Warning

This document is for an in-development version of Galaxy. You can alternatively view this page in the latest release if it exists or view the top of the latest release's documentation.

galaxy.security package

Galaxy Security

class galaxy.security.Action(action: str, description: str, model: typing_extensions.Literal[grant, restrict])

Bases: object

__init__(action: str, description: str, model: typing_extensions.Literal[grant, restrict])

action: str

description: str

model: typing_extensions.Literal[grant, restrict]

class galaxy.security.RBACAgent

Bases: object

Class that handles galaxy security

permitted_actions = <galaxy.util.bunch.Bunch object>

get_action(name: str, default: Action | None = None) → Action | None

Get a permitted action by its dict key or action name

get_actions() → List[Action]

Get all permitted actions as a list of Action objects

get_item_actions(action, item)

guess_derived_permissions_for_datasets(datasets=None)

can_access_dataset(roles, dataset)

can_manage_dataset(roles, dataset)

can_access_library(roles, library)

can_add_library_item(roles, item)

can_modify_library_item(roles, item)

can_change_object_store_id(user, dataset)

can_manage_library_item(roles, item)

create_private_user_role(user)

get_private_user_role(user)

user_set_default_permissions(user, permissions=None, history=False, dataset=False)

history_set_default_permissions(history, permissions=None, dataset=False, bypass_manage_permission=False)

set_all_dataset_permissions(dataset, permissions, new=False)

set_dataset_permission(dataset, permission)

set_all_library_permissions(trans, dataset, permissions)

set_library_item_permission(library_item, permission)

library_is_public(library)

make_library_public(library)

get_accessible_libraries(trans, user)

get_permitted_libraries(trans, user, actions)

folder_is_public(library)

make_folder_public(folder, count=0)

dataset_is_public(dataset)

make_dataset_public(dataset)

get_permissions(library_dataset)

get_all_roles(trans, cntrller)

get_legitimate_roles(trans, item, cntrller)

derive_roles_from_access(trans, item_id, cntrller, library=False, **kwd)

get_component_associations(**kwd)

components_are_associated(**kwd)

convert_permitted_action_strings(permitted_action_strings)

When getting permitted actions from an untrusted source like a form, ensure that they match our actual permitted actions.

galaxy.security.get_permitted_actions(filter=None)

Utility method to return a subset of RBACAgent’s permitted actions

Submodules

galaxy.security.idencoding module

class galaxy.security.idencoding.IdEncodingHelper(**config)

Bases: object

__init__(**config)

encode_id(obj_id, kind=None, strict_integer=False)

encode_dict_ids(a_dict, kind=None, skip_startswith=None)

Encode all ids in dictionary. Ids are identified by (a) an ‘id’ key or (b) a key that ends with ‘_id’

encode_all_ids(rval, recursive=False)

Encodes all integer values in the dict rval whose keys are ‘id’ or end with ‘_id’ excluding tool_id which are consumed and produced as is via the API.

decode_id(obj_id, kind=None, object_name: str | None = None)

encode_guid(session_key)

decode_guid(session_key: bytes | str) → str

get_new_guid()

class galaxy.security.idencoding.IdAsLowercaseAlphanumEncodingHelper(security: IdEncodingHelper)

Bases: object

Helper class to encode IDs as lowercase alphanumeric strings, and vice versa

__init__(security: IdEncodingHelper)

encode_id(id: int) → str

decode_id(id: str) → int

galaxy.security.object_wrapper module

Classes for wrapping Objects and Sanitizing string output.

galaxy.security.object_wrapper.coerce(x, y)

galaxy.security.object_wrapper.cmp(x, y)

galaxy.security.object_wrapper.sanitize_lists_to_string(values, valid_characters={' ', '!', '(', ')', '*', '+', ',', '-', '.', '/', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', ':', '=', '?', '@', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '^', '_', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z'}, character_map={'\t': '__tc__', '\n': '__cn__', '\r': '__cr__', '"': '__dq__', '#': '__pd__', "'": '__sq__', '<': '__lt__', '>': '__gt__', '[': '__ob__', ']': '__cb__', '{': '__oc__', '}': '__cc__'}, invalid_character='X')

galaxy.security.object_wrapper.wrap_with_safe_string(value, no_wrap_classes=None)

Recursively wrap values that should be wrapped.

class galaxy.security.object_wrapper.SafeStringWrapper(*arg, **kwd)

Bases: object

Class that wraps and sanitizes any provided value’s attributes that will attempt to be cast into a string.

