qgis · Nov 3, 2016
diff --git a/‎ci/travis/linux/qt5/blacklist.txt
Lines changed: 1 addition & 1 deletion b/‎ci/travis/linux/qt5/blacklist.txt
Lines changed: 1 addition & 1 deletion
diff --git a/‎tests/src/python/CMakeLists.txt
Lines changed: 3 additions & 1 deletion b/‎tests/src/python/CMakeLists.txt
Lines changed: 3 additions & 1 deletion
diff --git a/‎tests/src/python/qgis_wrapped_server.py
Lines changed: 57 additions & 3 deletions b/‎tests/src/python/qgis_wrapped_server.py
Lines changed: 57 additions & 3 deletions
diff --git a/‎tests/src/python/test_authmanager_endpoint.py renamed to ‎tests/src/python/test_authmanager_password_ows.py
Lines changed: 17 additions & 8 deletions b/‎tests/src/python/test_authmanager_endpoint.py renamed to ‎tests/src/python/test_authmanager_password_ows.py
Lines changed: 17 additions & 8 deletions
diff --git a/‎tests/src/python/test_authmanager_pki_ows.py
Lines changed: 210 additions & 0 deletions b/‎tests/src/python/test_authmanager_pki_ows.py
Lines changed: 210 additions & 0 deletions
diff --git a/‎tests/src/python/test_authmanager_pki_postgres.py
Lines changed: 233 additions & 0 deletions b/‎tests/src/python/test_authmanager_pki_postgres.py
Lines changed: 233 additions & 0 deletions
diff --git a/‎tests/src/python/test_qgsserver.py
Lines changed: 7 additions & 5 deletions b/‎tests/src/python/test_qgsserver.py
Lines changed: 7 additions & 5 deletions
diff --git a/‎tests/src/python/utilities.py
Lines changed: 3 additions & 3 deletions b/‎tests/src/python/utilities.py
Lines changed: 3 additions & 3 deletions
@@ -6,7 +6,7 @@ PyQgsMapUnitScale
 PyQgsPalLabelingServer
 PyQgsRelationEditWidget
 PyQgsServer
-PyQgsAuthManagerEndpointTest
+PyQgsAuthManagerPasswordOWSTest
 PyQgsServerAccessControl
 PyQgsSipCoverage
 PyQgsSpatialiteProvider
 
@@ -150,5 +150,7 @@ IF (WITH_SERVER)
   ADD_PYTHON_TEST(PyQgsServerAccessControl test_qgsserver_accesscontrol.py)
   ADD_PYTHON_TEST(PyQgsServerWFST test_qgsserver_wfst.py)
   ADD_PYTHON_TEST(PyQgsOfflineEditingWFS test_offline_editing_wfs.py)
-  ADD_PYTHON_TEST(PyQgsAuthManagerEndpointTest test_authmanager_endpoint.py)
+  ADD_PYTHON_TEST(PyQgsAuthManagerPasswordOWSTest test_authmanager_password_ows.py)
+  #ADD_PYTHON_TEST(PyQgsAuthManagerPKIOWSTest test_authmanager_pki_ows.py)
+  ADD_PYTHON_TEST(PyQgsAuthManagerPKIPostgresTest test_authmanager_pki_postgres.py)
 ENDIF (WITH_SERVER)
@@ -13,6 +13,21 @@
   * QGIS_SERVER_USERNAME (default ="username")
   * QGIS_SERVER_PASSWORD (default ="password")
 
+PKI authentication with HTTPS can be enabled with:
+
+  * QGIS_SERVER_PKI_CERTIFICATE (server certificate)
+  * QGIS_SERVER_PKI_KEY (server private key)
+  * QGIS_SERVER_PKI_AUTHORITY (root CA)
+  * QGIS_SERVER_PKI_USERNAME (valid username)
+
+ Sample run:
+
+ QGIS_SERVER_PKI_USERNAME=Gerardus QGIS_SERVER_PORT=47547 QGIS_SERVER_HOST=localhost \
+    QGIS_SERVER_PKI_KEY=/home/dev/QGIS/tests/testdata/auth_system/certs_keys/localhost_ssl_key.pem \
+    QGIS_SERVER_PKI_CERTIFICATE=/home/dev/QGIS/tests/testdata/auth_system/certs_keys/localhost_ssl_cert.pem \
+    QGIS_SERVER_PKI_AUTHORITY=/home/dev/QGIS/tests/testdata/auth_system/certs_keys/chains_subissuer-issuer-root_issuer2-root2.pem \
+    python /home/dev/QGIS/tests/src/python/qgis_wrapped_server.py
+
 .. note:: This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation; either version 2 of the License, or
@@ -31,12 +46,27 @@
 
 import os
 import sys
+import ssl
 import urllib.parse
 from http.server import BaseHTTPRequestHandler, HTTPServer
 from qgis.server import QgsServer, QgsServerFilter
 
