Warning

This document is for an in-development version of Galaxy. You can alternatively view this page in the latest release if it exists or view the top of the latest release's documentation.

galaxy.authnz package

Contains implementations for authentication and authorization against an OpenID Connect (OIDC) Identity Provider (IdP).

This package follows “authorization code flow” authentication protocol to authenticate Galaxy users against third-party identity providers.

Additionally, this package implements functionalist’s to request temporary access credentials for cloud-based resource providers (e.g., Amazon AWS, Microsoft Azure).

class galaxy.authnz.IdentityProvider(provider, config, backend_config)[source]

Bases: object

OpenID Connect Identity Provider abstract interface.

__init__(provider, config, backend_config)[source]

Initialize the identity provider using the provided configuration, and raise a ParseError (or any more related specific exception) in case the configuration is malformed.

Parameters:

provider (string) – is the name of the identity provider (e.g., Google).
config (lxml.etree.ElementTree._Element) – Is the configuration element of the provider from the configuration file (e.g., oidc_config.xml). This element contains the all the provider-specific configuration elements.
backend_config (lxml.etree.ElementTree._Element) – Is the configuration element of the backend of the provider from the configuration file (e.g., oidc_backends_config.xml). This element contains all the backend-specific configuration elements.

refresh(trans, token)[source]

authenticate(trans, idphint=None)[source]

Runs for authentication process. Checks the database if a valid identity exists in the database; if yes, then the user is authenticated, if not, it generates a provider-specific authentication flow and returns redirect URI to the controller.

Parameters:: trans (GalaxyWebTransaction) – Galaxy web transaction.
Returns:: a redirect URI to the provider’s authentication endpoint

callback(state_token: str, authz_code: str, trans, login_redirect_url)[source]

Handles authentication call-backs from identity providers.

This process maps state-token to a user.

Parameters:

state_token – is an anti-forgery token which identifies a Galaxy user to whom the given authorization code belongs to.
authz_code – a very short-lived, single-use token to request a refresh token.
trans (GalaxyWebTransaction) – Galaxy web transaction.

Return type:

tuple

Returns:

a tuple of redirect_url and user.

disconnect(provider, trans, disconnect_redirect_url=None, email=None, association_id=None)[source]

logout(trans, post_user_logout_href=None)[source]

Return a URL that will log the user out of the IDP. In OIDC this is called the ‘end_session_endpoint’.

Parameters:

trans (GalaxyWebTransaction) – Galaxy web transaction.
post_user_logout_href (string) – Optional URL to redirect to after logging out of IDP.

decode_user_access_token(sa_session, access_token)[source]

Verifies and decodes an access token against this provider, returning the user and a dict containing the decoded token data.

Parameters:

sa_session (sqlalchemy.orm.scoping.scoped_session) – SQLAlchemy database handle.
access_token (string) – An OIDC access token

Returns:

A tuple containing the user and decoded jwt data

Return type:

Tuple[User, dict]

Submodules

galaxy.authnz.managers module

class galaxy.authnz.managers.AuthnzManager(app, oidc_config_file, oidc_backends_config_file)[source]

Bases: object

__init__(app, oidc_config_file, oidc_backends_config_file)[source]

Parameters:

app (galaxy.app.UniverseApplication)
config (string) – sets the path for OIDC configuration file (e.g., oidc_backends_config.xml).

get_allowed_idps()[source]

static can_user_assume_authn(trans, authn_id)[source]

refresh_expiring_oidc_tokens_for_provider(trans, auth)[source]

refresh_expiring_oidc_tokens(trans, user=None)[source]

authenticate(provider, trans, idphint=None)[source]

Parameters:

provider (string) – set the name of the identity provider to be used for authentication flow.
trans (GalaxyWebTransaction) – Galaxy web transaction.

Returns:

an identity provider specific authentication redirect URI.

callback(provider, state_token, authz_code, trans, login_redirect_url, idphint=None)[source]

create_user(provider, token, trans, login_redirect_url)[source]

match_access_token_to_user(sa_session, access_token)[source]

logout(provider, trans, post_user_logout_href=None)[source]

Log the user out of the identity provider.

Parameters:

provider (string) – set the name of the identity provider.
trans (GalaxyWebTransaction) – Galaxy web transaction.
post_user_logout_href (string) – (Optional) URL for identity provider to redirect to after logging user out.

Returns:

a tuple (success boolean, message, redirect URI)

disconnect(provider, trans, email=None, disconnect_redirect_url=None, idphint=None)[source]

galaxy.authnz.psa_authnz module

class galaxy.authnz.psa_authnz.Redirect(url: str)[source]

Bases: object

Implementation of the HttpResponseProtocol defined in social_core.strategy

__init__(url: str) → None[source]

class galaxy.authnz.psa_authnz.PSAAuthnz(provider, oidc_config, oidc_backend_config, app_config: GalaxyAppConfiguration)[source]

Bases: IdentityProvider

__init__(provider, oidc_config, oidc_backend_config, app_config: GalaxyAppConfiguration)[source]

Initialize the identity provider using the provided configuration, and raise a ParseError (or any more related specific exception) in case the configuration is malformed.

