From b8bd6b58e5cff647c0f96270873435fb2e85272b Mon Sep 17 00:00:00 2001
From: Gregory Cage
Date: Wed, 24 Sep 2025 16:34:54 -0400
Subject: [PATCH 1/5] Add ORNL specific logic when loggin in from NOVA
---
 lib/galaxy/authnz/custos_authnz.py | 1 -
 lib/galaxy/authnz/psa_authnz.py | 1 -
 lib/galaxy/config/schemas/config_schema.yml | 14 ++++++++++++++
 lib/galaxy/managers/configuration.py | 2 ++
 lib/galaxy/webapps/galaxy/controllers/authnz.py | 11 +++++++++++
 5 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/lib/galaxy/authnz/custos_authnz.py b/lib/galaxy/authnz/custos_authnz.py
index d8fd3a6f5f..2a9a45789b 100644
--- a/lib/galaxy/authnz/custos_authnz.py
+++ b/lib/galaxy/authnz/custos_authnz.py
@@ -590,7 +590,6 @@ class OIDCAuthnzBase(IdentityProvider):
 custos_authnz_token = self._get_custos_authnz_token(sa_session, user_id, self.config.provider)
 user = custos_authnz_token.user if custos_authnz_token else None
- self.refresh(sa_session, custos_authnz_token, 90)
 return user, decoded_jwt
diff --git a/lib/galaxy/authnz/psa_authnz.py b/lib/galaxy/authnz/psa_authnz.py
index 70451874d3..d8bb7fac16 100644
--- a/lib/galaxy/authnz/psa_authnz.py
+++ b/lib/galaxy/authnz/psa_authnz.py
@@ -329,7 +329,6 @@ class PSAAuthnz(IdentityProvider):
 user_id = decoded_jwt["unique_name"]
 authnz_token = self._get_authnz_token(sa_session, user_id, self.config["provider"])
 user = authnz_token.user if authnz_token else None
- self.refresh(sa_session, authnz_token, 90)
 return user, decoded_jwt
 @staticmethod
diff --git a/lib/galaxy/config/schemas/config_schema.yml b/lib/galaxy/config/schemas/config_schema.yml
index a6dbbd35a6..6f672c1fd1 100644
--- a/lib/galaxy/config/schemas/config_schema.yml
+++ b/lib/galaxy/config/schemas/config_schema.yml
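Review bot: The removal of `self.refresh(sa_session, custos_authnz_token, 90)` is not explained by a commit whose subject is about NOVA login, and the psa_authnz.py hunk on this same line deletes the equivalent `self.refresh(sa_session, authnz_token, 90)`. Whatever that call did on each invocation — presumably renewing the stored provider tokens before they expire — no longer happens, so users whose tokens are close to expiry may start failing in a way that is hard to trace back to this change. If the refresh was dropped deliberately for the NOVA path, state the reason in the commit message and leave a comment at the call site, e.g. `# Token refresh intentionally not performed here; see <reason>`. Both enclosing functions start outside their hunks.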
@@ -4168,3 +4168,17 @@ mapping: Number of seconds before file source content listings are refreshed. Shorter times will result in more queries while browsing a file sources. Longer times will result in fewer requests to file sources but outdated contents might be displayed to the user. Currently only affects s3fs file sources. + + ornl_nova_redirect_url: + type: str + default: https://nova-test.ornl.gov + required: false + desc: | + ORNL Only. The url to return to when logging in through Galaxy via NOVA. + + ornl_nova_login_origin_cookie: + type: str + default: galaxy-nova-login + required: false + desc: | + ORNL Only. The name of the cookie to check whether the user was sent from NOVA to log in. \ No newline at end of file diff --git a/lib/galaxy/managers/configuration.py b/lib/galaxy/managers/configuration.py index 68f312a3df..d7bd20d918 100644 --- a/lib/galaxy/managers/configuration.py +++ b/lib/galaxy/managers/configuration.py @@ -233,6 +233,8 @@ class ConfigSerializer(base.ModelSerializer): "enable_help_forum_tool_panel_integration": _use_config, "disable_batch_input": _use_config, "llm_api_configured": lambda item, key, **context: bool(item.openai_api_key), + "ornl_nova_redirect_url": _defaults_to("https://nova-test.ornl.gov"), + "ornl_nova_login_origin_cookie": _defaults_to("galaxy-nova-login") } diff --git a/lib/galaxy/webapps/galaxy/controllers/authnz.py b/lib/galaxy/webapps/galaxy/controllers/authnz.py index 32a7ce5813..44f6578c08 100644 --- a/lib/galaxy/webapps/galaxy/controllers/authnz.py +++ b/lib/galaxy/webapps/galaxy/controllers/authnz.py 
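Review bot: `https://nova-test.ornl.gov` is a test-environment host, and shipping it as the schema default for `ornl_nova_redirect_url` means any deployment that omits the option silently redirects NOVA-originated logins to the test environment. Safer is a default of none with the feature inactive until an operator sets the URL, and the desc should say that the option must be set for the redirect to happen. The new text also introduces a `\ No newline at end of file` marker; end the file with a newline.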
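Review bot: The defaults `"https://nova-test.ornl.gov"` and `"galaxy-nova-login"` are now spelled out both here and in the config_schema.yml hunk of this commit, so the two copies can drift; the neighbouring entries use `_use_config`, which presumably serves the loaded value (and hence the schema default), so the same helper would avoid the duplication — verify what `_defaults_to` does before switching. The last entry also lacks a trailing comma, `"ornl_nova_login_origin_cookie": _defaults_to("galaxy-nova-login"),`, which the project's formatter will want in a multi-line dict. The same duplication and missing comma recur in the patch-2 hunk that renames the key to `external_login_redirect_cookie`.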
@@ -91,6 +91,12 @@ class OIDC(JSAppLauncher):
 trans.set_cookie(value="/", name=LOGIN_NEXT_COOKIE_NAME)
 success, message, redirect_uri = trans.app.authnz_manager.authenticate(provider, trans, idphint)
 if success:
+
+ # ORNL ONLY logic
+ nova_login = trans.get_cookie(trans.app.config.ornl_nova_login_origin_cookie)
+ if nova_login == "true":
+ return trans.response.send_redirect(url_for(redirect_uri))
+
 return {"redirect_uri": redirect_uri}
 else:
 raise exceptions.AuthenticationFailed(message)
@@ -149,6 +155,11 @@ class OIDC(JSAppLauncher):
 trans.set_cookie(value=provider, name=PROVIDER_COOKIE_NAME)
 # Clear the login next cookie back to default.
 trans.set_cookie(value="/", name=LOGIN_NEXT_COOKIE_NAME)
+
+ # ORNL ONLY logic
+ nova_login = trans.get_cookie(trans.app.config.ornl_nova_login_origin_cookie)
+ if nova_login == "true":
+ return trans.response.send_redirect(url_for(trans.app.config.ornl_nova_redirect_url))
 return trans.response.send_redirect(url_for(redirect_url))
 @web.expose
-- 
GitLab
From 6b0bb4bb3635126f6447e61a350e6e6d29bb3855 Mon Sep 17 00:00:00 2001
From: Gregory Cage
Date: Fri, 26 Sep 2025 11:43:57 -0400
Subject: [PATCH 2/5] Generalize external login redirect cookie
---
 lib/galaxy/config/schemas/config_schema.yml | 14 ++++----------
 lib/galaxy/managers/configuration.py | 3 +--
 lib/galaxy/webapps/galaxy/controllers/authnz.py | 10 +++++-----
 3 files changed, 10 insertions(+), 17 deletions(-)
diff --git a/lib/galaxy/config/schemas/config_schema.yml b/lib/galaxy/config/schemas/config_schema.yml
index 6f672c1fd1..f1e4016e68 100644
--- a/lib/galaxy/config/schemas/config_schema.yml
+++ b/lib/galaxy/config/schemas/config_schema.yml
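Review bot: The new branch makes `login`, which is decorated `@web.json` (visible in the patch-3 hunk later in this series), answer with a redirect response instead of the `{"redirect_uri": ...}` JSON the client otherwise receives, keyed solely on a cookie the browser presents; a JSON client will then get an HTML redirect body it cannot parse. If the intent is that NOVA-originated browsers are driven straight to the provider, say so in place of `# ORNL ONLY logic`, e.g. `# Browser arrived from NOVA: redirect directly instead of returning JSON for the SPA`, and drop the stray blank line after `if success:`. The `login` method starts outside the hunk.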
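Review bot: The `nova_login` cookie is read but never cleared, so once a browser carries it every later login through this callback is sent to `ornl_nova_redirect_url` instead of `redirect_url` until the cookie expires on its own; clearing it in the same branch keeps the redirect a one-shot (patch 4 of this series does this for the renamed cookie, but only on the matching path). Because the target here comes from configuration rather than from the cookie, this hunk is not an open redirect by itself. Check that `url_for` passes an absolute `https://` URL through unchanged — the existing call site only feeds it a path — and if it does not, hand the configured URL to `send_redirect` directly. The enclosing callback method starts outside the hunk.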
@@ -4169,16 +4169,10 @@ mapping: queries while browsing a file sources. Longer times will result in fewer requests to file sources but outdated contents might be displayed to the user. Currently only affects s3fs file sources. - ornl_nova_redirect_url: + external_login_redirect_cookie: type: str - default: https://nova-test.ornl.gov + default: "galaxy-external-login-redirect" required: false desc: | - ORNL Only. The url to return to when logging in through Galaxy via NOVA. - - ornl_nova_login_origin_cookie: - type: str - default: galaxy-nova-login - required: false - desc: | - ORNL Only. The name of the cookie to check whether the user was sent from NOVA to log in. \ No newline at end of file + The name of a cookie to check after Galaxy has been logged into via an external third party. If present, Galaxy + will redirect to the url contained in the cookie. \ No newline at end of file diff --git a/lib/galaxy/managers/configuration.py b/lib/galaxy/managers/configuration.py index d7bd20d918..71060fae8a 100644 --- a/lib/galaxy/managers/configuration.py +++ b/lib/galaxy/managers/configuration.py @@ -233,8 +233,7 @@ class ConfigSerializer(base.ModelSerializer): "enable_help_forum_tool_panel_integration": _use_config, "disable_batch_input": _use_config, "llm_api_configured": lambda item, key, **context: bool(item.openai_api_key), - "ornl_nova_redirect_url": _defaults_to("https://nova-test.ornl.gov"), - "ornl_nova_login_origin_cookie": _defaults_to("galaxy-nova-login") + "external_login_redirect_cookie": _defaults_to("galaxy-external-login-redirect") } diff --git a/lib/galaxy/webapps/galaxy/controllers/authnz.py b/lib/galaxy/webapps/galaxy/controllers/authnz.py index 44f6578c08..9db77a03bf 100644 --- a/lib/galaxy/webapps/galaxy/controllers/authnz.py +++ b/lib/galaxy/webapps/galaxy/controllers/authnz.py 
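Review bot: The new desc promises that Galaxy "will redirect to the url contained in the cookie" with no restriction, whereas the controller hunk in this commit honours only values starting with `http://` or `https://`, and because the cookie is client-controlled the accepted targets should be narrower still. Document the real contract, e.g. `The name of a cookie checked after a successful external (OIDC) login. If it holds an absolute http(s) URL to a permitted host, Galaxy redirects there instead of the default post-login page.` — and make the code match by keeping an explicit list of permitted hosts. The `\ No newline at end of file` marker is carried over; end the file with a newline.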
@@ -93,8 +93,8 @@ class OIDC(JSAppLauncher):
 if success:
 # ORNL ONLY logic
- nova_login = trans.get_cookie(trans.app.config.ornl_nova_login_origin_cookie)
- if nova_login == "true":
+ external_login = trans.get_cookie(trans.app.config.external_login_redirect_cookie)
+ if external_login:
 return trans.response.send_redirect(url_for(redirect_uri))
 return {"redirect_uri": redirect_uri}
@@ -157,9 +157,9 @@ class OIDC(JSAppLauncher):
 trans.set_cookie(value="/", name=LOGIN_NEXT_COOKIE_NAME)
 # ORNL ONLY logic
- nova_login = trans.get_cookie(trans.app.config.ornl_nova_login_origin_cookie)
- if nova_login == "true":
- return trans.response.send_redirect(url_for(trans.app.config.ornl_nova_redirect_url))
+ external_login = trans.get_cookie(trans.app.config.external_login_redirect_cookie)
+ if external_login and (external_login.find("https://") == 0 or external_login.find("http://") == 0):
+ return trans.response.send_redirect(url_for(external_login))
 return trans.response.send_redirect(url_for(redirect_url))
 @web.expose
-- 
GitLab
From 4100b116ae0b5c9c7eb91a932694845cf12b5291 Mon Sep 17 00:00:00 2001
From: Gregory Cage
Date: Tue, 30 Sep 2025 12:39:31 -0400
Subject: [PATCH 3/5] Set External Redirect Cookie in Galaxy
---
 lib/galaxy/webapps/galaxy/controllers/authnz.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/galaxy/webapps/galaxy/controllers/authnz.py b/lib/galaxy/webapps/galaxy/controllers/authnz.py
index 9db77a03bf..05642e9109 100644
--- a/lib/galaxy/webapps/galaxy/controllers/authnz.py
+++ b/lib/galaxy/webapps/galaxy/controllers/authnz.py
@@ -77,7 +77,7 @@ class OIDC(JSAppLauncher):
 @web.json
 @web.expose
- def login(self, trans, provider, idphint=None, next=None):
+ def login(self, trans, provider, idphint=None, next=None, external_redirect=None):
 if not trans.app.config.enable_oidc:
 msg = "Login to Galaxy using third-party identities is not enabled on this Galaxy instance."
 log.debug(msg)
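Review bot: `if external_login:` now fires for any non-empty cookie value, whereas the callback hunk below in this commit insists on an `http(s)://` prefix, so the two places disagree on what counts as an external-login request and a cookie holding any junk value flips `login` from a JSON reply to a redirect. Use one predicate in both places, e.g. a helper `_external_redirect_target(trans)` returning the validated URL or `None`, and call it here as `if _external_redirect_target(trans):`. The retained `# ORNL ONLY logic` context comment is stale now that the feature has been generalised. `login` starts outside the hunk.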
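Review bot: `external_login` is a cookie value the browser presents, and the only check before `send_redirect` is that it starts with `http://` or `https://`, so after a successful login the user is sent to whatever absolute URL that cookie holds — an open redirect, which patch 3 of this series widens by letting the value be set from the `external_redirect` query parameter of the login URL; the patch-3 and patch-4 hunks on the next line carry the same check unchanged. Parse the value with `urllib.parse.urlsplit` (import at the top of the file, outside this hunk) and follow it only when the scheme is http/https and the host is on an explicit allowlist held in configuration, shown as a placeholder below. `external_login.find("https://") == 0` is also better written as `startswith`. The enclosing callback method starts outside the hunk.
```python
            external_login = trans.get_cookie(trans.app.config.external_login_redirect_cookie)
            if external_login:
                target = urlsplit(external_login)
                # The cookie is client-controlled: require an absolute http(s) URL whose
                # host is explicitly permitted, otherwise fall through to the default page.
                allowed_hosts = ALLOWED_REDIRECT_HOSTS  # placeholder: new config option listing permitted hosts
                if target.scheme in ("http", "https") and target.hostname in allowed_hosts:
                    return trans.response.send_redirect(url_for(external_login))
            return trans.response.send_redirect(url_for(redirect_url))
```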
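Review bot: The new `external_redirect` parameter is a URL taken straight from the request and is described nowhere; `login` shows no docstring in the hunk, so add one that states the parameter's meaning and trust level, e.g. `external_redirect: absolute URL supplied by the caller; stored in the external-login cookie and only honoured by the callback after validation`. Naming it next to `next`, which already carries a post-login destination, also deserves a sentence on how the two differ. The method body continues outside the hunk.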
@@ -93,8 +93,8 @@ class OIDC(JSAppLauncher):
 if success:
 # ORNL ONLY logic
- external_login = trans.get_cookie(trans.app.config.external_login_redirect_cookie)
- if external_login:
+ if external_redirect:
+ trans.set_cookie(value=external_redirect, name=trans.app.config.external_login_redirect_cookie)
 return trans.response.send_redirect(url_for(redirect_uri))
 return {"redirect_uri": redirect_uri}
-- 
GitLab
From 47050bbe7f12140252eb100ee38fb937d81eb76f Mon Sep 17 00:00:00 2001
From: Gregory Cage
Date: Wed, 1 Oct 2025 12:05:03 -0400
Subject: [PATCH 4/5] Clear External Redirect Cookie after logging in via OAUTH
---
 lib/galaxy/webapps/galaxy/controllers/authnz.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/lib/galaxy/webapps/galaxy/controllers/authnz.py b/lib/galaxy/webapps/galaxy/controllers/authnz.py
index 05642e9109..a0c0274729 100644
--- a/lib/galaxy/webapps/galaxy/controllers/authnz.py
+++ b/lib/galaxy/webapps/galaxy/controllers/authnz.py
@@ -91,8 +91,6 @@ class OIDC(JSAppLauncher):
 trans.set_cookie(value="/", name=LOGIN_NEXT_COOKIE_NAME)
 success, message, redirect_uri = trans.app.authnz_manager.authenticate(provider, trans, idphint)
 if success:
-
- # ORNL ONLY logic
 if external_redirect:
 trans.set_cookie(value=external_redirect, name=trans.app.config.external_login_redirect_cookie)
 return trans.response.send_redirect(url_for(redirect_uri))
@@ -156,9 +154,9 @@ class OIDC(JSAppLauncher):
 # Clear the login next cookie back to default.
 trans.set_cookie(value="/", name=LOGIN_NEXT_COOKIE_NAME)
- # ORNL ONLY logic
 external_login = trans.get_cookie(trans.app.config.external_login_redirect_cookie)
 if external_login and (external_login.find("https://") == 0 or external_login.find("http://") == 0):
+ trans.set_cookie(value="", name=trans.app.config.external_login_redirect_cookie)
 return trans.response.send_redirect(url_for(external_login))
 return trans.response.send_redirect(url_for(redirect_url))
-- 
GitLab
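Review bot: `external_redirect` is written into the cookie exactly as received from the query string, with no check at all, and is only filtered — by scheme — when the callback later reads it; validate it here so a bad value is refused where the caller can see the error and nothing untrusted is persisted, e.g. `if external_redirect and _is_permitted_redirect(external_redirect):` with the helper doing the scheme and host-allowlist check raised on the patch-2 callback hunk. The cookie attributes `trans.set_cookie` applies (HttpOnly, Secure, lifetime) are not visible here — confirm they suit a value that steers post-login navigation. `login` starts outside the hunk.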
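Review bot: The cookie is cleared only inside the `if external_login and (...)` branch, so a value that fails the scheme check is never cleared and is re-evaluated on every later login; move `trans.set_cookie(value="", name=trans.app.config.external_login_redirect_cookie)` above the `if`, guarded by `if external_login:`, so any present value is consumed exactly once. Writing an empty value relies on the framework's default cookie lifetime rather than expiring the cookie — if `trans.set_cookie` takes an age or expiry argument, use it; its signature is not visible here. The enclosing callback method starts outside the hunk.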
From d64bc93ec321230d62b53fa2fde3118e6873df08 Mon Sep 17 00:00:00 2001
From: Gregory Cage
Date: Wed, 8 Oct 2025 12:04:59 -0400
Subject: [PATCH 5/5] Bump version
---
 .gitlab-ci.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index bc8d4048ed..dba5349fec 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -9,8 +9,8 @@ variables:
 CONTAINER_GALAXY_URL: "${NDIP_DOCKER_REPOSITORY}/${CI_PROJECT_PATH}"
 CONTAINER_GALAXY_BASE_URL: "${CONTAINER_GALAXY_URL}/base"
 CONTAINER_GALAXY_COMMIT_URL: "${CONTAINER_GALAXY_URL}/commit"
- GALAXY_VERSION_PYTHON: 24.2.dev4+ornl
- GALAXY_VERSION_DOCKER: 24.2.dev4.ornl
+ GALAXY_VERSION_PYTHON: 24.2.dev5+ornl
+ GALAXY_VERSION_DOCKER: 24.2.dev5.ornl
 # This import is for the func_rse_docker_* functions
 before_script:
-- 
GitLab