 QGIS_SERVER_PORT = int(os.environ.get('QGIS_SERVER_PORT', '8081'))
 QGIS_SERVER_HOST = os.environ.get('QGIS_SERVER_HOST', '127.0.0.1')
+# PKI authentication
+QGIS_SERVER_PKI_CERTIFICATE = os.environ.get('QGIS_SERVER_PKI_CERTIFICATE')
+QGIS_SERVER_PKI_KEY = os.environ.get('QGIS_SERVER_PKI_KEY')
+QGIS_SERVER_PKI_AUTHORITY = os.environ.get('QGIS_SERVER_PKI_AUTHORITY')
+QGIS_SERVER_PKI_USERNAME = os.environ.get('QGIS_SERVER_PKI_USERNAME')
+
+# Check if PKI - https is enabled
+https = (QGIS_SERVER_PKI_CERTIFICATE is not None and
+         os.path.isfile(QGIS_SERVER_PKI_CERTIFICATE) and
+         QGIS_SERVER_PKI_KEY is not None and
+         os.path.isfile(QGIS_SERVER_PKI_KEY) and
+         QGIS_SERVER_PKI_AUTHORITY is not None and
+         os.path.isfile(QGIS_SERVER_PKI_AUTHORITY) and
+         QGIS_SERVER_PKI_USERNAME)
 
 qgs_server = QgsServer()
 
@@ -66,8 +96,20 @@ def responseComplete(self):
 class Handler(BaseHTTPRequestHandler):
 
     def do_GET(self):
+        # For PKI: check the username from client certificate
+        if https:
+            try:
+                ssl.match_hostname(self.connection.getpeercert(), QGIS_SERVER_PKI_USERNAME)
+            except Exception as ex:
+                print("SSL Exception %s" % ex)
+                self.send_response(401)
+                self.end_headers()
+                self.wfile.write('UNAUTHORIZED')
+                return
         # CGI vars:
         for k, v in self.headers.items():
+            # Uncomment to print debug info about env vars passed into QGIS Server env
+            #print('Setting ENV var %s to %s' % ('HTTP_%s' % k.replace(' ', '-').replace('-', '_').replace(' ', '-').upper(), v))
             qgs_server.putenv('HTTP_%s' % k.replace(' ', '-').replace('-', '_').replace(' ', '-').upper(), v)
         qgs_server.putenv('SERVER_PORT', str(self.server.server_port))
         qgs_server.putenv('SERVER_NAME', self.server.server_name)
@@ -96,7 +138,19 @@ def do_POST(self):
 
 if __name__ == '__main__':
     server = HTTPServer((QGIS_SERVER_HOST, QGIS_SERVER_PORT), Handler)
-    print('Starting server on %s:%s, use <Ctrl-C> to stop' %
-          (QGIS_SERVER_HOST, server.server_port))
-    sys.stdout.flush()
+    if https:
+        server.socket = ssl.wrap_socket(server.socket,
+                                        certfile=QGIS_SERVER_PKI_CERTIFICATE,
+                                        keyfile=QGIS_SERVER_PKI_KEY,
+                                        ca_certs=QGIS_SERVER_PKI_AUTHORITY,
+                                        cert_reqs=ssl.CERT_REQUIRED,
+                                        server_side=True,
+                                        ssl_version=ssl.PROTOCOL_TLSv1)
+    message = 'Starting server on %s://%s:%s, use <Ctrl-C> to stop' % \
+              ('https' if https else 'http', QGIS_SERVER_HOST, server.server_port)
+    try:
+        print(message, flush=True)
+    except:
+        print(message)
+        sys.stdout.flush()
     server.serve_forever()
@@ -8,7 +8,7 @@
 configuration to access an HTTP Basic protected endpoint.
 
