Releases: uc-cdis/fence

Inmem gs cache fix

28 Jun 19:34
9650afc

Release Notes

For: uc-cdis/fence

Notes since tag: 6.0.0

Notes to tag/commit: e38eb3d

Generated: 2022-06-28

Bug Fixes

  • ensure inmem gs cache of sa keys has exp checked (#1025)

GA4GH Passport to DRS Support

08 Jun 15:22
c523375

Release Notes

For: uc-cdis/fence
Notes since tag: 5.6.0
Notes to tag/commit: c523375
Generated: 2022-06-08

New Features

  • Add idp_to_user table that maps multiple IdPs to a single user (currently
    only used for RAS) #963 (#964)
  • Cronjob for removing expired Google Data Access if expiration is set #968
    (#964)
  • Support multi-passport validation #967 (#964)
  • Visa validation and authz sync for POST /data/download/{guid} endpoint #973
    (#964)
  • Set expiration for created user policies when a passport is POSTed to DRS
    endpoint #986 (#964)
  • Change username in Arborist when a user POSTs to DRS endpoint and then logs
    in #986 (#964)
  • project id to authz resource mapping is now persisted in the database from
    user.yaml #987 (#964)
  • Populate iss_sub_pair_to_user table using User table's id_from_idp column
    #995 (#964)
  • usersync no longer updates visas and Access Token Polling now both gets
    updated passport(s) for a user and updates authorization #988 (#964)
  • A frequently-running cronjob handles the removal of expired visas #988
    (#964)

Breaking Changes

  • URL Signing when no_force_sign query param is provided: Previously Fence
    would make a decision based on whether the data was public and
    no_force_sign was provided. Fence will now NEVER sign if no_force_sign is
    provided (since the concept of "public" data has been abstracted out of
    Fence; data access, public or not, is the sole responsibility of the policy
    engine). In other words, if no_force_sign is provided at the API level,
    Fence will respect that regardless of whether the resulting URL will
    actually work. The default Fence behavior should remain the same. #988
    (#964)

Bug Fixes

  • Fix granting of storage access so that expires is honored (#1026)

Improvements

  • Syncing to Google storage backend supports supplying an expiration for
    Google Data Access #968 (#964)
  • Use validate_jwt from Fence instead of authutils #967 (#964)
  • Passport sync now uses persisted project id to authz resource mapping from
    the database if available when syncing authz #987 (#964)
  • Passport cache for substantially increasing speed of subsequent parsing of
    the same, valid passport #999 (#964)
  • Significantly improve sync_single_user_visas performance by use of a single
    Arborist policy to represent access #1005 (#964)
  • Fix issue where Fence was not finding the newest Service Account for a user
    because of an existing SA under a previous username (this situation occurs
    when a user uses a Passport and THEN logs in with their eRA Commons) #1001
    (#964)
  • InCommon: do not configure duplicate Shibboleth IDPs (#1024)

Dependency Updates

Deployment Changes

  • Requires database migration for a new table to Fence, google Access
    expiration to add new expires column, and to create iss_sub_pair_to_user
    table #968 #963 #973 (#964)
  • Requires Arborist >= 2022.04 OR >= 3.4.0 uc-cdis/arborist#143 (#964)
  • To enable Passports -> DRS in an environment you must update Fence
    Configuration to at a minimum specify GA4GH_PASSPORTS_TO_DRS_ENABLED: true
    (only do this after coordinating with the environment owner as this has
    several requirements before it can be enabled, including the need to use
    Indexd's authz field in ALL records rather than acl) (#964)

Generic OIDC support

19 Apr 18:52
dfdde51

Release Notes

For: uc-cdis/fence

Notes since tag: 5.5.5

Notes to tag/commit: 5.6.0

Generated: 2022-04-19

New Features

  • Generic OIDC support (#1017)

Improvements

  • Fix generic OIDC: get_user_id returns the correct user ID field (#1021)
  • Refactor so the list of supported OIDC IDPs is not hardcoded anymore (#1017)
  • Update unit tests so all supported OIDC IDPs are tested (#1017)
  • don't use json.dumps in logs, as it creates too many new lines that make
    log parsing difficult (#1018)
  • Add documentation around fence-create --append (#1013)
  • use central workflow github actions for image build and push (#1009)
  • Add all the user's scopes to API keys (#1006)
  • Add authz column to project table during migration. Corresponds with
    uc-cdis/userdatamodel#74. (#1003)

Bug Fixes

  • Fix ENABLED_IDENTITY_PROVIDERS errors caused by the default config (#1010)
  • During retries of Arborist calls, only await healthy() if the Arborist
    client is async (#1002)
  • visa_types should be strings (#985)

Dependency Updates

  • Upgrade PyYAML to version 5.4 or higher. (#998)
  • Upgrade Flask-Cors to version 3.0.9 or higher. (#998)

Deployment Changes

  • Requires a Fence DB migration (#1003)

Configurable scope and discovery_url for oauth clients

08 Dec 20:35
eebad54

Release Notes

For: uc-cdis/fence
Notes since tag: 5.5.4
Notes to tag/commit: eebad54
Generated: 2021-12-08

Bug Fixes

  • Fix issue with IdP subject being sent to audit log on login instead of Gen3
    subject (#982)

Improvements

  • scopes and discovery_url are overridable per oauth client in the
    configuration (#994)

Fix the redirection to the default IDP

16 Nov 17:08
67d787c

Release Notes

For: uc-cdis/fence

Notes since tag: 5.5.3

Notes to tag/commit: 5.5.4

Generated: 2021-11-16

Bug Fixes

  • Fix the redirection to the default IDP in the /oauth2/authorize endpoint:
    when the default IDP is "fence", include idp and shib_idp query
    parameters (#977)

Improvements

  • Update the unit tests so we don't make real requests to get the list of
    InCommon IDPs (#977)

update dockerfile

11 Nov 22:53
0c40a48

Release Notes

For: uc-cdis/fence

Notes since tag: 5.5.2

Notes to tag/commit: 0c40a48

Generated: 2021-11-11

Improvements

  • update to latest base image (#976)

Populate id from IdP

11 Nov 20:55
8370e56

Release Notes

For: uc-cdis/fence

Notes since tag: 5.5.1

Notes to tag/commit: 8370e56

Generated: 2021-11-11

Improvements

  • populate the ID the IdP uses in the database if provided (for future
    reference) NOTE: This may be the same as the unique username determined,
    but if not, this allows storing both (#975)
  • Use new Python base image (now: Debian, before: Alpine) (#972)

5.5.1

19 Oct 13:53
70c6347

Release Notes

For: uc-cdis/fence

Notes since tag: 5.5.0

Notes to tag/commit: 70c6347

Generated: 2021-10-19

Improvements

  • Remove fallback to other fields from RAS userinfo response when UserID is
    not provided and return an error instead. (#969)
  • Update image links in example Azure DevOps pipeline and documentation
    (#961)
  • Example Azure DevOps pipeline and documentation (#947)
  • remove deprecated project access from cookies (making them smaller) (#958)

GA4GH DRS Access API

08 Sep 16:27
dbedbf6

Release Notes

For: uc-cdis/fence
Notes since tag: 5.4.1
Notes to tag/commit: dbedbf6
Generated: 2021-09-08

New Features

  • Expose /ga4gh/drs/v1/objects/{object_id}/access/{access_id} GA4GH DRS
    Access API via Fence (#957)

new base python image

08 Sep 15:05
15edba7

Release Notes

For: uc-cdis/fence
Notes since tag: 5.4.0
Notes to tag/commit: 15edba7
Generated: 2021-09-08

New Features

  • Use RAS v1.1 Passport instead of RAS v1.0 passport (#956)
  • Validate RAS v1.1 Passports (#956)
  • Added logic to create Gen3 Passports (#956)

Bug Fixes

  • A change was made to the get_signed_url function in the gen3cirrus
    package, but the function parameters were not updated in Fence, which
    returned an invalid parameter error. Adding the missing parameters to the
    function in Fence resolved the error. (#955)

Improvements

  • update to latest python base image (#959)