Warning
This document is for an in-development version of Galaxy. You can alternatively view this page in the latest release if it exists or view the top of the latest release's documentation.
galaxy.security package
Galaxy Security
- class galaxy.security.Action(action: str, description: str, model: typing_extensions.Literal[grant, restrict])[source]
Bases:
object
- model: typing_extensions.Literal[grant, restrict]
- class galaxy.security.RBACAgent[source]
Bases:
object
Class that handles galaxy security
- permitted_actions = <galaxy.util.bunch.Bunch object>
- get_action(name: str, default: Action | None = None) Action | None [source]
Get a permitted action by its dict key or action name
- galaxy.security.get_permitted_actions(filter=None)[source]
Utility method to return a subset of RBACAgent’s permitted actions
Submodules
galaxy.security.idencoding module
- class galaxy.security.idencoding.IdEncodingHelper(**config)[source]
Bases:
object
- encode_dict_ids(a_dict, kind=None, skip_startswith=None)[source]
Encode all ids in dictionary. Ids are identified by (a) an ‘id’ key or (b) a key that ends with ‘_id’
- class galaxy.security.idencoding.IdAsLowercaseAlphanumEncodingHelper(security: IdEncodingHelper)[source]
Bases:
object
Helper class to encode IDs as lowercase alphanumeric strings, and vice versa
- __init__(security: IdEncodingHelper)[source]
galaxy.security.object_wrapper module
Classes for wrapping Objects and Sanitizing string output.
- galaxy.security.object_wrapper.sanitize_lists_to_string(values, valid_characters={' ', '!', '(', ')', '*', '+', ',', '-', '.', '/', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', ':', '=', '?', '@', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '^', '_', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z'}, character_map={'\t': '__tc__', '\n': '__cn__', '\r': '__cr__', '"': '__dq__', '#': '__pd__', "'": '__sq__', '<': '__lt__', '>': '__gt__', '[': '__ob__', ']': '__cb__', '{': '__oc__', '}': '__cc__'}, invalid_character='X')[source]
- galaxy.security.object_wrapper.wrap_with_safe_string(value, no_wrap_classes=None)[source]
Recursively wrap values that should be wrapped.
- class galaxy.security.object_wrapper.SafeStringWrapper(*arg, **kwd)[source]
Bases:
object
Class that wraps and sanitizes any provided value’s attributes that will attempt to be cast into a string.
Attempts to mimic behavior of original class, including operands.
To ensure proper handling of e.g. subclass checks, the wrap_with_safe_string() method should be used.
This wrapping occurs in a recursive/parasitic fashion, as all called attributes of the originally wrapped object will also be wrapped and sanitized, unless the attribute is of a type found in __DONT_SANITIZE_TYPES__ + __DONT_WRAP_TYPES__, where e.g. ~(strings will still be sanitized, but not wrapped), and e.g. integers will have neither.
- class galaxy.security.object_wrapper.CallableSafeStringWrapper(*arg, **kwd)[source]
Bases:
SafeStringWrapper
galaxy.security.passwords module
- galaxy.security.passwords.hash_password(password)[source]
Hash a password, currently will use the PBKDF2 scheme.
- galaxy.security.passwords.check_password(guess, hashed)[source]
Check a hashed password. Supports either PBKDF2 if the hash is prefixed with that string, or sha1 otherwise.
- galaxy.security.passwords.pbkdf2_bin(data, salt, iterations=100000, keylen=24, hashfunc='sha256')[source]
Returns a binary digest for the PBKDF2 hash algorithm of data with the given salt. It iterates iterations time and produces a key of keylen bytes. By default SHA-256 is used as hash function, a different hashlib hashfunc can be provided.
galaxy.security.ssh_util module
galaxy.security.validate_user_input module
Utilities for validating inputs related to user objects.
The validate_* methods in this file return simple messages that do not contain user inputs - so these methods do not need to be escaped.
- galaxy.security.validate_user_input.validate_email_str(email)[source]
Validates a string containing an email address.
- galaxy.security.validate_user_input.validate_publicname_str(publicname)[source]
Validates a string containing a public username.
