galaxyproject · martenson · Apr 11, 2018 · Aug 7, 2017 · Aug 8, 2017 · Aug 8, 2017
diff --git a/config/galaxy.yml.sample b/config/galaxy.yml.sample
@@ -1405,6 +1405,15 @@ galaxy:
   # If OpenID is enabled, consumer cache directory to use.
   #openid_consumer_cache_path: database/openid_consumer_cache
 
+  # Enables and disables OpenID Connect (OIDC) support.
+  #enable_oidc: false
+
+  # Sets the path to OIDC configuration file.
+  #oidc_config_file: config/oidc_config.xml
+
+  # Sets the path to OIDC backends configuration file.
+  #oidc_backends_config_file: config/oidc_backends_config.xml
+
   # XML config file that allows the use of different authentication
   # providers (e.g. LDAP) instead or in addition to local authentication
   # (.sample is used if default does not exist).

diff --git a/config/oidc_backends_config.xml.sample b/config/oidc_backends_config.xml.sample
@@ -0,0 +1,19 @@
+<?xml version="1.0"?>
+<OIDC>
+    <provider name="Google">
+        <client_id> ... </client_id>
+        <client_secret> ... </client_secret>
+        <redirect_uri>http://localhost:8080/authnz/google/callback</redirect_uri>
+
+        <!-- <prompt>select_account</prompt> -->
+        <!--The value of this parameter (i.e., prompt) specifies whether the Google authorization server should prompt
+         a galaxy user for (re)authorization and consent. The possible values are: `none`, `consent`, and
+         `select_account`. HOWEVER, DO NOT USE `none`, because it will cause authentication failure for new users.
+         see the following page for more information:
+         https://developers.google.com/identity/protocols/OpenIDConnect#prompt
+
+         If you want the consent screen to be shown to the new users only, and re-authorization happen without
+         asking for user's consent, then remove this attribute.
+        -->
+    </provider>
+</OIDC>
diff --git a/config/oidc_config.xml.sample b/config/oidc_config.xml.sample
@@ -0,0 +1,21 @@
+<?xml version="1.0"?>
+<!--
+Each Setter must have three attributes: Property, Value, and Type.
+
+- Property: sets the name of a Python Social Auth (PSA) configuration attribute that its value is set by the setter.
+
+- Value: sets a value for the property.
+
+- Type: sets the type of the value. Galaxy uses the specified type to cast the values of string type to their actual
+type. For instance, casts "False" -> False (string -> boolean). The value of the `Type` attribute should be a Python
+built-in type, which could be any of the following types: int; long; float; str; tuple; list; and dict.
+
+Note that the values of these attributes are case-sensitive.
+-->
+<OIDC>
+    <Setter Property="VERIFY_SSL" Value="False" Type="bool"/>
+    <Setter Property="REQUESTS_TIMEOUT" Value="3600" Type="float"/>
+    <!-- The unit of value is seconds -->
+    <Setter Property="ID_TOKEN_MAX_AGE" Value="3600" Type="float"/>
+    <!-- The unit of value is seconds -->
+</OIDC>
diff --git a/doc/source/admin/galaxy_options.rst b/doc/source/admin/galaxy_options.rst
@@ -2920,6 +2920,36 @@
 :Type: str
 
 
+~~~~~~~~~~~~~~~
+``enable_oidc``
+~~~~~~~~~~~~~~~
+
+:Description:
+    Enables and disables OpenID Connect (OIDC) support.
+:Default: ``false``
+:Type: bool
+
+
+~~~~~~~~~~~~~~~~~~~~
+``oidc_config_file``
+~~~~~~~~~~~~~~~~~~~~
+
+:Description:
+    Sets the path to OIDC configuration file.
+:Default: ``config/oidc_config.xml``
+:Type: str
+
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+``oidc_backends_config_file``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+:Description:
+    Sets the path to OIDC backends configuration file.
+:Default: ``config/oidc_backends_config.xml``
+:Type: str
+
+
 ~~~~~~~~~~~~~~~~~~~~
 ``auth_config_file``
 ~~~~~~~~~~~~~~~~~~~~

diff --git a/lib/galaxy/app.py b/lib/galaxy/app.py
@@ -183,6 +183,11 @@ def __init__(self, **kwargs):
                 )
                 self.heartbeat.daemon = True
                 self.application_stack.register_postfork_function(self.heartbeat.start)
+
+        if self.config.enable_oidc:
+            from galaxy.authnz import managers
+            self.authnz_manager = managers.AuthnzManager(self, self.config.oidc_config, self.config.oidc_backends_config)
+
         self.sentry_client = None
         if self.config.sentry_dsn:
 

