Open miceg opened 2 months ago
This is still an issue in QGIS 3.38.1.
QGIS version
3.38.1-Grenoble
QGIS code revision
3d4177afc6
Qt version
5.15.13
Python version
3.12.4
GDAL/OGR version
3.9.1
PROJ version
9.4.0
EPSG Registry database version
v11.004 (2024-02-24)
GEOS version
3.12.2-CAPI-1.18.2
SQLite version
3.45.1
PDAL version
2.6.3
PostgreSQL client version
16.2
SpatiaLite version
5.1.0
QWT version
6.2.0
QScintilla2 version
2.14.1
OS version
Windows 11 Version 2009
Active Python plugins
db_manager
0.1.20
grassprovider
2.12.99
MetaSearch
0.3.6
processing
2.12.99
What is the bug or the crash?
When opening the layer properties dialog on a PostgreSQL connection configured with
sslmode=verify-full
and using a self-signed or cloud-provider-signed certificate loaded into QGIS' certificate store, QGIS shows an authentication dialog with an error:Copying the server's CA certificates to that path (or
~/.postgresql/root.crt
on macOS) mitigates the issue, but this shouldn't be necessary – QGIS should be configuringlibpq
correctly!Other functionality with the layer seems to work correctly.
Steps to reproduce the issue
Set up a PostgreSQL server with self-signed or cloud-provider-signed certificates, which are not in QGIS/browser CA bundles.
Setup QGIS to connect to the server using
Basic
authentication andsslmode=verify-full
.I've got QGIS configured to store layer metadata and projects in PostgreSQL too – but that doesn't seem to be needed to reproduce the issue.
Add a table from that PostgreSQL connection as a layer to your QGIS project.
Right-click the layer, and press "layer properties".
You're now prompted for a user name and password, with that error message.
You can also press cancel here – it's not clear to me what context this is actually used in.
Versions
I'm also able to reproduce the issue with the same version of QGIS on macOS.
Supported QGIS version
New profile
Additional context
Possibly related: https://github.com/qgis/QGIS/issues/39648
PostgreSQL connections are insecure by default, and
sslmode=verify-full
is the only mode which is actually secure – so this should work out of the box. 😄It looks like
QgsAuthBasicMethod::updateDataSourceUriItems()
should add in all custom certificates to the connection configuration when using a BasicauthCfg
by exporting the certificates to a temporary file.If I look at the SQL log in debugging and development tools, I see this (some details redacted)
That log line comes from here, and stepping through the lines before it:
https://github.com/qgis/QGIS/blob/d69b60ba77d4062844063f0092ae72340b2f8516/src/providers/postgres/qgspostgresconn.cpp#L336-L356
mUri
is aQgsDataSourceUri
, somUri.connectionInfo(true)
referencesQgsDataSourceUri::connectionInfo()
.That only calls
updateDataSourceUriItems()
if!mAuthConfigId.isEmpty() && expandAuthCfg
, and the debugging output suggests that there is noauthCfg
at that point – it looks like something else has already expanded theauthCfg
into auser
andpassword
field, but dropped the certificate configs.The fact that the server certificate configs are included by
QgsBasicAuthMethod
(andQgsAuthIdentCertMethod
,QgsAuthPkcs12Method
andQgsAuthPkiPathsMethod
) seems very strange to me, and probably led to this bug.I think that this should be part of
QgsDataSourceUri
instead, because then it's consistent regardless of authentication provider.There may be other reasons for this, but this is what I got from spending a little bit of time reading the code (ie: only static analysis, no debugger).