 
-From build dir, run: ctest -R PyQgsAuthManagerEnpointTest -V
+From build dir, run: ctest -R PyQgsAuthManagerPasswordOWSTest -V
 
 .. note:: This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -22,7 +22,10 @@
 import tempfile
 import random
 import string
-import urllib
+try:
+    from urllib.parse import quote
+except:
+    from urllib import quote
 
 __author__ = 'Alessandro Pasotti'
 __date__ = '18/09/2016'
@@ -47,7 +50,7 @@
 try:
     QGIS_SERVER_ENDPOINT_PORT = os.environ['QGIS_SERVER_ENDPOINT_PORT']
 except:
-    QGIS_SERVER_ENDPOINT_PORT = '0' # Auto
+    QGIS_SERVER_ENDPOINT_PORT = '0'  # Auto
 
 
 QGIS_AUTH_DB_DIR_PATH = tempfile.mkdtemp()
@@ -84,11 +87,14 @@ def setUpClass(cls):
         cls.auth_config.setConfig('username', cls.username)
         cls.auth_config.setConfig('password', cls.password)
         assert (authm.storeAuthenticationConfig(cls.auth_config)[0])
+        cls.hostname = '127.0.0.1'
+        cls.protocol = 'http'
 
         os.environ['QGIS_SERVER_HTTP_BASIC_AUTH'] = '1'
         os.environ['QGIS_SERVER_USERNAME'] = cls.username
         os.environ['QGIS_SERVER_PASSWORD'] = cls.password
         os.environ['QGIS_SERVER_PORT'] = str(cls.port)
+        os.environ['QGIS_SERVER_HOST'] = cls.hostname
         server_path = os.path.dirname(os.path.realpath(__file__)) + \
             '/qgis_wrapped_server.py'
         cls.server = subprocess.Popen([sys.executable, server_path],
@@ -98,7 +104,7 @@ def setUpClass(cls):
         cls.port = int(re.findall(b':(\d+)', line)[0])
         assert cls.port != 0
         # Wait for the server process to start
-        assert waitServer('http://127.0.0.1:%s' % cls.port), "Server is not responding! http://127.0.0.1:%s" % cls.port
+        assert waitServer('%s://%s:%s' % (cls.protocol, cls.hostname, cls.port)), "Server is not responding! '%s://%s:%s" % (cls.protocol, cls.hostname, cls.port)
 
     @classmethod
     def tearDownClass(cls):
@@ -125,13 +131,16 @@ def _getWFSLayer(cls, type_name, layer_name=None, authcfg=None):
         parms = {
             'srsname': 'EPSG:4326',
             'typename': type_name,
-            'url': 'http://127.0.0.1:%s/?map=%s' % (cls.port, cls.project_path),
+            'url': '%s://%s:%s/?map=%s' % (cls.protocol, cls.hostname, cls.port, cls.project_path),
             'version': 'auto',
             'table': '',
         }
         if authcfg is not None:
             parms.update({'authcfg': authcfg})
-        uri = ' '.join([("%s='%s'" % (k, v.decode('utf-8'))) for k, v in list(parms.items())])
+        try: # Py2
+            uri = ' '.join([("%s='%s'" % (k, v.decode('utf-8'))) for k, v in list(parms.items())])
+        except AttributeError: # Py3
+            uri = ' '.join([("%s='%s'" % (k, v)) for k, v in list(parms.items())])
         wfs_layer = QgsVectorLayer(uri, layer_name, 'WFS')
         return wfs_layer
 
@@ -144,11 +153,11 @@ def _getWMSLayer(cls, layers, layer_name=None, authcfg=None):
             layer_name = 'wms_' + layers.replace(',', '')
         parms = {
             'crs': 'EPSG:4326',
-            'url': 'http://127.0.0.1:%s/?map=%s' % (cls.port, cls.project_path),
+            'url': '%s://%s:%s/?map=%s' % (cls.protocol, cls.hostname, cls.port, cls.project_path),
             'format': 'image/png',
             # This is needed because of a really weird implementation in QGIS Server, that
             # replaces _ in the the real layer name with spaces
-            'layers': urllib.quote(layers.replace('_', ' ')),
+            'layers': quote(layers.replace('_', ' ')),
             'styles': '',
             'version': 'auto',
             #'sql': '',
 
