galaxy.security package

Galaxy Security

class galaxy.security.Action(action: str, description: str, model: typing_extensions.Literal[grant, restrict])

Bases: object

__init__(action: str, description: str, model: typing_extensions.Literal[grant, restrict])

action: str

description: str

model: typing_extensions.Literal[grant, restrict]

class galaxy.security.RBACAgent

Bases: object

Class that handles galaxy security

permitted_actions = <galaxy.util.bunch.Bunch object>

get_action(name: str, default: Action | None = None) → Action | None

Get a permitted action by its dict key or action name

get_actions() → List[Action]

Get all permitted actions as a list of Action objects

get_item_actions(action, item)

guess_derived_permissions_for_datasets(datasets=None)

can_access_dataset(roles, dataset)

can_manage_dataset(roles, dataset)

can_access_library(roles, library)

can_add_library_item(roles, item)

can_modify_library_item(roles, item)

can_change_object_store_id(user, dataset)

can_manage_library_item(roles, item)

create_private_user_role(user)

get_private_user_role(user)

user_set_default_permissions(user, permissions=None, history=False, dataset=False)

history_set_default_permissions(history, permissions=None, dataset=False, bypass_manage_permission=False)

set_all_dataset_permissions(dataset, permissions, new=False)

set_dataset_permission(dataset, permission)

set_all_library_permissions(trans, dataset, permissions)

set_library_item_permission(library_item, permission)

library_is_public(library)

make_library_public(library)

get_accessible_libraries(trans, user)

get_permitted_libraries(trans, user, actions)

folder_is_public(library)

make_folder_public(folder, count=0)

dataset_is_public(dataset)

make_dataset_public(dataset)

get_permissions(library_dataset)

get_all_roles(trans, cntrller)

get_legitimate_roles(trans, item, cntrller)

derive_roles_from_access(trans, item_id, cntrller, library=False, **kwd)

get_component_associations(**kwd)

components_are_associated(**kwd)

convert_permitted_action_strings(permitted_action_strings)

When getting permitted actions from an untrusted source like a form, ensure that they match our actual permitted actions.

galaxy.security.get_permitted_actions(filter=None)

Utility method to return a subset of RBACAgent’s permitted actions

Submodules

galaxy.security.idencoding module

class galaxy.security.idencoding.IdEncodingHelper(**config)

Bases: object

__init__(**config)

encode_id(obj_id, kind=None, strict_integer=False)

encode_dict_ids(a_dict, kind=None, skip_startswith=None)

Encode all ids in dictionary. Ids are identified by (a) an ‘id’ key or (b) a key that ends with ‘_id’

encode_all_ids(rval, recursive=False)

Encodes all integer values in the dict rval whose keys are ‘id’ or end with ‘_id’ excluding tool_id which are consumed and produced as is via the API.

decode_id(obj_id, kind=None, object_name: str | None = None)

encode_guid(session_key)

decode_guid(session_key: bytes | str) → str

get_new_guid()

class galaxy.security.idencoding.IdAsLowercaseAlphanumEncodingHelper(security: IdEncodingHelper)

Bases: object

Helper class to encode IDs as lowercase alphanumeric strings, and vice versa

__init__(security: IdEncodingHelper)

encode_id(id: int) → str

decode_id(id: str) → int

galaxy.security.object_wrapper module

Classes for wrapping Objects and Sanitizing string output.

galaxy.security.object_wrapper.coerce(x, y)

galaxy.security.object_wrapper.cmp(x, y)

galaxy.security.object_wrapper.sanitize_lists_to_string(values, valid_characters={' ', '!', '(', ')', '*', '+', ',', '-', '.', '/', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', ':', '=', '?', '@', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '^', '_', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z'}, character_map={'\t': '__tc__', '\n': '__cn__', '\r': '__cr__', '"': '__dq__', '#': '__pd__', "'": '__sq__', '<': '__lt__', '>': '__gt__', '[': '__ob__', ']': '__cb__', '{': '__oc__', '}': '__cc__'}, invalid_character='X')

galaxy.security.object_wrapper.wrap_with_safe_string(value, no_wrap_classes=None)

Recursively wrap values that should be wrapped.

class galaxy.security.object_wrapper.SafeStringWrapper(*arg, **kwd)

Bases: object

Class that wraps and sanitizes any provided value’s attributes that will attempt to be cast into a string.

Attempts to mimic behavior of original class, including operands.

To ensure proper handling of e.g. subclass checks, the wrap_with_safe_string() method should be used.

This wrapping occurs in a recursive/parasitic fashion, as all called attributes of the originally wrapped object will also be wrapped and sanitized, unless the attribute is of a type found in __DONT_SANITIZE_TYPES__ + __DONT_WRAP_TYPES__, where e.g. ~(strings will still be sanitized, but not wrapped), and e.g. integers will have neither.

__init__(value, safe_string_wrapper_function=<function wrap_with_safe_string>)

class galaxy.security.object_wrapper.CallableSafeStringWrapper(*arg, **kwd)

Bases: SafeStringWrapper

galaxy.security.object_wrapper.pickle_SafeStringWrapper(safe_object)

galaxy.security.passwords module

galaxy.security.passwords.hash_password(password)

Hash a password, currently will use the PBKDF2 scheme.

galaxy.security.passwords.check_password(guess, hashed)

Check a hashed password. Supports either PBKDF2 if the hash is prefixed with that string, or sha1 otherwise.

galaxy.security.passwords.hash_password_PBKDF2(password)

galaxy.security.passwords.check_password_PBKDF2(guess, hashed)

galaxy.security.passwords.pbkdf2_bin(data, salt, iterations=100000, keylen=24, hashfunc='sha256')

Returns a binary digest for the PBKDF2 hash algorithm of data with the given salt. It iterates iterations time and produces a key of keylen bytes. By default SHA-256 is used as hash function, a different hashlib hashfunc can be provided.

galaxy.security.ssh_util module

class galaxy.security.ssh_util.SSHKeys(private_key, public_key, private_key_file, public_key_file)

Bases: NamedTuple

private_key: bytes

Alias for field number 0

public_key: bytes

Alias for field number 1

private_key_file: str

Alias for field number 2

public_key_file: str

Alias for field number 3

galaxy.security.ssh_util.generate_ssh_keys() → SSHKeys

Returns a named tuple with private and public key and their paths.

galaxy.security.validate_user_input module

Utilities for validating inputs related to user objects.

The validate_* methods in this file return simple messages that do not contain user inputs - so these methods do not need to be escaped.

galaxy.security.validate_user_input.is_valid_email_str(email)

Validates a string containing an email address and returns a boolean result.

galaxy.security.validate_user_input.validate_email_str(email)

Validates a string containing an email address.

galaxy.security.validate_user_input.validate_password_str(password)

galaxy.security.validate_user_input.validate_publicname_str(publicname)

Validates a string containing a public username.

galaxy.security.validate_user_input.validate_email(trans, email, user=None, check_dup=True, allow_empty=False, validate_domain=False)

Validates the email format. Checks whether the domain is blocklisted in the disposable domains configuration. Checks whether the email address is banned.

galaxy.security.validate_user_input.validate_email_domain_name(domain: str) → LiteralString

galaxy.security.validate_user_input.extract_domain(email, base_only=False)

galaxy.security.validate_user_input.validate_publicname(trans, publicname, user=None)

Check that publicname respects the minimum and maximum string length, the allowed characters, and that the username is not taken already.

galaxy.security.validate_user_input.transform_publicname(publicname)

Transform publicname to respect the minimum and maximum string length, and the allowed characters. FILL_CHAR is used to extend or replace characters.

galaxy.security.validate_user_input.validate_password(trans, password, confirm)

galaxy.security.validate_user_input.validate_preferred_object_store_id(trans, object_store: ObjectStore, preferred_object_store_id: str | None) → str

galaxy.security.validate_user_input.is_email_banned(email: str, filepath: str | None, canonical_email_rules: Dict | None) → bool

class galaxy.security.validate_user_input.EmailAddressNormalizer(canonical_email_rules: Dict | None)