Attempts to mimic behavior of original class, including operands.

To ensure proper handling of e.g. subclass checks, the wrap_with_safe_string() method should be used.

This wrapping occurs in a recursive/parasitic fashion, as all called attributes of the originally wrapped object will also be wrapped and sanitized, unless the attribute is of a type found in __DONT_SANITIZE_TYPES__ + __DONT_WRAP_TYPES__, where e.g. ~(strings will still be sanitized, but not wrapped), and e.g. integers will have neither.

__init__(value, safe_string_wrapper_function=<function wrap_with_safe_string>)

class galaxy.security.object_wrapper.CallableSafeStringWrapper(*arg, **kwd)

Bases: SafeStringWrapper

galaxy.security.object_wrapper.pickle_SafeStringWrapper(safe_object)

galaxy.security.passwords module

galaxy.security.passwords.hash_password(password)

Hash a password, currently will use the PBKDF2 scheme.

galaxy.security.passwords.check_password(guess, hashed)

Check a hashed password. Supports either PBKDF2 if the hash is prefixed with that string, or sha1 otherwise.

galaxy.security.passwords.hash_password_PBKDF2(password)

galaxy.security.passwords.check_password_PBKDF2(guess, hashed)

galaxy.security.passwords.pbkdf2_bin(data, salt, iterations=100000, keylen=24, hashfunc='sha256')

Returns a binary digest for the PBKDF2 hash algorithm of data with the given salt. It iterates iterations time and produces a key of keylen bytes. By default SHA-256 is used as hash function, a different hashlib hashfunc can be provided.

galaxy.security.ssh_util module

class galaxy.security.ssh_util.SSHKeys(private_key, public_key, private_key_file, public_key_file)

Bases: NamedTuple

private_key: bytes

Alias for field number 0

public_key: bytes

Alias for field number 1

private_key_file: str

Alias for field number 2

public_key_file: str

Alias for field number 3

galaxy.security.ssh_util.generate_ssh_keys() → SSHKeys

Returns a named tuple with private and public key and their paths.

galaxy.security.validate_user_input module

Utilities for validating inputs related to user objects.

The validate_* methods in this file return simple messages that do not contain user inputs - so these methods do not need to be escaped.

galaxy.security.validate_user_input.is_valid_email_str(email)

Validates a string containing an email address and returns a boolean result.

galaxy.security.validate_user_input.validate_email_str(email)

Validates a string containing an email address.

galaxy.security.validate_user_input.validate_password_str(password)

galaxy.security.validate_user_input.validate_publicname_str(publicname)

Validates a string containing a public username.

galaxy.security.validate_user_input.validate_email(trans, email, user=None, check_dup=True, allow_empty=False, validate_domain=False)

Validates the email format. Checks whether the domain is blocklisted in the disposable domains configuration. Checks whether the email address is banned.

galaxy.security.validate_user_input.validate_email_domain_name(domain: str) → LiteralString

galaxy.security.validate_user_input.extract_domain(email, base_only=False)

galaxy.security.validate_user_input.validate_publicname(trans, publicname, user=None)

Check that publicname respects the minimum and maximum string length, the allowed characters, and that the username is not taken already.

galaxy.security.validate_user_input.transform_publicname(publicname)

Transform publicname to respect the minimum and maximum string length, and the allowed characters. FILL_CHAR is used to extend or replace characters.

galaxy.security.validate_user_input.validate_password(trans, password, confirm)

galaxy.security.validate_user_input.validate_preferred_object_store_id(trans, object_store: ObjectStore, preferred_object_store_id: str | None) → str

galaxy.security.validate_user_input.is_email_banned(email: str, filepath: str | None, canonical_email_rules: Dict | None) → bool

class galaxy.security.validate_user_input.EmailAddressNormalizer(canonical_email_rules: Dict | None)

