fence/config-default.yaml

---
############################### Fence Configuration ####################################
# This file contains various configurations for the Fence microservice.
#
# README:
# - This is initially configured for minimal local development with reasonable defaults.
# - Descriptions for each of the configurations (if any) will be *above* the variable as
#   comments.
# - Some configuration variables will have examples commented out below them.
# - This is broken up into 2 main sections for REQUIRED and OPTIONAL configurations.
#     - Optional configs will note what features or endpoints they support
# - Underneath each main section the variables are logically grouped under named
#   sections.
#
# NOTE: Login is NOT ready out of the box. Fill out REQUIRED configurations first

########################################################################################
#                               REQUIRED CONFIGURATIONS                                #
########################################################################################

# //////////////////////////////////////////////////////////////////////////////////////
# GENERAL
#   - Fill out all variables!
# //////////////////////////////////////////////////////////////////////////////////////
APP_NAME: 'Gen3 Data Commons'
# Where fence microservice is deployed
BASE_URL: 'http://localhost/user'
# postgres db to connect to
# connection url format:
#     postgresql://[user[:password]@][netloc][:port][/dbname]
# can also be set via env var DB
DB: 'postgresql://test:test@localhost:5432/fence'

# A URL-safe base64-encoded 32-byte key for encrypting keys in db
# in python you can use the following script to generate one:
#     import base64
#     import os
#     key = base64.urlsafe_b64encode(os.urandom(32))
#     print(key)
ENCRYPTION_KEY: ''

# //////////////////////////////////////////////////////////////////////////////////////
# DEBUG & SECURITY SETTINGS
#   - Modify based on whether you're in a dev environment or in production
# //////////////////////////////////////////////////////////////////////////////////////
# flask's debug setting
# WARNING: DO NOT ENABLE IN PRODUCTION (for testing purposes only)
DEBUG: true
# if true, will automatically login a user with username "test"
# WARNING: DO NOT ENABLE IN PRODUCTION (for testing purposes only)
MOCK_AUTH: false
# if true, will fake a successful login response from Google in /login/google
#     NOTE: this will also modify the behavior of /link/google endpoints
# WARNING: DO NOT ENABLE IN PRODUCTION (for testing purposes only)
# will login as the username set in cookie DEV_LOGIN_COOKIE_NAME
MOCK_GOOGLE_AUTH: false
DEV_LOGIN_COOKIE_NAME: "dev_login"
# if true, will ignore anything configured in STORAGE_CREDENTIALS
MOCK_STORAGE: true
# allow OIDC traffic on http for development. By default it requires https.
#
# WARNING: ONLY set to true when fence will be deployed in such a way that it will
#          ONLY receive traffic from internal clients and can safely use HTTP.
AUTHLIB_INSECURE_TRANSPORT: true

# enable Prometheus Metrics for observability purposes
#
# WARNING: Any counters, gauges, histograms, etc. should be carefully
# reviewed to make sure its labels do not contain any PII / PHI
ENABLE_PROMETHEUS_METRICS: false

# set if you want browsers to only send cookies with requests over HTTPS
SESSION_COOKIE_SECURE: true

ENABLE_CSRF_PROTECTION: true

# Signing key for WTForms to sign CSRF tokens with
WTF_CSRF_SECRET_KEY: '{{ENCRYPTION_KEY}}'

# fence (at the moment) attempts a migration on startup. setting this to false will disable that
# WARNING: ONLY set to false if you do NOT want to automatically migrate your database.
#          You should be careful about incompatible versions of your db schema with what
#          fence expects. In other words, things could be broken if you update to a later
#          fence that expects a schema your database isn't migrated to.
# NOTE: We are working to improve the migration process in the near future
ENABLE_DB_MIGRATION: true

