Warning

This document is for an old release of Galaxy. You can alternatively view this page in the latest release if it exists or view the top of the latest release's documentation.

galaxy.authnz package

Contains implementations for authentication and authorization against an OpenID Connect (OIDC) Identity Provider (IdP).

This package follows “authorization code flow” authentication protocol to authenticate Galaxy users against third-party identity providers.

Additionally, this package implements functionalist’s to request temporary access credentials for cloud-based resource providers (e.g., Amazon AWS, Microsoft Azure).

class galaxy.authnz.IdentityProvider(provider, config, backend_config)[source]

Bases: object

OpenID Connect Identity Provider abstract interface.

__init__(provider, config, backend_config)[source]

Initialize the identity provider using the provided configuration, and raise a ParseError (or any more related specific exception) in case the configuration is malformed.

Parameters:
  • provider (string) – is the name of the identity provider (e.g., Google).

  • config (lxml.etree.ElementTree._Element) – Is the configuration element of the provider from the configuration file (e.g., oidc_config.xml). This element contains the all the provider-specific configuration elements.

  • backend_config (lxml.etree.ElementTree._Element) – Is the configuration element of the backend of the provider from the configuration file (e.g., oidc_backends_config.xml). This element contains all the backend-specific configuration elements.

refresh(trans, token)[source]
authenticate(provider, trans)[source]

Runs for authentication process. Checks the database if a valid identity exists in the database; if yes, then the user is authenticated, if not, it generates a provider-specific authentication flow and returns redirect URI to the controller.

Parameters:

trans (GalaxyWebTransaction) – Galaxy web transaction.

Returns:

a redirect URI to the provider’s authentication endpoint

callback(state_token: str, authz_code: str, trans, login_redirect_url)[source]

Handles authentication call-backs from identity providers.

This process maps state-token to a user.

Parameters:
  • state_token – is an anti-forgery token which identifies a Galaxy user to whom the given authorization code belongs to.

  • authz_code – a very short-lived, single-use token to request a refresh token.

  • trans (GalaxyWebTransaction) – Galaxy web transaction.

Return type:

tuple

Returns:

a tuple of redirect_url and user.

disconnect(provider, trans, disconnect_redirect_url=None)[source]
logout(trans, post_user_logout_href=None)[source]

Return a URL that will log the user out of the IDP. In OIDC this is called the ‘end_session_endpoint’.

Parameters:
  • trans (GalaxyWebTransaction) – Galaxy web transaction.

  • post_user_logout_href (string) – Optional URL to redirect to after logging out of IDP.

decode_user_access_token(sa_session, access_token)[source]

Verifies and decodes an access token against this provider, returning the user and a dict containing the decoded token data.

Parameters:
  • sa_session (sqlalchemy.orm.scoping.scoped_session) – SQLAlchemy database handle.

  • access_token (string) – An OIDC access token

Returns:

A tuple containing the user and decoded jwt data

Return type:

Tuple[User, dict]

Submodules

galaxy.authnz.custos_authnz module

exception galaxy.authnz.custos_authnz.InvalidAuthnzConfigException[source]

Bases: Exception

class galaxy.authnz.custos_authnz.CustosAuthnzConfiguration(provider: str, verify_ssl: bool | NoneType, url: str, label: str, client_id: str, client_secret: str, require_create_confirmation: bool, redirect_uri: str, ca_bundle: str | NoneType, pkce_support: bool, accepted_audiences: List[str], extra_params: dict | NoneType, authorization_endpoint: str | NoneType, token_endpoint: str | NoneType, end_session_endpoint: str | NoneType, well_known_oidc_config_uri: str | NoneType, iam_client_secret: str | NoneType, userinfo_endpoint: str | NoneType, credential_url: str | NoneType, issuer: str | NoneType, jwks_uri: str | NoneType)[source]

