galaxy.security package

Galaxy Security

class galaxy.security.Action(action: str, description: str, model: typing_extensions.Literal[grant, restrict])[source]

Bases: object

__init__(action: str, description: str, model: typing_extensions.Literal[grant, restrict])[source]

action: str

description: str

model: typing_extensions.Literal[grant, restrict]

class galaxy.security.RBACAgent[source]

Bases: object

Class that handles galaxy security

permitted_actions = <galaxy.util.bunch.Bunch object>

get_action(name: str, default: Action | None = None) → Action | None[source]: Get a permitted action by its dict key or action name

get_actions() → List[Action][source]: Get all permitted actions as a list of Action objects

get_item_actions(action, item)[source]

guess_derived_permissions_for_datasets(datasets=None)[source]

can_access_dataset(roles, dataset)[source]

can_manage_dataset(roles, dataset)[source]

can_access_library(roles, library)[source]

can_add_library_item(roles, item)[source]

can_modify_library_item(roles, item)[source]

can_change_object_store_id(user, dataset)[source]

can_manage_library_item(roles, item)[source]

associate_components(**kwd)[source]

create_private_user_role(user)[source]

get_private_user_role(user)[source]

user_set_default_permissions(user, permissions=None, history=False, dataset=False)[source]

history_set_default_permissions(history, permissions=None, dataset=False, bypass_manage_permission=False)[source]

set_all_dataset_permissions(dataset, permissions, new=False)[source]

set_dataset_permission(dataset, permission)[source]

set_all_library_permissions(trans, dataset, permissions)[source]

set_library_item_permission(library_item, permission)[source]

library_is_public(library)[source]

make_library_public(library)[source]

get_accessible_libraries(trans, user)[source]

get_permitted_libraries(trans, user, actions)[source]

folder_is_public(library)[source]

make_folder_public(folder, count=0)[source]

dataset_is_public(dataset)[source]

make_dataset_public(dataset)[source]

get_permissions(library_dataset)[source]

get_all_roles(trans, cntrller)[source]

get_legitimate_roles(trans, item, cntrller)[source]

derive_roles_from_access(trans, item_id, cntrller, library=False, **kwd)[source]

get_component_associations(**kwd)[source]

components_are_associated(**kwd)[source]

convert_permitted_action_strings(permitted_action_strings)[source]: When getting permitted actions from an untrusted source like a form, ensure that they match our actual permitted actions.

galaxy.security.get_permitted_actions(filter=None)[source]: Utility method to return a subset of RBACAgent’s permitted actions

Submodules

galaxy.security.idencoding module

class galaxy.security.idencoding.IdEncodingHelper(**config)[source]

Bases: object

__init__(**config)[source]

encode_id(obj_id, kind=None, strict_integer=False)[source]

encode_dict_ids(a_dict, kind=None, skip_startswith=None)[source]: Encode all ids in dictionary. Ids are identified by (a) an ‘id’ key or (b) a key that ends with ‘_id’

encode_all_ids(rval, recursive=False)[source]: Encodes all integer values in the dict rval whose keys are ‘id’ or end with ‘_id’ excluding tool_id which are consumed and produced as is via the API.

decode_id(obj_id, kind=None, object_name: str | None = None)[source]

encode_guid(session_key)[source]

decode_guid(session_key: bytes | str) → str[source]

get_new_guid()[source]

class galaxy.security.idencoding.IdAsLowercaseAlphanumEncodingHelper(security: IdEncodingHelper)[source]

Bases: object

Helper class to encode IDs as lowercase alphanumeric strings, and vice versa

__init__(security: IdEncodingHelper)[source]

encode_id(id: int) → str[source]

decode_id(id: str) → int[source]

galaxy.security.object_wrapper module

Classes for wrapping Objects and Sanitizing string output.

galaxy.security.object_wrapper.coerce(x, y)[source]

galaxy.security.object_wrapper.cmp(x, y)[source]

galaxy.security.object_wrapper.sanitize_lists_to_string(values, valid_characters={' ', '!', '(', ')', '*', '+', ',', '-', '.', '/', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', ':', '=', '?', '@', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '^', '_', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z'}, character_map={'\t': '__tc__', '\n': '__cn__', '\r': '__cr__', '"': '__dq__', '#': '__pd__', "'": '__sq__', '<': '__lt__', '>': '__gt__', '[': '__ob__', ']': '__cb__', '{': '__oc__', '}': '__cc__'}, invalid_character='X')[source]

galaxy.security.object_wrapper.wrap_with_safe_string(value, no_wrap_classes=None)[source]: Recursively wrap values that should be wrapped.

class galaxy.security.object_wrapper.SafeStringWrapper(*arg, **kwd)[source]

Bases: object

Class that wraps and sanitizes any provided value’s attributes that will attempt to be cast into a string.

Attempts to mimic behavior of original class, including operands.

To ensure proper handling of e.g. subclass checks, the wrap_with_safe_string() method should be used.

This wrapping occurs in a recursive/parasitic fashion, as all called attributes of the originally wrapped object will also be wrapped and sanitized, unless the attribute is of a type found in __DONT_SANITIZE_TYPES__ + __DONT_WRAP_TYPES__, where e.g. ~(strings will still be sanitized, but not wrapped), and e.g. integers will have neither.

__init__(value, safe_string_wrapper_function=<function wrap_with_safe_string>)[source]

class galaxy.security.object_wrapper.CallableSafeStringWrapper(*arg, **kwd)[source]: Bases: SafeStringWrapper

galaxy.security.object_wrapper.pickle_SafeStringWrapper(safe_object)[source]

galaxy.security.passwords module

galaxy.security.passwords.hash_password(password)[source]: Hash a password, currently will use the PBKDF2 scheme.

galaxy.security.passwords.check_password(guess, hashed)[source]: Check a hashed password. Supports either PBKDF2 if the hash is prefixed with that string, or sha1 otherwise.

galaxy.security.passwords.hash_password_PBKDF2(password)[source]

galaxy.security.passwords.check_password_PBKDF2(guess, hashed)[source]

galaxy.security.passwords.pbkdf2_bin(data, salt, iterations=100000, keylen=24, hashfunc='sha256')[source]: Returns a binary digest for the PBKDF2 hash algorithm of data with the given salt. It iterates iterations time and produces a key of keylen bytes. By default SHA-256 is used as hash function, a different hashlib hashfunc can be provided.

galaxy.security.ssh_util module

class galaxy.security.ssh_util.SSHKeys(private_key, public_key, private_key_file, public_key_file)[source]

Bases: tuple

private_key: bytes: Alias for field number 0

public_key: bytes: Alias for field number 1

private_key_file: str: Alias for field number 2

public_key_file: str: Alias for field number 3

galaxy.security.ssh_util.generate_ssh_keys() → SSHKeys[source]: Returns a named tuple with private and public key and their paths.

galaxy.security.validate_user_input module

Utilities for validating inputs related to user objects.

The validate_* methods in this file return simple messages that do not contain user inputs - so these methods do not need to be escaped.

galaxy.security.validate_user_input.validate_email_str(email)[source]: Validates a string containing an email address.

galaxy.security.validate_user_input.validate_password_str(password)[source]

galaxy.security.validate_user_input.validate_publicname_str(publicname)[source]: Validates a string containing a public username.

galaxy.security.validate_user_input.validate_email(trans, email, user=None, check_dup=True, allow_empty=False, validate_domain=False)[source]: Validates the email format, also checks whether the domain is blocklisted in the disposable domains configuration.

galaxy.security.validate_user_input.validate_email_domain_name(domain: str) → LiteralString[source]

galaxy.security.validate_user_input.extract_domain(email, base_only=False)[source]

galaxy.security.validate_user_input.validate_publicname(trans, publicname, user=None)[source]: Check that publicname respects the minimum and maximum string length, the allowed characters, and that the username is not taken already.

galaxy.security.validate_user_input.transform_publicname(publicname)[source]: Transform publicname to respect the minimum and maximum string length, and the allowed characters. FILL_CHAR is used to extend or replace characters.

galaxy.security.validate_user_input.validate_password(trans, password, confirm)[source]

galaxy.security.validate_user_input.validate_preferred_object_store_id(trans, object_store: ObjectStore, preferred_object_store_id: str | None) → str[source]

galaxy.security.vault module

exception galaxy.security.vault.InvalidVaultConfigException[source]: Bases: Exception

exception galaxy.security.vault.InvalidVaultKeyException[source]: Bases: Exception

class galaxy.security.vault.Vault[source]

Bases: ABC

A simple abstraction for reading/writing from external vaults.

abstract read_secret(key: str) → str | None[source]

Reads a secret from the vault.

