Also remove defunct custos vault

nuwang · nuwang · commit bb875092b76e · 2025-10-16T23:24:33.000+05:30
diff --git a/doc/source/admin/special_topics/vault.md b/doc/source/admin/special_topics/vault.md
@@ -12,7 +12,6 @@ There are currently 3 supported backends.
 | Backend     | Description                                                                                                                                                                                                                                                                                                                                   |
 |-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | hashicorp   | Hashicorp Vault is a secrets and encryption management system. https://www.vaultproject.io/                                                                                                                                                                                                                                                   |
-| custos      | Custos is an NSF-funded project, backed by open source software that provides science gateways such as Galaxy with single sign-on, group management, and management of secrets such as access keys and OAuth2 access tokens. Custos secrets management is backed by Hashicorp's vault, but provides a convenient, always-on ReST API service. |
 | database    | The database backend stores secrets in an encrypted table in the Galaxy database itself. It is a convenient way to get started with a vault, and while it supports basic key rotation, we recommend using one of the other options in production.                                                                                           |
 
 ## Configuring Galaxy
@@ -36,7 +35,7 @@ path_prefix: /galaxy  # optional
 ...
 ```
 
-The `type` must be a valid backend type: `hashicorp`, `custos`, or `database`. At present, only a single vault backend
+The `type` must be a valid backend type: `hashicorp`, or `database`. At present, only a single vault backend
 is supported. The `path_prefix` property indicates  the root path under which to store all vault keys. If multiple
 Galaxy instances are using the same vault, a prefix can  be used to uniquely identify the Galaxy instance.
 If no path_prefix is provided, the prefix defaults to `/galaxy`.
@@ -50,19 +49,6 @@ vault_address: http://localhost:8200
 vault_token: vault_application_token
 ```
 