# Key to lock the database during migrations
DB_MIGRATION_POSTGRES_LOCK_KEY: 100

# //////////////////////////////////////////////////////////////////////////////////////
# OPEN ID CONNECT (OIDC)
#   - Fully configure at least one client so login works
#   - WARNING: Be careful changing the *_ALLOWED_SCOPES as you can break basic
#              and optional functionality
# //////////////////////////////////////////////////////////////////////////////////////
OPENID_CONNECT:
  # any OIDC IDP that does not differ from the generic implementation can be
  # configured without code changes
  generic_oidc_idp:  # choose a unique ID and replace this key
    name: 'some_idp'  # optional; display name for this IDP
    client_id: ''
    client_secret: ''
    redirect_url: '{{BASE_URL}}/login/some_idp/login'  # replace IDP name
    # use `discovery` to configure IDPs that do not expose a discovery
    # endpoint. One of `discovery_url` or `discovery` should be configured
    discovery_url: 'https://server.com/.well-known/openid-configuration'
    discovery:
      authorization_endpoint: ''
      token_endpoint: ''
      jwks_uri: ''
    user_id_field: ''  # optional (default "sub"); claims field to get the user_id from
    email_field: ''  # optional (default "email"); claims field to get the user email from
    scope: ''  # optional (default "openid")
    multifactor_auth_claim_info: # optional, include if you're using arborist to enforce mfa on a per-file level
      claim: '' # claims field that indicates mfa, either the acr or acm claim.
      values: [ "" ] # possible values that indicate mfa was used. At least one value configured here is required to be in the token
  # These Google values must be obtained from Google's Cloud Console
  # Follow: https://developers.google.com/identity/protocols/OpenIDConnect
  #
  # You'll need to obtain a Client ID and Client Secret. Set the redirect URIs
  # in Google to be '{{BASE_URL}}/login/google/login', but expand BASE_URL to
  # whatever you set it to above.
  google:
    discovery_url: 'https://accounts.google.com/.well-known/openid-configuration'
    client_id: ''
    client_secret: ''
    # this is be the allowed redirect back to fence, should not need to change
    redirect_url: '{{BASE_URL}}/login/google/login/'
    scope: 'openid email'
    # if mock is true, will fake a successful login response from Google in /login/google
    #     NOTE: this will also modify the behavior of /link/google endpoints
    # WARNING: DO NOT ENABLE IN PRODUCTION (for testing purposes only)
    # will login as the username set in cookie DEV_LOGIN_COOKIE_NAME or default provided
    # here
    mock: '{{MOCK_GOOGLE_AUTH}}'  # for backwards compatibility with older cfg files
    mock_default_user: 'test@example.com'
  # Support for multi-tenant fence (another fence is this fence's IDP)
  # If this fence instance is a client of another fence, fill this cfg out.
  # REMOVE if not needed
  fence:
    # Custom name to display for consent screens. If not provided, will use `fence`.
    # If the other fence is using NIH Login, you should make name: `NIH Login`
    name: ''
    # this api_base_url should be the root url for the OTHER fence
    # something like: https://example.com
    api_base_url: ''
    # this client_id and client_secret should be obtained by registering THIS fence as
    # a new client of the OTHER fence
    client_id: ''
    client_secret: ''
    client_kwargs:
      # openid is required to use OIDC flow
      scope: 'openid'
      # callback after logging in through the other fence
      redirect_uri: '{{BASE_URL}}/login/fence/login'
    # The next 3 should not need to be changed if the provider is following
    # Oauth2 endpoint naming conventions
    authorize_url: '{{api_base_url}}/oauth2/authorize'
    access_token_url: '{{api_base_url}}/oauth2/token'
    refresh_token_url: '{{api_base_url}}/oauth2/token'
    # if mock is true, will fake a successful login response for login
    # WARNING: DO NOT ENABLE IN PRODUCTION (for testing purposes only)
    mock: false
    mock_default_user: 'test@example.com'
    # this is needed to enable InCommon login, if some LOGIN_OPTIONS are configured with idp=fence and a list of shib_idps:
    shibboleth_discovery_url: 'https://login.bionimbus.org/Shibboleth.sso/DiscoFeed'
  # you can setup up an orcid client here: https://orcid.org/developer-tools
  orcid:
    discovery_url: 'https://orcid.org/.well-known/openid-configuration'
    client_id: ''
    client_secret: ''