@@ -0,0 +1,210 @@
+# -*- coding: utf-8 -*-
+"""
+Tests for auth manager WMS/WFS using QGIS Server through PKI
+enabled qgis_wrapped_server.py.
+
+This is an integration test for QGIS Desktop Auth Manager WFS and WMS provider
+and QGIS Server WFS/WMS that check if QGIS can use a stored auth manager auth
+configuration to access an HTTP Basic protected endpoint.
+
+
+From build dir, run: ctest -R PyQgsAuthManagerPKIOWSTest -V
+
+.. note:: This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2 of the License, or
+(at your option) any later version.
+"""
+import os
+import sys
+import re
+import subprocess
+import tempfile
+import urllib
+import stat
+
+__author__ = 'Alessandro Pasotti'
+__date__ = '25/10/2016'
+__copyright__ = 'Copyright 2016, The QGIS Project'
+# This will get replaced with a git SHA1 when you do a git archive
+__revision__ = '$Format:%H$'
+
+from shutil import rmtree
+
+from utilities import unitTestDataPath, waitServer
+from qgis.core import (
+    QgsAuthManager,
+    QgsAuthMethodConfig,
+    QgsVectorLayer,
+    QgsRasterLayer,
+)
+
+from qgis.PyQt.QtNetwork import QSslCertificate
+
+from qgis.testing import (
+    start_app,
+    unittest,
+)
+
+try:
+    QGIS_SERVER_ENDPOINT_PORT = os.environ['QGIS_SERVER_ENDPOINT_PORT']
+except:
+    QGIS_SERVER_ENDPOINT_PORT = '0'  # Auto
+
+
+QGIS_AUTH_DB_DIR_PATH = tempfile.mkdtemp()
+
+os.environ['QGIS_AUTH_DB_DIR_PATH'] = QGIS_AUTH_DB_DIR_PATH
+
+qgis_app = start_app()
+
+
+class TestAuthManager(unittest.TestCase):
+
+    @classmethod
+    def setUpAuth(cls):
+        """Run before all tests and set up authentication"""
+        authm = QgsAuthManager.instance()
+        assert (authm.setMasterPassword('masterpassword', True))
+        cls.sslrootcert_path = os.path.join(cls.certsdata_path, 'chains_subissuer-issuer-root_issuer2-root2.pem')
+        cls.sslcert = os.path.join(cls.certsdata_path, 'gerardus_cert.pem')
+        cls.sslkey = os.path.join(cls.certsdata_path, 'gerardus_key.pem')
+        assert os.path.isfile(cls.sslcert)
+        assert os.path.isfile(cls.sslkey)
+        assert os.path.isfile(cls.sslrootcert_path)
+        os.chmod(cls.sslcert, stat.S_IRUSR)
+        os.chmod(cls.sslkey, stat.S_IRUSR)
+        os.chmod(cls.sslrootcert_path, stat.S_IRUSR)
+        cls.auth_config = QgsAuthMethodConfig("PKI-Paths")
+        cls.auth_config.setConfig('certpath', cls.sslcert)
+        cls.auth_config.setConfig('keypath', cls.sslkey)
+        cls.auth_config.setName('test_pki_auth_config')
+        cls.username = 'Gerardus'
+        cls.sslrootcert = QSslCertificate.fromPath(cls.sslrootcert_path)
+        assert cls.sslrootcert is not None
+        authm.storeCertAuthorities(cls.sslrootcert)
+        authm.rebuildCaCertsCache()
+        authm.rebuildTrustedCaCertsCache()
+        assert (authm.storeAuthenticationConfig(cls.auth_config)[0])
+        assert cls.auth_config.isValid()
+
+        cls.server_cert = os.path.join(cls.certsdata_path, 'localhost_ssl_cert.pem')
+        cls.server_key = os.path.join(cls.certsdata_path, 'localhost_ssl_key.pem')
+        cls.server_rootcert = cls.sslrootcert_path
+        os.chmod(cls.server_cert, stat.S_IRUSR)
+        os.chmod(cls.server_key, stat.S_IRUSR)
+        os.chmod(cls.server_rootcert, stat.S_IRUSR)
+
+        os.environ['QGIS_SERVER_HOST'] = cls.hostname
+        os.environ['QGIS_SERVER_PORT'] = str(cls.port)
+        os.environ['QGIS_SERVER_PKI_KEY'] = cls.server_key
+        os.environ['QGIS_SERVER_PKI_CERTIFICATE'] = cls.server_cert
+        os.environ['QGIS_SERVER_PKI_USERNAME'] = cls.username
+        os.environ['QGIS_SERVER_PKI_AUTHORITY'] = cls.server_rootcert
+
+    @classmethod
+    def setUpClass(cls):
+        """Run before all tests:
+        Creates an auth configuration"""
+        cls.port = QGIS_SERVER_ENDPOINT_PORT
+        # Clean env just to be sure
+        env_vars = ['QUERY_STRING', 'QGIS_PROJECT_FILE']
+        for ev in env_vars:
+            try:
+                del os.environ[ev]
+            except KeyError:
+                pass
+        cls.testdata_path = unitTestDataPath('qgis_server')
+        cls.certsdata_path = os.path.join(unitTestDataPath('auth_system'), 'certs_keys')