- galaxy.security.validate_user_input.validate_email(trans, email, user=None, check_dup=True, allow_empty=False, validate_domain=False)[source]
Validates the email format, also checks whether the domain is blocklisted in the disposable domains configuration.
- galaxy.security.validate_user_input.validate_publicname(trans, publicname, user=None)[source]
Check that publicname respects the minimum and maximum string length, the allowed characters, and that the username is not taken already.
galaxy.security.vault module
- class galaxy.security.vault.Vault[source]
Bases:
ABC
A simple abstraction for reading/writing from external vaults.
- abstract read_secret(key: str) str | None [source]
Reads a secret from the vault.
- Parameters:
key – The key to read. Typically a hierarchical path such as /galaxy/user/1/preferences/editor
- Returns:
The string value stored at the key, such as ‘ace_editor’.
- abstract write_secret(key: str, value: str) None [source]
Write a secret to the vault.
- Parameters:
key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor
value – The value to write, such as ‘vscode’
- Returns:
- abstract list_secrets(key: str) List[str] [source]
Lists secrets at a given path.
- Parameters:
key – The key prefix to list. e.g. /galaxy/user/1/preferences. A trailing slash is optional.
- Returns:
The list of subkeys at path. e.g. [‘/galaxy/user/1/preferences/editor`, ‘/galaxy/user/1/preferences/storage`] Note that only immediate subkeys are returned.
- delete_secret(key: str) None [source]
Eliminate a secret from the target vault.
Ideally the entry in the target source if removed, but by default the secret is simply overwritten with the empty string as its value.
- Parameters:
key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor
value – The value to write, such as ‘vscode’
- Returns:
- class galaxy.security.vault.NullVault[source]
Bases:
Vault
- read_secret(key: str) str | None [source]
Reads a secret from the vault.
- Parameters:
key – The key to read. Typically a hierarchical path such as /galaxy/user/1/preferences/editor
- Returns:
The string value stored at the key, such as ‘ace_editor’.
- write_secret(key: str, value: str) None [source]
Write a secret to the vault.
- Parameters:
key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor
value – The value to write, such as ‘vscode’
- Returns:
- list_secrets(key: str) List[str] [source]
Lists secrets at a given path.
- Parameters:
key – The key prefix to list. e.g. /galaxy/user/1/preferences. A trailing slash is optional.
- Returns:
The list of subkeys at path. e.g. [‘/galaxy/user/1/preferences/editor`, ‘/galaxy/user/1/preferences/storage`] Note that only immediate subkeys are returned.
- class galaxy.security.vault.HashicorpVault(config)[source]
Bases:
Vault
- read_secret(key: str) str | None [source]
Reads a secret from the vault.
- Parameters:
key – The key to read. Typically a hierarchical path such as /galaxy/user/1/preferences/editor
- Returns:
The string value stored at the key, such as ‘ace_editor’.
- write_secret(key: str, value: str) None [source]
Write a secret to the vault.
- Parameters:
key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor
value – The value to write, such as ‘vscode’
- Returns:
- list_secrets(key: str) List[str] [source]
Lists secrets at a given path.
- Parameters:
key – The key prefix to list. e.g. /galaxy/user/1/preferences. A trailing slash is optional.
- Returns:
The list of subkeys at path. e.g. [‘/galaxy/user/1/preferences/editor`, ‘/galaxy/user/1/preferences/storage`] Note that only immediate subkeys are returned.
- class galaxy.security.vault.DatabaseVault(sa_session, config)[source]
Bases:
Vault
- read_secret(key: str) str | None [source]
Reads a secret from the vault.
- Parameters:
key – The key to read. Typically a hierarchical path such as /galaxy/user/1/preferences/editor
- Returns:
The string value stored at the key, such as ‘ace_editor’.
- write_secret(key: str, value: str) None [source]
Write a secret to the vault.
- Parameters:
key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor
value – The value to write, such as ‘vscode’
- Returns:
- delete_secret(key: str) None [source]
Eliminate a secret from the target vault.
Ideally the entry in the target source if removed, but by default the secret is simply overwritten with the empty string as its value.
- Parameters:
key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor
value – The value to write, such as ‘vscode’
- Returns:
- list_secrets(key: str) List[str] [source]
Lists secrets at a given path.