Bases: object

IGNORE_CASE_RULE = 'ignore_case'

IGNORE_DOTS_RULE = 'ignore_dots'

SUB_ADDRESSING_RULE = 'sub_addressing'

SUB_ADDRESSING_DELIM = 'sub_addressing_delim'

SUB_ADDRESSING_DELIM_DEFAULT = '+'

ALL = 'all'

__init__(canonical_email_rules: Dict | None) → None

normalize(email: str) → str

Transform email to its canonical form.

galaxy.security.vault module

exception galaxy.security.vault.InvalidVaultConfigException

Bases: Exception

exception galaxy.security.vault.InvalidVaultKeyException

Bases: Exception

class galaxy.security.vault.Vault

Bases: ABC

A simple abstraction for reading/writing from external vaults.

abstract read_secret(key: str) → str | None

Reads a secret from the vault.

Parameters:

key – The key to read. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

Returns:

The string value stored at the key, such as ‘ace_editor’.

abstract write_secret(key: str, value: str) → None

Write a secret to the vault.

Parameters:

• key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

• value – The value to write, such as ‘vscode’

Returns:

abstract list_secrets(key: str) → List[str]

Lists secrets at a given path.

Parameters:

key – The key prefix to list. e.g. /galaxy/user/1/preferences. A trailing slash is optional.

Returns:

The list of subkeys at path. e.g. [‘/galaxy/user/1/preferences/editor`, ‘/galaxy/user/1/preferences/storage`] Note that only immediate subkeys are returned.

delete_secret(key: str) → None

Eliminate a secret from the target vault.

Ideally the entry in the target source if removed, but by default the secret is simply overwritten with the empty string as its value.

Parameters:

• key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

• value – The value to write, such as ‘vscode’

Returns:

class galaxy.security.vault.NullVault

Bases: Vault

read_secret(key: str) → str | None

Reads a secret from the vault.

Parameters:

key – The key to read. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

Returns:

The string value stored at the key, such as ‘ace_editor’.

write_secret(key: str, value: str) → None

Write a secret to the vault.

Parameters:

• key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

• value – The value to write, such as ‘vscode’

Returns:

list_secrets(key: str) → List[str]

Lists secrets at a given path.

Parameters:

key – The key prefix to list. e.g. /galaxy/user/1/preferences. A trailing slash is optional.

Returns:

The list of subkeys at path. e.g. [‘/galaxy/user/1/preferences/editor`, ‘/galaxy/user/1/preferences/storage`] Note that only immediate subkeys are returned.

class galaxy.security.vault.HashicorpVault(config)

Bases: Vault

__init__(config)

read_secret(key: str) → str | None

Reads a secret from the vault.

Parameters:

key – The key to read. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

Returns:

The string value stored at the key, such as ‘ace_editor’.

write_secret(key: str, value: str) → None

Write a secret to the vault.

Parameters:

• key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

• value – The value to write, such as ‘vscode’

Returns:

list_secrets(key: str) → List[str]

Lists secrets at a given path.

Parameters:

key – The key prefix to list. e.g. /galaxy/user/1/preferences. A trailing slash is optional.

Returns:

The list of subkeys at path. e.g. [‘/galaxy/user/1/preferences/editor`, ‘/galaxy/user/1/preferences/storage`] Note that only immediate subkeys are returned.

class galaxy.security.vault.DatabaseVault(sa_session, config)

Bases: Vault

__init__(sa_session, config)

read_secret(key: str) → str | None

Reads a secret from the vault.

Parameters:

key – The key to read. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

Returns:

The string value stored at the key, such as ‘ace_editor’.

write_secret(key: str, value: str) → None

Write a secret to the vault.

Parameters:

• key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

• value – The value to write, such as ‘vscode’

Returns:

delete_secret(key: str) → None

Eliminate a secret from the target vault.

Ideally the entry in the target source if removed, but by default the secret is simply overwritten with the empty string as its value.

Parameters:

• key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

• value – The value to write, such as ‘vscode’

Returns:

list_secrets(key: str) → List[str]

Lists secrets at a given path.