+        cls.project_path = os.path.join(cls.testdata_path, "test_project.qgs")
+        cls.hostname = 'localhost'
+        cls.protocol = 'https'
+
+        cls.setUpAuth()
+
+        server_path = os.path.join(os.path.dirname(os.path.realpath(__file__)),
+                                   'qgis_wrapped_server.py')
+        cls.server = subprocess.Popen([sys.executable, server_path],
+                                      env=os.environ, stdout=subprocess.PIPE)
+        line = cls.server.stdout.readline()
+        cls.port = int(re.findall(b':(\d+)', line)[0])
+        assert cls.port != 0
+        # Wait for the server process to start
+        assert waitServer('%s://%s:%s' % (cls.protocol, cls.hostname, cls.port)), "Server is not responding! %s://%s:%s" % (cls.protocol, cls.hostname, cls.port)
+
+    @classmethod
+    def tearDownClass(cls):
+        """Run after all tests"""
+        cls.server.terminate()
+        rmtree(QGIS_AUTH_DB_DIR_PATH)
+        del cls.server
+
+    def setUp(self):
+        """Run before each test."""
+        pass
+
+    def tearDown(self):
+        """Run after each test."""
+        pass
+
+    @classmethod
+    def _getWFSLayer(cls, type_name, layer_name=None, authcfg=None):
+        """
+        WFS layer factory
+        """
+        if layer_name is None:
+            layer_name = 'wfs_' + type_name
+        parms = {
+            'srsname': 'EPSG:4326',
+            'typename': type_name,
+            'url': '%s://%s:%s/?map=%s' % (cls.protocol, cls.hostname, cls.port, cls.project_path),
+            'version': 'auto',
+            'table': '',
+        }
+        if authcfg is not None:
+            parms.update({'authcfg': authcfg})
+        try: # Py2
+            uri = ' '.join([("%s='%s'" % (k, v.decode('utf-8'))) for k, v in list(parms.items())])
+        except AttributeError: # Py3
+            uri = ' '.join([("%s='%s'" % (k, v)) for k, v in list(parms.items())])
+        wfs_layer = QgsVectorLayer(uri, layer_name, 'WFS')
+        return wfs_layer
+
+    @classmethod
+    def _getWMSLayer(cls, layers, layer_name=None, authcfg=None):
+        """
+        WMS layer factory
+        """
+        if layer_name is None:
+            layer_name = 'wms_' + layers.replace(',', '')
+        parms = {
+            'crs': 'EPSG:4326',
+            'url': '%s://%s:%s/?map=%s' % (cls.protocol, cls.hostname, cls.port, cls.project_path),
+            'format': 'image/png',
+            # This is needed because of a really weird implementation in QGIS Server, that
+            # replaces _ in the the real layer name with spaces
+            'layers': urllib.quote(layers.replace('_', ' ')),
+            'styles': '',
+            'version': 'auto',
+            #'sql': '',
+        }
+        if authcfg is not None:
+            parms.update({'authcfg': authcfg})
+        uri = '&'.join([("%s=%s" % (k, v.replace('=', '%3D'))) for k, v in list(parms.items())])
+        wms_layer = QgsRasterLayer(uri, layer_name, 'wms')
+        return wms_layer
+
+    def testValidAuthAccess(self):
+        """
+        Access the protected layer with valid credentials
+        Note: cannot test invalid access in a separate test  because
+              it would fail the subsequent (valid) calls due to cached connections
+        """
+        wfs_layer = self._getWFSLayer('testlayer_èé', authcfg=self.auth_config.id())
+        self.assertTrue(wfs_layer.isValid())
+        wms_layer = self._getWMSLayer('testlayer_èé', authcfg=self.auth_config.id())
+        self.assertTrue(wms_layer.isValid())
+
+
+if __name__ == '__main__':
+    unittest.main()
@@ -0,0 +1,233 @@
+# -*- coding: utf-8 -*-
+"""
+Tests for auth manager PKI access to postgres.
+
+This is an integration test for QGIS Desktop Auth Manager postgres provider that
+checks if QGIS can use a stored auth manager auth configuration to access
+a PKI protected postgres.
+
+Configuration form the environment:
+
+    * QGIS_POSTGRES_SERVER_PORT (default: 55432)
+    * QGIS_POSTGRES_EXECUTABLE_PATH (default: /usr/lib/postgresql/9.4/bin)
+
+
+From build dir, run: ctest -R PyQgsAuthManagerPKIPostgresTest -V
+
