Authenticate a message transport. More...

#include <qtransportauth_qws.h>

Inheritance diagram for QTransportAuth:

Classes
struct	Data

Public Types
enum	Properties { Trusted = 0x01, Connection = 0x02, UnixStreamSock = 0x04, SharedMemory = 0x08, MessageQueue = 0x10, UDP = 0x20, TCP = 0x40, UserDefined = 0x80, TransportType = 0xfc }

enum	Result { Pending = 0x00, TooSmall = 0x01, CacheMiss = 0x02, NoMagic = 0x03, NoSuchKey = 0x04, FailMatch = 0x05, OutOfDate = 0x06, Success = 0x1e, ErrMask = 0x1f, Allow = 0x20, Deny = 0x40, Ask = 0x60, StatusMask = 0xe0 }

Signals
void	authViolation (QTransportAuth::Data &)

void	policyCheck (QTransportAuth::Data &, const QString &)

Signals inherited from QObject
void	destroyed (QObject *=0)
	This signal is emitted immediately before the object obj is destroyed, and can not be blocked. More...

Public Functions
QAuthDevice *	authBuf (QTransportAuth::Data , QIODevice )
	Return a QIODevice pointer (to an internal QBuffer) which can be used to write data onto, for authorization on transport d. More...

bool	authFromMessage (QTransportAuth::Data &d, const char *msg, int msgLen)
	Check authorization on the msg, which must be of size msgLen, for the transport d. More...

bool	authorizeRequest (QTransportAuth::Data &d, const QString &request)

bool	authToMessage (QTransportAuth::Data &d, char hdr, const char msg, int msgLen)
	Add authentication header to the beginning of a message. More...

QTransportAuth::Data *	connectTransport (unsigned char, int)
	Record a new transport connection with properties and descriptor. More...

const unsigned char *	getClientKey (unsigned char progId)

QMutex *	getKeyFileMutex ()

void	invalidateClientKeyCache ()

bool	isDiscoveryMode () const

QString	keyFilePath () const

QString	logFilePath () const

QIODevice *	passThroughByClient (QWSClient *) const

QAuthDevice *	recvBuf (QTransportAuth::Data , QIODevice )
	Return a QIODevice pointer (to an internal QBuffer) which can be used to receive data after authorization on transport d. More...

void	registerPolicyReceiver (QObject *)
	Register pr as a policy handler object. More...

void	setKeyFilePath (const QString &)
	Set the full path to the key file. More...

void	setLogFilePath (const QString &)

void	setPackageRegistry (QObject *registry)

void	setProcessKey (const char *)
	Set the process key for this currently running Qt Extended process to the authdata. More...

void	setProcessKey (const char , const char )
	Apply key as the process key for the currently running application. More...

void	unregisterPolicyReceiver (QObject *)
	Unregister the pr from being a policy handler. More...

Public Functions inherited from QObject
bool	blockSignals (bool b)
	If block is true, signals emitted by this object are blocked (i.e., emitting a signal will not invoke anything connected to it). More...

const QObjectList &	children () const
	Returns a list of child objects. More...

bool	connect (const QObject sender, const char signal, const char *member, Qt::ConnectionType type=Qt::AutoConnection) const

bool	disconnect (const char signal=0, const QObject receiver=0, const char *member=0)

bool	disconnect (const QObject receiver, const char member=0)

void	dumpObjectInfo ()
	Dumps information about signal connections, etc. More...

void	dumpObjectTree ()
	Dumps a tree of children to the debug output. More...

QList< QByteArray >	dynamicPropertyNames () const
	Returns the names of all properties that were dynamically added to the object using setProperty(). More...

virtual bool	event (QEvent *)
	This virtual function receives events to an object and should return true if the event e was recognized and processed. More...

virtual bool	eventFilter (QObject , QEvent )
	Filters events if this object has been installed as an event filter for the watched object. More...

template<typename T >
T	findChild (const QString &aName=QString()) const
	Returns the child of this object that can be cast into type T and that is called name, or 0 if there is no such object. More...

template<typename T >
QList< T >	findChildren (const QString &aName=QString()) const
	Returns all children of this object with the given name that can be cast to type T, or an empty list if there are no such objects. More...

template<typename T >
QList< T >	findChildren (const QRegExp &re) const

bool	inherits (const char *classname) const
	Returns true if this object is an instance of a class that inherits className or a QObject subclass that inherits className; otherwise returns false. More...

void	installEventFilter (QObject *)
	Installs an event filter filterObj on this object. More...

bool	isWidgetType () const
	Returns true if the object is a widget; otherwise returns false. More...

void	killTimer (int id)
	Kills the timer with timer identifier, id. More...

virtual const QMetaObject *	metaObject () const
	Returns a pointer to the meta-object of this object. More...

void	moveToThread (QThread *thread)
	Changes the thread affinity for this object and its children. More...