diff --git a/lib/galaxy/authnz/__init__.py b/lib/galaxy/authnz/__init__.py
@@ -0,0 +1,68 @@
+"""
+Contains implementations for authentication and authorization against an
+OpenID Connect (OIDC) Identity Provider (IdP).
+
+This package follows "authorization code flow" authentication protocol to authenticate
+Galaxy users against third-party identity providers.
+
+Additionally, this package implements functionalist's to request temporary access
+credentials for cloud-based resource providers (e.g., Amazon AWS, Microsoft Azure).
+"""
+
+
+class IdentityProvider(object):
+    """
+    OpenID Connect Identity Provider abstract interface.
+    """
+
+    def __init__(self, provider, config):
+        """
+        Initialize the identity provider using the provided configuration,
+        and raise a ParseError (or any more related specific exception) in
+        case the configuration is malformed.
+
+        :type provider: string
+        :param provider: is the name of the identity provider (e.g., Google).
+
+        :type config: xml.etree.ElementTree.Element
+        :param config: Is the configuration element of the provider
+            from the configuration file (e.g., oidc_config.xml).
+            This element contains the all the provider-specific
+            configuration elements.
+        """
+        raise NotImplementedError()
+
+    def authenticate(self, provider, trans):
+        """Runs for authentication process. Checks the database if a
+        valid identity exists in the database; if yes, then the  user
+        is authenticated, if not, it generates a provider-specific
+        authentication flow and returns redirect URI to the controller.
+
+        :type trans: GalaxyWebTransaction
+        :param trans: Galaxy web transaction.
+
+        :return: a redirect URI to the provider's authentication
+            endpoint.
+        """
+        raise NotImplementedError()
+
+    def callback(self, state_token, authz_code, trans, login_redirect_url):
+        """
+        Handles authentication call-backs from identity providers.
+        This process maps `state-token` to a user
+        :type state_token: string
+        :param state_token: is an anti-forgery token which identifies
+            a Galaxy user to whom the given authorization code belongs to.
+        :type authz_code: string
+        :param authz_code: a very short-lived, single-use token to
+            request a refresh token.
+        :type trans: GalaxyWebTransaction
+        :param trans: Galaxy web transaction.
+        :return boolean:
+            True: if callback is handled successfully.
+            False: if processing callback fails, then Galaxy attempts re-authentication.
+        """
+        raise NotImplementedError()
+
+    def disconnect(self, provider, trans, disconnect_redirect_url=None):
+        raise NotImplementedError()
diff --git a/lib/galaxy/authnz/managers.py b/lib/galaxy/authnz/managers.py
@@ -0,0 +1,145 @@
+
+import importlib
+import logging
+import xml.etree.ElementTree as ET
+from xml.etree.ElementTree import ParseError
+
+from .psa_authnz import PSAAuthnz
+
+log = logging.getLogger(__name__)
+
+
+class AuthnzManager(object):
+
+    def __init__(self, app, oidc_config_file, oidc_backends_config_file):
+        """
+        :type app: galaxy.app.UniverseApplication
+        :param app:
+
+        :type config: string
+        :param config: sets the path for OIDC configuration
+            file (e.g., oidc_backends_config.xml).
+        """
+        self._parse_oidc_config(oidc_config_file)
+        self._parse_oidc_backends_config(oidc_backends_config_file)
+
+    def _parse_oidc_config(self, config_file):
+        self.oidc_config = {}
+        try:
+            tree = ET.parse(config_file)
+            root = tree.getroot()
+            if root.tag != 'OIDC':
+                raise ParseError("The root element in OIDC_Config xml file is expected to be `OIDC`, "
+                                 "found `{}` instead -- unable to continue.".format(root.tag))
+            for child in root:
+                if child.tag != 'Setter':
+                    log.error("Expect a node with `Setter` tag, found a node with `{}` tag instead; "
+                              "skipping this node.".format(child.tag))
+                    continue
+                if 'Property' not in child.attrib or 'Value' not in child.attrib or 'Type' not in child.attrib:
+                    log.error("Could not find the node attributes `Property` and/or `Value` and/or `Type`;"
+                              " found these attributes: `{}`; skipping this node.".format(child.attrib))
+                    continue
+                try:
+                    func = getattr(importlib.import_module('__builtin__'), child.get('Type'))
+                except AttributeError:
+                    log.error("The value of attribute `Type`, `{}`, is not a valid built-in type;"
+                              " skipping this node").format(child.get('Type'))