+.. note:: This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2 of the License, or
+(at your option) any later version.
+"""
+import os
+import time
+import signal
+import stat
+import subprocess
+import tempfile
+
+from shutil import rmtree
+
+from utilities import unitTestDataPath
+from qgis.core import (
+    QgsAuthManager,
+    QgsAuthMethodConfig,
+    QgsVectorLayer,
+    QgsDataSourceURI,
+    QgsWKBTypes,
+)
+
+
+from qgis.PyQt.QtNetwork import QSslCertificate
+
+from qgis.testing import (
+    start_app,
+    unittest,
+)
+
+
+__author__ = 'Alessandro Pasotti'
+__date__ = '25/10/2016'
+__copyright__ = 'Copyright 2016, The QGIS Project'
+# This will get replaced with a git SHA1 when you do a git archive
+__revision__ = '$Format:%H$'
+
+QGIS_POSTGRES_SERVER_PORT = os.environ.get('QGIS_POSTGRES_SERVER_PORT', '55432')
+QGIS_POSTGRES_EXECUTABLE_PATH = os.environ.get('QGIS_POSTGRES_EXECUTABLE_PATH', '/usr/lib/postgresql/9.4/bin')
+
+assert os.path.exists(QGIS_POSTGRES_EXECUTABLE_PATH)
+
+QGIS_AUTH_DB_DIR_PATH = tempfile.mkdtemp()
+
+# Postgres test path
+QGIS_PG_TEST_PATH = tempfile.mkdtemp()
+
+os.environ['QGIS_AUTH_DB_DIR_PATH'] = QGIS_AUTH_DB_DIR_PATH
+
+qgis_app = start_app()
+
+QGIS_POSTGRES_CONF_TEMPLATE = """
+hba_file = '%(tempfolder)s/pg_hba.conf'
+listen_addresses = '*'
+port = %(port)s
+max_connections = 100
+unix_socket_directories = '%(tempfolder)s'
+ssl = true
+ssl_ciphers = 'DEFAULT:!LOW:!EXP:!MD5:@STRENGTH'	# allowed SSL ciphers
+ssl_cert_file = '%(server_cert)s'
+ssl_key_file = '%(server_key)s'
+ssl_ca_file = '%(sslrootcert_path)s'
+password_encryption = on
+"""
+
+QGIS_POSTGRES_HBA_TEMPLATE = """
+hostssl    all           all             0.0.0.0/0              cert clientcert=1
+hostssl    all           all             ::1/0                  cert clientcert=1
+host       all           all             127.0.0.1/32           trust
+host       all           all             ::1/32                 trust
+"""
+
+
+class TestAuthManager(unittest.TestCase):
+
+    @classmethod
+    def setUpAuth(cls):
+        """Run before all tests and set up authentication"""
+        authm = QgsAuthManager.instance()
+        assert (authm.setMasterPassword('masterpassword', True))
+        cls.pg_conf = os.path.join(cls.tempfolder, 'postgresql.conf')
+        cls.pg_hba = os.path.join(cls.tempfolder, 'pg_hba.conf')
+        # Client side
+        cls.sslrootcert_path = os.path.join(cls.certsdata_path, 'chains_subissuer-issuer-root_issuer2-root2.pem')
+        cls.sslcert = os.path.join(cls.certsdata_path, 'gerardus_cert.pem')
+        cls.sslkey = os.path.join(cls.certsdata_path, 'gerardus_key.pem')
+        assert os.path.isfile(cls.sslcert)
+        assert os.path.isfile(cls.sslkey)
+        assert os.path.isfile(cls.sslrootcert_path)
+        os.chmod(cls.sslcert, stat.S_IRUSR)
+        os.chmod(cls.sslkey, stat.S_IRUSR)
+        os.chmod(cls.sslrootcert_path, stat.S_IRUSR)
+        cls.auth_config = QgsAuthMethodConfig("PKI-Paths")
+        cls.auth_config.setConfig('certpath', cls.sslcert)
+        cls.auth_config.setConfig('keypath', cls.sslkey)
+        cls.auth_config.setName('test_pki_auth_config')
+        cls.username = 'Gerardus'
+        cls.sslrootcert = QSslCertificate.fromPath(cls.sslrootcert_path)
+        assert cls.sslrootcert is not None
+        authm.storeCertAuthorities(cls.sslrootcert)
+        authm.rebuildCaCertsCache()
+        authm.rebuildTrustedCaCertsCache()
+        authm.rebuildCertTrustCache()
+        assert (authm.storeAuthenticationConfig(cls.auth_config)[0])
+        assert cls.auth_config.isValid()
+
+        # Server side
+        cls.server_cert = os.path.join(cls.certsdata_path, 'localhost_ssl_cert.pem')
+        cls.server_key = os.path.join(cls.certsdata_path, 'localhost_ssl_key.pem')
+        cls.server_rootcert = cls.sslrootcert_path
+        os.chmod(cls.server_cert, stat.S_IRUSR)
+        os.chmod(cls.server_key, stat.S_IRUSR)
+        os.chmod(cls.server_rootcert, stat.S_IRUSR)
+
+        # Place conf in the data folder
+        with open(cls.pg_conf, 'w+') as f:
+            f.write(QGIS_POSTGRES_CONF_TEMPLATE % {
+                'port': cls.port,
+                'tempfolder': cls.tempfolder,
