galaxy.authnz package

Contains implementations for authentication and authorization against an OpenID Connect (OIDC) Identity Provider (IdP).

This package follows “authorization code flow” authentication protocol to authenticate Galaxy users against third-party identity providers.

Additionally, this package implements functionalist’s to request temporary access credentials for cloud-based resource providers (e.g., Amazon AWS, Microsoft Azure).

class galaxy.authnz.IdentityProvider(provider, config, backend_config)[source]

Bases: object

OpenID Connect Identity Provider abstract interface.

__init__(provider, config, backend_config)[source]

Initialize the identity provider using the provided configuration, and raise a ParseError (or any more related specific exception) in case the configuration is malformed.

Parameters:

provider (string) – is the name of the identity provider (e.g., Google).
config (lxml.etree.ElementTree._Element) – Is the configuration element of the provider from the configuration file (e.g., oidc_config.xml). This element contains the all the provider-specific configuration elements.
backend_config (lxml.etree.ElementTree._Element) – Is the configuration element of the backend of the provider from the configuration file (e.g., oidc_backends_config.xml). This element contains all the backend-specific configuration elements.

refresh(trans, token)[source]

authenticate(trans, idphint=None)[source]

Runs for authentication process. Checks the database if a valid identity exists in the database; if yes, then the user is authenticated, if not, it generates a provider-specific authentication flow and returns redirect URI to the controller.

Parameters:: trans (GalaxyWebTransaction) – Galaxy web transaction.
Returns:: a redirect URI to the provider’s authentication endpoint

callback(state_token: str, authz_code: str, trans, login_redirect_url)[source]

Handles authentication call-backs from identity providers.

This process maps state-token to a user.

Parameters:

state_token – is an anti-forgery token which identifies a Galaxy user to whom the given authorization code belongs to.
authz_code – a very short-lived, single-use token to request a refresh token.
trans (GalaxyWebTransaction) – Galaxy web transaction.

Return type:

tuple

Returns:

a tuple of redirect_url and user.

disconnect(provider, trans, disconnect_redirect_url=None, email=None, association_id=None)[source]

logout(trans, post_user_logout_href=None)[source]

Return a URL that will log the user out of the IDP. In OIDC this is called the ‘end_session_endpoint’.

Parameters:

trans (GalaxyWebTransaction) – Galaxy web transaction.
post_user_logout_href (string) – Optional URL to redirect to after logging out of IDP.

decode_user_access_token(sa_session, access_token)[source]

Verifies and decodes an access token against this provider, returning the user and a dict containing the decoded token data.

Parameters:

sa_session (sqlalchemy.orm.scoping.scoped_session) – SQLAlchemy database handle.
access_token (string) – An OIDC access token

Returns:

A tuple containing the user and decoded jwt data

Return type:

Tuple[User, dict]

Submodules

galaxy.authnz.custos_authnz module

exception galaxy.authnz.custos_authnz.InvalidAuthnzConfigException[source]: Bases: Exception

class galaxy.authnz.custos_authnz.CustosAuthnzConfiguration(provider: str, verify_ssl: bool | NoneType, url: str, label: str, client_id: str, client_secret: str, require_create_confirmation: bool, redirect_uri: str, ca_bundle: str | NoneType, pkce_support: bool, accepted_audiences: List[str], extra_params: dict | NoneType, extra_scopes: List[str], authorization_endpoint: str | NoneType, token_endpoint: str | NoneType, end_session_endpoint: str | NoneType, well_known_oidc_config_uri: str | NoneType, iam_client_secret: str | NoneType, userinfo_endpoint: str | NoneType, credential_url: str | NoneType, issuer: str | NoneType, jwks_uri: str | NoneType)[source]

Bases: object

provider: str

verify_ssl: bool | None

url: str

label: str

client_id: str

client_secret: str

require_create_confirmation: bool

redirect_uri: str

ca_bundle: str | None

pkce_support: bool

accepted_audiences: List[str]

extra_params: dict | None

extra_scopes: List[str]

authorization_endpoint: str | None

token_endpoint: str | None

end_session_endpoint: str | None

well_known_oidc_config_uri: str | None

iam_client_secret: str | None

userinfo_endpoint: str | None

credential_url: str | None

issuer: str | None

jwks_uri: str | None

__init__(provider: str, verify_ssl: bool | None, url: str, label: str, client_id: str, client_secret: str, require_create_confirmation: bool, redirect_uri: str, ca_bundle: str | None, pkce_support: bool, accepted_audiences: List[str], extra_params: dict | None, extra_scopes: List[str], authorization_endpoint: str | None, token_endpoint: str | None, end_session_endpoint: str | None, well_known_oidc_config_uri: str | None, iam_client_secret: str | None, userinfo_endpoint: str | None, credential_url: str | None, issuer: str | None, jwks_uri: str | None) → None

class galaxy.authnz.custos_authnz.OIDCAuthnzBase(provider, oidc_config, oidc_backend_config, idphint=None)[source]

Bases: IdentityProvider

__init__(provider, oidc_config, oidc_backend_config, idphint=None)[source]

Initialize the identity provider using the provided configuration, and raise a ParseError (or any more related specific exception) in case the configuration is malformed.