QString	objectName () const

QObject *	parent () const
	Returns a pointer to the parent object. More...

QVariant	property (const char *name) const
	Returns the value of the object's name property. More...

Q_INVOKABLE	QObject (QObject *parent=0)
	Constructs an object with parent object parent. More...

void	removeEventFilter (QObject *)
	Removes an event filter object obj from this object. More...

void	setObjectName (const QString &name)

void	setParent (QObject *)
	Makes the object a child of parent. More...

bool	setProperty (const char *name, const QVariant &value)
	Sets the value of the object's name property to value. More...

void	setUserData (uint id, QObjectUserData *data)

bool	signalsBlocked () const
	Returns true if signals are blocked; otherwise returns false. More...

int	startTimer (int interval)
	Starts a timer and returns a timer identifier, or returns zero if it could not start a timer. More...

QThread *	thread () const
	Returns the thread in which the object lives. More...

QObjectUserData *	userData (uint id) const

virtual	~QObject ()
	Destroys the object, deleting all its child objects. More...

Static Public Functions
static const char *	errorString (const QTransportAuth::Data &)

static QTransportAuth *	getInstance ()
	Return a pointer to the instance of this process's QTransportAuth object. More...

Static Public Functions inherited from QObject
static bool	connect (const QObject sender, const char signal, const QObject receiver, const char member, Qt::ConnectionType=Qt::AutoConnection)
	Creates a connection of the given type from the signal in the sender object to the method in the receiver object. More...

static bool	connect (const QObject sender, const QMetaMethod &signal, const QObject receiver, const QMetaMethod &method, Qt::ConnectionType type=Qt::AutoConnection)

static bool	disconnect (const QObject sender, const char signal, const QObject receiver, const char member)
	Disconnects signal in object sender from method in object receiver. More...

static bool	disconnect (const QObject sender, const QMetaMethod &signal, const QObject receiver, const QMetaMethod &member)

static uint	registerUserData ()

static QString	tr (const char sourceText, const char comment=0, int n=-1)

static QString	trUtf8 (const char sourceText, const char comment=0, int n=-1)

Private Slots
void	bufferDestroyed (QObject *)

Private Functions
	QTransportAuth ()

	~QTransportAuth ()

Friends
class	QAuthDevice

Additional Inherited Members
Public Slots inherited from QObject
void	deleteLater ()
	Schedules this object for deletion. More...

Static Public Variables inherited from QObject
static const QMetaObject	staticMetaObject
	This variable stores the meta-object for the class. More...

Protected Functions inherited from QObject
virtual void	childEvent (QChildEvent *)
	This event handler can be reimplemented in a subclass to receive child events. More...

virtual void	connectNotify (const char *signal)
	This virtual function is called when something has been connected to signal in this object. More...

virtual void	customEvent (QEvent *)
	This event handler can be reimplemented in a subclass to receive custom events. More...

virtual void	disconnectNotify (const char *signal)
	This virtual function is called when something has been disconnected from signal in this object. More...

	QObject (QObjectPrivate &dd, QObject *parent=0)

int	receivers (const char *signal) const
	Returns the number of receivers connected to the signal. More...

QObject *	sender () const
	Returns a pointer to the object that sent the signal, if called in a slot activated by a signal; otherwise it returns 0. More...

int	senderSignalIndex () const

virtual void	timerEvent (QTimerEvent *)
	This event handler can be reimplemented in a subclass to receive timer events for the object. More...

Protected Variables inherited from QObject
QScopedPointer< QObjectData >	d_ptr

Static Protected Variables inherited from QObject
static const QMetaObject	staticQtMetaObject

Related Functions inherited from QObject
T	qFindChildqFindChildren (const QObject *obj, const QString &name)()

QList< T >	qFindChildrenqFindChildren (const QObject *obj, const QString &name)()

QList< T >	qFindChildrenqFindChildren (const QObject *obj, const QRegExp &regExp)()

T *	qobject_cast (QObject *object)

	QObjectList

void *	qt_find_obj_child (QObject parent, const char type, const QString &name)
	Returns a pointer to the object named name that inherits type and with a given parent. More...

Detailed Description

Authenticate a message transport.

Warning: This function is not part of the public interface.

For performance reasons, message authentication is tied to an individual message transport instance. For example in connection oriented transports the authentication cookie can be cached against the connection avoiding the overhead of authentication on every message.