    # make sure you put the FULL url for this deployment in the allowed redirects in
    # ORCID.org. DO NOT include {{BASE_URL}} at ORCID.org, you need to actually put the
    # full url
    redirect_url: '{{BASE_URL}}/login/orcid/login/'
    scope: 'openid'
    # if mock is true, will fake a successful login response for login
    # WARNING: DO NOT ENABLE IN PRODUCTION (for testing purposes only)
    mock: false
    mock_default_user: '0000-0002-2601-8132'
  ras:
    discovery_url: 'https://sts.nih.gov/.well-known/openid-configuration'
    client_id: ''
    client_secret: ''
    redirect_url: '{{BASE_URL}}/login/ras/callback'
    scope: 'openid email profile ga4gh_passport_v1'
#    multifactor_auth_claim_info:
#      claim: 'acr'
#      values: [ 'https://stsstg.nih.gov/assurance/aal/2' ]
    # if mock is true, will fake a successful login response for login
    # WARNING: DO NOT ENABLE IN PRODUCTION (for testing purposes only)
    mock: false
    mock_default_user: 'test@example.com'
  # Create a client in Azure here:
  #   https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredAppsPreview
  # Currently supports organizational account only, so when registering a new App in
  # Azure, make sure to select the `Accounts in any organizational directory` for
  # supported account types.
  microsoft:
    discovery_url: 'https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration'
    # after registering a new appl, client_id can be found as
    # "APPLICATION (CLIENT) ID" in Microsoft Azure
    client_id: ''
    # You have a generate a secret in Azure for this app, there should be a
    # "Certificates & secrets" section where you can create a "New client secret"
    client_secret: ''
    # make sure you put the FULL url for this deployment in the allowed redirects in
    # your app in Azure. DO NOT include {{BASE_URL}} in Azure, you need to actually put the
    # full url
    redirect_url: '{{BASE_URL}}/login/microsoft/login/'
    scope: 'openid email'
    # if mock is true, will fake a successful login response for login
    # WARNING: DO NOT ENABLE IN PRODUCTION (for testing purposes only)
    mock: false
    mock_default_user: 'test@example.com'
    #    multifactor_auth_claim_info:
    #      claim: 'amr'
    #      values: [ "mfa", "otp", "rsa", "ngcmfa", "wiaormfa" ]
  # For information on configuring an Okta tenant as an OIDC IdP refer to Okta documentation at:
  # https://developer.okta.com/docs/reference/api/oidc/#2-okta-as-the-identity-platform-for-your-app-or-api
  okta:
    discovery_url: ''
    client_id: ''
    client_secret: ''
    redirect_url: '{{BASE_URL}}/login/okta/login/'
    scope: 'openid email'
    #    multifactor_auth_claim_info:
    #      claim: 'amr'
    #      values: [ "mfa", "otp", "sms" ]
  cognito:
    # You must create a user pool in order to have a discovery url
    discovery_url: 'https://cognito-idp.{REGION}.amazonaws.com/{USER-POOL-ID}/.well-known/openid-configuration'
    client_id: ''
    client_secret: ''
    redirect_url: '{{BASE_URL}}/login/cognito/login/'
    scope: 'openid email'
    # In the case where Cognito is being used solely as an intermediary to a single IdP,
    # and that IdP is a SAML IdP with no 'email_verified' outgoing claim, but it is safe
    # to assume all emails from this SAML IdP are in fact verified, we may set this to True
    assume_emails_verified: False
  # CILogon subscribers can create and manage OIDC clients using COmanage Registry.
  # Free tier users may request OIDC clients at https://cilogon.org/oauth2/register
  cilogon:
    discovery_url: 'https://cilogon.org/.well-known/openid-configuration'
    client_id: ''
    client_secret: ''
    # When registering the Callback URLs for your CILogon OIDC client be
    # sure to include the FULL url for this deployment, including the https:// scheme
    # and server FQDN.
    redirect_url: '{{BASE_URL}}/login/cilogon/login/'
    scope: 'openid email profile'
    # if mock is true, will fake a successful login response for login
    # WARNING: DO NOT ENABLE IN PRODUCTION (for testing purposes only)
    mock: false
    mock_default_user: 'http://cilogon.org/serverT/users/64703'
    #    multifactor_auth_claim_info:
    #      claim: 'acr'
    #      values: [ "https://refeds.org/profile/mfa" ]
  synapse:
    discovery_url: ''
    client_id: ''
    client_secret: ''
    redirect_url: ''
    scope: 'openid'
  shibboleth:
    client_id: ''
    client_secret: ''
    redirect_url: '{{BASE_URL}}/login/shib/login'

