User authentication using OpenID Connect protocol

config/galaxy.ini.sample

@@ -1134,6 +1134,11 @@ use_interactive = True
 #openid_config_file = config/openid_conf.xml
 #openid_consumer_cache_path = database/openid_consumer_cache
 
+# Sets OAuth2.0 the path to client secret file. Note that this file should be
+# on a path inaccessible to public.
+#enable_oauth2 = True
+#oauth2_config_file = config/oauth2_config.xml
+
 # XML config file that allows the use of different authentication providers
 # (e.g. LDAP) instead or in addition to local authentication (.sample is used
 # if default does not exist).

config/oauth2_config.xml.sample

@@ -0,0 +1,8 @@
+<?xml version="1.0"?>
+<OAuth2.0>
+    <provider name="Google">
+        <!-- Keep the client_secret file on a path inaccessible to public.  -->
+        <client_secret_file>./oauth2/client_secret.json</client_secret_file>
+        <redirect_uri>https://usegalaxy.org/oauth2callback/google</redirect_uri>
+    </provider>
+</OAuth2.0>

lib/galaxy/app.py

@@ -172,6 +172,9 @@ def __init__(self, **kwargs):
                 )
                 self.heartbeat.daemon = True
                 self.application_stack.register_postfork_function(self.heartbeat.start)
+        if self.config.enable_oauth2:
+            from galaxy import authnz
+            self.authnz_manager = authnz.AuthnzManager(self.config.oauth2_config)
         self.sentry_client = None
         if self.config.sentry_dsn:
 

lib/galaxy/authnz/__init__.py

@@ -0,0 +1,138 @@
+"""
+Contains implementations for authentication and authorization against third-party
+OAuth2.0 authorization servers and OpenID Connect Identity providers.
+
+This package follows "authorization code flow" authentication protocol to authenticate
+Galaxy users against third-party identity providers.
+
+Additionally, this package implements functionalist's to request temporary access
+credentials for cloud-based resource providers (e.g., Amazon AWS, Microsoft Azure).
+"""
+
+import logging
+import xml.etree.ElementTree as ET
+from xml.etree.ElementTree import ParseError
+
+log = logging.getLogger(__name__)
+
+
+class IdentityProvider(object):
+    """
+    OpenID Connect Identity Provider abstract interface.
+    """
+
+    def __init__(self, config):
+        """
+        Initialize the identity provider using the provided configuration,
+        and raise a ParseError (or any more related specific exception) in
+        case the configuration is malformed.
+
+        :type config: xml.etree.ElementTree.Element
+        :param config: Is the configuration element of the provider
+            from the configuration file (e.g., OAuth2_config.xml).
+            This element contains the all the provider-specific
+            configuration elements.
+        """
+        raise NotImplementedError()
+
+    def authenticate(self, trans):
+        """Runs for authentication process. Checks the database if a
+        valid identity exists in the database; if yes, then the  user
+        is authenticated, if not, it generates a provider-specific
+        authentication flow and returns redirect URI to the controller.
+
+        :type trans: GalaxyWebTransaction
+        :param trans: Galaxy web transaction.
+
+        :return: a redirect URI to the provider's authentication
+            endpoint.
+        """
+        raise NotImplementedError()
+
+    def callback(self, state_token, authz_code, trans):
+        """
+        Handles authentication call-backs from identity providers.
+        This process maps `state-token` to a user
+        :type state_token: string
+        :param state_token: is an anti-forgery token which identifies
+            a Galaxy user to whom the given authorization code belongs to.
+        :type authz_code: string
+        :param authz_code: a very short-lived, single-use token to
+            request a refresh token.
+        :type trans: GalaxyWebTransaction
+        :param trans: Galaxy web transaction.
+        :return boolean:
+            True: if callback is handled successfully.
+            False: if processing callback fails, then Galaxy attempts re-authentication.
+        """
+        raise NotImplementedError()
+
+
+class AuthnzManager(object):
+
+    def __init__(self, config):
+        """
+        :type config: string
+        :param config: sets the path for OAuth2.0 configuration
+            file (e.g., OAuth2_config.xml).
+        """
+        self._parse_config(config)
+
+    def _parse_config(self, config):
+        self.providers = {}
+        try:
+            tree = ET.parse(config)
+            root = tree.getroot()
+            if root.tag != 'OAuth2.0':
+                raise ParseError("The root element in OAuth2.0 config xml file is expected to be `OAuth2.0`, "
+                                 "found `{}` instead -- unable to continue.".format(root.tag))
+            for child in root:
+                if child.tag != 'provider':
+                    log.error("Expect a node with `provider` tag, found a node with `{}` tag instead; "
+                              "skipping the node.".format(child.tag))
+                    continue
+                if 'name' not in child.attrib:
+                    log.error("Could not find a node attribute 'name'; skipping the node '{}'.".format(child.tag))
+                    continue
+                provider = child.get('name')
+                try:
+                    if provider == 'Google':
+                        from .oidc_idp_google import OIDCIdPGoogle
+                        self.providers[provider] = OIDCIdPGoogle(child)
+                except ParseError:
+                    log.error("Could not initialize `{}` identity provider; skipping this node.".format(provider))
+                    continue
+            if len(self.providers) == 0:
+                raise ParseError("No valid provider configuration parsed.")
+        except ImportError:
+            raise
+        except ParseError as e:
+            raise ParseError("Invalid configuration at `{}`: {} -- unable to continue.".format(config, e.message))
+        except Exception:
+            raise ParseError("Malformed OAuth2.0 Configuration XML -- unable to continue.")
+
+    def authenticate(self, provider, trans):
+        """
+        :type provider: string
+        :param provider: set the name of the identity provider to be
+            used for authentication flow.
+        :type trans: GalaxyWebTransaction
+        :param trans: Galaxy web transaction.
+        :return: an identity provider specific authentication redirect URI.
+        """
+        if provider in self.providers:
+            try:
+                return self.providers[provider].authenticate(trans)
+            except:
+                raise
+        else:
+            log.error("The provider '{}' is not a recognized and expected provider.".format(provider))
+
+    def callback(self, provider, state_token, authz_code, trans):
+        if provider in self.providers:
+            try:
+                return self.providers[provider].callback(state_token, authz_code, trans)
+            except:
+                raise
+        else:
+            raise NameError("The provider '{}' is not a recognized and expected provider.".format(provider))

lib/galaxy/authnz/oidc_idp_google.py

@@ -0,0 +1,136 @@
+"""
+Contains implementations for authentication and authorization against Google identity provider.
+
+This package follows "authorization code flow" authentication protocol to authenticate
+Galaxy users against third-party identity providers.
+
+"""
+
+import logging
+import httplib2
+import hashlib
+import json
+from xml.etree.ElementTree import ParseError
+from datetime import datetime
+from datetime import timedelta
+from ..authnz import IdentityProvider
+from oauth2client import client, GOOGLE_TOKEN_URI, GOOGLE_REVOKE_URI
+
+
+log = logging.getLogger(__name__)
+
+
+class OIDCIdPGoogle(IdentityProvider):
+    def __init__(self, config):
+        client_secret_file = config.find('client_secret_file')
+        if client_secret_file is None:
+            log.error("Did not find `client_secret_file` key in the configuration; skipping the node '{}'."
+                      .format(config.get('name')))
+            raise ParseError
+        redirect_uri = config.find('redirect_uri')
+        if redirect_uri is None:
+            log.error("Did not find `redirect_uri` key in the configuration; skipping the node '{}'."
+                      .format(config.get('name')))
+            raise ParseError
+        self.provider = 'Google'
+        self.client_secret_file = client_secret_file.text
+        self.redirect_uri = redirect_uri.text
+
+    def _redirect_uri(self, trans):
+        # Prepare authentication flow.
+        flow = client.flow_from_clientsecrets(
+            self.client_secret_file,
+            scope=['openid', 'email', 'profile'],
+            redirect_uri=self.redirect_uri)
+        flow.params['access_type'] = 'offline'  # This asks google to send back a `refresh token`.
+        flow.params['prompt'] = 'consent'
+
+        # Include the following parameter only if we need 'incremental authorization',
+        # however, current application scenario does not seem to require it.
+        # flow.params['include_granted_scopes'] = "true"
+
+        # A anti-forgery state token. This token will be sent back from Google upon user authentication.
+        state_token = hashlib.sha256(str(trans.user.username)).hexdigest()
+        flow.params['state'] = state_token
+        user_oauth2 = trans.app.model.UserOAuth2(trans.user.id, self.provider, state_token)
+        trans.sa_session.add(user_oauth2)
+        trans.sa_session.flush()
+        return flow.step1_get_authorize_url()
+
+    def _refresh_access_token(self, trans, authn_record):  # TODO: handle `Bad Request` error
+        with open(self.client_secret_file) as file:
+            client_secret = json.load(file)['web']
+            credentials = client.OAuth2Credentials(
+                None, client_secret['client_id'], client_secret['client_secret'],
+                authn_record.refresh_token, None, GOOGLE_TOKEN_URI, None, revoke_uri=GOOGLE_REVOKE_URI)
+        credentials.refresh(httplib2.Http())
+        access_token = credentials.get_access_token()
+        authn_record.id_token = credentials.id_token_jwt
+        authn_record.access_token = access_token['access_token']
+        authn_record.expiration_date = datetime.now() + timedelta(seconds=access_token['expires_in'])
+        trans.sa_session.commit()
+        trans.sa_session.flush()
+
+    def authenticate(self, trans):
+        query_result = trans.sa_session.query(
+            trans.app.model.UserOAuth2).filter(
+            trans.app.model.UserOAuth2.table.c.user_id == trans.user.id).filter(
+            trans.app.model.UserOAuth2.table.c.provider == self.provider)
+        if query_result.count() == 1:
+            authn_record = query_result.first()
+            if authn_record.expiration_date is not None \