For each process there is one instance of the QTransportAuth object. For server processes it can determine the SXE Program Identity and provide access to policy data to determine if the message should be forwarded for action. If not actioned, the message may be treated as being from a flawed or malicious process.

Retrieve the instance with the getInstance() method. The constructor is disabled and instances of QTransportAuth should never be constructed by calling classes.

To make the Authentication easier to use a proxied QIODevice is provided which uses an internal QBuffer.

In the server code first get a pointer to a QTransportAuth::Data object using the connectTransport() method:

QTransportAuth::Data *conData;
QTransportAuth *a = QTransportAuth::getInstance();
conData = a->connectTransport(
    QTransportAuth::Trusted | QTransportAuth::UnixStreamSock,
    socketDescriptor );

Here it is asserted that the transport is trusted. See the assumptions listed in the SXE documentation

Then proxy in the authentication device:

// mySocket can be any QIODevice subclass
AuthDevice *ad = a->recvBuf( d, mySocket );
// proxy in the auth device where the socket would have gone
connect( ad, SIGNAL(readyRead()), this, SLOT(mySocketReadyRead()));

In the client code it is similar. Use the connectTransport() method just the same then proxy in the authentication device instead of the socket in write calls:

AuthDevice *ad = a->authBuf( d, mySocket );
ad->write( someData );

Definition at line 69 of file qtransportauth_qws.h.

Enumerations

◆ Properties

enum QTransportAuth::Properties

Enumerator
Trusted
Connection
UnixStreamSock
SharedMemory
MessageQueue
UDP
TCP
UserDefined
TransportType

Definition at line 96 of file qtransportauth_qws.h.

                     {
         Trusted = 0x01,
         Connection = 0x02,
         UnixStreamSock = 0x04,
         SharedMemory = 0x08,
         MessageQueue = 0x10,
         UDP = 0x20,
         TCP = 0x40,
         UserDefined = 0x80,
         TransportType = 0xfc
     };

◆ Result

enum QTransportAuth::Result

Enumerator
Pending
TooSmall
CacheMiss
NoMagic
NoSuchKey
FailMatch
OutOfDate
Success
ErrMask
Allow
Deny
Ask
StatusMask

Definition at line 75 of file qtransportauth_qws.h.

                 {
         // Error codes
         Pending = 0x00,
         TooSmall = 0x01,
         CacheMiss = 0x02,
         NoMagic = 0x03,
         NoSuchKey = 0x04,
         FailMatch = 0x05,
         OutOfDate = 0x06,
         // reserved for expansion
         Success = 0x1e,
         ErrMask = 0x1f,
 
         // Verification codes
         Allow = 0x20,
         Deny = 0x40,
         Ask = 0x60,
         // reserved
         StatusMask = 0xe0
     };

Constructors and Destructors

◆ QTransportAuth()

QTransportAuth::QTransportAuth ( )

private

Warning: This function is not part of the public interface. Construct a new QTransportAuth

Definition at line 198 of file qtransportauth_qws.cpp.

                                : QObject(*new QTransportAuthPrivate)
 {
     // qDebug( "creating transport auth" );
 }

◆ ~QTransportAuth()

QTransportAuth::~QTransportAuth ( )

private

Warning: This function is not part of the public interface. Destructor

Definition at line 207 of file qtransportauth_qws.cpp.

 {
     // qDebug( "deleting transport auth" );
 }

Functions

◆ authBuf()

QAuthDevice * QTransportAuth::authBuf	(	QTransportAuth::Data *	data,
		QIODevice *	iod
	)

Return a QIODevice pointer (to an internal QBuffer) which can be used to write data onto, for authorization on transport d.

The return QIODevice will act as a pass-through.

The data written to the return QIODevice will be forwarded on to the returned QIODevice. In the case of a QTcpSocket, this will cause it to send out the data with the authentication information on it.

This will be called in the client process to generate outgoing authenticated requests.

The returned QIODevice will take ownership of data which will be deleted when the QIODevice is delected.

See also: setTargetDevice()

Definition at line 493 of file qtransportauth_qws.cpp.

Referenced by QWSDisplay::Data::init(), and QWSDisplay::Data::reinit().

 {
     return new QAuthDevice( iod, data, QAuthDevice::Send );
 }

◆ authFromMessage()

bool QTransportAuth::authFromMessage	(	QTransportAuth::Data &	d,
		const char *	msg,
		int	msgLen
	)

Check authorization on the msg, which must be of size msgLen, for the transport d.

If able to determine authorization, return the program identity of the message source in the reference progId, and return true.