+                'server_cert': cls.server_cert,
+                'server_key': cls.server_key,
+                'sslrootcert_path': cls.sslrootcert_path,
+            })
+
+        with open(cls.pg_hba, 'w+') as f:
+            f.write(QGIS_POSTGRES_HBA_TEMPLATE)
+
+    @classmethod
+    def setUpClass(cls):
+        """Run before all tests:
+        Creates an auth configuration"""
+        cls.port = QGIS_POSTGRES_SERVER_PORT
+        cls.dbname = 'test_pki'
+        cls.tempfolder = QGIS_PG_TEST_PATH
+        cls.certsdata_path = os.path.join(unitTestDataPath('auth_system'), 'certs_keys')
+        cls.hostname = 'localhost'
+        cls.data_path = os.path.join(cls.tempfolder, 'data')
+        os.mkdir(cls.data_path)
+
+        cls.setUpAuth()
+        subprocess.check_call([os.path.join(QGIS_POSTGRES_EXECUTABLE_PATH, 'initdb'), '-D', cls.data_path])
+
+        cls.server = subprocess.Popen([os.path.join(QGIS_POSTGRES_EXECUTABLE_PATH, 'postgres'), '-D',
+                                       cls.data_path, '-c',
+                                       "config_file=%s" % cls.pg_conf],
+                                      env=os.environ,
+                                      stdout=subprocess.PIPE,
+                                      stderr=subprocess.PIPE)
+        # Wait max 10 secs for the server to start
+        end = time.time() + 10
+        while True:
+            line = cls.server.stderr.readline()
+            print(line)
+            if line.find(b"database system is ready to accept") != -1:
+                break
+            if time.time() > end:
+                raise Exception("Timeout connecting to postgresql")
+        # Create a DB
+        subprocess.check_call([os.path.join(QGIS_POSTGRES_EXECUTABLE_PATH, 'createdb'), '-h', 'localhost', '-p', cls.port, 'test_pki'])
+        # Inject test SQL from test path
+        test_sql = os.path.join(unitTestDataPath('provider'), 'testdata_pg.sql')
+        subprocess.check_call([os.path.join(QGIS_POSTGRES_EXECUTABLE_PATH, 'psql'), '-h', 'localhost', '-p', cls.port, '-f', test_sql, cls.dbname])
+        # Create a role
+        subprocess.check_call([os.path.join(QGIS_POSTGRES_EXECUTABLE_PATH, 'psql'), '-h', 'localhost', '-p', cls.port, '-c', 'CREATE ROLE "%s" WITH SUPERUSER LOGIN' % cls.username, cls.dbname])
+
+    @classmethod
+    def tearDownClass(cls):
+        """Run after all tests"""
+        cls.server.terminate()
+        os.kill(cls.server.pid, signal.SIGABRT)
+        del cls.server
+        time.sleep(2)
+        rmtree(QGIS_AUTH_DB_DIR_PATH)
+        rmtree(cls.tempfolder)
+
+    def setUp(self):
+        """Run before each test."""
+        pass
+
+    def tearDown(self):
+        """Run after each test."""
+        pass
+
+    @classmethod
+    def _getPostGISLayer(cls, type_name, layer_name=None, authcfg=None):
+        """
+        PG layer factory
+        """
+        if layer_name is None:
+            layer_name = 'pg_' + type_name
+        uri = QgsDataSourceURI()
+        uri.setWkbType(QgsWKBTypes.Point)
+        uri.setConnection("localhost", cls.port, cls.dbname, "", "", QgsDataSourceURI.SSLverifyFull, authcfg)
+        uri.setKeyColumn('pk')
+        uri.setSrid('EPSG:4326')
+        uri.setDataSource('qgis_test', 'someData', "geom", "", "pk")
+        # Note: do not expand here!
+        layer = QgsVectorLayer(uri.uri(False), layer_name, 'postgres')
+        return layer
+
+    def testValidAuthAccess(self):
+        """
+        Access the protected layer with valid credentials
+        """
+        pg_layer = self._getPostGISLayer('testlayer_èé', authcfg=self.auth_config.id())
+        self.assertTrue(pg_layer.isValid())
+
+    def testInvalidAuthAccess(self):
+        """
+        Access the protected layer with not valid credentials
+        """
+        pg_layer = self._getPostGISLayer('testlayer_èé')
+        self.assertFalse(pg_layer.isValid())
+
+if __name__ == '__main__':
+    unittest.main()
@@ -459,11 +459,13 @@ def _img_diff_error(self, response, headers, image, max_diff=10, max_size_diff=Q
                 report, encoded_rendered_file.strip(), tempfile.gettempdir(), image
             )
 