Parameters:: key – The key to read. Typically a hierarchical path such as /galaxy/user/1/preferences/editor
Returns:: The string value stored at the key, such as ‘ace_editor’.

abstract write_secret(key: str, value: str) → None[source]

Write a secret to the vault.

Parameters:

key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor
value – The value to write, such as ‘vscode’

Returns:

abstract list_secrets(key: str) → List[str][source]

Lists secrets at a given path.

Parameters:: key – The key prefix to list. e.g. /galaxy/user/1/preferences. A trailing slash is optional.
Returns:: The list of subkeys at path. e.g. [‘/galaxy/user/1/preferences/editor`, ‘/galaxy/user/1/preferences/storage`] Note that only immediate subkeys are returned.

delete_secret(key: str) → None[source]

Eliminate a secret from the target vault.

Ideally the entry in the target source if removed, but by default the secret is simply overwritten with the empty string as its value.

Parameters:

key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor
value – The value to write, such as ‘vscode’

Returns:

class galaxy.security.vault.NullVault[source]

Bases: Vault

read_secret(key: str) → str | None[source]

Reads a secret from the vault.

Parameters:: key – The key to read. Typically a hierarchical path such as /galaxy/user/1/preferences/editor
Returns:: The string value stored at the key, such as ‘ace_editor’.

write_secret(key: str, value: str) → None[source]

Write a secret to the vault.

Parameters:

key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor
value – The value to write, such as ‘vscode’

Returns:

list_secrets(key: str) → List[str][source]

Lists secrets at a given path.

Parameters:: key – The key prefix to list. e.g. /galaxy/user/1/preferences. A trailing slash is optional.
Returns:: The list of subkeys at path. e.g. [‘/galaxy/user/1/preferences/editor`, ‘/galaxy/user/1/preferences/storage`] Note that only immediate subkeys are returned.

class galaxy.security.vault.HashicorpVault(config)[source]

Bases: Vault

__init__(config)[source]

read_secret(key: str) → str | None[source]

Reads a secret from the vault.

Parameters:: key – The key to read. Typically a hierarchical path such as /galaxy/user/1/preferences/editor
Returns:: The string value stored at the key, such as ‘ace_editor’.

write_secret(key: str, value: str) → None[source]

Write a secret to the vault.

Parameters:

key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor
value – The value to write, such as ‘vscode’

Returns:

list_secrets(key: str) → List[str][source]

Lists secrets at a given path.

Parameters:: key – The key prefix to list. e.g. /galaxy/user/1/preferences. A trailing slash is optional.
Returns:: The list of subkeys at path. e.g. [‘/galaxy/user/1/preferences/editor`, ‘/galaxy/user/1/preferences/storage`] Note that only immediate subkeys are returned.

class galaxy.security.vault.DatabaseVault(sa_session, config)[source]

Bases: Vault

__init__(sa_session, config)[source]

read_secret(key: str) → str | None[source]

Reads a secret from the vault.

Parameters:: key – The key to read. Typically a hierarchical path such as /galaxy/user/1/preferences/editor
Returns:: The string value stored at the key, such as ‘ace_editor’.

write_secret(key: str, value: str) → None[source]

Write a secret to the vault.

Parameters:

key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor
value – The value to write, such as ‘vscode’

Returns:

delete_secret(key: str) → None[source]

Eliminate a secret from the target vault.

Ideally the entry in the target source if removed, but by default the secret is simply overwritten with the empty string as its value.

Parameters:

key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor
value – The value to write, such as ‘vscode’

Returns:

list_secrets(key: str) → List[str][source]

Lists secrets at a given path.

Parameters:: key – The key prefix to list. e.g. /galaxy/user/1/preferences. A trailing slash is optional.
Returns:: The list of subkeys at path. e.g. [‘/galaxy/user/1/preferences/editor`, ‘/galaxy/user/1/preferences/storage`] Note that only immediate subkeys are returned.

class galaxy.security.vault.CustosVault(config)[source]

Bases: Vault

__init__(config)[source]

read_secret(key: str) → str | None[source]

Reads a secret from the vault.