Otherwise return false.

If data is being received on a socket, it may be that more data is yet needed before authentication can proceed.

Also the message may not be an authenticated at all.

In these cases the method returns false to indicate authorization could not be determined:

The message is too small to carry the authentication data (status TooSmall is set on the d transport )
The 4 magic bytes are missing from the message start (status NoMagic is set on the d transport )
The message is too small to carry the auth + claimed payload (status TooSmall is set on the d transport )

If however the authentication header (preceded by the magic bytes) and any authenticated payload is received the method will determine the authentication status, and return true.

In the following cases as well as returning true it will also emit an authViolation():

If the program id claimed by the message is not found in the key file (status NoSuchKey is set on the d transport )
The authentication token failed against the claimed program id:
- in the case of trusted transports, the secret did not match
- in the case of untrusted transports the HMAC code did not match
(status FailMatch is set on the d transport )

In these cases the authViolation( QTransportAuth::Data d ) signal is emitted and the error string can be obtained from the status like this:

QTransportAuth::Result r = d.status & QTransportAuth::ErrMask;

qWarning( "error: %s", QTransportAuth::errorStrings[r] );

Definition at line 1294 of file qtransportauth_qws.cpp.

 {
     if ( msgLen < QSXE_MAGIC_BYTES )
     {
         d.status = ( d.status & QTransportAuth::StatusMask ) | QTransportAuth::TooSmall;
         return false;
     }
     // if no magic bytes, exit straight away
     int m;
     const unsigned char *mptr = reinterpret_cast<const unsigned char *>(msg);
     for ( m = 0; m < QSXE_MAGIC_BYTES; ++m )
     {
         if ( *mptr++ != magic[m] )
         {
             d.status = ( d.status & QTransportAuth::StatusMask ) | QTransportAuth::NoMagic;
             return false;
         }
     }
 
     if ( msgLen < AUTH_SPACE(1) )
     {
         d.status = ( d.status & QTransportAuth::StatusMask ) | QTransportAuth::TooSmall;
         return false;
     }
 
     // At this point we know the header is at least long enough to contain valid auth
     // data, however the data may be spoofed.  If it is not verified then the status will
     // be set to uncertified so the spoofed data will not be relied on.  However we want to
     // know the program id which is being reported (even if it might be spoofed) for
     // policy debugging purposes.  So set it here, rather than after verification.
     d.progId = msg[QSXE_PROG_IDX];
 
 #ifdef QTRANSPORTAUTH_DEBUG
     char authhdr[QSXE_HEADER_LEN*2+1];
     hexstring( authhdr, reinterpret_cast<const unsigned char *>(msg), QSXE_HEADER_LEN );
     qDebug( "%d SERVER authFromMessage(): message header is %s",
             getpid(), authhdr );
 #endif
 
     unsigned char authLen = (unsigned char)(msg[ QSXE_LEN_IDX ]);
 
     if ( msgLen < AUTH_SPACE(authLen) )
     {
         d.status = ( d.status & QTransportAuth::StatusMask ) | QTransportAuth::TooSmall;
         return false;
     }
 
     bool isCached = d_func()->keyCache.contains( d.progId );
     const unsigned char *clientKey = d_func()->getClientKey( d.progId );
     if ( clientKey == NULL )
     {
         d.status = ( d.status & QTransportAuth::StatusMask ) | QTransportAuth::NoSuchKey;
         return false;
     }
 
 #ifdef QTRANSPORTAUTH_DEBUG
     char keydisplay[QSXE_KEY_LEN*2+1];
     hexstring( keydisplay, clientKey, QSXE_KEY_LEN );
     qDebug( "\t\tauthFromMessage(): message %s against prog id %u and key %s\n",
             AUTH_DATA(msg), ((unsigned int)d.progId), keydisplay );
 #endif
 
     const unsigned char *auth_tok;
     unsigned char digest[QSXE_KEY_LEN];
     bool multi_tok = false;
 
     bool need_to_recheck=false;
     do
     {
         if ( !d.trusted())
         {
             hmac_md5( AUTH_DATA(msg), authLen, clientKey, QSXE_KEY_LEN, digest );
             auth_tok = digest;
         }
         else
         {
             auth_tok = clientKey;
             multi_tok = true;  // 1 or more keys are in the clientKey
         }
         while( true )
         {
             if ( memcmp( auth_tok, magic, QSXE_MAGIC_BYTES ) == 0
                     && memcmp( auth_tok + QSXE_MAGIC_BYTES, magic, QSXE_MAGIC_BYTES ) == 0 )
                 break;
             if ( memcmp( msg + QSXE_KEY_IDX, auth_tok, QSXE_KEY_LEN ) == 0 )
             {
                 d.status = ( d.status & QTransportAuth::StatusMask ) | QTransportAuth::Success;
                 return true;
             }
             if ( !multi_tok )
                 break;
             auth_tok += QSXE_KEY_LEN;
         }
         //the keys cached on d.progId may not contain the binary key because the cache entry was made
         //before the binary had first started, must search for client key again.
         if ( isCached )
         {
             d_func()->keyCache.remove(d.progId);
             isCached = false;
 