Parameters:

provider (string) – is the name of the identity provider (e.g., Google).
config (lxml.etree.ElementTree._Element) – Is the configuration element of the provider from the configuration file (e.g., oidc_config.xml). This element contains the all the provider-specific configuration elements.
backend_config (lxml.etree.ElementTree._Element) – Is the configuration element of the backend of the provider from the configuration file (e.g., oidc_backends_config.xml). This element contains all the backend-specific configuration elements.

refresh(trans, custos_authnz_token)[source]

authenticate(trans, idphint=None)[source]

Runs for authentication process. Checks the database if a valid identity exists in the database; if yes, then the user is authenticated, if not, it generates a provider-specific authentication flow and returns redirect URI to the controller.

Parameters:: trans (GalaxyWebTransaction) – Galaxy web transaction.
Returns:: a redirect URI to the provider’s authentication endpoint

callback(state_token, authz_code, trans, login_redirect_url)[source]

Handles authentication call-backs from identity providers.

This process maps state-token to a user.

Parameters:

state_token – is an anti-forgery token which identifies a Galaxy user to whom the given authorization code belongs to.
authz_code – a very short-lived, single-use token to request a refresh token.
trans (GalaxyWebTransaction) – Galaxy web transaction.

Return type:

tuple

Returns:

a tuple of redirect_url and user.

create_user(token, trans, login_redirect_url)[source]

disconnect(provider, trans, disconnect_redirect_url=None, email=None, association_id=None)[source]

logout(trans, post_user_logout_href=None)[source]

Return a URL that will log the user out of the IDP. In OIDC this is called the ‘end_session_endpoint’.

Parameters:

trans (GalaxyWebTransaction) – Galaxy web transaction.
post_user_logout_href (string) – Optional URL to redirect to after logging out of IDP.

decode_user_access_token(sa_session, access_token)[source]

Verifies and decodes an access token against this provider, returning the user and a dict containing the decoded token data.

Parameters:

sa_session (sqlalchemy.orm.scoping.scoped_session) – SQLAlchemy database handle.
access_token (string) – An OIDC access token

Returns:

A tuple containing the user and decoded jwt data or [None, None] if the access token does not belong to this provider.

Return type:

Tuple[User, dict]

class galaxy.authnz.custos_authnz.OIDCAuthnzBaseKeycloak(provider, oidc_config, oidc_backend_config, idphint=None)[source]

Bases: OIDCAuthnzBase

__init__(provider, oidc_config, oidc_backend_config, idphint=None)[source]

Initialize the identity provider using the provided configuration, and raise a ParseError (or any more related specific exception) in case the configuration is malformed.

Parameters:

provider (string) – is the name of the identity provider (e.g., Google).
config (lxml.etree.ElementTree._Element) – Is the configuration element of the provider from the configuration file (e.g., oidc_config.xml). This element contains the all the provider-specific configuration elements.
backend_config (lxml.etree.ElementTree._Element) – Is the configuration element of the backend of the provider from the configuration file (e.g., oidc_backends_config.xml). This element contains all the backend-specific configuration elements.

class galaxy.authnz.custos_authnz.OIDCAuthnzBaseCiLogon(provider, oidc_config, oidc_backend_config, idphint=None)[source]

Bases: OIDCAuthnzBase

__init__(provider, oidc_config, oidc_backend_config, idphint=None)[source]

Initialize the identity provider using the provided configuration, and raise a ParseError (or any more related specific exception) in case the configuration is malformed.