+                    continue
+                self.oidc_config[child.get('Property')] = func(child.get('Value'))
+        except ImportError:
+            raise
+        except ParseError as e:
+            raise ParseError("Invalid configuration at `{}`: {} -- unable to continue.".format(config_file, e.message))
+
+    def _parse_oidc_backends_config(self, config_file):
+        self.oidc_backends_config = {}
+        try:
+            tree = ET.parse(config_file)
+            root = tree.getroot()
+            if root.tag != 'OIDC':
+                raise ParseError("The root element in OIDC config xml file is expected to be `OIDC`, "
+                                 "found `{}` instead -- unable to continue.".format(root.tag))
+            for child in root:
+                if child.tag != 'provider':
+                    log.error("Expect a node with `provider` tag, found a node with `{}` tag instead; "
+                              "skipping the node.".format(child.tag))
+                    continue
+                if 'name' not in child.attrib:
+                    log.error("Could not find a node attribute 'name'; skipping the node '{}'.".format(child.tag))
+                    continue
+                idp = child.get('name').lower()
+                if idp == 'google':
+                    self.oidc_backends_config[idp] = self._parse_google_config(child)
+            if len(self.oidc_backends_config) == 0:
+                raise ParseError("No valid provider configuration parsed.")
+        except ImportError:
+            raise
+        except ParseError as e:
+            raise ParseError("Invalid configuration at `{}`: {} -- unable to continue.".format(config_file, e.message))
+        # except Exception as e:
+        #     raise Exception("Malformed OIDC Configuration XML -- unable to continue. {}".format(e.message))
+
+    def _parse_google_config(self, config_xml):
+        rtv = {
+            'client_id': config_xml.find('client_id').text,
+            'client_secret': config_xml.find('client_secret').text,
+            'redirect_uri': config_xml.find('redirect_uri').text}
+        if config_xml.find('prompt') is not None:
+            rtv['prompt'] = config_xml.find('prompt').text
+        return rtv
+
+    def _get_authnz_backend(self, provider):
+        provider = provider.lower()
+        if provider in self.oidc_backends_config:
+            try:
+                return True, "", PSAAuthnz(provider, self.oidc_config, self.oidc_backends_config[provider])
+            except Exception as e:
+                log.exception('An error occurred when loading PSAAuthnz: ', str(e))
+                return False, str(e), None
+        else:
+            msg = 'The requested identity provider, `{}`, is not a recognized/expected provider'.format(provider)
+            log.debug(msg)
+            return False, msg, None
+
+    def authenticate(self, provider, trans):
+        """
+        :type provider: string
+        :param provider: set the name of the identity provider to be
+            used for authentication flow.
+        :type trans: GalaxyWebTransaction
+        :param trans: Galaxy web transaction.
+        :return: an identity provider specific authentication redirect URI.
+        """
+        try:
+            success, message, backend = self._get_authnz_backend(provider)
+            if success is False:
+                return False, message, None
+            return True, "Redirecting to the `{}` identity provider for authentication".format(provider), backend.authenticate(trans)
+        except Exception as e:
+            msg = 'An error occurred when authenticating a user on `{}` identity provider: {}'.format(provider, str(e))
+            log.exception(msg)
+            return False, msg, None
+
+    def callback(self, provider, state_token, authz_code, trans, login_redirect_url):
+        try:
+            success, message, backend = self._get_authnz_backend(provider)
+            if success is False:
+                return False, message, (None, None)
+            return True, message, backend.callback(state_token, authz_code, trans, login_redirect_url)
+        except Exception as e:
+            msg = 'An error occurred when handling callback from `{}` identity provider; {}'.format(provider, str(e))
+            log.exception(msg)
+            return False, msg, (None, None)
+
+    def disconnect(self, provider, trans, disconnect_redirect_url=None):
+        try:
+            success, message, backend = self._get_authnz_backend(provider)
+            if success is False:
+                return False, message, None
+            return backend.disconnect(provider, trans, disconnect_redirect_url)
+        except Exception as e:
+            msg = 'An error occurred when disconnecting authentication with `{}` identity provider for user `{}`; ' \
+                  '{}'.format(provider, trans.user.username, str(e))
+            log.exception(msg)
+            return False, msg, None