-## Vault configuration for Custos
-
-```yaml
-type: custos
-custos_host: service.staging.usecustos.org
-custos_port: 30170
-custos_client_id: custos-jeREDACTEDye-10000001
-custos_client_sec: OGREDACTEDBSUDHn
-```
-
-Obtaining the Custos client id and client secret requires first registering your Galaxy instance with Custos.
-Visit [usecustos.org](http://usecustos.org/) for more information.
-
 ## Vault configuration for database
 
 ```yaml
diff --git a/lib/galaxy/dependencies/__init__.py b/lib/galaxy/dependencies/__init__.py
@@ -308,9 +308,6 @@ def check_pydyf(self):
         # See notes in ./conditional-requirements.txt for more information.
         return os.environ.get("GALAXY_DEPENDENCIES_INSTALL_WEASYPRINT") == "1"
 
-    def check_custos_sdk(self):
-        return "custos" == self.vault_type
-
     def check_hvac(self):
         return "hashicorp" == self.vault_type
 
diff --git a/lib/galaxy/dependencies/conditional-requirements.txt b/lib/galaxy/dependencies/conditional-requirements.txt
@@ -37,7 +37,6 @@ huggingface_hub
 
 # Vault backend
 hvac
-custos-sdk
 
 # Chronos client
 chronos-python==1.2.1
diff --git a/lib/galaxy/security/vault.py b/lib/galaxy/security/vault.py
@@ -13,17 +13,6 @@
 )
 from sqlalchemy import select
 
-try:
-    from custos.clients.resource_secret_management_client import ResourceSecretManagementClient
-    from custos.clients.utils.exceptions.CustosExceptions import KeyDoesNotExist
-    from custos.transport.settings import CustosServerClientSettings
-
-    logging.getLogger("custos.clients.resource_secret_management_client").setLevel(logging.CRITICAL)
-
-    custos_sdk_available = True
-except ImportError:
-    custos_sdk_available = False
-
 try:
     import hvac
 except ImportError:
@@ -184,34 +173,6 @@ def _get_vault_value(self, key):
         return self.sa_session.scalars(stmt).first()
 
 
-class CustosVault(Vault):
-    def __init__(self, config):
-        if not custos_sdk_available:
-            raise InvalidVaultConfigException(
-                "Custos sdk library 'custos-sdk' is not available. Make sure the custos-sdk is installed."
-            )
-        custos_settings = CustosServerClientSettings(
-            custos_host=config.get("custos_host"),
-            custos_port=config.get("custos_port"),
-            custos_client_id=config.get("custos_client_id"),
-            custos_client_sec=config.get("custos_client_sec"),
-        )
-        self.client = ResourceSecretManagementClient(custos_settings)
-
-    def read_secret(self, key: str) -> Optional[str]:
-        try:
-            response = self.client.get_kv_credential(key=key)
-            return response.get("value")
-        except KeyDoesNotExist:
-            return None
-
-    def write_secret(self, key: str, value: str) -> None:
-        self.client.set_kv_credential(key=key, value=value)
-
-    def list_secrets(self, key: str) -> list[str]:
-        raise NotImplementedError()
-
-
 class UserVaultWrapper(Vault):
     def __init__(self, vault: Vault, user):
         self.vault = vault
@@ -300,8 +261,6 @@ def from_vault_type(app, vault_type: Optional[str], cfg: dict) -> Vault:
             vault = HashicorpVault(cfg)
         elif vault_type == "database":
             vault = DatabaseVault(app.model.context, cfg)
-        elif vault_type == "custos":
-            vault = CustosVault(cfg)
         else:
             raise InvalidVaultConfigException(f"Unknown vault type: {vault_type}")
         vault_prefix = cfg.get("path_prefix") or "/galaxy"
diff --git a/test/unit/app/dependencies/test_deps.py b/test/unit/app/dependencies/test_deps.py
@@ -30,9 +30,6 @@
   runner1:
     load: job_runner_A
 """
-VAULT_CONF_CUSTOS = """
-type: custos
-"""
 VAULT_CONF_HASHICORP = """
 type: hashicorp
 """
@@ -102,17 +99,6 @@ def test_yaml_jobconf_runners():
         assert "job_runner_A" in cds.job_runners
 
 
-def test_vault_custos_configured():
-    with _config_context() as cc:
-        vault_conf = cc.write_config("vault_conf.yml", VAULT_CONF_CUSTOS)
-        config = {
-            "vault_config_file": vault_conf,
-        }
-        cds = cc.get_cond_deps(config=config)
-        assert cds.check_custos_sdk()
-        assert not cds.check_hvac()
-
-
 def test_vault_hashicorp_configured():
     with _config_context() as cc:
         vault_conf = cc.write_config("vault_conf.yml", VAULT_CONF_HASHICORP)
@@ -121,7 +107,6 @@ def test_vault_hashicorp_configured():
         }
         cds = cc.get_cond_deps(config=config)
         assert cds.check_hvac()
-        assert not cds.check_custos_sdk()
 
 
 @pytest.mark.parametrize(
diff --git a/test/unit/data/security/fixtures/vault_conf_custos.yml b/test/unit/data/security/fixtures/vault_conf_custos.yml
diff --git a/test/unit/data/security/test_vault.py b/test/unit/data/security/test_vault.py
@@ -110,30 +110,3 @@ def test_wrong_keys(self):
         vault = VaultFactory.from_app(app)
         with self.assertRaises(InvalidToken):
             vault.read_secret("my/incorrect/secret")
-
-
-VAULT_CONF_CUSTOS = os.path.join(os.path.dirname(__file__), "fixtures/vault_conf_custos.yml")
-
-
-@pytest.mark.skipif(
-    not os.environ.get("CUSTOS_CLIENT_ID") or not os.environ.get("CUSTOS_CLIENT_SECRET"),
-    reason="CUSTOS_CLIENT_ID and CUSTOS_CLIENT_SECRET env vars not set",
-)
-class TestCustosVault(AbstractTestCases.VaultTestBase):
-    def setUp(self) -> None:
-        with (
-            tempfile.NamedTemporaryFile(mode="w", prefix="vault_custos", delete=False) as tempconf,
-            open(VAULT_CONF_CUSTOS) as f,
-        ):
-            content = string.Template(f.read()).safe_substitute(
-                custos_client_id=os.environ.get("CUSTOS_CLIENT_ID"),
-                custos_client_secret=os.environ.get("CUSTOS_CLIENT_SECRET"),
-            )
-            tempconf.write(content)
-            self.vault_temp_conf = tempconf.name
-        config = GalaxyDataTestConfig(vault_config_file=self.vault_temp_conf)
-        app = GalaxyDataTestApp(config=config)
-        self.vault = VaultFactory.from_app(app)
-
-    def tearDown(self) -> None:
-        os.remove(self.vault_temp_conf)