 #ifdef QTRANSPORTAUTH_DEBUG
             qDebug() << "QTransportAuth::authFromMessage(): key not found in set of keys cached"
                      << "against prog Id =" << d.progId << ". Re-obtaining client key. ";
 #endif
             clientKey = d_func()->getClientKey( d.progId );
             if ( clientKey == NULL )
             {
                 d.status = ( d.status & QTransportAuth::StatusMask ) | QTransportAuth::NoSuchKey;
                 return false;
             }
             need_to_recheck = true;
         }
         else
         {
             need_to_recheck = false;
         }
     } while( need_to_recheck );
 
     d.status = ( d.status & QTransportAuth::StatusMask ) | QTransportAuth::FailMatch;
     qWarning() << "QTransportAuth::authFromMessage():failed authentication";
     FAREnforcer::getInstance()->logAuthAttempt( QDateTime::currentDateTime() );
     emit authViolation( d );
     return false;
 }

◆ authorizeRequest()

bool QTransportAuth::authorizeRequest	(	QTransportAuth::Data &	d,
		const QString &	request
	)

Definition at line 534 of file qtransportauth_qws.cpp.

Referenced by QAuthDevice::authorizeMessage(), and QAuthDevice::recvReadyRead().

 {
     bool isAuthorized = true;
 
     if ( !request.isEmpty() && request != QLatin1String("Unknown") )
     {
         d.status &= QTransportAuth::ErrMask;  // clear the status
         emit policyCheck( d, request );
         isAuthorized = (( d.status & QTransportAuth::StatusMask ) == QTransportAuth::Allow );
     }
 #if defined(SXE_DISCOVERY)
     if (isDiscoveryMode()) {
 #ifndef QT_NO_TEXTSTREAM
         if (!logFilePath().isEmpty()) {
             QFile log( logFilePath() );
             if (!log.open(QIODevice::WriteOnly | QIODevice::Append)) {
                 qWarning("Could not write to log in discovery mode: %s",
                          qPrintable(logFilePath()));
             } else {
                 QTextStream ts( &log );
                 ts << d.progId << '\t' << ( isAuthorized ? "Allow" : "Deny" ) << '\t' << request << endl;
             }
         }
 #endif
         isAuthorized = true;
     }
 #endif
     if ( !isAuthorized )
     {
         qWarning( "%s - denied: for Program Id %u [PID %d]"
                 , qPrintable(request), d.progId, d.processId );
 
         char linkTarget[BUF_SIZE]="";
         char exeLink[BUF_SIZE]="";
         char cmdlinePath[BUF_SIZE]="";
         char cmdline[BUF_SIZE]="";
 
         //get executable from /proc/pid/exe
         snprintf( exeLink, BUF_SIZE, "/proc/%d/exe", d.processId );
         if ( -1 == ::readlink( exeLink, linkTarget, BUF_SIZE - 1 ) )
         {
             qWarning( "SXE:- Error encountered in retrieving executable link target from /proc/%u/exe : %s",
                 d.processId, strerror(errno) );
             snprintf( linkTarget, BUF_SIZE, "%s", linkTarget );
         }
 
         //get cmdline from proc/pid/cmdline
         snprintf( cmdlinePath, BUF_SIZE, "/proc/%d/cmdline", d.processId );
         int  cmdlineFd = QT_OPEN( cmdlinePath, O_RDONLY );
         if ( cmdlineFd == -1 )
         {
             qWarning( "SXE:- Error encountered in opening /proc/%u/cmdline: %s",
                 d.processId, strerror(errno) );
             snprintf( cmdline, BUF_SIZE, "%s", "Unknown" );
         }
         else
         {
             if ( -1 == QT_READ(cmdlineFd, cmdline, BUF_SIZE - 1 ) )
             {
                 qWarning( "SXE:- Error encountered in reading /proc/%u/cmdline : %s",
                     d.processId, strerror(errno) );
                 snprintf( cmdline, BUF_SIZE, "%s", "Unknown" );
             }
             QT_CLOSE( cmdlineFd );
         }
 
         syslog( LOG_ERR | LOG_LOCAL6, "%s // PID:%u // ProgId:%u // Exe:%s // Request:%s // Cmdline:%s",
                 "<SXE Breach>", d.processId, d.progId, linkTarget, qPrintable(request), cmdline);
     }
 
     return isAuthorized;
 }

◆ authToMessage()

bool QTransportAuth::authToMessage	(	QTransportAuth::Data &	d,
		char *	hdr,
		const char *	msg,
		int	msgLen
	)

Add authentication header to the beginning of a message.

