diff --git a/lib/galaxy/authnz/custos_authnz.py b/lib/galaxy/authnz/custos_authnz.py
index 8d54aed20177..4f9030ab48d2 100644
--- a/lib/galaxy/authnz/custos_authnz.py
+++ b/lib/galaxy/authnz/custos_authnz.py
@@ -76,6 +76,7 @@ class CustosAuthnzConfiguration:
 class OIDCAuthnzBase(IdentityProvider):
     def __init__(self, provider, oidc_config, oidc_backend_config, idphint=None):
         provider = provider.lower()
+        self.jwks_client: Optional[jwt.PyJWKClient]
         self.config = CustosAuthnzConfiguration(
             provider=provider,
             verify_ssl=oidc_config["VERIFY_SSL"],
@@ -502,6 +503,8 @@ def _username_from_userinfo(trans, userinfo):
         return username
 
     def find_user_by_access_token(self, sa_session, access_token):
+        if not self.jwks_client:
+            return None
         signing_key = self.jwks_client.get_signing_key_from_jwt(access_token)
         decoded_jwt = jwt.decode(
             access_token,
diff --git a/lib/galaxy/webapps/galaxy/api/__init__.py b/lib/galaxy/webapps/galaxy/api/__init__.py
index 4cf559f134b2..f8ebecedb20e 100644
--- a/lib/galaxy/webapps/galaxy/api/__init__.py
+++ b/lib/galaxy/webapps/galaxy/api/__init__.py
@@ -36,6 +36,7 @@
     APIKeyCookie,
     APIKeyHeader,
     APIKeyQuery,
+    HTTPAuthorizationCredentials,
     HTTPBearer,
 )
 from fastapi_utils.cbv import cbv
@@ -141,7 +142,7 @@ def get_api_user(
     user_manager: UserManager = depends(UserManager),
     key: str = Security(api_key_query),
     x_api_key: str = Security(api_key_header),
-    bearer_token: str = Security(api_bearer_token),
+    bearer_token: HTTPAuthorizationCredentials = Security(api_bearer_token),
     run_as: Optional[DecodedDatabaseIdField] = Header(
         default=None,
         title="Run as User",
diff --git a/test/integration/oidc/test_auth_oidc.py b/test/integration/oidc/test_auth_oidc.py
index 2d590251a7d6..66778b0ed38f 100644
--- a/test/integration/oidc/test_auth_oidc.py
+++ b/test/integration/oidc/test_auth_oidc.py
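Review bot: The added `self.jwks_client: Optional[jwt.PyJWKClient]` is a bare annotation, so the attribute does not exist until some later assignment in __init__ (outside this hunk); on any provider path that skips that assignment, the new `if not self.jwks_client:` guard in the second hunk of this file raises AttributeError instead of returning None. Initialising it here, `self.jwks_client: Optional[jwt.PyJWKClient] = None`, makes the guard sound regardless of which configuration branch runs. __init__ continues outside the hunk.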
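Review bot: Returning None silently when `self.jwks_client` is unset means a presented bearer token is simply not matched against this provider, and a missing or misconfigured JWKS endpoint becomes invisible — the caller presumably falls through to other credentials or to an anonymous session. A log line before the return (constructed example, adapt to the module's logger and config attribute names: `log.debug("No JWKS client configured for %s; ignoring bearer token", self.config.provider)`) would make that state diagnosable in operations. The rest of find_user_by_access_token, including the jwt.decode() options, lies outside the hunk and is not reviewed here.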
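Review bot: `bearer_token: HTTPAuthorizationCredentials` declares the value as always present, but HTTPBearer only guarantees that with its default `auto_error=True`; if `api_bearer_token` is constructed with `auto_error=False` so that API-key requests without an Authorization header are still accepted, the injected value is None and the annotation should be `Optional[HTTPAuthorizationCredentials]` with a None check before use. The body of get_api_user is outside the hunk; wherever it previously treated bearer_token as the raw token string it now needs `bearer_token.credentials`.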
@@ -78,7 +78,6 @@ def start_keycloak_docker(container_name, port=8443, image="keycloak/keycloak:22
         "--https-certificate-file=/opt/keycloak/data/import/keycloak-server.crt.pem",
         "--https-certificate-key-file=/opt/keycloak/data/import/keycloak-server.key.pem",
     ]
-    print(" ".join(START_SLURM_DOCKER))
     subprocess.check_call(START_SLURM_DOCKER)
     wait_till_keycloak_ready(port)
 
@@ -91,6 +90,8 @@ class AbstractTestCases:
     @integration_util.skip_unless_docker()
     class BaseKeycloakIntegrationTestCase(integration_util.IntegrationTestCase):
         container_name: ClassVar[str]
+        backend_config_file: ClassVar[str]
+        saved_oauthlib_insecure_transport: ClassVar[bool]
 
         @classmethod
         def setUpClass(cls):
@@ -136,7 +137,7 @@ def tearDownClass(cls):
         @classmethod
         def disableOauthlibHttps(cls):
             if "OAUTHLIB_INSECURE_TRANSPORT" in os.environ:
-                cls.saved_oauthlib_insecure_transport = os.environ["OAUTHLIB_INSECURE_TRANSPORT"]
+                cls.saved_oauthlib_insecure_transport = bool(os.environ["OAUTHLIB_INSECURE_TRANSPORT"])
             os.environ["OAUTHLIB_INSECURE_TRANSPORT"] = "true"
             os.environ["REQUESTS_CA_BUNDLE"] = os.path.dirname(__file__) + "/keycloak-server.crt.pem"
             os.environ["SSL_CERT_FILE"] = os.path.dirname(__file__) + "/keycloak-server.crt.pem"
@@ -144,7 +145,7 @@ def disableOauthlibHttps(cls):
         @classmethod
         def restoreOauthlibHttps(cls):
             if getattr(cls, "saved_oauthlib_insecure_transport", None):
-                os.environ["OAUTHLIB_INSECURE_TRANSPORT"] = cls.saved_oauthlib_insecure_transport
+                os.environ["OAUTHLIB_INSECURE_TRANSPORT"] = str(cls.saved_oauthlib_insecure_transport)
             else:
                 del os.environ["OAUTHLIB_INSECURE_TRANSPORT"]
 
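Review bot: Declaring `saved_oauthlib_insecure_transport: ClassVar[bool]` and wrapping the save in `bool(...)` (third hunk of this file) and the restore in `str(...)` (fourth hunk) makes the round trip lossy: any non-empty prior value such as "1" is restored as the literal "True", and a prior empty-string value becomes False, which the `getattr(cls, "saved_oauthlib_insecure_transport", None)` test cannot tell apart from "never saved", so the variable the caller had set is deleted instead. Keeping the saved value as the string it was — `saved_oauthlib_insecure_transport: ClassVar[str]` with the `bool()`/`str()` wrappers dropped — restores the environment exactly. As far as these hunks show, REQUESTS_CA_BUNDLE and SSL_CERT_FILE are also rewritten process-wide in disableOauthlibHttps without being saved or restored; that is pre-existing, but it changes TLS trust for everything else in the test process and deserves the same save/restore treatment.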
@@ -175,7 +176,8 @@ def _login_via_keycloak(
             provider_url = response.json()["redirect_uri"]
             response = session.get(provider_url, verify=False)
             matches = self.REGEX_KEYCLOAK_LOGIN_ACTION.search(response.text)
-            auth_url = html.unescape(matches.groups(1)[0])
+            assert matches
+            auth_url = html.unescape(matches.groups(1)[0][0])
             response = session.post(auth_url, data={"username": username, "password": password}, verify=False)
             assert response.status_code in expected_codes, response
             if save_cookies:
@@ -208,7 +210,7 @@ def test_oidc_login(self):
 
         def test_oidc_logout(self):
             # login
-            session, response = self._login_via_keycloak(KEYCLOAK_TEST_USERNAME, KEYCLOAK_TEST_PASSWORD, save_cookies=True)
+            session, _ = self._login_via_keycloak(KEYCLOAK_TEST_USERNAME, KEYCLOAK_TEST_PASSWORD, save_cookies=True)
             # get the user
             response = session.get(self._api_url("users/current"))
             self._assert_status_code_is(response, 200)
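Review bot: `matches.groups(1)[0][0]` indexes twice into a flat tuple of group strings — `re.Match.groups()` returns one entry per capturing group, so `[0]` is already the captured form action URL and the second `[0]` keeps only its first character, which `session.post(auth_url, ...)` on the next line cannot use. If the extra index was added to satisfy the type checker (`groups(1)` is typed as a tuple of `str | int`), `auth_url = html.unescape(matches.group(1))` is both correct and well-typed, and the new `assert matches` already narrows matches for that call. _login_via_keycloak begins outside the hunk.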