Bases: object

IGNORE_CASE_RULE = 'ignore_case'

IGNORE_DOTS_RULE = 'ignore_dots'

SUB_ADDRESSING_RULE = 'sub_addressing'

SUB_ADDRESSING_DELIM = 'sub_addressing_delim'

SUB_ADDRESSING_DELIM_DEFAULT = '+'

ALL = 'all'

__init__(canonical_email_rules: Dict | None) → None

normalize(email: str) → str

Transform email to its canonical form.

galaxy.security.vault module

exception galaxy.security.vault.InvalidVaultConfigException

Bases: Exception

exception galaxy.security.vault.InvalidVaultKeyException

Bases: Exception

class galaxy.security.vault.Vault

Bases: ABC

A simple abstraction for reading/writing from external vaults.

abstract read_secret(key: str) → str | None

Reads a secret from the vault.

Parameters:

key – The key to read. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

Returns:

The string value stored at the key, such as ‘ace_editor’.

abstract write_secret(key: str, value: str) → None

Write a secret to the vault.

Parameters:

• key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

• value – The value to write, such as ‘vscode’

Returns:

abstract list_secrets(key: str) → List[str]

Lists secrets at a given path.

Parameters:

key – The key prefix to list. e.g. /galaxy/user/1/preferences. A trailing slash is optional.

Returns:

The list of subkeys at path. e.g. [‘/galaxy/user/1/preferences/editor`, ‘/galaxy/user/1/preferences/storage`] Note that only immediate subkeys are returned.

delete_secret(key: str) → None

Eliminate a secret from the target vault.

Ideally the entry in the target source if removed, but by default the secret is simply overwritten with the empty string as its value.

Parameters:

• key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

• value – The value to write, such as ‘vscode’

Returns:

class galaxy.security.vault.NullVault

Bases: Vault

read_secret(key: str) → str | None

Reads a secret from the vault.

Parameters:

key – The key to read. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

Returns:

The string value stored at the key, such as ‘ace_editor’.

write_secret(key: str, value: str) → None

Write a secret to the vault.

Parameters:

• key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

• value – The value to write, such as ‘vscode’

Returns:

list_secrets(key: str) → List[str]

Lists secrets at a given path.

Parameters:

key – The key prefix to list. e.g. /galaxy/user/1/preferences. A trailing slash is optional.

Returns:

The list of subkeys at path. e.g. [‘/galaxy/user/1/preferences/editor`, ‘/galaxy/user/1/preferences/storage`] Note that only immediate subkeys are returned.

class galaxy.security.vault.HashicorpVault(config)

Bases: Vault

__init__(config)

read_secret(key: str) → str | None

Reads a secret from the vault.

Parameters:

key – The key to read. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

Returns:

The string value stored at the key, such as ‘ace_editor’.

write_secret(key: str, value: str) → None

Write a secret to the vault.

Parameters:

• key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

• value – The value to write, such as ‘vscode’

Returns:

list_secrets(key: str) → List[str]

Lists secrets at a given path.

Parameters:

key – The key prefix to list. e.g. /galaxy/user/1/preferences. A trailing slash is optional.

Returns:

The list of subkeys at path. e.g. [‘/galaxy/user/1/preferences/editor`, ‘/galaxy/user/1/preferences/storage`] Note that only immediate subkeys are returned.

class galaxy.security.vault.DatabaseVault(sa_session, config)

Bases: Vault

__init__(sa_session, config)

read_secret(key: str) → str | None

Reads a secret from the vault.

Parameters:

key – The key to read. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

Returns:

The string value stored at the key, such as ‘ace_editor’.

write_secret(key: str, value: str) → None

Write a secret to the vault.

Parameters:

• key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

• value – The value to write, such as ‘vscode’

Returns:

delete_secret(key: str) → None

Eliminate a secret from the target vault.

Ideally the entry in the target source if removed, but by default the secret is simply overwritten with the empty string as its value.

Parameters:

• key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

• value – The value to write, such as ‘vscode’

Returns:

list_secrets(key: str) → List[str]

Lists secrets at a given path.

Parameters:

key – The key prefix to list. e.g. /galaxy/user/1/preferences. A trailing slash is optional.

Returns:

The list of subkeys at path. e.g. [‘/galaxy/user/1/preferences/editor`, ‘/galaxy/user/1/preferences/storage`] Note that only immediate subkeys are returned.

class galaxy.security.vault.CustosVault(config)

Bases: Vault

__init__(config)

read_secret(key: str) → str | None

Reads a secret from the vault.

Parameters:

key – The key to read. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

Returns:

The string value stored at the key, such as ‘ace_editor’.

write_secret(key: str, value: str) → None

Write a secret to the vault.

Parameters:

• key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

• value – The value to write, such as ‘vscode’

Returns:

list_secrets(key: str) → List[str]

Lists secrets at a given path.

Parameters:

key – The key prefix to list. e.g. /galaxy/user/1/preferences. A trailing slash is optional.

Returns:

The list of subkeys at path. e.g. [‘/galaxy/user/1/preferences/editor`, ‘/galaxy/user/1/preferences/storage`] Note that only immediate subkeys are returned.

class galaxy.security.vault.UserVaultWrapper(vault: Vault, user)

Bases: Vault

__init__(vault: Vault, user)

read_secret(key: str) → str | None

Reads a secret from the vault.

Parameters:

key – The key to read. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

Returns:

The string value stored at the key, such as ‘ace_editor’.

write_secret(key: str, value: str) → None

Write a secret to the vault.

Parameters:

• key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

• value – The value to write, such as ‘vscode’

Returns:

list_secrets(key: str) → List[str]

Lists secrets at a given path.

Parameters:

key – The key prefix to list. e.g. /galaxy/user/1/preferences. A trailing slash is optional.

Returns:

The list of subkeys at path. e.g. [‘/galaxy/user/1/preferences/editor`, ‘/galaxy/user/1/preferences/storage`] Note that only immediate subkeys are returned.

class galaxy.security.vault.VaultKeyValidationWrapper(vault: Vault)

Bases: Vault

A decorator to standardize and validate vault key paths

__init__(vault: Vault)

static validate_key(key)

normalize_key(key)

read_secret(key: str) → str | None

Reads a secret from the vault.

Parameters:

key – The key to read. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

Returns:

The string value stored at the key, such as ‘ace_editor’.

write_secret(key: str, value: str) → None

Write a secret to the vault.

Parameters:

• key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

• value – The value to write, such as ‘vscode’

Returns:

list_secrets(key: str) → List[str]

Lists secrets at a given path.

Parameters:

key – The key prefix to list. e.g. /galaxy/user/1/preferences. A trailing slash is optional.

Returns:

The list of subkeys at path. e.g. [‘/galaxy/user/1/preferences/editor`, ‘/galaxy/user/1/preferences/storage`] Note that only immediate subkeys are returned.

class galaxy.security.vault.VaultKeyPrefixWrapper(vault: Vault, prefix: str)

Bases: Vault

Adds a prefix to all vault keys, such as the galaxy instance id

__init__(vault: Vault, prefix: str)

read_secret(key: str) → str | None

Reads a secret from the vault.

Parameters:

key – The key to read. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

Returns:

The string value stored at the key, such as ‘ace_editor’.

write_secret(key: str, value: str) → None

Write a secret to the vault.

Parameters:

• key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

• value – The value to write, such as ‘vscode’

Returns:

list_secrets(key: str) → List[str]

Lists secrets at a given path.

Parameters:

key – The key prefix to list. e.g. /galaxy/user/1/preferences. A trailing slash is optional.

Returns:

The list of subkeys at path. e.g. [‘/galaxy/user/1/preferences/editor`, ‘/galaxy/user/1/preferences/storage`] Note that only immediate subkeys are returned.

class galaxy.security.vault.VaultFactory

Bases: object

static load_vault_config(vault_conf_yml: str) → dict | None

static from_vault_type(app, vault_type: str | None, cfg: dict) → Vault

static from_app(app) → Vault

galaxy.security.vault.is_vault_configured(vault: Vault) → bool