Note that the per-process auth cookie is used.

Warning: This function is not part of the public interface. This key should be rewritten in the binary image of the executable at install time to make it unique.

For this to be secure some mechanism (eg MAC kernel or other permissions) must prevent other processes from reading the key.

The buffer must have AUTH_SPACE(0) bytes spare at the beginning for the authentication header to be added.

Returns true if header successfully added. Will fail if the per-process key has not yet been set with setProcessKey()

Definition at line 1199 of file qtransportauth_qws.cpp.

 {
     // qDebug( "authToMessage(): prog id %u", d.progId );
     // only authorize connection oriented transports once, unless key has changed
     if ( d.connection() && ((d.status & QTransportAuth::ErrMask) != QTransportAuth::Pending) &&
         d_func()->authKey.progId == d.progId )
         return false;
     d.progId = d_func()->authKey.progId;
     // If Unix socket credentials are being used the key wont be set
     if ( !d_func()->keyInitialised )
         return false;
     unsigned char digest[QSXE_KEY_LEN];
     char *msgPtr = hdr;
     // magic always goes on the beginning
     for ( int m = 0; m < QSXE_MAGIC_BYTES; ++m )
         *msgPtr++ = magic[m];
     hdr[ QSXE_LEN_IDX ] = (unsigned char)msgLen;
     if ( !d.trusted())
     {
         // Use HMAC
         int rc = hmac_md5( (unsigned char *)msg, msgLen, d_func()->authKey.key, QSXE_KEY_LEN, digest );
         if ( rc == -1 )
             return false;
         memcpy( hdr + QSXE_KEY_IDX, digest, QSXE_KEY_LEN );
     }
     else
     {
         memcpy( hdr + QSXE_KEY_IDX, d_func()->authKey.key, QSXE_KEY_LEN );
     }
 
     hdr[ QSXE_PROG_IDX ] = d_func()->authKey.progId;
 
 #ifdef QTRANSPORTAUTH_DEBUG
     char keydisplay[QSXE_KEY_LEN*2+1];
     hexstring( keydisplay, d_func()->authKey.key, QSXE_KEY_LEN );
 
     qDebug( "%d CLIENT Auth to message %s against prog id %u and key %s\n",
             getpid(), msg, d_func()->authKey.progId, keydisplay );
 #endif
 
     // TODO implement sequence to prevent replay attack, not required
     // for trusted transports
     hdr[ QSXE_SEQ_IDX ] = 1;  // dummy sequence
 
     d.status = ( d.status & QTransportAuth::StatusMask ) | QTransportAuth::Success;
     return true;
 }

◆ authViolation

void QTransportAuth::authViolation ( QTransportAuth::Data & )

signal

◆ bufferDestroyed

void QTransportAuth::bufferDestroyed ( QObject * cli )

privateslot

Definition at line 521 of file qtransportauth_qws.cpp.

 {
     Q_D(QTransportAuth);
     if ( cli == NULL ) return;
 
     if ( d->buffersByClient.contains( cli ))
     {
         d->buffersByClient.remove( cli );
         // qDebug( "@@@@@@@ client %p removed @@@@@@@@@", cli );
     }
     // qDebug( "           client count %d", d->buffersByClient.count() );
 }

◆ connectTransport()

QTransportAuth::Data * QTransportAuth::connectTransport	(	unsigned char	properties,
		int	descriptor
	)

Record a new transport connection with properties and descriptor.

The calling code is responsible for destroying the returned data when the tranport connection is closed.

Definition at line 288 of file qtransportauth_qws.cpp.

Referenced by QWSServerPrivate::_q_newConnection(), QWSDisplay::Data::init(), and QWSDisplay::Data::reinit().

 {
     Data *data = new Data(properties, descriptor);
     data->status = Pending;
     return data;
 }

◆ errorString()

const char * QTransportAuth::errorString ( const QTransportAuth::Data & d )

static

Definition at line 157 of file qtransportauth_qws.cpp.