Parameters:

provider (string) – is the name of the identity provider (e.g., Google).
config (lxml.etree.ElementTree._Element) – Is the configuration element of the provider from the configuration file (e.g., oidc_config.xml). This element contains the all the provider-specific configuration elements.
backend_config (lxml.etree.ElementTree._Element) – Is the configuration element of the backend of the provider from the configuration file (e.g., oidc_backends_config.xml). This element contains all the backend-specific configuration elements.

class galaxy.authnz.custos_authnz.CustosAuthFactory[source]

Bases: object

static GetCustosBasedAuthProvider(provider, oidc_config, oidc_backend_config, idphint=None)[source]

class galaxy.authnz.custos_authnz.OIDCAuthnzBaseCustos(provider, oidc_config, oidc_backend_config, idphint=None)[source]

Bases: OIDCAuthnzBase

__init__(provider, oidc_config, oidc_backend_config, idphint=None)[source]

Initialize the identity provider using the provided configuration, and raise a ParseError (or any more related specific exception) in case the configuration is malformed.

Parameters:

provider (string) – is the name of the identity provider (e.g., Google).
config (lxml.etree.ElementTree._Element) – Is the configuration element of the provider from the configuration file (e.g., oidc_config.xml). This element contains the all the provider-specific configuration elements.
backend_config (lxml.etree.ElementTree._Element) – Is the configuration element of the backend of the provider from the configuration file (e.g., oidc_backends_config.xml). This element contains all the backend-specific configuration elements.

galaxy.authnz.managers module

class galaxy.authnz.managers.AuthnzManager(app, oidc_config_file, oidc_backends_config_file)[source]

Bases: object

__init__(app, oidc_config_file, oidc_backends_config_file)[source]

Parameters:

app (galaxy.app.UniverseApplication) –
config (string) – sets the path for OIDC configuration file (e.g., oidc_backends_config.xml).

get_allowed_idps()[source]

static can_user_assume_authn(trans, authn_id)[source]

refresh_expiring_oidc_tokens_for_provider(trans, auth)[source]

refresh_expiring_oidc_tokens(trans, user=None)[source]

authenticate(provider, trans, idphint=None)[source]

Parameters:

provider (string) – set the name of the identity provider to be used for authentication flow.
trans (GalaxyWebTransaction) – Galaxy web transaction.

Returns:

an identity provider specific authentication redirect URI.

callback(provider, state_token, authz_code, trans, login_redirect_url, idphint=None)[source]

create_user(provider, token, trans, login_redirect_url)[source]

match_access_token_to_user(sa_session, access_token)[source]

logout(provider, trans, post_user_logout_href=None)[source]

Log the user out of the identity provider.

Parameters:

provider (string) – set the name of the identity provider.
trans (GalaxyWebTransaction) – Galaxy web transaction.
post_user_logout_href (string) – (Optional) URL for identity provider to redirect to after logging user out.

Returns:

a tuple (success boolean, message, redirect URI)

disconnect(provider, trans, email=None, disconnect_redirect_url=None, idphint=None)[source]

galaxy.authnz.psa_authnz module

class galaxy.authnz.psa_authnz.PSAAuthnz(provider, oidc_config, oidc_backend_config)[source]

Bases: IdentityProvider

__init__(provider, oidc_config, oidc_backend_config)[source]

Initialize the identity provider using the provided configuration, and raise a ParseError (or any more related specific exception) in case the configuration is malformed.

Parameters:

provider (string) – is the name of the identity provider (e.g., Google).
config (lxml.etree.ElementTree._Element) – Is the configuration element of the provider from the configuration file (e.g., oidc_config.xml). This element contains the all the provider-specific configuration elements.
backend_config (lxml.etree.ElementTree._Element) – Is the configuration element of the backend of the provider from the configuration file (e.g., oidc_backends_config.xml). This element contains all the backend-specific configuration elements.

refresh_azure(user_authnz_token)[source]

refresh(trans, user_authnz_token)[source]

authenticate(trans, idphint=None)[source]

Runs for authentication process. Checks the database if a valid identity exists in the database; if yes, then the user is authenticated, if not, it generates a provider-specific authentication flow and returns redirect URI to the controller.

Parameters:: trans (GalaxyWebTransaction) – Galaxy web transaction.
Returns:: a redirect URI to the provider’s authentication endpoint

callback(state_token, authz_code, trans, login_redirect_url)[source]

Handles authentication call-backs from identity providers.

This process maps state-token to a user.

Parameters:

state_token – is an anti-forgery token which identifies a Galaxy user to whom the given authorization code belongs to.
authz_code – a very short-lived, single-use token to request a refresh token.
trans (GalaxyWebTransaction) – Galaxy web transaction.