+                    and authn_record.expiration_date < datetime.now() + timedelta(minutes=15):
+                self._refresh_access_token(trans, authn_record)
+        elif query_result.count() > 1:
+            log.critical(
+                "Found `{}` records for user `{}` authentication against `{}` identity provider; at most one "
+                "record should exist. Now deleting all the `{}` records and prompt re-authentication.".format(
+                    query_result.count(), trans.user.username, self.provider, query_result.count()))
+            for record in query_result:
+                trans.sa_session.delete(record)
+            trans.sa_session.flush()
+        return self._redirect_uri(trans)
+
+    def callback(self, state_token, authz_code, trans):
+        query_result = trans.sa_session.query(trans.app.model.UserOAuth2).filter(
+            trans.app.model.UserOAuth2.table.c.provider == self.provider).filter(
+            trans.app.model.UserOAuth2.table.c.state_token == state_token)
+        if query_result.count() > 1:
+            log.critical(
+                "Found `{}` records for user `{}` authentication against `{}` identity provider; at most one "
+                "record should exist. Now deleting all the `{}` records and prompt re-authentication.".format(
+                    query_result.count(), trans.user.username, self.provider, query_result.count()))
+            for record in query_result:
+                trans.sa_session.delete(record)
+            trans.sa_session.flush()
+            return False  # results in re-authentication.
+        if query_result.count() == 0:
+            log.critical("Found `0` records for user `{}` authentication against `{}` identity provider; "
+                         "an improperly initiated authentication flow. Now prompting re-authentication."
+                         .format(trans.user.username, self.provider))
+            return False  # results in re-authentication.
+            # A callback should follow a request from Galaxy; and if a request was (successfully) made by Galaxy,
+            # the a record in the `galaxy_user_oauth2` table with valid `user_id`, `provider`, and `state_token`
+            # should exist (see _redirect_uri function). Since such record does not exist, Galaxy should not
+            # trust the token, and does not attempt to associate with a user. Alternatively, we could linearly scan
+            # the users table and find a username which creates a `state_token` matching the received `state_token`,
+            # but it is safer to retry authentication instead.
+        # Prepare authentication flow.
+        flow = client.flow_from_clientsecrets(
+            self.client_secret_file,
+            scope=['openid', 'email', 'profile'],
+            redirect_uri=self.redirect_uri)
+        # Exchanges an authorization code for OAuth2Credentials.
+        # The credentials object holds refresh and access tokens
+        # that authorize access to a single user's data.
+        credentials = flow.step2_exchange(authz_code)
+        access_token_info = credentials.get_access_token()
+        user_oauth_record = query_result.first()
+        user_oauth_record.id_token = credentials.id_token_jwt
+        user_oauth_record.refresh_token = credentials.refresh_token
+        user_oauth_record.expiration_date = datetime.now() + timedelta(seconds=access_token_info.expires_in)
+        user_oauth_record.access_token = access_token_info.access_token
+        trans.sa_session.flush()
+        log.debug("User `{}` authentication against `Google` identity provider is successfully saved."
+                  .format(trans.user.username))
+        return True

lib/galaxy/config.py

@@ -155,6 +155,9 @@ def __init__(self, **kwargs):
         self.tool_data_path = resolve_path(kwargs.get("tool_data_path", "tool-data"), os.getcwd())
         self.builds_file_path = resolve_path(kwargs.get("builds_file_path", os.path.join(self.tool_data_path, 'shared', 'ucsc', 'builds.txt')), self.root)
         self.len_file_path = resolve_path(kwargs.get("len_file_path", os.path.join(self.tool_data_path, 'shared', 'ucsc', 'chrom')), self.root)
+        # Galaxy OAuth2.0 settings.
+        self.enable_oauth2 = kwargs.get("enable_oauth2", False)
+        self.oauth2_config = kwargs.get("oauth2_config_file", None)
         # The value of migrated_tools_config is the file reserved for containing only those tools that have been eliminated from the distribution
         # and moved to the tool shed.
         self.integrated_tool_panel_config = resolve_path(kwargs.get('integrated_tool_panel_config', 'integrated_tool_panel.xml'), self.root)

lib/galaxy/dependencies/pinned-requirements.txt

@@ -80,4 +80,8 @@ pysam==0.8.4+gx5
 chronos-python==0.38.0
 
 # GenomeSpace dependencies
-python-genomespaceclient==0.1.8
+python-genomespaceclient==0.1.8
+
+# OpendID Connect & OAuth2.0
+httplib2==0.10.3
+oauth2client==4.1.2

lib/galaxy/model/__init__.py

@@ -4984,6 +4984,17 @@ def __init__(self, user=None, session=None, openid=None):
         self.openid = openid
 
 
+class UserOAuth2(object):
+    def __init__(self, user_id, provider, state_token, id_token=None, refresh_token=None, expiration_date=None, access_token=None):
+        self.user_id = user_id
+        self.provider = provider
+        self.state_token = state_token
+        self.id_token = id_token
+        self.refresh_token = refresh_token
+        self.expiration_date = expiration_date
+        self.access_token = access_token
+
+
 class Page(object, Dictifiable):
     dict_element_visible_keys = ['id', 'title', 'latest_revision_id', 'slug', 'published', 'importable', 'deleted']
 

lib/galaxy/model/mapping.py

@@ -90,6 +90,17 @@
     Column("openid", TEXT, index=True, unique=True),
     Column("provider", TrimmedString(255)))
 
+model.UserOAuth2.table = Table(
+    "galaxy_user_oauth2", metadata,
+    Column("id", Integer, primary_key=True),
+    Column("user_id", Integer, ForeignKey("galaxy_user.id"), nullable=False, index=True),
+    Column("provider", String, nullable=False),
+    Column("state_token", String, nullable=False, index=True),
+    Column("id_token", String),
+    Column("refresh_token", String),
+    Column("expiration_date", DateTime),
+    Column("access_token", String))
+
 model.PasswordResetToken.table = Table(
     "password_reset_token", metadata,
     Column("token", String(32), primary_key=True, unique=True, index=True),
@@ -1577,6 +1588,11 @@ def simple_mapping(model, **kwds):
         order_by=desc(model.UserOpenID.table.c.update_time))
 ))
 
+mapper(model.UserOAuth2, model.UserOAuth2.table, properties=dict(
+    user=relation(model.User,
+        primaryjoin=(model.UserOAuth2.table.c.user_id == model.User.table.c.id))
+))
+
 mapper(model.ValidationError, model.ValidationError.table)
 
 simple_mapping(model.HistoryDatasetAssociation,