 {
     if (( d.status & ErrMask ) == Success )
         return "success";
     int e = d.status & ErrMask;
     if ( e > OutOfDate )
         return "unknown";
     return errorStrings[e];
 }

◆ getClientKey()

const unsigned char * QTransportAuth::getClientKey ( unsigned char progId )

Definition at line 498 of file qtransportauth_qws.cpp.

 {
     Q_D(QTransportAuth);
     return d->getClientKey( progId );
 }

◆ getInstance()

QTransportAuth * QTransportAuth::getInstance ( )

static

Return a pointer to the instance of this process's QTransportAuth object.

Definition at line 359 of file qtransportauth_qws.cpp.

Referenced by QWSServerPrivate::_q_newConnection(), QAuthDevice::authorizeMessage(), QWSDisplay::Data::init(), FAREnforcer::logAuthAttempt(), qws_write_command(), QWSClient::readMoreCommand(), QAuthDevice::recvReadyRead(), QWSDisplay::Data::reinit(), QAuthDevice::setClient(), and QAuthDevice::writeData().

 {
     static QTransportAuth theInstance;
 
     return &theInstance;
 }

◆ getKeyFileMutex()

QMutex * QTransportAuth::getKeyFileMutex ( )

Definition at line 510 of file qtransportauth_qws.cpp.

 {
     Q_D(QTransportAuth);
     return &d->keyfileMutex;
 }

◆ invalidateClientKeyCache()

void QTransportAuth::invalidateClientKeyCache ( )

Definition at line 504 of file qtransportauth_qws.cpp.

 {
     Q_D(QTransportAuth);
     d->invalidateClientKeyCache();
 }

◆ isDiscoveryMode()

bool QTransportAuth::isDiscoveryMode ( ) const

Definition at line 405 of file qtransportauth_qws.cpp.

Referenced by authorizeRequest(), and FAREnforcer::logAuthAttempt().

 {
 #if defined(SXE_DISCOVERY)
     static bool checked = false;
     static bool yesItIs = false;
 
     if ( checked ) return yesItIs;
 
     yesItIs = ( getenv( "SXE_DISCOVERY_MODE" ) != 0 );
     if ( yesItIs )
     {
         qWarning("SXE Discovery mode on, ALLOWING ALL requests and logging to %s",
                  qPrintable(logFilePath()));
         QFile::remove( logFilePath() );
     }
     checked = true;
     return yesItIs;
 #else
     return false;
 #endif
 }

◆ keyFilePath()

QString QTransportAuth::keyFilePath ( ) const

Definition at line 381 of file qtransportauth_qws.cpp.

 {
     Q_D(const QTransportAuth);
     return d->m_keyFilePath;
 }

◆ logFilePath()

QString QTransportAuth::logFilePath ( ) const

Definition at line 393 of file qtransportauth_qws.cpp.

Referenced by authorizeRequest(), isDiscoveryMode(), and FAREnforcer::logAuthAttempt().

 {
     Q_D(const QTransportAuth);
     return d->m_logFilePath;
 }

◆ passThroughByClient()

QIODevice * QTransportAuth::passThroughByClient ( QWSClient * client ) const

Warning: This function is not part of the public interface. Return the authorizer device mapped to this client. Note that this could probably all be void* instead of QWSClient* for generality. Until the need for that rears its head its QWSClient* to save the casts.

OK the need has arrived, but the public API is frozen.

Definition at line 435 of file qtransportauth_qws.cpp.

Referenced by qws_write_command(), and QWSClient::readMoreCommand().

 {
     Q_D(const QTransportAuth);
 
     if ( client == 0 ) return 0;
     if ( d->buffersByClient.contains( client ))
     {
         return d->buffersByClient[client];
     }
     // qWarning( "buffer not found for client %p", client );
     return 0;
 }

◆ policyCheck

void QTransportAuth::policyCheck	(	QTransportAuth::Data &	,
		const QString &
	)

signal

Referenced by authorizeRequest(), and registerPolicyReceiver().

◆ recvBuf()

QAuthDevice * QTransportAuth::recvBuf	(	QTransportAuth::Data *	data,
		QIODevice *	iod
	)

Return a QIODevice pointer (to an internal QBuffer) which can be used to receive data after authorization on transport d.

Warning: This function is not part of the public interface.

The return QIODevice will act as a pass-through.

The data will be consumed from iod and forwarded on to the returned QIODevice which can be connected to readyRead() signal handlers in place of the original QIODevice iod.

This will be called in the server process to handle incoming authenticated requests.

The returned QIODevice will take ownership of data which will be deleted when the QIODevice is delected.

See also: setTargetDevice()

Definition at line 470 of file qtransportauth_qws.cpp.

Referenced by QWSServerPrivate::_q_newConnection().

 {
     return new QAuthDevice( iod, data, QAuthDevice::Receive );
 }

◆ registerPolicyReceiver()

void QTransportAuth::registerPolicyReceiver ( QObject * pr )

Register pr as a policy handler object.

The object pointed to by pr should have a slot as follows

policyCheck( QTransportAuth::Data &, const QString & )

All requests received by this server will then generate a call to this slot, and may be processed for policy compliance.

Definition at line 262 of file qtransportauth_qws.cpp.

 {
     // not every policy receiver needs setup - no error if this fails
     QMetaObject::invokeMethod( pr, "setupPolicyCheck" );
 
     connect( this, SIGNAL(policyCheck(QTransportAuth::Data&,QString)),
              pr, SLOT(policyCheck(QTransportAuth::Data&,QString)), Qt::DirectConnection );
 }

◆ setKeyFilePath()

void QTransportAuth::setKeyFilePath ( const QString & path )

Set the full path to the key file.

Since this is normally relative to Qtopia::qpeDir() this needs to be set within the Qt Extended framework.

The keyfile should be protected by file permissions or by MAC rules such that it can only be read/written by the "qpe" server process

Definition at line 375 of file qtransportauth_qws.cpp.

 {
     Q_D(QTransportAuth);
     d->m_keyFilePath = path;
 }

◆ setLogFilePath()

void QTransportAuth::setLogFilePath ( const QString & path )

Definition at line 387 of file qtransportauth_qws.cpp.

 {
     Q_D(QTransportAuth);
     d->m_logFilePath = path;
 }

◆ setPackageRegistry()

void QTransportAuth::setPackageRegistry ( QObject * registry )

Definition at line 399 of file qtransportauth_qws.cpp.

 {
     Q_D(QTransportAuth);
     d->m_packageRegistry = registry;
 }

◆ setProcessKey() [1/2]

void QTransportAuth::setProcessKey ( const char * authdata )

Set the process key for this currently running Qt Extended process to the authdata.

authdata should be sizeof(struct AuthCookie) in length and contain the key and program id. Use this method when setting or changing the SXE identity of the current program.

Definition at line 218 of file qtransportauth_qws.cpp.

Referenced by setProcessKey().

 {
     Q_D(QTransportAuth);
     ::memcpy(&d->authKey, authdata, sizeof(struct AuthCookie));
     QFile proc_key( QLatin1String("/proc/self/lids_key") );
     // where proc key exists use that instead
     if ( proc_key.open( QIODevice::ReadOnly ))
     {
         qint64 kb = proc_key.read( (char*)&d->authKey.key, QSXE_KEY_LEN );
 #ifdef QTRANSPORTAUTH_DEBUG
         qDebug( "Using %li bytes of /proc/%i/lids_key\n", (long int)kb, getpid() );
 #else
         Q_UNUSED( kb );
 #endif
     }
     d->keyInitialised = true;
 }

◆ setProcessKey() [2/2]

void QTransportAuth::setProcessKey	(	const char *	key,
		const char *	prog
	)

Apply key as the process key for the currently running application.

prog is current ignored

Deprecated function

Definition at line 244 of file qtransportauth_qws.cpp.

 {
     Q_UNUSED(prog);
     setProcessKey( key );
 #ifdef QTRANSPORTAUTH_DEBUG
     char displaybuf[QSXE_KEY_LEN*2+1];
     hexstring( displaybuf, (const unsigned char *)key, QSXE_KEY_LEN );
     qDebug() << "key" << displaybuf << "set";
 #endif
 }

◆ unregisterPolicyReceiver()

void QTransportAuth::unregisterPolicyReceiver ( QObject * pr )

Unregister the pr from being a policy handler.

No more policyCheck signals are received by this object.

Definition at line 275 of file qtransportauth_qws.cpp.

 {
     disconnect( pr );
     // not every policy receiver needs tear down - no error if this fails
     QMetaObject::invokeMethod( pr, "teardownPolicyCheck" );
 }

Friends and Related Functions

◆ QAuthDevice

friend class QAuthDevice

friend

Definition at line 171 of file qtransportauth_qws.h.

Referenced by authBuf(), and recvBuf().

The documentation for this class was generated from the following files:

/src/gui/embedded/qtransportauth_qws.h
/src/gui/embedded/qtransportauth_qws.cpp

Classes

Public Types

Signals

Public Functions

Static Public Functions

Private Slots

Private Functions

Friends

Additional Inherited Members