Parameters:: key – The key to read. Typically a hierarchical path such as /galaxy/user/1/preferences/editor
Returns:: The string value stored at the key, such as ‘ace_editor’.

write_secret(key: str, value: str) → None[source]

Write a secret to the vault.

Parameters:

key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor
value – The value to write, such as ‘vscode’

Returns:

list_secrets(key: str) → List[str][source]

Lists secrets at a given path.

Parameters:: key – The key prefix to list. e.g. /galaxy/user/1/preferences. A trailing slash is optional.
Returns:: The list of subkeys at path. e.g. [‘/galaxy/user/1/preferences/editor`, ‘/galaxy/user/1/preferences/storage`] Note that only immediate subkeys are returned.

class galaxy.security.vault.UserVaultWrapper(vault: Vault, user)[source]

Bases: Vault

__init__(vault: Vault, user)[source]

read_secret(key: str) → str | None[source]

Reads a secret from the vault.

Parameters:: key – The key to read. Typically a hierarchical path such as /galaxy/user/1/preferences/editor
Returns:: The string value stored at the key, such as ‘ace_editor’.

write_secret(key: str, value: str) → None[source]

Write a secret to the vault.

Parameters:

key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor
value – The value to write, such as ‘vscode’

Returns:

list_secrets(key: str) → List[str][source]

Lists secrets at a given path.

Parameters:: key – The key prefix to list. e.g. /galaxy/user/1/preferences. A trailing slash is optional.
Returns:: The list of subkeys at path. e.g. [‘/galaxy/user/1/preferences/editor`, ‘/galaxy/user/1/preferences/storage`] Note that only immediate subkeys are returned.

class galaxy.security.vault.VaultKeyValidationWrapper(vault: Vault)[source]

Bases: Vault

A decorator to standardize and validate vault key paths

__init__(vault: Vault)[source]

static validate_key(key)[source]

normalize_key(key)[source]

read_secret(key: str) → str | None[source]

Reads a secret from the vault.

Parameters:: key – The key to read. Typically a hierarchical path such as /galaxy/user/1/preferences/editor
Returns:: The string value stored at the key, such as ‘ace_editor’.

write_secret(key: str, value: str) → None[source]

Write a secret to the vault.

Parameters:

key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor
value – The value to write, such as ‘vscode’

Returns:

list_secrets(key: str) → List[str][source]

Lists secrets at a given path.

Parameters:: key – The key prefix to list. e.g. /galaxy/user/1/preferences. A trailing slash is optional.
Returns:: The list of subkeys at path. e.g. [‘/galaxy/user/1/preferences/editor`, ‘/galaxy/user/1/preferences/storage`] Note that only immediate subkeys are returned.

class galaxy.security.vault.VaultKeyPrefixWrapper(vault: Vault, prefix: str)[source]

Bases: Vault

Adds a prefix to all vault keys, such as the galaxy instance id

__init__(vault: Vault, prefix: str)[source]

read_secret(key: str) → str | None[source]

Reads a secret from the vault.

Parameters:: key – The key to read. Typically a hierarchical path such as /galaxy/user/1/preferences/editor
Returns:: The string value stored at the key, such as ‘ace_editor’.

write_secret(key: str, value: str) → None[source]

Write a secret to the vault.

Parameters:

key – The key to write to. Typically a hierarchical path such as /galaxy/user/1/preferences/editor
value – The value to write, such as ‘vscode’

Returns:

list_secrets(key: str) → List[str][source]

Lists secrets at a given path.

Parameters:: key – The key prefix to list. e.g. /galaxy/user/1/preferences. A trailing slash is optional.
Returns:: The list of subkeys at path. e.g. [‘/galaxy/user/1/preferences/editor`, ‘/galaxy/user/1/preferences/storage`] Note that only immediate subkeys are returned.

class galaxy.security.vault.VaultFactory[source]

Bases: object

static load_vault_config(vault_conf_yml: str) → dict | None[source]

static from_vault_type(app, vault_type: str | None, cfg: dict) → Vault[source]

static from_app(app) → Vault[source]

galaxy.security.vault.is_vault_configured(vault: Vault) → bool[source]