Bases: object

provider: str
verify_ssl: bool | None
url: str
label: str
client_id: str
client_secret: str
require_create_confirmation: bool
redirect_uri: str
ca_bundle: str | None
pkce_support: bool
accepted_audiences: List[str]
extra_params: dict | None
authorization_endpoint: str | None
token_endpoint: str | None
end_session_endpoint: str | None
well_known_oidc_config_uri: str | None
iam_client_secret: str | None
userinfo_endpoint: str | None
credential_url: str | None
issuer: str | None
jwks_uri: str | None
__init__(provider: str, verify_ssl: bool | None, url: str, label: str, client_id: str, client_secret: str, require_create_confirmation: bool, redirect_uri: str, ca_bundle: str | None, pkce_support: bool, accepted_audiences: List[str], extra_params: dict | None, authorization_endpoint: str | None, token_endpoint: str | None, end_session_endpoint: str | None, well_known_oidc_config_uri: str | None, iam_client_secret: str | None, userinfo_endpoint: str | None, credential_url: str | None, issuer: str | None, jwks_uri: str | None) None
class galaxy.authnz.custos_authnz.OIDCAuthnzBase(provider, oidc_config, oidc_backend_config, idphint=None)[source]

Bases: IdentityProvider

__init__(provider, oidc_config, oidc_backend_config, idphint=None)[source]

Initialize the identity provider using the provided configuration, and raise a ParseError (or any more related specific exception) in case the configuration is malformed.

Parameters:
  • provider (string) – is the name of the identity provider (e.g., Google).

  • config (lxml.etree.ElementTree._Element) – Is the configuration element of the provider from the configuration file (e.g., oidc_config.xml). This element contains the all the provider-specific configuration elements.

  • backend_config (lxml.etree.ElementTree._Element) – Is the configuration element of the backend of the provider from the configuration file (e.g., oidc_backends_config.xml). This element contains all the backend-specific configuration elements.

refresh(trans, custos_authnz_token)[source]
authenticate(trans, idphint=None)[source]

Runs for authentication process. Checks the database if a valid identity exists in the database; if yes, then the user is authenticated, if not, it generates a provider-specific authentication flow and returns redirect URI to the controller.

Parameters:

trans (GalaxyWebTransaction) – Galaxy web transaction.

Returns:

a redirect URI to the provider’s authentication endpoint

callback(state_token, authz_code, trans, login_redirect_url)[source]

Handles authentication call-backs from identity providers.

This process maps state-token to a user.

Parameters:
  • state_token – is an anti-forgery token which identifies a Galaxy user to whom the given authorization code belongs to.

  • authz_code – a very short-lived, single-use token to request a refresh token.

  • trans (GalaxyWebTransaction) – Galaxy web transaction.

Return type:

tuple

Returns:

a tuple of redirect_url and user.

create_user(token, trans, login_redirect_url)[source]
disconnect(provider, trans, email=None, disconnect_redirect_url=None)[source]
logout(trans, post_user_logout_href=None)[source]

Return a URL that will log the user out of the IDP. In OIDC this is called the ‘end_session_endpoint’.

Parameters:
  • trans (GalaxyWebTransaction) – Galaxy web transaction.

  • post_user_logout_href (string) – Optional URL to redirect to after logging out of IDP.

decode_user_access_token(sa_session, access_token)[source]

Verifies and decodes an access token against this provider, returning the user and a dict containing the decoded token data.

Parameters:
  • sa_session (sqlalchemy.orm.scoping.scoped_session) – SQLAlchemy database handle.

  • access_token (string) – An OIDC access token

Returns:

A tuple containing the user and decoded jwt data or [None, None] if the access token does not belong to this provider.

Return type:

Tuple[User, dict]

class galaxy.authnz.custos_authnz.OIDCAuthnzBaseKeycloak(provider, oidc_config, oidc_backend_config, idphint=None)[source]

Bases: OIDCAuthnzBase

__init__(provider, oidc_config, oidc_backend_config, idphint=None)[source]

Initialize the identity provider using the provided configuration, and raise a ParseError (or any more related specific exception) in case the configuration is malformed.

Parameters:
  • provider (string) – is the name of the identity provider (e.g., Google).

  • config (lxml.etree.ElementTree._Element) – Is the configuration element of the provider from the configuration file (e.g., oidc_config.xml). This element contains the all the provider-specific configuration elements.

  • backend_config (lxml.etree.ElementTree._Element) – Is the configuration element of the backend of the provider from the configuration file (e.g., oidc_backends_config.xml). This element contains all the backend-specific configuration elements.

class galaxy.authnz.custos_authnz.OIDCAuthnzBaseCiLogon(provider, oidc_config, oidc_backend_config, idphint=None)[source]

Bases: OIDCAuthnzBase

__init__(provider, oidc_config, oidc_backend_config, idphint=None)[source]

Initialize the identity provider using the provided configuration, and raise a ParseError (or any more related specific exception) in case the configuration is malformed.

Parameters:
  • provider (string) – is the name of the identity provider (e.g., Google).

  • config (lxml.etree.ElementTree._Element) – Is the configuration element of the provider from the configuration file (e.g., oidc_config.xml). This element contains the all the provider-specific configuration elements.

  • backend_config (lxml.etree.ElementTree._Element) – Is the configuration element of the backend of the provider from the configuration file (e.g., oidc_backends_config.xml). This element contains all the backend-specific configuration elements.

class galaxy.authnz.custos_authnz.CustosAuthFactory[source]

Bases: object

static GetCustosBasedAuthProvider(provider, oidc_config, oidc_backend_config, idphint=None)[source]
class galaxy.authnz.custos_authnz.OIDCAuthnzBaseCustos(provider, oidc_config, oidc_backend_config, idphint=None)[source]

Bases: OIDCAuthnzBase

__init__(provider, oidc_config, oidc_backend_config, idphint=None)[source]

Initialize the identity provider using the provided configuration, and raise a ParseError (or any more related specific exception) in case the configuration is malformed.

Parameters:
  • provider (string) – is the name of the identity provider (e.g., Google).

  • config (lxml.etree.ElementTree._Element) – Is the configuration element of the provider from the configuration file (e.g., oidc_config.xml). This element contains the all the provider-specific configuration elements.

  • backend_config (lxml.etree.ElementTree._Element) – Is the configuration element of the backend of the provider from the configuration file (e.g., oidc_backends_config.xml). This element contains all the backend-specific configuration elements.

galaxy.authnz.managers module

class galaxy.authnz.managers.AuthnzManager(app, oidc_config_file, oidc_backends_config_file)[source]

Bases: object

__init__(app, oidc_config_file, oidc_backends_config_file)[source]
Parameters:
get_allowed_idps()[source]
static can_user_assume_authn(trans, authn_id)[source]
static try_get_authz_config(sa_session, user_id, authz_id)[source]

It returns a cloudauthz config (see model.CloudAuthz) with the given ID; and raise an exception if either a config with given ID does not exist, or the configuration is defined for a another user than trans.user.

Parameters:

:rtype : model.CloudAuthz :return: a cloudauthz configuration.

refresh_expiring_oidc_tokens_for_provider(trans, auth)[source]
refresh_expiring_oidc_tokens(trans, user=None)[source]
authenticate(provider, trans, idphint=None)[source]
Parameters:
  • provider (string) – set the name of the identity provider to be used for authentication flow.

  • trans (GalaxyWebTransaction) – Galaxy web transaction.

Returns:

an identity provider specific authentication redirect URI.

callback(provider, state_token, authz_code, trans, login_redirect_url, idphint=None)[source]
create_user(provider, token, trans, login_redirect_url)[source]
match_access_token_to_user(sa_session, access_token)[source]
logout(provider, trans, post_user_logout_href=None)[source]

Log the user out of the identity provider.

Parameters:
  • provider (string) – set the name of the identity provider.

  • trans (GalaxyWebTransaction) – Galaxy web transaction.

  • post_user_logout_href (string) – (Optional) URL for identity provider to redirect to after logging user out.