Parameters:

provider (string) – is the name of the identity provider (e.g., Google).
config (lxml.etree.ElementTree._Element) – Is the configuration element of the provider from the configuration file (e.g., oidc_config.xml). This element contains the all the provider-specific configuration elements.
backend_config (lxml.etree.ElementTree._Element) – Is the configuration element of the backend of the provider from the configuration file (e.g., oidc_backends_config.xml). This element contains all the backend-specific configuration elements.

refresh_azure(user_authnz_token)[source]

refresh(trans, user_authnz_token)[source]

authenticate(trans, idphint=None) → HttpResponseProtocol[source]

Runs for authentication process. Checks the database if a valid identity exists in the database; if yes, then the user is authenticated, if not, it generates a provider-specific authentication flow and returns redirect URI to the controller.

Parameters:: trans (GalaxyWebTransaction) – Galaxy web transaction.
Returns:: a redirect URI to the provider’s authentication endpoint

callback(state_token, authz_code, trans, login_redirect_url)[source]

Handles authentication call-backs from identity providers.

This process maps state-token to a user.

Parameters:

state_token – is an anti-forgery token which identifies a Galaxy user to whom the given authorization code belongs to.
authz_code – a very short-lived, single-use token to request a refresh token.
trans (GalaxyWebTransaction) – Galaxy web transaction.

Return type:

tuple

Returns:

a tuple of redirect_url and user.

disconnect(provider, trans, disconnect_redirect_url=None, email=None, association_id=None)[source]

logout(trans, post_user_logout_href=None)[source]

Logout from the identity provider.

For OIDC backends, constructs a logout URL using the end_session_endpoint. For non-OIDC backends, returns the fallback URL.

Parameters:

trans – Galaxy transaction object
post_user_logout_href – URL to redirect to after logout

Returns:

Logout redirect URI

decode_user_access_token(sa_session, access_token)[source]

Verifies and decodes an access token against this provider, returning the user and a dict containing the decoded token data.

This is used for API authentication with Bearer tokens. Only works for OIDC backends.

Parameters:

sa_session – SQLAlchemy database session
access_token – An OIDC access token

Returns:

A tuple containing the user and decoded jwt data, or (None, None) if token is for different provider

Return type:

Tuple[User, dict]

Raises:

Exception – If token is valid but user hasn’t logged in, or token validation fails
NotImplementedError – If backend is not OIDC-based

create_user(token, trans, login_redirect_url)[source]

Create a user from a stored token (deferred user creation).

This is used when require_create_confirmation is enabled. After the user confirms they want to create an account, this method completes the user creation process using the stored token from the authentication callback.

Parameters:

token – JSON-encoded token from the initial authentication
trans – Galaxy transaction object
login_redirect_url – URL to redirect after user creation

Returns:

Tuple of (redirect_url, user)

class galaxy.authnz.psa_authnz.Strategy(request, session, storage, config, tpl=None)[source]

Bases: BaseStrategy

__init__(request, session, storage, config, tpl=None)[source]

get_setting(name)[source]: Return value for given setting name

session_get(name, default=None)[source]: Return session value for given key

session_set(name, value)[source]: Set session value for given key

session_pop(name)[source]: Pop session value for given key

request_data(merge=True)[source]: Return current request data (POST or GET)

request_host()[source]: Return current host value

build_absolute_uri(path=None)[source]: Build absolute URI with given (optional) path

redirect(url: str) → Redirect[source]: Return a response redirect to the given URL

html(content)[source]: Return HTTP response with given content

render_html(tpl=None, html=None, context=None)[source]: Render given template or raw html with given context

class galaxy.authnz.psa_authnz.Storage[source]

Bases: object

user: alias of UserAuthnzToken

nonce: alias of PSANonce

association: alias of PSAAssociation

code: alias of PSACode

partial: alias of PSAPartial

classmethod is_integrity_error(exception)[source]

galaxy.authnz.psa_authnz.on_the_fly_config(sa_session)[source]

galaxy.authnz.psa_authnz.contains_required_data(response=None, is_new=False, backend=None, **kwargs)[source]

This function is called as part of authentication and authorization pipeline before user is authenticated or authorized (see AUTH_PIPELINE).

This function asserts if all the data required by Galaxy for a user is provided. It raises an exception if any of the required data is missing, and returns void if otherwise.

For OIDC backends, verifies presence of id_token and iat claim. For OAuth2 backends, performs basic validation only.

Parameters:

response (dict) –
a dictionary containing decoded response from OIDC backend that contain the following keys among others:
- id_token; see: http://openid.net/specs/openid-connect-core-1_0.html#IDToken
- access_token; see: https://tools.ietf.org/html/rfc6749#section-1.4
- refresh_token; see: https://tools.ietf.org/html/rfc6749#section-1.5
- token_type; see: https://tools.ietf.org/html/rfc6750#section-6.1.1
- scope; see: http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
- expires_in; is the expiration time of the access and ID tokens in seconds since
  the response was generated.
is_new (bool) – has the user been authenticated?
backend – The PSA backend being used for authentication
kwargs –
may contain the following keys among others:
- uid: user ID
- user: Galaxy user; if user is already authenticated
- storage: an instance of Storage class.
- strategy: an instance of the Strategy class.
- state: the state code received from identity provider.
- details: details about the user’s third-party identity as requested in scope.

Return type:

void

Returns:

Raises an exception if any of the required arguments is missing, and pass if all are given.

galaxy.authnz.psa_authnz.verify(strategy=None, response=None, details=None, **kwargs)[source]

galaxy.authnz.psa_authnz.allowed_to_disconnect(name=None, user=None, user_storage=None, strategy=None, backend=None, request=None, details=None, **kwargs)[source]: Disconnect is the process of disassociating a Galaxy user and a third-party authnz. In other words, it is the process of removing any access and/or ID tokens of a user. This function should raise an exception if disconnection is NOT permitted. Do NOT return any value (except an empty dictionary) if disconnect is allowed. Because, at least until PSA social_core v.1.5.0, any returned value (e.g., Boolean) will result in ignoring the rest of the disconnect pipeline. See the following condition in run_pipeline function: https://github.com/python-social-auth/social-core/blob/master/social_core/backends/base.py#L114 :param name: name of the backend (e.g., google-openidconnect) :type user: galaxy.model.User :type user_storage: galaxy.model.UserAuthnzToken :type strategy: galaxy.authnz.psa_authnz.Strategy :type backend: PSA backend object (e.g., social_core.backends.google_openidconnect.GoogleOpenIdConnect) :type request: webob.multidict.MultiDict :type details: dict :return: empty dict

galaxy.authnz.psa_authnz.disconnect(name=None, user=None, user_storage=None, strategy=None, backend=None, request=None, details=None, **kwargs)[source]: Disconnect is the process of disassociating a Galaxy user and a third-party authnz. In other words, it is the process of removing any access and/or ID tokens of a user. :param name: name of the backend (e.g., google-openidconnect) :type user: galaxy.model.User :type user_storage: galaxy.model.UserAuthnzToken :type strategy: galaxy.authnz.psa_authnz.Strategy :type backend: PSA backend object (e.g., social_core.backends.google_openidconnect.GoogleOpenIdConnect) :type request: webob.multidict.MultiDict :type details: dict :return: void or empty dict. Any key-value pair inside the dictionary will be available inside PSA only, and will be passed to the next step in the disconnect pipeline. However, the key-value pair will not be returned as a result of calling the do_disconnect function. Additionally, returning any value except for a(n) (empty) dictionary, will break the disconnect pipeline, and that value will be returned as a result of calling the do_disconnect function.

galaxy.authnz.psa_authnz.decode_access_token(social: UserAuthnzToken, backend, **kwargs)[source]

Auth pipeline step to decode the OIDC access token, if possible.

Note that some OIDC providers return an opaque access token, which cannot be decoded. This step only works for OIDC backends.

Returns the access token, making it available as a new argument “access_token” that can be used in future pipeline steps. If decoding the access token is not possible, access_token will be None.

Depends on “access_token” being present in social.extra_data, which should be handled by social_core.pipeline.social_auth.load_extra_data, so this step should be placed after load_extra_data in the pipeline.

galaxy.authnz.psa_authnz.associate_by_email_if_logged_in(strategy=None, backend=None, details=None, user=None, social=None, is_new=False, *args, **kwargs)[source]

Custom pipeline step to handle email-based account association.

This replaces social_core.pipeline.social_auth.associate_by_email with Galaxy-specific logic: - If user is currently logged in (passed from trans.user): auto-associate the OIDC identity

If identity email matches a different user’s account, store that info for notification

If user is NOT logged in but an account with that email exists: - If fixed_delegated_auth is enabled: auto-associate with existing user - Otherwise: prompt for confirmation
If no account exists: continue with user creation

Returns a dict with ‘user’ if association happened, or a redirect URL to stop the pipeline.

galaxy.authnz.psa_authnz.check_user_creation_confirmation(strategy=None, backend=None, details=None, response=None, is_new=False, user=None, **kwargs)[source]

Pipeline step to handle deferred user creation (require_create_confirmation).

This was a feature from custos where new users could be shown a confirmation page before their account is created. If require_create_confirmation is enabled and this is a new user (no existing Galaxy account), the pipeline is interrupted and the user is redirected to a confirmation page with the token stored for later.

This step should be placed before create_user in the pipeline.