Return type:

tuple

Returns:

a tuple of redirect_url and user.

disconnect(provider, trans, disconnect_redirect_url=None, email=None, association_id=None)[source]

class galaxy.authnz.psa_authnz.Strategy(request, session, storage, config, tpl=None)[source]

Bases: BaseStrategy

__init__(request, session, storage, config, tpl=None)[source]

get_setting(name)[source]: Return value for given setting name

session_get(name, default=None)[source]: Return session value for given key

session_set(name, value)[source]: Set session value for given key

session_pop(name)[source]: Pop session value for given key

request_data(merge=True)[source]: Return current request data (POST or GET)

request_host()[source]: Return current host value

build_absolute_uri(path=None)[source]: Build absolute URI with given (optional) path

redirect(url)[source]: Return a response redirect to the given URL

html(content)[source]: Return HTTP response with given content

render_html(tpl=None, html=None, context=None)[source]: Render given template or raw html with given context

class galaxy.authnz.psa_authnz.Storage[source]

Bases: object

user: alias of UserAuthnzToken

nonce: alias of PSANonce

association: alias of PSAAssociation

code: alias of PSACode

partial: alias of PSAPartial

classmethod is_integrity_error(exception)[source]

galaxy.authnz.psa_authnz.on_the_fly_config(sa_session)[source]

galaxy.authnz.psa_authnz.contains_required_data(response=None, is_new=False, **kwargs)[source]

This function is called as part of authentication and authorization pipeline before user is authenticated or authorized (see AUTH_PIPELINE).

This function asserts if all the data required by Galaxy for a user is provided. It raises an exception if any of the required data is missing, and returns void if otherwise.

Parameters:

response (dict) –
a dictionary containing decoded response from OIDC backend that contain the following keys among others:
- id_token; see: http://openid.net/specs/openid-connect-core-1_0.html#IDToken
- access_token; see: https://tools.ietf.org/html/rfc6749#section-1.4
- refresh_token; see: https://tools.ietf.org/html/rfc6749#section-1.5
- token_type; see: https://tools.ietf.org/html/rfc6750#section-6.1.1
- scope; see: http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
- expires_in; is the expiration time of the access and ID tokens in seconds since
  the response was generated.
is_new (bool) – has the user been authenticated?
kwargs –
may contain the following keys among others:
- uid: user ID
- user: Galaxy user; if user is already authenticated
- backend: the backend that is used for user authentication.
- storage: an instance of Storage class.
- strategy: an instance of the Strategy class.
- state: the state code received from identity provider.
- details: details about the user’s third-party identity as requested in scope.

Return type:

void

Returns:

Raises an exception if any of the required arguments is missing, and pass if all are given.

galaxy.authnz.psa_authnz.verify(strategy=None, response=None, details=None, **kwargs)[source]

galaxy.authnz.psa_authnz.allowed_to_disconnect(name=None, user=None, user_storage=None, strategy=None, backend=None, request=None, details=None, **kwargs)[source]: Disconnect is the process of disassociating a Galaxy user and a third-party authnz. In other words, it is the process of removing any access and/or ID tokens of a user. This function should raise an exception if disconnection is NOT permitted. Do NOT return any value (except an empty dictionary) if disconnect is allowed. Because, at least until PSA social_core v.1.5.0, any returned value (e.g., Boolean) will result in ignoring the rest of the disconnect pipeline. See the following condition in run_pipeline function: https://github.com/python-social-auth/social-core/blob/master/social_core/backends/base.py#L114 :param name: name of the backend (e.g., google-openidconnect) :type user: galaxy.model.User :type user_storage: galaxy.model.UserAuthnzToken :type strategy: galaxy.authnz.psa_authnz.Strategy :type backend: PSA backend object (e.g., social_core.backends.google_openidconnect.GoogleOpenIdConnect) :type request: webob.multidict.MultiDict :type details: dict :return: empty dict

galaxy.authnz.psa_authnz.disconnect(name=None, user=None, user_storage=None, strategy=None, backend=None, request=None, details=None, **kwargs)[source]: Disconnect is the process of disassociating a Galaxy user and a third-party authnz. In other words, it is the process of removing any access and/or ID tokens of a user. :param name: name of the backend (e.g., google-openidconnect) :type user: galaxy.model.User :type user_storage: galaxy.model.UserAuthnzToken :type strategy: galaxy.authnz.psa_authnz.Strategy :type backend: PSA backend object (e.g., social_core.backends.google_openidconnect.GoogleOpenIdConnect) :type request: webob.multidict.MultiDict :type details: dict :return: void or empty dict. Any key-value pair inside the dictionary will be available inside PSA only, and will be passed to the next step in the disconnect pipeline. However, the key-value pair will not be returned as a result of calling the do_disconnect function. Additionally, returning any value except for a(n) (empty) dictionary, will break the disconnect pipeline, and that value will be returned as a result of calling the do_disconnect function.