50 changes: 14 additions & 36 deletions tools/ena_webin_cli/ena_webin_cli.xml
Expand Up @@ -2,33 +2,28 @@
<description>Submission of consensus sequences to the European Nucleotide Archive (ENA)</description>
<macros>
<token name="@TOOL_VERSION@">9.0.1</token>
<token name="@VERSION_SUFFIX@">1</token>
<token name="@VERSION_SUFFIX@">2</token>
</macros>
<requirements>
<requirement type="package" version="@TOOL_VERSION@">ena-webin-cli</requirement>
<requirement type="package" version="5.3">pyyaml</requirement>
<credentials name="ena_webin_credentials" version="1.0" label="ENA Webin account credentials">
<secret name="ena_webin_username" inject_as_env="ENA_WEBIN_USERNAME" optional="false" label="ENA Webin username"/>
<secret name="ena_webin_password" inject_as_env="ENA_WEBIN_PASSWORD" optional="false" label="ENA Webin password"/>
</credentials>
</requirements>

<command detect_errors="exit_code"><![CDATA[
## -----------------------------------------------------------------------------
## 1) Initialize log and credentials
## -----------------------------------------------------------------------------
echo "Initializing log and credentials";

## Truncate (or create) the Galaxy-captured Webin-CLI log dataset.
: > "$webin_cli_log";

## Extract username/password from the credentials file.
## NOTE: $webin_id appears in bash, so we escape it as \$webin_id.
webin_id=`grep 'username' $credentials | cut -d':' -f2`;
if [ -z "\$webin_id" ]; then
## Fail early with guidance if no username is present.
echo "No ENA credentials defined. Set your credentials via: User -> Preferences -> Manage Information" >&2;
exit 1;
else
## Pull the password similarly.
password=`grep 'password' $credentials | cut -d':' -f2`;
fi;
#if $dry_run == "true":
#set $webin_id = "test-webin"
#set $password = "test-password"
#else
#set $webin_id = "$ENA_WEBIN_USERNAME"
#set $password = "$ENA_WEBIN_PASSWORD"
#end if

## -----------------------------------------------------------------------------
## 2) Create a base manifest (fields common to all submissions)
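Review bot: In the #else branch, "$ENA_WEBIN_USERNAME" and "$ENA_WEBIN_PASSWORD" appear without a backslash inside Cheetah #set lines, so, as the thread notes for $webin_id, Cheetah will try to resolve them as template variables instead of leaving them for bash to read from the environment that inject_as_env populates. Escape them (\$ENA_WEBIN_USERNAME, \$ENA_WEBIN_PASSWORD) or reference the environment variables directly in the command. The deleted block also exited early with a message when no username was found; a [ -z "\$ENA_WEBIN_USERNAME" ] guard outside dry-run would keep that failure explicit.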
Expand Down Expand Up @@ -179,12 +174,12 @@ echo "Executing Webin-CLI";
echo "Submitting manifest \$manifest" >> "$webin_cli_log" 2>&1;

## Invoke Webin-CLI with computed flags.
ena-webin-cli -context genome -manifest "\$manifest" -userName "\$webin_id" -password "\$password" -centerName "\$center_name" -inputDir "./fasta" $test_flag $action_flag -outputDir $outputs_dir >> '$webin_cli_log' 2>&1 || true;
Contributor

The \ in "$webin_id" and "$password" was done to make it work for both Conda and Singularity installations. #7340: it was quite a debugging effort to get it working.

Collaborator Author

Thanks for mentioning this, I will have a look!

Contributor

The \ just makes "$webin_id" a bash variable. Otherwise the Cheetah interpreter would try to replace it with the value of a Galaxy parameter (or output) named webin_id.

Independent of this, the problem with bash variables in commands is that the content of the variables will be exposed in the process list (to all users of the system where the tool is running).

ena-webin-cli -context genome -manifest "\$manifest" -userName "$webin_id" -password "$password" -centerName "\$center_name" -inputDir "./fasta" $test_flag $action_flag -outputDir $outputs_dir >> '$webin_cli_log' 2>&1 || true;
Contributor

@bernt-matthias bernt-matthias Jan 21, 2026

If we use "$webin_id" and "$password" on the command line the values are visible to other users. Since this seems to be the only way to provide username and password to the program my suggestion would be to ask upstream to allow input via a file (e.g. json or whatever they prefer) or environment variables.

Also this might be a possible attack vector (since username and password are not sanitized) in particular if double quotes are used.

However, for now the PR provides an improvement and we may proceed (a bump would be required).

Wondering if || true is the right thing to do here? Intuitively I would remove it...

Collaborator Author

Passing the env variables directly into the ena-webin-cli command would also solve the problem for now, right? Then the values will not be visible.

Contributor

Yes, but does ena-webin-cli support this already?

Collaborator Author

      -userName, -username=USER
                           Webin submission account name or e-mail address.
      -password=PASSWORD   Webin submission account password.
      -passwordFile=FILE   File containing the Webin submission account
                             password.
      -passwordEnv=VAR     Environment variable containing the Webin submission
                             account password.

For the password yes.

Contributor

Then let's take this for now and ask for the same for user. We can then add this as soon as it is possible.

done < submit_list.tab;

#else:
## Single run in "form" mode with the one generated manifest.
ena-webin-cli -context genome -manifest $generated_manifest -userName "\$webin_id" -password "\$password" -centerName "\$center_name" -inputDir "./" $test_flag $action_flag -outputDir $outputs_dir >> "$webin_cli_log" 2>&1 || true;
ena-webin-cli -context genome -manifest $generated_manifest -userName "$webin_id" -password "$password" -centerName "\$center_name" -inputDir "./" $test_flag $action_flag -outputDir $outputs_dir >> "$webin_cli_log" 2>&1 || true;
#end if

## -----------------------------------------------------------------------------
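Review bot: Both new ena-webin-cli lines pass -password "$password" as an argument, which puts the secret in the process list; the help output quoted in this thread lists -passwordEnv=VAR, so -passwordEnv=ENA_WEBIN_PASSWORD would keep it out of argv (the dry-run branch would then need to export a test value). The same lines keep || true, which discards the exit status that detect_errors="exit_code" relies on, so a failed submission can still end as a successful job; drop it or check the status explicitly. $outputs_dir is also left unquoted after -outputDir.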
Expand All @@ -201,23 +196,6 @@ tar -cf $webin_cli_outputs $outputs_dir ;
They are plain text files placed in the job working directory and referenced above.
-->
<configfiles>
<!-- Credentials file:
Pulls stored ENA Webin details (if set) from the Galaxy user preferences and writes
simple "username:..." and "password:..." lines. The command reads from this file. -->
<configfile name="credentials"><![CDATA[
#set $webin_id = $__user__.extra_preferences.get('ena_webin_account|webin_id', "").strip()
#set $password = $__user__.extra_preferences.get('ena_webin_account|password', "").strip()
## In dry-run we add fake creds when not provided.
#if $webin_id == "" and $dry_run == "true":
#set $webin_id = "test-webin"
#set $password = "test-password"
#end if
#if $webin_id != "" :
username:$webin_id
password:$password
#end if
]]></configfile>

<!-- genome_fasta_files:
In "file" mode, build a JSON array containing the *element_identifier* (dataset name)
for each selected FASTA. process_input.py uses these names to derive sample aliases. -->
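Review bot: Removing this configfile changes when the test credentials apply: the deleted block fell back to test-webin/test-password only when webin_id was empty and dry_run was true, while the new #if in the command section uses them for every dry run. With both secrets declared optional="false", please confirm that a dry run still works for a user who has stored no credentials, and update the tool help, since the old message pointing to User -> Preferences -> Manage Information is gone and previously stored ena_webin_account preferences are no longer read.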