Parameters:

key – The key prefix to list. e.g. /galaxy/user/1/preferences. A trailing slash is optional.

Returns:

The list of subkeys at path. e.g. [‘/galaxy/user/1/preferences/editor`, ‘/galaxy/user/1/preferences/storage`] Note that only immediate subkeys are returned.

class galaxy.security.vault.CustosVault(config)

Bases: Vault

__init__(config)

read_secret(key: str) → str | None

Reads a secret from the vault.

Parameters:

key – The key to read. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

Returns:

The string value stored at the key, such as ‘ace_editor’.

write_secret(key: str, value: str) → None

Write a secret to the vault.

Parameters:

• key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

• value – The value to write, such as ‘vscode’

Returns:

list_secrets(key: str) → List[str]

Lists secrets at a given path.

Parameters:

key – The key prefix to list. e.g. /galaxy/user/1/preferences. A trailing slash is optional.

Returns:

The list of subkeys at path. e.g. [‘/galaxy/user/1/preferences/editor`, ‘/galaxy/user/1/preferences/storage`] Note that only immediate subkeys are returned.

class galaxy.security.vault.UserVaultWrapper(vault: Vault, user)

Bases: Vault

__init__(vault: Vault, user)

read_secret(key: str) → str | None

Reads a secret from the vault.

Parameters:

key – The key to read. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

Returns:

The string value stored at the key, such as ‘ace_editor’.

write_secret(key: str, value: str) → None

Write a secret to the vault.

Parameters:

• key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

• value – The value to write, such as ‘vscode’

Returns:

list_secrets(key: str) → List[str]

Lists secrets at a given path.

Parameters:

key – The key prefix to list. e.g. /galaxy/user/1/preferences. A trailing slash is optional.

Returns:

The list of subkeys at path. e.g. [‘/galaxy/user/1/preferences/editor`, ‘/galaxy/user/1/preferences/storage`] Note that only immediate subkeys are returned.

class galaxy.security.vault.VaultKeyValidationWrapper(vault: Vault)

Bases: Vault

A decorator to standardize and validate vault key paths

__init__(vault: Vault)

static validate_key(key)

normalize_key(key)

read_secret(key: str) → str | None

Reads a secret from the vault.

Parameters:

key – The key to read. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

Returns:

The string value stored at the key, such as ‘ace_editor’.

write_secret(key: str, value: str) → None

Write a secret to the vault.

Parameters:

• key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

• value – The value to write, such as ‘vscode’

Returns:

list_secrets(key: str) → List[str]

Lists secrets at a given path.

Parameters:

key – The key prefix to list. e.g. /galaxy/user/1/preferences. A trailing slash is optional.

Returns:

The list of subkeys at path. e.g. [‘/galaxy/user/1/preferences/editor`, ‘/galaxy/user/1/preferences/storage`] Note that only immediate subkeys are returned.

class galaxy.security.vault.VaultKeyPrefixWrapper(vault: Vault, prefix: str)

Bases: Vault

Adds a prefix to all vault keys, such as the galaxy instance id

__init__(vault: Vault, prefix: str)

read_secret(key: str) → str | None

Reads a secret from the vault.

Parameters:

key – The key to read. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

Returns:

The string value stored at the key, such as ‘ace_editor’.

write_secret(key: str, value: str) → None

Write a secret to the vault.

Parameters:

• key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

• value – The value to write, such as ‘vscode’

Returns:

list_secrets(key: str) → List[str]

Lists secrets at a given path.

Parameters:

key – The key prefix to list. e.g. /galaxy/user/1/preferences. A trailing slash is optional.

Returns:

The list of subkeys at path. e.g. [‘/galaxy/user/1/preferences/editor`, ‘/galaxy/user/1/preferences/storage`] Note that only immediate subkeys are returned.

class galaxy.security.vault.VaultFactory

Bases: object

static load_vault_config(vault_conf_yml: str) → dict | None

static from_vault_type(app, vault_type: str | None, cfg: dict) → Vault

static from_app(app) → Vault

galaxy.security.vault.is_vault_configured(vault: Vault) → bool