Add credential handling to UserClient and ToolClient#534
Merged
nsoranzo merged 9 commits intogalaxyproject:mainfrom Apr 13, 2026
Merged
Add credential handling to UserClient and ToolClient#534nsoranzo merged 9 commits intogalaxyproject:mainfrom
nsoranzo merged 9 commits intogalaxyproject:mainfrom
Conversation
Add get_credentials, create_credentials, and get_credentials_for_tool methods to UserClient for managing stored credentials (API keys, etc.) via Galaxy's credentials API. Also add credentials_context parameter to ToolClient.run_tool() so credentials can be passed through when executing tools that require them.
The get_credentials_for_tool helper was using wrong field names from the Galaxy API response -- service_name/service_version instead of name/version, and current_group (an object) instead of current_group_id (an ID) with a groups list lookup. Verified against Galaxy's schema in credentials.py. Also widened run_tool payload type annotation and added integration tests for the credential methods.
Galaxy doesn't auto-set current_group_id when credentials are created,
so the get_credentials_for_tool helper was broken out of the box. Add
select_credential_group wrapping PUT /api/users/{id}/credentials so
callers can activate a group after creation.
Also fix truthiness checks to use 'is not None' instead of truthy
evaluation, clarify create_credentials return docstring, and update
tests to call select_credential_group before get_credentials_for_tool.
…ssing credential tools Ruff format with default line-length was reformatting existing code that black with line-length=120 left alone, causing lint failures. Reverted all formatting-only changes to existing code. Bumped test version gate from release_25.0 to release_25.1 since the credentials API doesn't exist in 25.0. The create/get_for_tool tests now use a real tool ID and gracefully skip when the tool doesn't have credential definitions (which is the case for standard test tools).
nsoranzo
reviewed
Apr 10, 2026
nsoranzo
reviewed
Apr 10, 2026
Use the existing skip_unless_tool decorator for the create-dependent tests instead of relying solely on the Galaxy version gate. Also drop the silent fallbacks in get_credentials_for_tool: cred["name"] and cred["version"] should fail loudly if the API contract drifts, and the group_name="default" fallback was masking the case where current_group_id points at a group that isn't in the groups list.
Co-authored-by: Nicola Soranzo <nicola.soranzo@gmail.com>
random_lines1 doesn't define any credentials, so the create-dependent tests were always being skipped via the try/except. secret_tool is defined in Galaxy's sample_tool_conf.xml with a real credentials block (service1 v1, server variable, username/password secrets) and is what Galaxy's own test/integration/test_credentials.py uses. The tests now actually exercise the create flow end-to-end.
The credentials API requires a vault to store secrets. Without one, create_credentials returns 500. Add a database vault config file with test fernet keys (matching what Galaxy's own test_credentials.py uses) and reference it from the template galaxy.yml. This lets the credential tests actually exercise the create flow against secret_tool.
nsoranzo
approved these changes
Apr 13, 2026
Co-authored-by: Nicola Soranzo <nicola.soranzo@gmail.com>
Member
|
Thanks @dannon ! |
Member
Author
|
@nsoranzo Thank you for the careful review and suggestions! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
get_credentials,create_credentials,select_credential_group, andget_credentials_for_toolmethods toUserClientwrapping Galaxy's/api/users/{id}/credentialsendpointscredentials_contextparameter toToolClient.run_tool()for passing stored credentials when executing tools that require themget_credentials_for_toolis a convenience method that builds thecredentials_contextlist from stored credentials, ready to pass directly torun_tool()Test plan
release_25.1)create_credentials+select_credential_group+get_credentials_for_tool+run_tool(credentials_context=...)workflow against a Galaxy instance with credential supportruff checkandruff formatpass