-        with open(os.path.join(tempfile.gettempdir(), image + "_result_diff.png"), "rb") as diff_file:
-            encoded_diff_file = base64.b64encode(diff_file.read())
-            message += "\nDiff:\necho '%s' | base64 -d > %s/%s_result_diff.png" % (
-                encoded_diff_file.strip(), tempfile.gettempdir(), image
-            )
+        # If the failure is in image sizes the diff file will not exists.
+        if os.path.exists(os.path.join(tempfile.gettempdir(), image + "_result_diff.png")):
+            with open(os.path.join(tempfile.gettempdir(), image + "_result_diff.png"), "rb") as diff_file:
+                encoded_diff_file = base64.b64encode(diff_file.read())
+                message += "\nDiff:\necho '%s' | base64 -d > %s/%s_result_diff.png" % (
+                    encoded_diff_file.strip(), tempfile.gettempdir(), image
+                )
 
         self.assertTrue(test, message)
 
 
@@ -19,9 +19,9 @@
 import platform
 import tempfile
 try:
-    from urllib2 import urlopen, HTTPError
+    from urllib2 import urlopen, HTTPError, URLError
 except ImportError:
-    from urllib.request import urlopen, HTTPError
+    from urllib.request import urlopen, HTTPError, URLError
 
 from qgis.PyQt.QtCore import QDir
 
@@ -833,7 +833,7 @@ def waitServer(url, timeout=10):
         try:
             urlopen(url, timeout=1)
             return True
-        except HTTPError:
+        except (HTTPError, URLError):
             return True
         except Exception as e:
             if now() > end: