diff options
author | Hannah von Reth <vonreth@kde.org> | 2022-05-10 16:55:31 +0300 |
---|---|---|
committer | Hannah von Reth <vonreth@kde.org> | 2022-05-13 14:08:30 +0300 |
commit | fd0c73ec06d8a90f04dc17ea5e9e551e577c47b0 (patch) | |
tree | 7b3f73ba921be387718b03a0b202a3282450c4a9 /src/libsync | |
parent | b59083540e1b38fb75d5d14d6ed3153bdce702f2 (diff) |
Remove legacy ssl error handler
Diffstat (limited to 'src/libsync')
-rw-r--r-- | src/libsync/abstractnetworkjob.h | 2 | ||||
-rw-r--r-- | src/libsync/account.cpp | 108 | ||||
-rw-r--r-- | src/libsync/account.h | 16 |
3 files changed, 0 insertions, 126 deletions
diff --git a/src/libsync/abstractnetworkjob.h b/src/libsync/abstractnetworkjob.h index 411ea1efd..d33f15a23 100644 --- a/src/libsync/abstractnetworkjob.h +++ b/src/libsync/abstractnetworkjob.h @@ -40,8 +40,6 @@ OWNCLOUDSYNC_EXPORT QDebug operator<<(QDebug debug, const OCC::AbstractNetworkJo namespace OCC { -class AbstractSslErrorHandler; - using HeaderMap = QMap<QByteArray, QByteArray>; /** diff --git a/src/libsync/account.cpp b/src/libsync/account.cpp index 2b18fa52d..3dc44d18a 100644 --- a/src/libsync/account.cpp +++ b/src/libsync/account.cpp @@ -169,8 +169,6 @@ void Account::setCredentials(AbstractCredentials *cred) if (jar) { _am->setCookieJar(jar); } - connect(_am.data(), &QNetworkAccessManager::sslErrors, - this, &Account::slotHandleSslErrors); connect(_am.data(), &QNetworkAccessManager::proxyAuthenticationRequired, this, &Account::proxyAuthenticationRequired); connect(_credentials.data(), &AbstractCredentials::fetched, @@ -232,8 +230,6 @@ void Account::resetAccessManager() _am->setCustomTrustedCaCertificates(approvedCerts()); _am->setCookieJar(jar); // takes ownership of the old cookie jar - connect(_am.data(), &QNetworkAccessManager::sslErrors, this, - &Account::slotHandleSslErrors); connect(_am.data(), &QNetworkAccessManager::proxyAuthenticationRequired, this, &Account::proxyAuthenticationRequired); } @@ -283,11 +279,6 @@ void Account::resetRejectedCertificates() _rejectedCertificates.clear(); } -void Account::setSslErrorHandler(AbstractSslErrorHandler *handler) -{ - _sslErrorHandler.reset(handler); -} - void Account::setUrl(const QUrl &url) { _url = url; @@ -314,105 +305,6 @@ void Account::setCredentialSetting(const QString &key, const QVariant &value) } } -void Account::slotHandleSslErrors(QPointer<QNetworkReply> reply, const QList<QSslError> &errors) -{ - // Copy info out of reply ASAP - if (reply.isNull()) { - return; - } - - const QString urlString = reply->url().toString(); - const auto sslConfiguration = reply->sslConfiguration(); - - qCDebug(lcAccount) << "SSL diagnostics for url " << urlString; - QList<QSslError> filteredErrors; - QList<QSslError> ignoredErrors; - for (const auto &error : qAsConst(errors)) { - if (error.error() == QSslError::UnableToGetLocalIssuerCertificate) { - // filter out this "error" - qCDebug(lcAccount) << "- Info for " << error.certificate() << ": " << error.errorString() - << ". Local SSL certificates are known and always accepted."; - ignoredErrors << error; - } else { - qCDebug(lcAccount) << "- Error for " << error.certificate() << ": " - << error.errorString() << "(" << int(error.error()) << ")" - << "\n"; - filteredErrors << error; - } - } - - // ask the _sslErrorHandler what to do with filteredErrors - const auto handleErrors = [&urlString, &sslConfiguration, this](const QList<QSslError> &filteredErrors) -> QList<QSslError> { - if (filteredErrors.isEmpty()) { - return {}; - } - bool allPreviouslyRejected = true; - for (const auto &error : qAsConst(filteredErrors)) { - if (!_rejectedCertificates.contains(error.certificate())) { - allPreviouslyRejected = false; - break; - } - } - - // If all certs have previously been rejected by the user, don't ask again. - if (allPreviouslyRejected) { - qCInfo(lcAccount) << "SSL diagnostics for url " << urlString - << ": certificates not trusted by user decision, returning."; - return {}; - } - - if (_sslErrorHandler.isNull()) { - qCWarning(lcAccount) << Q_FUNC_INFO << " called without a valid SSL error handler for account" << url() - << "(" << urlString << ")"; - return {}; - } - - // SslDialogErrorHandler::handleErrors will run an event loop that might execute - // the deleteLater() of the QNAM before we have the chance of unwinding our stack. - // Keep a ref here on our stackframe to make sure that it doesn't get deleted before - // handleErrors returns. - QSharedPointer<QNetworkAccessManager> qnamLock = _am; - QList<QSslCertificate> approvedCerts; - if (_sslErrorHandler->handleErrors(filteredErrors, sslConfiguration, &approvedCerts, sharedFromThis())) { - if (!approvedCerts.isEmpty()) { - addApprovedCerts(approvedCerts); - emit wantsAccountSaved(this); - - // all ssl certs are known and accepted. We can ignore the problems right away. - qCDebug(lcAccount) << "Certs are known and trusted! This is not an actual error."; - } - return filteredErrors; - } else { - // Mark all involved certificates as rejected, so we don't ask the user again. - for (const auto &error : qAsConst(filteredErrors)) { - if (!_rejectedCertificates.contains(error.certificate())) { - _rejectedCertificates.insert(error.certificate()); - } - } - } - return {}; - }; - - // FIXME: outdated comment - // Call `handleErrors` NOW, BEFORE checking if the scoped `reply` pointer. The lambda might take - // a long time to complete: if a dialog is shown, the user could be "slow" to click it away, and - // the reply might have been deleted at that point. So if we'd do this call inside the if below, - // the object inside the reply guarded pointer could there, but might be gone *after* we finish - // with `ignoreSslErrors`. Even when the scenario with a deleted reply happens, the handling is - // still needed: the `handleErrors` call will also set the default CA certificates through - // `QSslSocket::addDefaultCaCertificates()`, so future requests/replies can use those - // user-approved certificates. - auto moreIgnoredErrors = handleErrors(filteredErrors); - - // always apply the filter when we leave the scope - if (reply) { - // Warning: Do *not* use ignoreSslErrors() (without args) here: - // it permanently ignores all SSL errors for this host, even - // certificate changes. - reply->ignoreSslErrors(ignoredErrors + moreIgnoredErrors); - } -} - void Account::slotCredentialsFetched() { emit credentialsFetched(_credentials.data()); diff --git a/src/libsync/account.h b/src/libsync/account.h index f4bd141d0..84f0d0be1 100644 --- a/src/libsync/account.h +++ b/src/libsync/account.h @@ -55,17 +55,6 @@ class SimpleNetworkJob; /** - * @brief Reimplement this to handle SSL errors from libsync - * @ingroup libsync - */ -class AbstractSslErrorHandler -{ -public: - virtual ~AbstractSslErrorHandler() {} - virtual bool handleErrors(const QList<QSslError> &, const QSslConfiguration &conf, QList<QSslCertificate> *, AccountPtr) = 0; -}; - -/** * @brief The Account class represents an account on an ownCloud Server * @ingroup libsync * @@ -172,9 +161,6 @@ public: // the next unknown certificate is encountered. void resetRejectedCertificates(); - // pluggable handler - void setSslErrorHandler(AbstractSslErrorHandler *handler); - // To be called by credentials only, for storing username and the like QVariant credentialSetting(const QString &key) const; void setCredentialSetting(const QString &key, const QVariant &value); @@ -236,7 +222,6 @@ public: public slots: /// Used when forgetting credentials void clearAMCache(); - void slotHandleSslErrors(QPointer<QNetworkReply>, const QList<QSslError> &); signals: /// Triggered by handleInvalidCredentials() @@ -283,7 +268,6 @@ private: QSet<QSslCertificate> _approvedCerts; Capabilities _capabilities; QString _serverVersion; - QScopedPointer<AbstractSslErrorHandler> _sslErrorHandler; QuotaInfo *_quotaInfo; QSharedPointer<AccessManager> _am; QScopedPointer<AbstractCredentials> _credentials; |