Returns:

a tuple (success boolean, message, redirect URI)

disconnect(provider, trans, email=None, disconnect_redirect_url=None, idphint=None)[source]
get_cloud_access_credentials(cloudauthz, sa_session, user_id, request=None)[source]

This method leverages CloudAuthz (https://github.com/galaxyproject/cloudauthz) to request a cloud-based resource provider (e.g., Amazon AWS, Microsoft Azure) for temporary access credentials to a given resource.

It first checks if a cloudauthz config with the given ID (authz_id) is available and can be assumed by the user, and raises an exception if either is false. Otherwise, it then extends the cloudauthz configuration as required by the CloudAuthz library for the provider specified in the configuration. For instance, it adds on-the-fly values such as a valid OpenID Connect identity token, as required by CloudAuthz for AWS. Then requests temporary credentials from the CloudAuthz library using the updated configuration.

Parameters:
  • cloudauthz (CloudAuthz) – an instance of CloudAuthz to be used for getting temporary credentials.

  • sa_session (sqlalchemy.orm.scoping.scoped_session) – SQLAlchemy database handle.

  • user_id (int) – Decoded Galaxy user ID.

  • request (galaxy.web.framework.base.Request) – Encapsulated HTTP(S) request.

Return type:

dict

Returns:

a dictionary containing credentials to access a cloud-based resource provider. See CloudAuthz (https://github.com/galaxyproject/cloudauthz) for details on the content of this dictionary.

get_cloud_access_credentials_in_file(new_file_path, cloudauthz, sa_session, user_id, request=None)[source]

This method leverages CloudAuthz (https://github.com/galaxyproject/cloudauthz) to request a cloud-based resource provider (e.g., Amazon AWS, Microsoft Azure) for temporary access credentials to a given resource.

This method uses the get_cloud_access_credentials method to obtain temporary credentials, and persists them to a (temporary) file, and returns the file path.

Parameters:
  • new_file_path (str) – Where dataset files are saved on temporary storage. See app.config.new_file_path.

  • cloudauthz (CloudAuthz) – an instance of CloudAuthz to be used for getting temporary credentials.

  • sa_session (sqlalchemy.orm.scoping.scoped_session) – SQLAlchemy database handle.

  • user_id (int) – Decoded Galaxy user ID.

  • request (galaxy.web.framework.base.Request) – [Optional] Encapsulated HTTP(S) request.

Return type:

str

Returns:

The filename to which credentials are written.

galaxy.authnz.psa_authnz module

class galaxy.authnz.psa_authnz.PSAAuthnz(provider, oidc_config, oidc_backend_config)[source]

Bases: IdentityProvider

__init__(provider, oidc_config, oidc_backend_config)[source]

Initialize the identity provider using the provided configuration, and raise a ParseError (or any more related specific exception) in case the configuration is malformed.

Parameters:
  • provider (string) – is the name of the identity provider (e.g., Google).

  • config (lxml.etree.ElementTree._Element) – Is the configuration element of the provider from the configuration file (e.g., oidc_config.xml). This element contains the all the provider-specific configuration elements.

  • backend_config (lxml.etree.ElementTree._Element) – Is the configuration element of the backend of the provider from the configuration file (e.g., oidc_backends_config.xml). This element contains all the backend-specific configuration elements.

refresh_azure(user_authnz_token)[source]
refresh(trans, user_authnz_token)[source]
authenticate(trans)[source]

Runs for authentication process. Checks the database if a valid identity exists in the database; if yes, then the user is authenticated, if not, it generates a provider-specific authentication flow and returns redirect URI to the controller.

Parameters:

trans (GalaxyWebTransaction) – Galaxy web transaction.

Returns:

a redirect URI to the provider’s authentication endpoint

callback(state_token, authz_code, trans, login_redirect_url)[source]

Handles authentication call-backs from identity providers.

This process maps state-token to a user.

Parameters:
  • state_token – is an anti-forgery token which identifies a Galaxy user to whom the given authorization code belongs to.

  • authz_code – a very short-lived, single-use token to request a refresh token.

  • trans (GalaxyWebTransaction) – Galaxy web transaction.