# these are the *possible* scopes a client can be given, NOT scopes that are
# given to all clients. You can be more restrictive during client creation
CLIENT_ALLOWED_SCOPES:
  - "openid"
  - "user"
  - "data"
  - "google_credentials"
  - "google_service_account"
  - "google_link"
  - "ga4gh_passport_v1"

# these are the scopes that CAN be included in a user's own access_token
USER_ALLOWED_SCOPES:
  - "fence"
  - "openid"
  - "user"
  - "data"
  - "admin"
  - "google_credentials"
  - "google_service_account"
  - "google_link"
  - "ga4gh_passport_v1"

# these are the scopes that a browser session can create for a user (very
# similar to USER_ALLOWED_SCOPES, as the session will actually create access_tokens
# for an actively logged in user)
SESSION_ALLOWED_SCOPES:
  - "openid"
  - "user"
  - "credentials"
  - "data"
  - "admin"
  - "google_credentials"
  - "google_service_account"
  - "google_link"
  - "ga4gh_passport_v1"

# //////////////////////////////////////////////////////////////////////////////////////
# LOGIN
#   - Modify based on which OIDC provider(s) you configured above
#   - NOTE: You can have multiple IDPs for users to login with, but one has to be set
#           as the default
# //////////////////////////////////////////////////////////////////////////////////////

# List of enabled login options (used by data-portal to display login buttons).
# Each option must be configured with a "name" and an "idp".
# - "idp" must be a configured provider in OPENID_CONNECT section.
# Multiple options can be configured with the same idp.
# - if provider_id is "fence", "fence_idp" can be any of the providers
# supported by the other Fence. If not specified, will default to NIH login.
# - if provider_id is "fence" and fence_idp is "shibboleth", a list of
# "shib_idps" can be configured for InCommon login. If not specified, will
# default to NIH login.
# - Optional parameters: "desc" (description) and "secondary" (boolean - can
# be used by the frontend to display secondary buttons differently).
LOGIN_OPTIONS: [] # !!! remove the empty list to enable login options!
  # - name: 'Login from Google'
  #   desc: 'description'
  #   idp: google
  #   secondary: True
  # - name: 'ORCID Login'
  #   idp: orcid
  # - name: 'Microsoft Login'
  #   idp: microsoft
  # - name: 'Okta Login'
  #   idp: okta
  # # Cognito login: You may want to edit the name to reflect Cognito's IdP,
  # # especially if Cognito is only using one IdP
  # - name: 'Login from Cognito'
  #   desc: 'Amazon Cognito login'
  #   idp: cognito
  # - name: 'Login from RAS'
  #   idp: ras
  # - name: 'NIH Login'
  #   idp: fence
  #   fence_idp: shibboleth
  # - name: 'ORCID Login through other Fence'
  #   idp: fence
  #   fence_idp: orcid
  # - name: 'CILogon Login'
  #   idp: cilogon
  # - name: 'InCommon Login'
  #   idp: fence
  #   fence_idp: shibboleth
  #   # "shib_idps" can be '*' or a list of one or more entity IDs
  #   shib_idps:
  #     - urn:mace:incommon:nih.gov
  #     - urn:mace:incommon:uchicago.edu
# The following can be used for shibboleth login, simply uncomment.
# NOTE: Don't enable shibboleth if the deployment is not protected by
# shibboleth module, the shib module takes care of preventing header
# spoofing.
  # - name: 'Shibboleth Login'
  #   idp: shibboleth

