[Qgis-developer] Port Password Helper plugin into core

Larry Shaffer larrys at dakotacarto.com
Tue Mar 14 14:46:00 PDT 2017


Hi Tom,

On Fri, Mar 10, 2017 at 2:11 AM, Tom Chadwin <tom.chadwin at nnpa.org.uk>
wrote:

> Sorry to threadjack, but a related question: Larry I think mentioned maybe
> removing the Python bindings for the auth system. Is that still the
> intention? Nyall has implemented FTP upload in qgis2web (other connection
> types such as SCP, SFTP can be developed using this framework). However,
> securely saving the password would be a real benefit. The auth system would
> be the most secure way to achieve this, obviously. If the Python bindings
> are to be removed, there's no point in using them to allow password saving.
>

Note: master password saving/restoring (as noted in this thread) is
different than the connection credentials stored/retrieved in the auth
system.

What Python bindings will be removed is still open for discussion. I will
soon be submitting a QEP for Qt5 updates/refactoring of the QGIS auth
system, as well as security hardening.

However, there always needs to exist within the auth system GUI bindings a
simple means for plugins to offer their users a way of selecting and
utilizing auth system configurations. This is already supported with the
QgsAuthConfigSelect widget [0]. In this way, a plugin author just needs to
include the auth system widgets in their plugin's layout (if defining
connections is key to the plugin's functionality). Then, all that the
plugin needs to store/retrieve is the 'authcfg' token that represents an
auth system configuration.

The problem comes in when a plugin *prefers* to utilize a different HTTP
(or other connection) library instead of interacting with
QgsNetworkAccessManager. In these cases, the plugin needs access to not
only the auth configuration, but also its actual saved credentials, to pass
to the Python library/package. This could be allowed, if the user
specifically authorizes a plugin to do so (API for this does not yet exist).

Another approach, instead of (or in addition to) creating an "authorized
plugins cache," is to harden the auth system to always disallow access to
credentials from plugins, then offer drop-in wrappers for common Python
connection libs, supporting QgsNetworkAccessManager and the QGIS auth
system. Indeed, Alessandro Pasotti has already done this for 'httplib2'
[0]; and, it could be done for 'requests'.

Note: this latter approach also allows the plugin to inherit the QGIS app's
proxy settings associated with QgsNetworkAccessManager, as well as any auth
system enhancements applied to the QgsNetworkAccessManager class (some are
planned).

In summary, right now, with QGIS >= 2.14, you can easily use
QgsAuthConfigSelect widget in your plugins, then pass the authcfg into the
httplib2 wrapper, getting support for QgsNetworkAccessManager and the QGIS
auth system without the need to expose credentials to Python. Then, the
core auth system classes manage the master password, auth configuration
setup and credential expansion. This type of plugin auth configuration
integration will likely never be removed from the bindings.

Thread definitely hijacked :^) Any further discussion should be in the
upcoming auth system QEP.

[0]
https://github.com/qgis/QGIS/blob/master/src/gui/auth/qgsauthconfigselect.h
[1]
https://github.com/boundlessgeo/qgis-geoserver-plugin/blob/master/geoserverexplorer/geoserver/networkaccessmanager.py

Larry Shaffer
Dakota Cartography
Black Hills, South Dakota
----------------------------------
Boundless Desktop and QGIS Support/Development
Boundless Spatial - http://boundlessgeo.com
lshaffer at boundlessgeo.com
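
Added example, not part of the message above and not QGIS code: a stdlib-only Python model of the two approaches the message describes, a user-authorized plugin cache versus a drop-in wrapper that is handed only the authcfg. `AuthStore`, `WrappedClient` and the `transport` callable are hypothetical names; no existing QGIS API is implied.

```python
# Added illustration: stdlib-only model of the design, NOT the QGIS auth API.
# AuthStore, WrappedClient and the transport callable are hypothetical names.
import base64
import secrets


class AuthStore:
    """Stand-in for a core auth system that owns every saved credential."""

    def __init__(self):
        self._configs = {}        # authcfg token -> (username, password)
        self._authorized = set()  # (plugin, authcfg) pairs the user approved

    def add_config(self, username, password):
        authcfg = secrets.token_hex(4)  # opaque id; all a plugin needs to store
        self._configs[authcfg] = (username, password)
        return authcfg

    def authorize_plugin(self, plugin, authcfg):
        """Record that the user let this plugin read this configuration."""
        self._authorized.add((plugin, authcfg))

    def credentials_for(self, plugin, authcfg):
        """Approach 1: raw credentials, only for user-authorized plugins."""
        if (plugin, authcfg) not in self._authorized:
            raise PermissionError(f"{plugin} is not authorized for {authcfg}")
        return self._configs[authcfg]

    def expand(self, authcfg, headers):
        """Core-side credential expansion into an outgoing request (HTTP Basic)."""
        user, password = self._configs[authcfg]
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        return {**headers, "Authorization": f"Basic {token}"}


class WrappedClient:
    """Approach 2: drop-in wrapper. The plugin supplies authcfg, never secrets."""

    def __init__(self, store, authcfg, transport):
        self._store, self._authcfg, self._transport = store, authcfg, transport

    def request(self, url, headers=None):
        # Credentials are attached here, on the core side of the boundary;
        # the caller only ever receives the transport's response.
        sent = self._store.expand(self._authcfg, dict(headers or {}))
        return self._transport(url, sent)
```

In Python the underscore-prefixed attributes are private by convention only, so this models where the boundary sits rather than enforcing it.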