- Parameters:
key – The key prefix to list. e.g. /galaxy/user/1/preferences. A trailing slash is optional.
- Returns:
The list of subkeys at path. e.g. [‘/galaxy/user/1/preferences/editor`, ‘/galaxy/user/1/preferences/storage`] Note that only immediate subkeys are returned.
- class galaxy.security.vault.CustosVault(config)[source]
Bases:
Vault
- read_secret(key: str) str | None [source]
Reads a secret from the vault.
- Parameters:
key – The key to read. Typically a hierarchical path such as /galaxy/user/1/preferences/editor
- Returns:
The string value stored at the key, such as ‘ace_editor’.
- write_secret(key: str, value: str) None [source]
Write a secret to the vault.
- Parameters:
key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor
value – The value to write, such as ‘vscode’
- Returns:
- list_secrets(key: str) List[str] [source]
Lists secrets at a given path.
- Parameters:
key – The key prefix to list. e.g. /galaxy/user/1/preferences. A trailing slash is optional.
- Returns:
The list of subkeys at path. e.g. [‘/galaxy/user/1/preferences/editor`, ‘/galaxy/user/1/preferences/storage`] Note that only immediate subkeys are returned.
- class galaxy.security.vault.UserVaultWrapper(vault: Vault, user)[source]
Bases:
Vault
- read_secret(key: str) str | None [source]
Reads a secret from the vault.
- Parameters:
key – The key to read. Typically a hierarchical path such as /galaxy/user/1/preferences/editor
- Returns:
The string value stored at the key, such as ‘ace_editor’.
- write_secret(key: str, value: str) None [source]
Write a secret to the vault.
- Parameters:
key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor
value – The value to write, such as ‘vscode’
- Returns:
- list_secrets(key: str) List[str] [source]
Lists secrets at a given path.
- Parameters:
key – The key prefix to list. e.g. /galaxy/user/1/preferences. A trailing slash is optional.
- Returns:
The list of subkeys at path. e.g. [‘/galaxy/user/1/preferences/editor`, ‘/galaxy/user/1/preferences/storage`] Note that only immediate subkeys are returned.
- class galaxy.security.vault.VaultKeyValidationWrapper(vault: Vault)[source]
Bases:
Vault
A decorator to standardize and validate vault key paths
- read_secret(key: str) str | None [source]
Reads a secret from the vault.
- Parameters:
key – The key to read. Typically a hierarchical path such as /galaxy/user/1/preferences/editor
- Returns:
The string value stored at the key, such as ‘ace_editor’.
- write_secret(key: str, value: str) None [source]
Write a secret to the vault.
- Parameters:
key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor
value – The value to write, such as ‘vscode’
- Returns:
- list_secrets(key: str) List[str] [source]
Lists secrets at a given path.
- Parameters:
key – The key prefix to list. e.g. /galaxy/user/1/preferences. A trailing slash is optional.
- Returns:
The list of subkeys at path. e.g. [‘/galaxy/user/1/preferences/editor`, ‘/galaxy/user/1/preferences/storage`] Note that only immediate subkeys are returned.
- class galaxy.security.vault.VaultKeyPrefixWrapper(vault: Vault, prefix: str)[source]
Bases:
Vault
Adds a prefix to all vault keys, such as the galaxy instance id
- read_secret(key: str) str | None [source]
Reads a secret from the vault.
- Parameters:
key – The key to read. Typically a hierarchical path such as /galaxy/user/1/preferences/editor
- Returns:
The string value stored at the key, such as ‘ace_editor’.
- write_secret(key: str, value: str) None [source]
Write a secret to the vault.
- Parameters:
key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor
value – The value to write, such as ‘vscode’
- Returns:
- list_secrets(key: str) List[str] [source]
Lists secrets at a given path.
- Parameters:
key – The key prefix to list. e.g. /galaxy/user/1/preferences. A trailing slash is optional.
- Returns:
The list of subkeys at path. e.g. [‘/galaxy/user/1/preferences/editor`, ‘/galaxy/user/1/preferences/storage`] Note that only immediate subkeys are returned.