Return type:

tuple

Returns:

a tuple of redirect_url and user.

disconnect(provider, trans, disconnect_redirect_url=None, association_id=None)[source]
class galaxy.authnz.psa_authnz.Strategy(request, session, storage, config, tpl=None)[source]

Bases: BaseStrategy

__init__(request, session, storage, config, tpl=None)[source]
get_setting(name)[source]

Return value for given setting name

session_get(name, default=None)[source]

Return session value for given key

session_set(name, value)[source]

Set session value for given key

session_pop(name)[source]

Pop session value for given key

request_data(merge=True)[source]

Return current request data (POST or GET)

request_host()[source]

Return current host value

build_absolute_uri(path=None)[source]

Build absolute URI with given (optional) path

redirect(url)[source]

Return a response redirect to the given URL

html(content)[source]

Return HTTP response with given content

render_html(tpl=None, html=None, context=None)[source]

Render given template or raw html with given context

start()[source]
complete(*args, **kwargs)[source]
continue_pipeline(*args, **kwargs)[source]
class galaxy.authnz.psa_authnz.Storage[source]

Bases: object

user

alias of UserAuthnzToken

nonce

alias of PSANonce

association

alias of PSAAssociation

code

alias of PSACode

partial

alias of PSAPartial

classmethod is_integrity_error(exception)[source]
galaxy.authnz.psa_authnz.on_the_fly_config(sa_session)[source]
galaxy.authnz.psa_authnz.contains_required_data(response=None, is_new=False, **kwargs)[source]

This function is called as part of authentication and authorization pipeline before user is authenticated or authorized (see AUTH_PIPELINE).

This function asserts if all the data required by Galaxy for a user is provided. It raises an exception if any of the required data is missing, and returns void if otherwise.

Parameters:
Return type:

void

Returns:

Raises an exception if any of the required arguments is missing, and pass if all are given.

galaxy.authnz.psa_authnz.verify(strategy=None, response=None, details=None, **kwargs)[source]
galaxy.authnz.psa_authnz.allowed_to_disconnect(name=None, user=None, user_storage=None, strategy=None, backend=None, request=None, details=None, **kwargs)[source]

Disconnect is the process of disassociating a Galaxy user and a third-party authnz. In other words, it is the process of removing any access and/or ID tokens of a user. This function should raise an exception if disconnection is NOT permitted. Do NOT return any value (except an empty dictionary) if disconnect is allowed. Because, at least until PSA social_core v.1.5.0, any returned value (e.g., Boolean) will result in ignoring the rest of the disconnect pipeline. See the following condition in run_pipeline function: https://github.com/python-social-auth/social-core/blob/master/social_core/backends/base.py#L114 :param name: name of the backend (e.g., google-openidconnect) :type user: galaxy.model.User :type user_storage: galaxy.model.UserAuthnzToken :type strategy: galaxy.authnz.psa_authnz.Strategy :type backend: PSA backend object (e.g., social_core.backends.google_openidconnect.GoogleOpenIdConnect) :type request: webob.multidict.MultiDict :type details: dict :return: empty dict

galaxy.authnz.psa_authnz.disconnect(name=None, user=None, user_storage=None, strategy=None, backend=None, request=None, details=None, **kwargs)[source]

Disconnect is the process of disassociating a Galaxy user and a third-party authnz. In other words, it is the process of removing any access and/or ID tokens of a user. :param name: name of the backend (e.g., google-openidconnect) :type user: galaxy.model.User :type user_storage: galaxy.model.UserAuthnzToken :type strategy: galaxy.authnz.psa_authnz.Strategy :type backend: PSA backend object (e.g., social_core.backends.google_openidconnect.GoogleOpenIdConnect) :type request: webob.multidict.MultiDict :type details: dict :return: void or empty dict. Any key-value pair inside the dictionary will be available inside PSA only, and will be passed to the next step in the disconnect pipeline. However, the key-value pair will not be returned as a result of calling the do_disconnect function. Additionally, returning any value except for a(n) (empty) dictionary, will break the disconnect pipeline, and that value will be returned as a result of calling the do_disconnect function.