Warning

This document is for an old release of Galaxy.

galaxy.security package

Galaxy Security

class galaxy.security.Action(action: str, description: str, model: typing_extensions.Literal['grant', 'restrict'])[source]

Bases: object

__init__(action: str, description: str, model: typing_extensions.Literal['grant', 'restrict'])[source]
action: str
description: str
model: typing_extensions.Literal['grant', 'restrict']
class galaxy.security.RBACAgent[source]

Bases: object

Class that handles galaxy security

permitted_actions = <galaxy.util.bunch.Bunch object>
get_action(name: str, default: Action | None = None) Action | None[source]

Get a permitted action by its dict key or action name

get_actions() List[Action][source]

Get all permitted actions as a list of Action objects

get_item_actions(action, item)[source]
guess_derived_permissions_for_datasets(datasets=None)[source]
can_access_dataset(roles, dataset)[source]
can_manage_dataset(roles, dataset)[source]
can_access_library(roles, library)[source]
can_add_library_item(roles, item)[source]
can_modify_library_item(roles, item)[source]
can_change_object_store_id(user, dataset)[source]
can_manage_library_item(roles, item)[source]
associate_components(**kwd)[source]
create_private_user_role(user)[source]
get_private_user_role(user)[source]
user_set_default_permissions(user, permissions=None, history=False, dataset=False)[source]
history_set_default_permissions(history, permissions=None, dataset=False, bypass_manage_permission=False)[source]
set_all_dataset_permissions(dataset, permissions, new=False)[source]
set_dataset_permission(dataset, permission)[source]
set_all_library_permissions(trans, dataset, permissions)[source]
set_library_item_permission(library_item, permission)[source]
library_is_public(library)[source]
make_library_public(library)[source]
get_accessible_libraries(trans, user)[source]
get_permitted_libraries(trans, user, actions)[source]
folder_is_public(library)[source]
make_folder_public(folder, count=0)[source]
dataset_is_public(dataset)[source]
make_dataset_public(dataset)[source]
get_permissions(library_dataset)[source]
get_all_roles(trans, cntrller)[source]
get_legitimate_roles(trans, item, cntrller)[source]
derive_roles_from_access(trans, item_id, cntrller, library=False, **kwd)[source]
get_component_associations(**kwd)[source]
components_are_associated(**kwd)[source]
convert_permitted_action_strings(permitted_action_strings)[source]

When getting permitted actions from an untrusted source like a form, ensure that they match our actual permitted actions.

galaxy.security.get_permitted_actions(filter=None)[source]

Utility method to return a subset of RBACAgent’s permitted actions

Submodules

galaxy.security.idencoding module

class galaxy.security.idencoding.IdEncodingHelper(**config)[source]

Bases: object

__init__(**config)[source]
encode_id(obj_id, kind=None, strict_integer=False)[source]
encode_dict_ids(a_dict, kind=None, skip_startswith=None)[source]

Encode all ids in dictionary. Ids are identified by (a) an ‘id’ key or (b) a key that ends with ‘_id’

encode_all_ids(rval, recursive=False)[source]

Encodes all integer values in the dict rval whose keys are ‘id’ or end with ‘_id’ excluding tool_id which are consumed and produced as is via the API.

decode_id(obj_id, kind=None, object_name: str | None = None)[source]
encode_guid(session_key)[source]
decode_guid(session_key: bytes | str) str[source]
get_new_guid()[source]
class galaxy.security.idencoding.IdAsLowercaseAlphanumEncodingHelper(security: IdEncodingHelper)[source]

Bases: object

Helper class to encode IDs as lowercase alphanumeric strings, and vice versa

__init__(security: IdEncodingHelper)[source]
encode_id(id: int) str[source]
decode_id(id: str) int[source]

galaxy.security.object_wrapper module

Classes for wrapping Objects and Sanitizing string output.

galaxy.security.object_wrapper.coerce(x, y)[source]
galaxy.security.object_wrapper.cmp(x, y)[source]
galaxy.security.object_wrapper.sanitize_lists_to_string(values, valid_characters={' ', '!', '(', ')', '*', '+', ',', '-', '.', '/', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', ':', '=', '?', '@', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '^', '_', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z'}, character_map={'\t': '__tc__', '\n': '__cn__', '\r': '__cr__', '"': '__dq__', '#': '__pd__', "'": '__sq__', '<': '__lt__', '>': '__gt__', '[': '__ob__', ']': '__cb__', '{': '__oc__', '}': '__cc__'}, invalid_character='X')[source]
galaxy.security.object_wrapper.wrap_with_safe_string(value, no_wrap_classes=None)[source]

Recursively wrap values that should be wrapped.

class galaxy.security.object_wrapper.SafeStringWrapper(*arg, **kwd)[source]

Bases: object

Class that wraps a provided value and sanitizes any of its attributes that are cast into a string.

Attempts to mimic behavior of original class, including operands.

To ensure proper handling of e.g. subclass checks, the wrap_with_safe_string() method should be used.

This wrapping occurs in a recursive/parasitic fashion, as all called attributes of the originally wrapped object will also be wrapped and sanitized, unless the attribute is of a type found in __DONT_SANITIZE_TYPES__ + __DONT_WRAP_TYPES__: e.g. strings will still be sanitized but not wrapped, and e.g. integers will have neither.

__init__(value, safe_string_wrapper_function=<function wrap_with_safe_string>)[source]
class galaxy.security.object_wrapper.CallableSafeStringWrapper(*arg, **kwd)[source]

Bases: SafeStringWrapper

galaxy.security.object_wrapper.pickle_SafeStringWrapper(safe_object)[source]

galaxy.security.passwords module

galaxy.security.passwords.hash_password(password)[source]

Hash a password; currently uses the PBKDF2 scheme.

galaxy.security.passwords.check_password(guess, hashed)[source]

Check a hashed password. Supports either PBKDF2 if the hash is prefixed with that string, or sha1 otherwise.

galaxy.security.passwords.hash_password_PBKDF2(password)[source]
galaxy.security.passwords.check_password_PBKDF2(guess, hashed)[source]
galaxy.security.passwords.pbkdf2_bin(data, salt, iterations=100000, keylen=24, hashfunc='sha256')[source]

Returns a binary digest for the PBKDF2 hash algorithm of data with the given salt. It iterates iterations times and produces a key of keylen bytes. By default SHA-256 is used as the hash function; a different hashlib hashfunc can be provided.
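The hash/check pair described above, as an added example that is not Galaxy's own code: PBKDF2-HMAC with the page's defaults (100000 iterations, 24-byte key, SHA-256), a check that dispatches on the PBKDF2 prefix and falls back to legacy sha1, and a constant-time comparison. The "PBKDF2$hashfunc$iterations$salt$digest" record layout and the needs_rehash helper are assumptions.

```python
import base64
import hashlib
import hmac
import os

# Added example, not Galaxy's own implementation. The record layout
# "PBKDF2$<hashfunc>$<iterations>$<salt_b64>$<digest_b64>" is an assumption.
PBKDF2_PREFIX = "PBKDF2"


def pbkdf2_bin(data, salt, iterations=100000, keylen=24, hashfunc="sha256"):
    """Binary PBKDF2-HMAC digest of data under salt; defaults match the page."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    if isinstance(salt, str):
        salt = salt.encode("utf-8")
    return hashlib.pbkdf2_hmac(hashfunc, data, salt, iterations, dklen=keylen)


def hash_password(password, salt=None, iterations=100000):
    """Fresh random salt per password unless one is supplied (for tests)."""
    salt = os.urandom(16) if salt is None else salt
    digest = pbkdf2_bin(password, salt, iterations=iterations)
    fields = [PBKDF2_PREFIX, "sha256", str(iterations),
              base64.b64encode(salt).decode("ascii"),
              base64.b64encode(digest).decode("ascii")]
    return "$".join(fields)


def legacy_sha1_hash(password):
    """Unsalted sha1 hex: the legacy layout check_password still accepts, never for new records."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def check_password(guess, hashed):
    """Dispatch on the prefix, then compare in constant time."""
    if hashed.startswith(PBKDF2_PREFIX + "$"):
        _, hashfunc, iterations, salt_b64, digest_b64 = hashed.split("$")
        expected = base64.b64decode(digest_b64)
        actual = pbkdf2_bin(guess, base64.b64decode(salt_b64),
                            int(iterations), len(expected), hashfunc)
        return hmac.compare_digest(actual, expected)
    return hmac.compare_digest(legacy_sha1_hash(guess), hashed)


def needs_rehash(hashed):
    """True for legacy sha1 records, which should be upgraded to PBKDF2 on the next login."""
    return not hashed.startswith(PBKDF2_PREFIX + "$")
```

Because the legacy branch is unsalted and unstretched, a login path that accepts it should immediately rewrite the record with hash_password.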

galaxy.security.ssh_util module

class galaxy.security.ssh_util.SSHKeys(private_key, public_key, private_key_file, public_key_file)[source]

Bases: tuple

private_key: bytes

Alias for field number 0

public_key: bytes

Alias for field number 1

private_key_file: str

Alias for field number 2

public_key_file: str

Alias for field number 3

galaxy.security.ssh_util.generate_ssh_keys() SSHKeys[source]

Returns a named tuple with private and public key and their paths.

galaxy.security.validate_user_input module

Utilities for validating inputs related to user objects.

The validate_* methods in this file return simple messages that do not contain user inputs - so these methods do not need to be escaped.

galaxy.security.validate_user_input.validate_email_str(email)[source]

Validates a string containing an email address.

galaxy.security.validate_user_input.validate_password_str(password)[source]
galaxy.security.validate_user_input.validate_publicname_str(publicname)[source]

Validates a string containing a public username.

galaxy.security.validate_user_input.validate_email(trans, email, user=None, check_dup=True, allow_empty=False, validate_domain=False)[source]

Validates the email format, also checks whether the domain is blocklisted in the disposable domains configuration.

galaxy.security.validate_user_input.validate_email_domain_name(domain: str) LiteralString[source]
galaxy.security.validate_user_input.extract_domain(email, base_only=False)[source]
galaxy.security.validate_user_input.validate_publicname(trans, publicname, user=None)[source]

Check that publicname respects the minimum and maximum string length and the allowed characters, and that the username is not already taken.

galaxy.security.validate_user_input.transform_publicname(publicname)[source]

Transform publicname to respect the minimum and maximum string length, and the allowed characters. FILL_CHAR is used to extend or replace characters.

galaxy.security.validate_user_input.validate_password(trans, password, confirm)[source]
galaxy.security.validate_user_input.validate_preferred_object_store_id(object_store: ObjectStore, preferred_object_store_id: str | None) str[source]

galaxy.security.vault module

exception galaxy.security.vault.InvalidVaultConfigException[source]

Bases: Exception

exception galaxy.security.vault.InvalidVaultKeyException[source]

Bases: Exception

class galaxy.security.vault.Vault[source]

Bases: ABC

A simple abstraction for reading/writing from external vaults.

abstract read_secret(key: str) str | None[source]

Reads a secret from the vault.

Parameters:

key – The key to read. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

Returns:

The string value stored at the key, such as ‘ace_editor’.

abstract write_secret(key: str, value: str) None[source]

Write a secret to the vault.

Parameters:
  • key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

  • value – The value to write, such as ‘vscode’

Returns:

abstract list_secrets(key: str) List[str][source]

Lists secrets at a given path.

Parameters:

key – The key prefix to list. e.g. /galaxy/user/1/preferences. A trailing slash is optional.

Returns:

The list of subkeys at path, e.g. ['/galaxy/user/1/preferences/editor', '/galaxy/user/1/preferences/storage']. Note that only immediate subkeys are returned.

class galaxy.security.vault.NullVault[source]

Bases: Vault

read_secret(key: str) str | None[source]

Reads a secret from the vault.

Parameters:

key – The key to read. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

Returns:

The string value stored at the key, such as ‘ace_editor’.

write_secret(key: str, value: str) None[source]

Write a secret to the vault.

Parameters:
  • key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

  • value – The value to write, such as ‘vscode’

Returns:

list_secrets(key: str) List[str][source]

Lists secrets at a given path.

Parameters:

key – The key prefix to list. e.g. /galaxy/user/1/preferences. A trailing slash is optional.

Returns:

The list of subkeys at path, e.g. ['/galaxy/user/1/preferences/editor', '/galaxy/user/1/preferences/storage']. Note that only immediate subkeys are returned.

class galaxy.security.vault.HashicorpVault(config)[source]

Bases: Vault

__init__(config)[source]
read_secret(key: str) str | None[source]

Reads a secret from the vault.

Parameters:

key – The key to read. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

Returns:

The string value stored at the key, such as ‘ace_editor’.

write_secret(key: str, value: str) None[source]

Write a secret to the vault.

Parameters:
  • key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

  • value – The value to write, such as ‘vscode’

Returns:

list_secrets(key: str) List[str][source]

Lists secrets at a given path.

Parameters:

key – The key prefix to list. e.g. /galaxy/user/1/preferences. A trailing slash is optional.

Returns:

The list of subkeys at path, e.g. ['/galaxy/user/1/preferences/editor', '/galaxy/user/1/preferences/storage']. Note that only immediate subkeys are returned.

class galaxy.security.vault.DatabaseVault(sa_session, config)[source]

Bases: Vault

__init__(sa_session, config)[source]
read_secret(key: str) str | None[source]

Reads a secret from the vault.

Parameters:

key – The key to read. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

Returns:

The string value stored at the key, such as ‘ace_editor’.

write_secret(key: str, value: str) None[source]

Write a secret to the vault.

Parameters:
  • key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

  • value – The value to write, such as ‘vscode’

Returns:

list_secrets(key: str) List[str][source]

Lists secrets at a given path.

Parameters:

key – The key prefix to list. e.g. /galaxy/user/1/preferences. A trailing slash is optional.

Returns:

The list of subkeys at path, e.g. ['/galaxy/user/1/preferences/editor', '/galaxy/user/1/preferences/storage']. Note that only immediate subkeys are returned.

class galaxy.security.vault.CustosVault(config)[source]

Bases: Vault

__init__(config)[source]
read_secret(key: str) str | None[source]

Reads a secret from the vault.

Parameters:

key – The key to read. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

Returns:

The string value stored at the key, such as ‘ace_editor’.

write_secret(key: str, value: str) None[source]

Write a secret to the vault.

Parameters:
  • key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

  • value – The value to write, such as ‘vscode’

Returns:

list_secrets(key: str) List[str][source]

Lists secrets at a given path.

Parameters:

key – The key prefix to list. e.g. /galaxy/user/1/preferences. A trailing slash is optional.

Returns:

The list of subkeys at path, e.g. ['/galaxy/user/1/preferences/editor', '/galaxy/user/1/preferences/storage']. Note that only immediate subkeys are returned.

class galaxy.security.vault.UserVaultWrapper(vault: Vault, user)[source]

Bases: Vault

__init__(vault: Vault, user)[source]
read_secret(key: str) str | None[source]

Reads a secret from the vault.

Parameters:

key – The key to read. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

Returns:

The string value stored at the key, such as ‘ace_editor’.

write_secret(key: str, value: str) None[source]

Write a secret to the vault.

Parameters:
  • key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

  • value – The value to write, such as ‘vscode’

Returns:

list_secrets(key: str) List[str][source]

Lists secrets at a given path.

Parameters:

key – The key prefix to list. e.g. /galaxy/user/1/preferences. A trailing slash is optional.

Returns:

The list of subkeys at path, e.g. ['/galaxy/user/1/preferences/editor', '/galaxy/user/1/preferences/storage']. Note that only immediate subkeys are returned.

class galaxy.security.vault.VaultKeyValidationWrapper(vault: Vault)[source]

Bases: Vault

A decorator to standardize and validate vault key paths

__init__(vault: Vault)[source]
static validate_key(key)[source]
normalize_key(key)[source]
read_secret(key: str) str | None[source]

Reads a secret from the vault.

Parameters:

key – The key to read. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

Returns:

The string value stored at the key, such as ‘ace_editor’.

write_secret(key: str, value: str) None[source]

Write a secret to the vault.

Parameters:
  • key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

  • value – The value to write, such as ‘vscode’

Returns:

list_secrets(key: str) List[str][source]

Lists secrets at a given path.

Parameters:

key – The key prefix to list. e.g. /galaxy/user/1/preferences. A trailing slash is optional.

Returns:

The list of subkeys at path, e.g. ['/galaxy/user/1/preferences/editor', '/galaxy/user/1/preferences/storage']. Note that only immediate subkeys are returned.

class galaxy.security.vault.VaultKeyPrefixWrapper(vault: Vault, prefix: str)[source]

Bases: Vault

Adds a prefix to all vault keys, such as the galaxy instance id

__init__(vault: Vault, prefix: str)[source]
read_secret(key: str) str | None[source]

Reads a secret from the vault.

Parameters:

key – The key to read. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

Returns:

The string value stored at the key, such as ‘ace_editor’.

write_secret(key: str, value: str) None[source]

Write a secret to the vault.

Parameters:
  • key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor

  • value – The value to write, such as ‘vscode’

Returns:

list_secrets(key: str) List[str][source]

Lists secrets at a given path.

Parameters:

key – The key prefix to list. e.g. /galaxy/user/1/preferences. A trailing slash is optional.

Returns:

The list of subkeys at path, e.g. ['/galaxy/user/1/preferences/editor', '/galaxy/user/1/preferences/storage']. Note that only immediate subkeys are returned.
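The Vault contract (read, write, list with only immediate subkeys and an optional trailing slash), the key validation done by VaultKeyValidationWrapper and the namespacing done by VaultKeyPrefixWrapper, as one added example that is not Galaxy's code: the MemoryVault backend, its dict store and the normalize_key helper are assumptions.

```python
from abc import ABC, abstractmethod
from typing import Dict, List, Optional

# Added example, not Galaxy's code: an in-memory Vault obeying the contract
# above (immediate subkeys only, optional trailing slash) plus a prefix wrapper.

class Vault(ABC):
    @abstractmethod
    def read_secret(self, key: str) -> Optional[str]: ...
    @abstractmethod
    def write_secret(self, key: str, value: str) -> None: ...
    @abstractmethod
    def list_secrets(self, key: str) -> List[str]: ...

def normalize_key(key: str) -> str:
    """Absolute path with the optional trailing slash removed; rejects empty or '..' segments."""
    parts = key.strip("/").split("/")
    if any(p in ("", ".", "..") for p in parts):
        raise ValueError(f"invalid vault key: {key!r}")
    return "/" + "/".join(parts)

class MemoryVault(Vault):
    def __init__(self) -> None:
        self._store: Dict[str, str] = {}  # hypothetical backend: a plain dict
    def read_secret(self, key: str) -> Optional[str]:
        return self._store.get(normalize_key(key))
    def write_secret(self, key: str, value: str) -> None:
        self._store[normalize_key(key)] = value
    def list_secrets(self, key: str) -> List[str]:
        prefix = normalize_key(key) + "/"
        children: List[str] = []
        for path in sorted(self._store):
            if path.startswith(prefix):
                child = prefix + path[len(prefix):].split("/")[0]
                if child not in children:  # one entry per immediate subkey
                    children.append(child)
        return children

class VaultKeyPrefixWrapper(Vault):
    def __init__(self, vault: Vault, prefix: str) -> None:
        self.vault, self.prefix = vault, normalize_key(prefix)
    def read_secret(self, key: str) -> Optional[str]:
        return self.vault.read_secret(self.prefix + normalize_key(key))
    def write_secret(self, key: str, value: str) -> None:
        self.vault.write_secret(self.prefix + normalize_key(key), value)
    def list_secrets(self, key: str) -> List[str]:
        # Strip the prefix again so callers never see the instance-level namespace.
        return [p[len(self.prefix):] for p in self.vault.list_secrets(self.prefix + normalize_key(key))]
```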

class galaxy.security.vault.VaultFactory[source]

Bases: object

static load_vault_config(vault_conf_yml: str) dict | None[source]
static from_vault_type(app, vault_type: str | None, cfg: dict) Vault[source]
static from_app(app) Vault[source]