galaxy.authnz package

Contains implementations for authentication and authorization against an OpenID Connect (OIDC) Identity Provider (IdP).

This package follows the OIDC “authorization code flow” protocol to authenticate Galaxy users against third-party identity providers.

Additionally, this package implements functionality to request temporary access credentials from cloud-based resource providers (e.g., Amazon AWS, Microsoft Azure).

class galaxy.authnz.IdentityProvider(provider, config)[source]

Bases: object

OpenID Connect Identity Provider abstract interface.

__init__(provider, config)[source]

Initialize the identity provider using the provided configuration, and raise a ParseError (or a more specific related exception) if the configuration is malformed.

Parameters:
  • provider (string) – the name of the identity provider (e.g., Google).
  • config (xml.etree.ElementTree.Element) – the configuration element of the provider from the configuration file (e.g., oidc_config.xml). This element contains all the provider-specific configuration elements.
authenticate(provider, trans)[source]

Runs the authentication process. Checks whether a valid identity for the user already exists in the database; if so, the user is authenticated. Otherwise, it starts a provider-specific authentication flow and returns a redirect URI to the controller.

Parameters: trans (GalaxyWebTransaction) – Galaxy web transaction.
Returns: a redirect URI to the provider’s authentication endpoint.
callback(state_token, authz_code, trans, login_redirect_url)[source]

Handles authentication call-backs from identity providers. This process maps the state token to a user.

Parameters:
  • state_token (string) – an anti-forgery token which identifies the Galaxy user to whom the given authorization code belongs.
  • authz_code (string) – a very short-lived, single-use token used to request a refresh token.
  • trans (GalaxyWebTransaction) – Galaxy web transaction.
Return boolean:

True if the callback is handled successfully. False if processing the callback fails, in which case Galaxy attempts re-authentication.
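The authenticate()/callback() pair above relies on the state token to tie an incoming authorization code back to the Galaxy user who started the flow. The following added example (not Galaxy's own code) shows that round trip end to end: a state token is issued and bound to a user when the redirect URI is built, and the callback accepts a code only if it arrives with a state that was issued, has not expired and has not been used before. The in-memory StateStore stands in for the database lookup that callback() performs, and the endpoint, client id and redirect URI are constructed placeholders, not values from any real oidc_config.xml.

```python
"""Added example (not Galaxy's code): the anti-forgery state round trip of the
OIDC authorization code flow, as described for authenticate() and callback().

Everything below is constructed for illustration: StateStore stands in for the
database lookup callback() performs, and the endpoint, client id and redirect
URI are placeholders rather than values from a real oidc_config.xml.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders (a real deployment reads these from oidc_config.xml).
AUTHORIZATION_ENDPOINT = "https://idp.example.invalid/authorize"
CLIENT_ID = "galaxy-client-id-placeholder"
REDIRECT_URI = "https://galaxy.example.invalid/authnz/callback"
STATE_TTL_SECONDS = 300


class StateStore:
    """Maps an issued state token to the Galaxy user who started the flow."""

    def __init__(self):
        self._pending = {}

    def issue(self, galaxy_user_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable, so it cannot be forged
        self._pending[token] = (galaxy_user_id, now + STATE_TTL_SECONDS)
        return token

    def consume(self, token, now=None):
        """Return the user id bound to token, or None if the token is unknown,
        expired or already used. Popping it first makes every token single-use."""
        now = time.time() if now is None else now
        entry = self._pending.pop(token, None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if now > expires_at:
            return None
        return user_id


def authenticate(store, galaxy_user_id):
    """Start the flow: bind a fresh state token to the user and build the
    redirect URI to the provider's authorization endpoint."""
    state = store.issue(galaxy_user_id)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email profile",
        "state": state,
    }
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"


def state_from_redirect(uri):
    """Read the state parameter back out of a redirect URI."""
    return parse_qs(urlparse(uri).query)["state"][0]


def callback(store, callback_url, now=None):
    """Handle the provider's redirect back to Galaxy.

    Returns (ok, galaxy_user_id, authz_code). ok is False whenever the state is
    missing, unknown, expired or replayed; the code is then never exchanged
    and, as documented above, Galaxy would re-authenticate the user."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    code = query.get("code", [None])[0]
    if not state or not code:
        return False, None, None
    user_id = store.consume(state, now=now)
    if user_id is None:
        return False, None, None
    return True, user_id, code


if __name__ == "__main__":
    store = StateStore()
    redirect = authenticate(store, galaxy_user_id=42)
    state = state_from_redirect(redirect)
    # Genuine callback: state matches and the code is accepted once.
    print(callback(store, f"{REDIRECT_URI}?code=constructed-code&state={state}"))
    # Replay of the same callback: the state is already consumed, so rejected.
    print(callback(store, f"{REDIRECT_URI}?code=constructed-code&state={state}"))
    # Callback carrying a state Galaxy never issued: rejected.
    print(callback(store, f"{REDIRECT_URI}?code=constructed-code&state=not-issued"))
```

Binding the state to the user before the redirect, and deleting it on first use, is what lets callback() refuse both a forged callback and a replayed one; the short TTL bounds how long an unused state stays valid.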

disconnect(provider, trans, disconnect_redirect_url=None)[source]

Submodules

galaxy.authnz.managers module

class galaxy.authnz.managers.AuthnzManager(app, oidc_config_file, oidc_backends_config_file)[source]

Bases: object

__init__(app, oidc_config_file, oidc_backends_config_file)[source]
authenticate(provider, trans)[source]
Parameters:
  • provider (string) – the name of the identity provider to be used for the authentication flow.
  • trans (GalaxyWebTransaction) – Galaxy web transaction.
Returns: an identity provider specific authentication redirect URI.

callback(provider, state_token, authz_code, trans, login_redirect_url)[source]
disconnect(provider, trans, disconnect_redirect_url=None)[source]

galaxy.authnz.psa_authnz module

class galaxy.authnz.psa_authnz.PSAAuthnz(provider, oidc_config, oidc_backend_config)[source]

Bases: galaxy.authnz.IdentityProvider

__init__(provider, oidc_config, oidc_backend_config)[source]
authenticate(trans)[source]
callback(state_token, authz_code, trans, login_redirect_url)[source]
disconnect(provider, trans, disconnect_redirect_url=None, association_id=None)[source]
class galaxy.authnz.psa_authnz.Strategy(trans, storage, config, tpl=None)[source]

Bases: social_core.strategy.BaseStrategy

__init__(trans, storage, config, tpl=None)[source]
get_setting(name)[source]
session_get(name, default=None)[source]
session_set(name, value)[source]
session_pop(name)[source]
request_data(merge=True)[source]
request_host()[source]
build_absolute_uri(path=None)[source]
redirect(url)[source]
html(content)[source]
render_html(tpl=None, html=None, context=None)[source]
start()[source]
complete(*args, **kwargs)[source]
continue_pipeline(*args, **kwargs)[source]
class galaxy.authnz.psa_authnz.Storage[source]
user

alias of galaxy.model.UserAuthnzToken

nonce

alias of galaxy.model.PSANonce

association

alias of galaxy.model.PSAAssociation

code

alias of galaxy.model.PSACode

partial

alias of galaxy.model.PSAPartial

classmethod is_integrity_error(exception)[source]
galaxy.authnz.psa_authnz.contains_required_data(response=None, is_new=False, **kwargs)[source]

This function is called as part of the authentication and authorization pipeline, before a user is authenticated or authorized (see AUTH_PIPELINE).

This function asserts that all the data required by Galaxy for a user is provided. It raises an exception if any of the required data is missing, and returns void otherwise.

Return type: void

Returns: nothing; raises an exception if any of the required arguments is missing, and passes if all are given.

galaxy.authnz.psa_authnz.allowed_to_disconnect(name=None, user=None, user_storage=None, strategy=None, backend=None, request=None, details=None, **kwargs)[source]

Disconnect is the process of disassociating a Galaxy user from a third-party authnz provider. In other words, it is the process of removing any access and/or ID tokens of a user. This function should raise an exception if disconnection is NOT permitted, and should NOT return any value (except an empty dictionary) if disconnect is allowed, because, at least until PSA social_core v.1.5.0, any other returned value (e.g., a Boolean) results in the rest of the disconnect pipeline being skipped. See the following condition in the run_pipeline function: https://github.com/python-social-auth/social-core/blob/master/social_core/backends/base.py#L114

Parameters:
  • name – name of the backend (e.g., google-openidconnect).
  • user (galaxy.model.User)
  • user_storage (galaxy.model.UserAuthnzToken)
  • strategy (galaxy.authnz.psa_authnz.Strategy)
  • backend – PSA backend object (e.g., social_core.backends.google_openidconnect.GoogleOpenIdConnect).
  • request (webob.multidict.MultiDict)
  • details (dict)
Returns: empty dict.

galaxy.authnz.psa_authnz.disconnect(name=None, user=None, user_storage=None, strategy=None, backend=None, request=None, details=None, **kwargs)[source]

Disconnect is the process of disassociating a Galaxy user from a third-party authnz provider. In other words, it is the process of removing any access and/or ID tokens of a user.

Parameters:
  • name – name of the backend (e.g., google-openidconnect).
  • user (galaxy.model.User)
  • user_storage (galaxy.model.UserAuthnzToken)
  • strategy (galaxy.authnz.psa_authnz.Strategy)
  • backend – PSA backend object (e.g., social_core.backends.google_openidconnect.GoogleOpenIdConnect).
  • request (webob.multidict.MultiDict)
  • details (dict)
Returns: void or an empty dict. Any key-value pair inside the dictionary will be available inside PSA only, and will be passed to the next step in the disconnect pipeline; however, it will not be returned as a result of calling the do_disconnect function. Additionally, returning any value other than an (empty) dictionary will break the disconnect pipeline, and that value will be returned as the result of calling the do_disconnect function.
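The return-value rule that contains_required_data, allowed_to_disconnect and disconnect above all depend on (a step may raise, or return nothing or a dict; anything else ends the pipeline early and becomes do_disconnect's result) is easy to get wrong, so the following added example makes it concrete. It is not Galaxy's or social_core's code: run_pipeline is a minimal re-implementation of the rule as the docstrings describe it (the real condition is at the social_core link above), the step functions mirror contains_required_data and allowed_to_disconnect in shape only, and the required field names, the disconnect policy and the sample user and tokens are constructed for the example.

```python
"""Added example (not Galaxy's or social_core's code): how the pipeline return
rule described above behaves, using a minimal re-implementation of the loop.

Constructed for illustration: REQUIRED_FIELDS, the 'has_password' policy and
the sample user/token data are not Galaxy's actual values.
"""

REQUIRED_FIELDS = ("username", "email")  # constructed; Galaxy's set may differ


class MissingRequiredData(Exception):
    """Raised by the contains_required_data-style step when a field is absent."""


class DisconnectNotAllowed(Exception):
    """Raised by the allowed_to_disconnect-style step to refuse a disconnect."""


def run_pipeline(pipeline, **kwargs):
    """Call each step with the accumulated keyword arguments.

    A step returning None or a dict lets the run continue (dict items are merged
    into the arguments of the following steps). Any other value is returned at
    once and the remaining steps never execute: this is the behaviour the
    docstrings above warn about."""
    out = dict(kwargs)
    for step in pipeline:
        result = step(**out) or {}
        if not isinstance(result, dict):
            return result
        out.update(result)
    return out


def contains_required_data(response=None, **kwargs):
    """Authentication step: raise if a required field is missing, else return void."""
    response = response or {}
    missing = [field for field in REQUIRED_FIELDS if not response.get(field)]
    if missing:
        raise MissingRequiredData("missing required field(s): " + ", ".join(missing))


def allowed_to_disconnect(user=None, **kwargs):
    """Disconnect step written as documented: raise when refused, return {} when
    allowed. Constructed policy: a user with no other way to log in may not
    drop their only identity provider."""
    if user is None or not user.get("has_password"):
        raise DisconnectNotAllowed("user would lose every means of logging in")
    return {}


def allowed_to_disconnect_wrong(user=None, **kwargs):
    """The same check, but signalling 'allowed' with True instead of {}.
    The True return ends the pipeline before any token is revoked."""
    return user is not None and bool(user.get("has_password"))


def revoke_tokens(user_storage=None, **kwargs):
    """Final disconnect step: drop the provider's tokens held for this user."""
    user_storage.clear()
    return {"revoked": True}


def demo_auth(response):
    """Return ('ok', merged kwargs) or ('rejected', reason) for one auth run."""
    try:
        return "ok", run_pipeline([contains_required_data], response=response)
    except MissingRequiredData as exc:
        return "rejected", str(exc)


def demo_disconnect(check_step, has_password=True):
    """Run a two-step disconnect pipeline and report what happened.

    Returns (status, result, tokens): tokens is the user's stored token dict
    after the run, so the caller can see whether revocation really happened."""
    user = {"name": "alice", "has_password": has_password}      # constructed
    tokens = {"access_token": "constructed-access-token"}        # constructed
    try:
        result = run_pipeline([check_step, revoke_tokens], user=user, user_storage=tokens)
    except DisconnectNotAllowed as exc:
        return "refused", str(exc), tokens
    return "ran", result, tokens


if __name__ == "__main__":
    print(demo_auth({"username": "alice", "email": "alice@example.invalid"}))
    print(demo_auth({"username": "alice"}))
    print(demo_disconnect(allowed_to_disconnect))         # tokens revoked
    print(demo_disconnect(allowed_to_disconnect_wrong))   # returns True, tokens kept
    print(demo_disconnect(allowed_to_disconnect, has_password=False))
```

The second disconnect run is the failure mode the docstrings describe: the check step means "allowed" but says so with True, so the pipeline stops there, revoke_tokens never runs, and True is what the caller gets back while the user's tokens are still in place.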