDir::separator() + pkiTempFilePrefix + QUuid::createUuid() + ".pem" );
if ( certFile.open( QIODevice::WriteOnly ) )
QString certFilePath = QgsAuthCertUtils::pemTextToTempFile(
pkiTempFileBase.arg( QUuid::createUuid().toString() ),
pkibundle->clientCert().toPem() );
if ( certFilePath.isEmpty() )
{
certFile.write( clientCert.toPem() );
}
else
{
QgsDebugMsg( QString( "Update URI items: FAILED to save client cert temporary file" ) );
return false;
}

certFile.setPermissions( QFile::ReadUser | QFile::WriteUser );

// save key cert to temp file setting it's permission only read to the current user
QFile keyFile( QDir::tempPath() + QDir::separator() + pkiTempFilePrefix + QUuid::createUuid() + ".pem" );
if ( keyFile.open( QIODevice::WriteOnly ) )
// save client cert key to temp file
QString keyFilePath = QgsAuthCertUtils::pemTextToTempFile(
pkiTempFileBase.arg( QUuid::createUuid().toString() ),
pkibundle->clientCertKey().toPem() );
if ( keyFilePath.isEmpty() )
{
keyFile.write( clientKey.toPem() );
return false;
}
else

// save CAs to temp file
QString caFilePath = QgsAuthCertUtils::pemTextToTempFile(
pkiTempFileBase.arg( QUuid::createUuid().toString() ),
QgsAuthManager::instance()->getTrustedCaCertsPemText() );
if ( caFilePath.isEmpty() )
{
QgsDebugMsg( QString( "Update URI items: FAILED to save client key temporary file" ) );
return false;
}

keyFile.setPermissions( QFile::ReadUser );
// get common name of the client certificate
QString commonName = QgsAuthCertUtils::resolvedCertName( pkibundle->clientCert(), false );

// save CA to tempo file
QFile caFile( QDir::tempPath() + QDir::separator() + pkiTempFilePrefix + QUuid::createUuid() + ".pem" );
if ( caFile.open( QIODevice::WriteOnly ) )
// add uri parameters
QString userparam = "user='" + commonName + "'";
int userindx = connectionItems.indexOf( QRegExp( "^user='.*" ) );
if ( userindx != -1 )
{
caFile.write( caCert );
connectionItems.replace( userindx, userparam );
}
else
{
QgsDebugMsg( QString( "Update URI items: FAILED to save CAs to temporary file" ) );
return false;
connectionItems.append( userparam );
}

caFile.setPermissions( QFile::ReadUser | QFile::WriteUser );

// add uri parameters
QString certparam = "sslcert='" + certFile.fileName() + "'";
QString certparam = "sslcert='" + certFilePath + "'";
int sslcertindx = connectionItems.indexOf( QRegExp( "^sslcert='.*" ) );
if ( sslcertindx != -1 )
{
@@ -191,7 +176,7 @@ bool QgsAuthPkiPathsMethod::updateDataSourceUriItems( QStringList &connectionIte
connectionItems.append( certparam );
}

QString keyparam = "sslkey='" + keyFile.fileName() + "'";
QString keyparam = "sslkey='" + keyFilePath + "'";
int sslkeyindx = connectionItems.indexOf( QRegExp( "^sslkey='.*" ) );
if ( sslkeyindx != -1 )
{
@@ -202,7 +187,7 @@ bool QgsAuthPkiPathsMethod::updateDataSourceUriItems( QStringList &connectionIte
connectionItems.append( keyparam );
}

QString caparam = "sslrootcert='" + caFile.fileName() + "'";
QString caparam = "sslrootcert='" + caFilePath + "'";
int sslcaindx = connectionItems.indexOf( QRegExp( "^sslrootcert='.*" ) );
if ( sslcaindx != -1 )
{
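Review bot: The owner-only permission calls on the three temp files (`certFile.setPermissions( QFile::ReadUser | QFile::WriteUser )`, `keyFile.setPermissions( QFile::ReadUser )`, `caFile.setPermissions( QFile::ReadUser | QFile::WriteUser )`) have no counterpart on the new side, and nothing in the hunk shows that the replacement `QgsAuthCertUtils::pemTextToTempFile` calls restrict the mode of the files they create under the shared temp directory. The client private key is written there via `pkibundle->clientCertKey().toPem()`, so unless the helper tightens the mode itself the key file is left at the process umask default; if it does not, add `QFile::setPermissions( keyFilePath, QFile::ReadUser );` directly after the `keyFilePath.isEmpty()` check, and the equivalent for `certFilePath` and `caFilePath`. Separately, reading the interleaved rendering, the `caFilePath.isEmpty()` branch appears to log "FAILED to save client key temporary file" while the `keyFilePath.isEmpty()` branch may return without any message, so the debug strings should be confirmed against their branches. The same points apply to the qgsauthpkcs12method.cpp section below, which mirrors this code line for line. updateDataSourceUriItems starts before and continues past this hunk.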
@@ -112,75 +112,59 @@ bool QgsAuthPkcs12Method::updateDataSourceUriItems( QStringList &connectionItems

QgsDebugMsg( QString( "Update URI items for authcfg: %1" ).arg( authcfg ) );

QString pkiTempFilePrefix = "tmppki_";

QgsAuthMethodConfig amConfig;
if ( !QgsAuthManager::instance()->loadAuthenticationConfig( authcfg, amConfig, true ) )
{
QgsDebugMsg( QString( "Update URI items: FAILED to retrieve config for authcfg: %1" ).arg( authcfg ) );
return false;
}

if ( !amConfig.isValid() )
QgsPkiConfigBundle * pkibundle = getPkiConfigBundle( authcfg );
if ( !pkibundle || !pkibundle->isValid() )
{
QgsDebugMsg( QString( "Update URI items: FAILED retrieved invalid Auth method for authcfg: %1" ).arg( authcfg ) );
QgsDebugMsg( "Update URI items FAILED: PKI bundle invalid" );
return false;
}
QgsDebugMsg( "Update URI items: PKI bundle valid" );

// get client cent and key
QSslCertificate clientCert = QgsAuthManager::instance()->getCertIdentityBundle( amConfig.config( "certid" ) ).first;
QSslKey clientKey = QgsAuthManager::instance()->getCertIdentityBundle( amConfig.config( "certid" ) ).second;

// get common name of the client certificate
QString commonName = QgsAuthCertUtils::resolvedCertName( clientCert, false );

// get CA
QByteArray caCert = QgsAuthManager::instance()->getTrustedCaCertsPemText();
QString pkiTempFileBase = "tmppki_%1.pem";

// save client cert to temp file
QFile certFile( QDir::tempPath() + QDir::separator() + pkiTempFilePrefix + QUuid::createUuid() + ".pem" );
if ( certFile.open( QIODevice::WriteOnly ) )
{
certFile.write( clientCert.toPem() );
}
else
QString certFilePath = QgsAuthCertUtils::pemTextToTempFile(
pkiTempFileBase.arg( QUuid::createUuid().toString() ),
pkibundle->clientCert().toPem() );
if ( certFilePath.isEmpty() )
{
QgsDebugMsg( QString( "Update URI items: FAILED to save client cert temporary file" ) );
return false;
}

certFile.setPermissions( QFile::ReadUser | QFile::WriteUser );

// save key cert to temp file setting it's permission only read to the current user
QFile keyFile( QDir::tempPath() + QDir::separator() + pkiTempFilePrefix + QUuid::createUuid() + ".pem" );
if ( keyFile.open( QIODevice::WriteOnly ) )
// save client cert key to temp file
QString keyFilePath = QgsAuthCertUtils::pemTextToTempFile(
pkiTempFileBase.arg( QUuid::createUuid().toString() ),
pkibundle->clientCertKey().toPem() );
if ( keyFilePath.isEmpty() )
{
keyFile.write( clientKey.toPem() );
return false;
}
else

// save CAs to temp file
QString caFilePath = QgsAuthCertUtils::pemTextToTempFile(
pkiTempFileBase.arg( QUuid::createUuid().toString() ),
QgsAuthManager::instance()->getTrustedCaCertsPemText() );
if ( caFilePath.isEmpty() )
{
QgsDebugMsg( QString( "Update URI items: FAILED to save client key temporary file" ) );
return false;
}

keyFile.setPermissions( QFile::ReadUser );
// get common name of the client certificate
QString commonName = QgsAuthCertUtils::resolvedCertName( pkibundle->clientCert(), false );

// save CA to tempo file
QFile caFile( QDir::tempPath() + QDir::separator() + pkiTempFilePrefix + QUuid::createUuid() + ".pem" );
if ( caFile.open( QIODevice::WriteOnly ) )
// add uri parameters
QString userparam = "user='" + commonName + "'";
int userindx = connectionItems.indexOf( QRegExp( "^user='.*" ) );
if ( userindx != -1 )
{
caFile.write( caCert );
connectionItems.replace( userindx, userparam );
}
else
{
QgsDebugMsg( QString( "Update URI items: FAILED to save CAs to temporary file" ) );
return false;
connectionItems.append( userparam );
}

caFile.setPermissions( QFile::ReadUser | QFile::WriteUser );

// add uri parameters
QString certparam = "sslcert='" + certFile.fileName() + "'";
QString certparam = "sslcert='" + certFilePath + "'";
int sslcertindx = connectionItems.indexOf( QRegExp( "^sslcert='.*" ) );
if ( sslcertindx != -1 )
{
@@ -191,7 +175,7 @@ bool QgsAuthPkcs12Method::updateDataSourceUriItems( QStringList &connectionItems
connectionItems.append( certparam );
}

QString keyparam = "sslkey='" + keyFile.fileName() + "'";
QString keyparam = "sslkey='" + keyFilePath + "'";
int sslkeyindx = connectionItems.indexOf( QRegExp( "^sslkey='.*" ) );
if ( sslkeyindx != -1 )
{
@@ -202,7 +186,7 @@ bool QgsAuthPkcs12Method::updateDataSourceUriItems( QStringList &connectionItems
connectionItems.append( keyparam );
}

QString caparam = "sslrootcert='" + caFile.fileName() + "'";
QString caparam = "sslrootcert='" + caFilePath + "'";
int sslcaindx = connectionItems.indexOf( QRegExp( "^sslrootcert='.*" ) );
if ( sslcaindx != -1 )
{
