Commit 9709c1d8 authored by Yakubov, Sergey

format code

parent edf48be9
+0 −1
@@ -807,7 +807,6 @@ class UniverseApplication(StructuredApp, GalaxyManagerApplication):
                self.application_stack.register_postfork_function(self.refresh_oidc_tokens_task.start)
                self.haltables.append(("RefreshOIDCTokensTask", self.refresh_oidc_tokens_task.shutdown))


            # If there is only a single external authentication provider in use
            # TODO: Future work will expand on this and provide an interface for
            # multiple auth providers allowing explicit authenticated association.
+6 −3
@@ -141,7 +141,9 @@ class OIDCAuthnzBase(IdentityProvider):
            "refresh_token": custos_authnz_token.refresh_token,
        }

        log.debug(f"Refreshing user token for {custos_authnz_token.external_user_id} via `{custos_authnz_token.provider}` identity provider")
        log.debug(
            f"Refreshing user token for {custos_authnz_token.external_user_id} via `{custos_authnz_token.provider}` identity provider"
        )
        token = oauth2_session.refresh_token(token_endpoint, **params)
        processed_token = self._process_token_after_refresh(token)

@@ -158,7 +160,9 @@ class OIDCAuthnzBase(IdentityProvider):
        with transaction(sa_session):
            sa_session.commit()

        log.debug(f"Refreshed user token for {custos_authnz_token.external_user_id} via `{custos_authnz_token.provider}` identity provider")
        log.debug(
            f"Refreshed user token for {custos_authnz_token.external_user_id} via `{custos_authnz_token.provider}` identity provider"
        )

        return True

@@ -203,7 +207,6 @@ class OIDCAuthnzBase(IdentityProvider):
        )
        return processed_token


    def _process_token(self, trans, oauth2_session, token, validate_nonce=True):
        processed_token = {}
        processed_token["access_token"] = token["access_token"]
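Review bot: The two rewrapped `log.debug` calls, one before the `oauth2_session.refresh_token(...)` request and one after the commit, still build their message with an f-string. The message is therefore formatted even when debug logging is off, and `external_user_id` (presumably supplied by the identity provider) is written into the log exactly as received. Passing the values as logging arguments defers formatting and keeps the message template constant for log search: ``log.debug("Refreshing user token for %s via `%s` identity provider", custos_authnz_token.external_user_id, custos_authnz_token.provider)``. The same pattern appears in the `PSAAuthnz` refresh hunk with `user_authnz_token.uid`. The enclosing method starts and ends outside these hunks.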
+12 −6
@@ -5,7 +5,10 @@ import logging
import os
import random
import string
from datetime import datetime, timedelta
from datetime import (
    datetime,
    timedelta,
)

from cloudauthz import CloudAuthz
from cloudauthz.exceptions import CloudAuthzBaseException
@@ -370,8 +373,10 @@ class AuthnzManager:
    def refresh_expiring_oidc_tokens(self, sa_session):
        # Galaxy starts multiple RefreshOIDCTokensTask (one for each handler and workes). Until we found a better way
        # to deal with it, we check the server name here and only run refresh for one worker.
        if (self.app.config.server_name != self.app.config.base_server_name
                and self.app.config.server_name != f"{self.app.config.base_server_name}.1"):
        if (
            self.app.config.server_name != self.app.config.base_server_name
            and self.app.config.server_name != f"{self.app.config.base_server_name}.1"
        ):
            return

        all_users = sa_session.scalars(select(model.User)).all()
@@ -417,7 +422,8 @@ class AuthnzManager:
    def _validate_permissions(self, user, jwt, provider):
        # Get required scope if provided in config, else use the configured scope prefix
        required_scopes = [
            f"{self.oidc_backends_config[provider].get('required_scope', f'{self.app.config.oidc_scope_prefix}:*')}"]
            f"{self.oidc_backends_config[provider].get('required_scope', f'{self.app.config.oidc_scope_prefix}:*')}"
        ]
        self._assert_jwt_contains_scopes(user, jwt, required_scopes)

    def callback(self, provider, state_token, authz_code, trans, login_redirect_url, idphint=None):
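Review bot: The guard at the top of `refresh_expiring_oidc_tokens` returns silently when `server_name` is neither `base_server_name` nor `base_server_name` with `.1` appended. In a deployment where no process carries one of those two names the refresh never runs and nothing in the log says why, presumably leaving tokens to expire. A debug line before the `return` would make the skip visible, for example `log.debug("Skipping OIDC token refresh on %s", self.app.config.server_name)`, assuming the module has the usual `log` logger. The comment above the guard also has a typo (`workes`), and the method body continues past the hunk.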
+14 −8
@@ -193,17 +193,19 @@ class PSAAuthnz(IdentityProvider):
        if int(user_authnz_token.extra_data["auth_time"]) + skip_old_tokens_threshold_seconds < int(time.time()):
            return False


        if int(user_authnz_token.extra_data["auth_time"]) + int(expires) / 2 <= int(time.time()):
            on_the_fly_config(sa_session)
            log.debug(f"Refreshing user token for {user_authnz_token.uid} via `{user_authnz_token.provider}` identity provider")
            log.debug(
                f"Refreshing user token for {user_authnz_token.uid} via `{user_authnz_token.provider}` identity provider"
            )
            if self.config["provider"] == "azure":
                self.refresh_azure(user_authnz_token)
            else:
                strategy = Strategy(None, sa_session, Storage, self.config)
                user_authnz_token.refresh_token(strategy)
            log.debug(
                f"Refreshed user token for {user_authnz_token.uid} via `{user_authnz_token.provider}` identity provider")
                f"Refreshed user token for {user_authnz_token.uid} via `{user_authnz_token.provider}` identity provider"
            )

            return True

@@ -266,8 +268,11 @@ class PSAAuthnz(IdentityProvider):
                 if the access token does not belong to this provider.
        :rtype: Tuple[User, dict]
        """
        well_known_oidc_config_uri = self.config["well_known_oidc_config_uri"] if self.config.get(
            "well_known_oidc_config_uri", None) else self._get_well_known_uri_from_url(self.config["provider"])
        well_known_oidc_config_uri = (
            self.config["well_known_oidc_config_uri"]
            if self.config.get("well_known_oidc_config_uri", None)
            else self._get_well_known_uri_from_url(self.config["provider"])
        )
        well_known_oidc_config = None
        try:
            well_known_oidc_config = requests.get(
@@ -309,7 +314,8 @@ class PSAAuthnz(IdentityProvider):
            )
        except jwt.exceptions.PyJWKClientError:
            log.debug(
                f"Could not get signing keys for access token with provider: {self.config['provider']}. Ignoring...")
                f"Could not get signing keys for access token with provider: {self.config['provider']}. Ignoring..."
            )
            return None, None
        except jwt.exceptions.InvalidIssuerError:
            # An Invalid issuer means that the access token is not relevant to this provider.
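Review bot: The `except jwt.exceptions.PyJWKClientError` handler in the last hunk discards the exception and logs only "Could not get signing keys ... Ignoring..." at debug level. PyJWT uses that class both when the JWKS endpoint cannot be fetched and when no key matches the token, so an unreachable or misconfigured key endpoint is indistinguishable in the log from a token that belongs to another provider. Returning `None, None` fails closed and should stay, but binding the exception and including its text would let an operator tell the cases apart: `except jwt.exceptions.PyJWKClientError as e:` with `{e}` appended to the message. The `try` block this handler belongs to starts outside the hunk.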
+3 −1
@@ -651,7 +651,9 @@ class BamNative(CompressedArchive, _BamOrSam):
    def get_chunk(self, trans, dataset: HasFileName, offset: int = 0, ck_size: Optional[int] = None) -> str:
        if not offset == -1:
            try:
                with pysam.AlignmentFile(dataset.get_file_name(user=trans.user if trans else None), "rb", check_sq=False) as bamfile:
                with pysam.AlignmentFile(
                    dataset.get_file_name(user=trans.user if trans else None), "rb", check_sq=False
                ) as bamfile:
                    if ck_size is None:
                        ck_size = 300  # 300 lines
                    if offset == 0: