
Commit 2a12f01

committed
[auth] Ensure ident cert cache is used
1 parent 2550218 commit 2a12f01


2 files changed

+64
-95
lines changed


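--- a/src/auth/pkipaths/qgsauthpkipathsmethod.cpp
+++ b/src/auth/pkipaths/qgsauthpkipathsmethod.cpp
@@ -112,75 +112,60 @@ bool QgsAuthPkiPathsMethod::updateDataSourceUriItems( QStringList &connectionIte
 
 QgsDebugMsg( QString( "Update URI items for authcfg: %1" ).arg( authcfg ) );
 
-QString pkiTempFilePrefix = "tmppki_";
-
-QgsAuthMethodConfig amConfig;
-if ( !QgsAuthManager::instance()->loadAuthenticationConfig( authcfg, amConfig, true ) )
-{
-QgsDebugMsg( QString( "Update URI items: FAILED to retrieve config for authcfg: %1" ).arg( authcfg ) );
-return false;
-}
-
-if ( !amConfig.isValid() )
+QgsPkiConfigBundle * pkibundle = getPkiConfigBundle( authcfg );
+if ( !pkibundle || !pkibundle->isValid() )
 {
-QgsDebugMsg( QString( "Update URI items: FAILED retrieved invalid Auth method for authcfg: %1" ).arg( authcfg ) );
+QgsDebugMsg( "Update URI items FAILED: PKI bundle invalid" );
 return false;
 }
+QgsDebugMsg( "Update URI items: PKI bundle valid" );
 
-// get client cent and key
-QSslCertificate clientCert = QgsAuthManager::instance()->getCertIdentityBundle( amConfig.config( "certid" ) ).first;
-QSslKey clientKey = QgsAuthManager::instance()->getCertIdentityBundle( amConfig.config( "certid" ) ).second;
-
-// get common name of the client certificate
-QString commonName = QgsAuthCertUtils::resolvedCertName( clientCert, false );
-
-// get CA
-QByteArray caCert = QgsAuthManager::instance()->getTrustedCaCertsPemText();
+QString pkiTempFileBase = "tmppki_%1.pem";
 
 // save client cert to temp file
-QFile certFile( QDir::tempPath() + QDir::separator() + pkiTempFilePrefix + QUuid::createUuid() + ".pem" );
-if ( certFile.open( QIODevice::WriteOnly ) )
+QString certFilePath = QgsAuthCertUtils::pemTextToTempFile(
+pkiTempFileBase.arg( QUuid::createUuid().toString() ),
+pkibundle->clientCert().toPem() );
+if ( certFilePath.isEmpty() )
 {
-certFile.write( clientCert.toPem() );
-}
-else
-{
-QgsDebugMsg( QString( "Update URI items: FAILED to save client cert temporary file" ) );
 return false;
 }
 
-certFile.setPermissions( QFile::ReadUser | QFile::WriteUser );
-
-// save key cert to temp file setting it's permission only read to the current user
-QFile keyFile( QDir::tempPath() + QDir::separator() + pkiTempFilePrefix + QUuid::createUuid() + ".pem" );
-if ( keyFile.open( QIODevice::WriteOnly ) )
+// save client cert key to temp file
+QString keyFilePath = QgsAuthCertUtils::pemTextToTempFile(
+pkiTempFileBase.arg( QUuid::createUuid().toString() ),
+pkibundle->clientCertKey().toPem() );
+if ( keyFilePath.isEmpty() )
 {
-keyFile.write( clientKey.toPem() );
+return false;
 }
-else
+
+// save CAs to temp file
+QString caFilePath = QgsAuthCertUtils::pemTextToTempFile(
+pkiTempFileBase.arg( QUuid::createUuid().toString() ),
+QgsAuthManager::instance()->getTrustedCaCertsPemText() );
+if ( caFilePath.isEmpty() )
 {
-QgsDebugMsg( QString( "Update URI items: FAILED to save client key temporary file" ) );
 return false;
 }
 
-keyFile.setPermissions( QFile::ReadUser );
+// get common name of the client certificate
+QString commonName = QgsAuthCertUtils::resolvedCertName( pkibundle->clientCert(), false );
 
-// save CA to tempo file
-QFile caFile( QDir::tempPath() + QDir::separator() + pkiTempFilePrefix + QUuid::createUuid() + ".pem" );
-if ( caFile.open( QIODevice::WriteOnly ) )
+// add uri parameters
+QString userparam = "user='" + commonName + "'";
+int userindx = connectionItems.indexOf( QRegExp( "^user='.*" ) );
+if ( userindx != -1 )
 {
-caFile.write( caCert );
+connectionItems.replace( userindx, userparam );
 }
 else
 {
-QgsDebugMsg( QString( "Update URI items: FAILED to save CAs to temporary file" ) );
-return false;
+connectionItems.append( userparam );
 }
 
-caFile.setPermissions( QFile::ReadUser | QFile::WriteUser );
-
 // add uri parameters
-QString certparam = "sslcert='" + certFile.fileName() + "'";
+QString certparam = "sslcert='" + certFilePath + "'";
 int sslcertindx = connectionItems.indexOf( QRegExp( "^sslcert='.*" ) );
 if ( sslcertindx != -1 )
 {
@@ -191,7 +176,7 @@ bool QgsAuthPkiPathsMethod::updateDataSourceUriItems( QStringList &connectionIte
 connectionItems.append( certparam );
 }
 
-QString keyparam = "sslkey='" + keyFile.fileName() + "'";
+QString keyparam = "sslkey='" + keyFilePath + "'";
 int sslkeyindx = connectionItems.indexOf( QRegExp( "^sslkey='.*" ) );
 if ( sslkeyindx != -1 )
 {
@@ -202,7 +187,7 @@ bool QgsAuthPkiPathsMethod::updateDataSourceUriItems( QStringList &connectionIte
 connectionItems.append( keyparam );
 }
 
-QString caparam = "sslrootcert='" + caFile.fileName() + "'";
+QString caparam = "sslrootcert='" + caFilePath + "'";
 int sslcaindx = connectionItems.indexOf( QRegExp( "^sslrootcert='.*" ) );
 if ( sslcaindx != -1 )
 {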
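Review bot: The owner-only permissions the old code set on the temporary key file (`keyFile.setPermissions( QFile::ReadUser )`) are gone from this function, and nothing in the new hunk restricts the file written from `pkibundle->clientCertKey().toPem()` — the same goes for the cert and CA files, which were previously `ReadUser | WriteUser`. Unless `QgsAuthCertUtils::pemTextToTempFile` applies restrictive permissions itself (not visible here), the private key now lands in the shared temp directory with whatever the process umask allows, so either confirm that in the helper or call `QFile::setPermissions( keyFilePath, QFile::ReadUser )` after each successful write. Each `isEmpty()` failure branch also now returns false without the `QgsDebugMsg` the old branches emitted, so a failed write can no longer be told apart from an invalid bundle in the log; a one-liner per branch such as `QgsDebugMsg( "Update URI items FAILED: could not write client key temp file" );` would restore that. The hunk in src/auth/pkipkcs12/qgsauthpkcs12method.cpp has the identical issues. updateDataSourceUriItems continues past the end of this hunk.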

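--- a/src/auth/pkipkcs12/qgsauthpkcs12method.cpp
+++ b/src/auth/pkipkcs12/qgsauthpkcs12method.cpp
@@ -112,75 +112,59 @@ bool QgsAuthPkcs12Method::updateDataSourceUriItems( QStringList &connectionItems
 
 QgsDebugMsg( QString( "Update URI items for authcfg: %1" ).arg( authcfg ) );
 
-QString pkiTempFilePrefix = "tmppki_";
-
-QgsAuthMethodConfig amConfig;
-if ( !QgsAuthManager::instance()->loadAuthenticationConfig( authcfg, amConfig, true ) )
-{
-QgsDebugMsg( QString( "Update URI items: FAILED to retrieve config for authcfg: %1" ).arg( authcfg ) );
-return false;
-}
-
-if ( !amConfig.isValid() )
+QgsPkiConfigBundle * pkibundle = getPkiConfigBundle( authcfg );
+if ( !pkibundle || !pkibundle->isValid() )
 {
-QgsDebugMsg( QString( "Update URI items: FAILED retrieved invalid Auth method for authcfg: %1" ).arg( authcfg ) );
+QgsDebugMsg( "Update URI items FAILED: PKI bundle invalid" );
 return false;
 }
+QgsDebugMsg( "Update URI items: PKI bundle valid" );
 
-// get client cent and key
-QSslCertificate clientCert = QgsAuthManager::instance()->getCertIdentityBundle( amConfig.config( "certid" ) ).first;
-QSslKey clientKey = QgsAuthManager::instance()->getCertIdentityBundle( amConfig.config( "certid" ) ).second;
-
-// get common name of the client certificate
-QString commonName = QgsAuthCertUtils::resolvedCertName( clientCert, false );
-
-// get CA
-QByteArray caCert = QgsAuthManager::instance()->getTrustedCaCertsPemText();
+QString pkiTempFileBase = "tmppki_%1.pem";
 
 // save client cert to temp file
-QFile certFile( QDir::tempPath() + QDir::separator() + pkiTempFilePrefix + QUuid::createUuid() + ".pem" );
-if ( certFile.open( QIODevice::WriteOnly ) )
-{
-certFile.write( clientCert.toPem() );
-}
-else
+QString certFilePath = QgsAuthCertUtils::pemTextToTempFile(
+pkiTempFileBase.arg( QUuid::createUuid().toString() ),
+pkibundle->clientCert().toPem() );
+if ( certFilePath.isEmpty() )
 {
-QgsDebugMsg( QString( "Update URI items: FAILED to save client cert temporary file" ) );
 return false;
 }
 
-certFile.setPermissions( QFile::ReadUser | QFile::WriteUser );
-
-// save key cert to temp file setting it's permission only read to the current user
-QFile keyFile( QDir::tempPath() + QDir::separator() + pkiTempFilePrefix + QUuid::createUuid() + ".pem" );
-if ( keyFile.open( QIODevice::WriteOnly ) )
+// save client cert key to temp file
+QString keyFilePath = QgsAuthCertUtils::pemTextToTempFile(
+pkiTempFileBase.arg( QUuid::createUuid().toString() ),
+pkibundle->clientCertKey().toPem() );
+if ( keyFilePath.isEmpty() )
 {
-keyFile.write( clientKey.toPem() );
+return false;
 }
-else
+
+// save CAs to temp file
+QString caFilePath = QgsAuthCertUtils::pemTextToTempFile(
+pkiTempFileBase.arg( QUuid::createUuid().toString() ),
+QgsAuthManager::instance()->getTrustedCaCertsPemText() );
+if ( caFilePath.isEmpty() )
 {
-QgsDebugMsg( QString( "Update URI items: FAILED to save client key temporary file" ) );
 return false;
 }
 
-keyFile.setPermissions( QFile::ReadUser );
+// get common name of the client certificate
+QString commonName = QgsAuthCertUtils::resolvedCertName( pkibundle->clientCert(), false );
 
-// save CA to tempo file
-QFile caFile( QDir::tempPath() + QDir::separator() + pkiTempFilePrefix + QUuid::createUuid() + ".pem" );
-if ( caFile.open( QIODevice::WriteOnly ) )
+// add uri parameters
+QString userparam = "user='" + commonName + "'";
+int userindx = connectionItems.indexOf( QRegExp( "^user='.*" ) );
+if ( userindx != -1 )
 {
-caFile.write( caCert );
+connectionItems.replace( userindx, userparam );
 }
 else
 {
-QgsDebugMsg( QString( "Update URI items: FAILED to save CAs to temporary file" ) );
-return false;
+connectionItems.append( userparam );
 }
 
-caFile.setPermissions( QFile::ReadUser | QFile::WriteUser );
-
-// add uri parameters
-QString certparam = "sslcert='" + certFile.fileName() + "'";
+QString certparam = "sslcert='" + certFilePath + "'";
 int sslcertindx = connectionItems.indexOf( QRegExp( "^sslcert='.*" ) );
 if ( sslcertindx != -1 )
 {
@@ -191,7 +175,7 @@ bool QgsAuthPkcs12Method::updateDataSourceUriItems( QStringList &connectionItems
 connectionItems.append( certparam );
 }
 
-QString keyparam = "sslkey='" + keyFile.fileName() + "'";
+QString keyparam = "sslkey='" + keyFilePath + "'";
 int sslkeyindx = connectionItems.indexOf( QRegExp( "^sslkey='.*" ) );
 if ( sslkeyindx != -1 )
 {
@@ -202,7 +186,7 @@ bool QgsAuthPkcs12Method::updateDataSourceUriItems( QStringList &connectionItems
 connectionItems.append( keyparam );
 }
 
-QString caparam = "sslrootcert='" + caFile.fileName() + "'";
+QString caparam = "sslrootcert='" + caFilePath + "'";
 int sslcaindx = connectionItems.indexOf( QRegExp( "^sslrootcert='.*" ) );
 if ( sslcaindx != -1 )
 {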
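Review bot: `QString userparam = "user='" + commonName + "'";` splices the certificate's resolved common name into a single-quoted URI item without any escaping, so a CN containing `'` (or other separator characters, depending on how the consumer of `connectionItems` tokenizes them) yields a malformed or mis-parsed item. The path-based items (`sslcert='...'`) use the same construction, but those paths are generated locally, whereas the CN is the one value here taken from certificate content. I would reject or escape a CN containing a quote before building the item, e.g. `if ( commonName.contains( '\'' ) ) return false;`, or route it through whatever quoting the URI consumer expects. The same lines appear in the src/auth/pkipaths/qgsauthpkipathsmethod.cpp hunk. updateDataSourceUriItems continues past the end of this hunk.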
