From a4817da7dd623e69f6f93e3a265222c199ab56c1 Mon Sep 17 00:00:00 2001
From: Arash
Date: Mon, 9 Dec 2024 12:21:53 +0100
Subject: [PATCH] Enhance ToolEvaluator to read secrets from UserVaultWrapper and query user credentials
---
 lib/galaxy/tools/evaluation.py | 38 +++++++++++++++++++++++++---------
 1 file changed, 28 insertions(+), 10 deletions(-)
diff --git a/lib/galaxy/tools/evaluation.py b/lib/galaxy/tools/evaluation.py
index 12d81a55a0be..bbafe7383828 100644
--- a/lib/galaxy/tools/evaluation.py
+++ b/lib/galaxy/tools/evaluation.py
@@ -6,9 +6,10 @@
 import string
 import tempfile
 from datetime import datetime
-from typing import ( # cast,
+from typing import (
 Any,
 Callable,
+ cast,
 Dict,
 List,
 Optional,
@@ -28,11 +29,11 @@
 )
 from galaxy.model.none_like import NoneDataset
 from galaxy.security.object_wrapper import wrap_with_safe_string
-
-# from galaxy.security.vault import UserVaultWrapper
-from galaxy.structured_app import ( # StructuredApp,
+from galaxy.security.vault import UserVaultWrapper
+from galaxy.structured_app import (
 BasicSharedApp,
 MinimalToolApp,
+ StructuredApp,
 )
 from galaxy.tool_util.data import TabularToolDataTable
 from galaxy.tools.parameters import (
@@ -191,16 +192,33 @@ def set_compute_environment(self, compute_environment: ComputeEnvironment, get_s
 self.execute_tool_hooks(inp_data=inp_data, out_data=out_data, incoming=incoming)
 if self.tool.credentials:
- # app = cast(StructuredApp, self.app)
- # user_vault = UserVaultWrapper(app.vault, self._user)
+ app = cast(StructuredApp, self.app)
+ user_vault = UserVaultWrapper(app.vault, self._user)
 for credentials in self.tool.credentials:
 reference = credentials.reference
 for secret in credentials.secret:
- secret_value = f"{reference}/{secret.name}"
- self.environment_variables.append({"name": secret.inject_as_env, "value": secret_value})
+ vault_value = user_vault.read_secret(f"{reference}|{secret.name}") or ""
+ self.environment_variables.append({"name": secret.inject_as_env, "value": vault_value})
 for variable in credentials.variable:
- variable_value = f"{reference}/{variable.name}"
- self.environment_variables.append({"name": variable.inject_as_env, "value": variable_value})
+ service_refrence = f"{reference}|{variable.name}"
+ model = app.model
+ query = (
+ model.context.query(model.UserCredential)
+ .filter_by(user_id=self._user.id, service_reference=service_refrence)
+ .first()
+ )
+ if query:
+ credential_id = query.id
+ credential = (
+ model.context.query(model.Credential)
+ .filter_by(user_credential_id=credential_id, name=variable.name)
+ .first()
+ )
+ if credential:
+ variable_value = credential.value
+ self.environment_variables.append({"name": variable.inject_as_env, "value": variable_value})
+ else:
+ log.warning(f"Variable {variable.name} not found in credentials")
 def execute_tool_hooks(self, inp_data, out_data, incoming):
 # Certain tools require tasks to be completed prior to job execution
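Review bot: A credential that is not found is handled inconsistently here, and mostly without a trace: a secret absent from the vault is exported as an empty string via `or ""`, while in the variable branch only one of `if query:` / `if credential:` can own the single `else` (the page has lost the indentation), so the other not-found case skips the variable silently. I would log the secret case as well, by name only and never the value, e.g. `if not vault_value: log.warning("Secret %s not found in vault", secret.name)`, and give both `if`s an `else`. `cast(StructuredApp, self.app)` changes nothing at runtime, so if this evaluator can be built with an app that lacks `vault`/`model`, or with `self._user` unset, these lines raise AttributeError; that setup lives in code outside the hunk (set_compute_environment itself begins above it), so it needs confirming there. The vault value goes into `self.environment_variables` in clear text, so it is also worth checking that whatever consumes that list does not write it to a job script or log. Minor: `service_refrence` is misspelled and `query` holds a row, not a query.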