# Default login provider:
# - must be configured in LOGIN_OPTIONS and OPENID_CONNECT
# - if several options in LOGIN_OPTIONS are defined for this IDP, will default
# to the first one.
DEFAULT_LOGIN_IDP: null

# Default login URL: DEPRECATED and replaced by LOGIN_OPTIONS + DEFAULT_LOGIN_IDP configs
# - Google? Use: '{{BASE_URL}}/login/google'
# - Multi-tenant fence (e.g. another fence instance)? Use: '{{BASE_URL}}/login/fence'
# - Sibboleth? Use: '{{BASE_URL}}/login/shib'
DEFAULT_LOGIN_URL: '{{BASE_URL}}/login/google'

# `LOGIN_REDIRECT_WHITELIST` is a list of extra whitelisted URLs which can be redirected
# to by the `/login/*` endpoints. Fence automatically populates this with the redirect
# URLs for any registered OAuth clients, and its own URL. When validating the redirects,
# fence chesk whether the domain for the redirect matches a domain in the whitelist (so
# only the domains for the additional desired redirects are necessary here).
LOGIN_REDIRECT_WHITELIST: []

### DEPRECATED and replaced by OPENID_CONNECT + LOGIN_OPTIONS configs
ENABLED_IDENTITY_PROVIDERS: {}


# //////////////////////////////////////////////////////////////////////////////////////
# LIBRARY CONFIGURATION (flask)
#   - Already contains reasonable defaults
# //////////////////////////////////////////////////////////////////////////////////////

# used for flask, "path mounted under by the application / web server"
# since we deploy as microservices, fence is typically under {{base}}/user
# this is also why our BASE_URL default ends in /user
APPLICATION_ROOT: '/user'


# //////////////////////////////////////////////////////////////////////////////////////
# Tokens, Lifetimes, & Expirations
#   - Already contains reasonable defaults
#
#   WARNING: Some of these default times are strict external requirements for compliance
#            of running Gen3 instances. DO NOT CHANGE WITHOUT CONSIDERING THE RAMIFICATIONS.
#
# //////////////////////////////////////////////////////////////////////////////////////
# The name of the browser cookie in which the access token will be stored.
ACCESS_TOKEN_COOKIE_NAME: "access_token"

# The name of the browser cookie in which the session token will be stored.
# Note that the session token also stores information for the
# ``flask.session`` in the ``context`` field of the token.
SESSION_COOKIE_NAME: "fence"

# The domain of the browser cookie in which the session token will be stored.
# Leave unset (not empty string!) for normal single-site deployment.
SESSION_COOKIE_DOMAIN:

OAUTH2_TOKEN_EXPIRES_IN:
  "authorization_code": 1200
  "implicit": 1200

# The number of seconds after an access token is issued until it expires.
ACCESS_TOKEN_EXPIRES_IN: 1200

# The number of seconds after a refresh token is issued until it expires.
REFRESH_TOKEN_EXPIRES_IN: 2592000

# The number of seconds after which a browser session is considered stale.
SESSION_TIMEOUT: 900

# The maximum session lifetime in seconds.
SESSION_LIFETIME: 28800

# The number of seconds the user's Google service account key used for
# url signing will last before being expired/rotated
# 30 days: 2592000 seconds
GOOGLE_SERVICE_ACCOUNT_KEY_FOR_URL_SIGNING_EXPIRES_IN: 2592000

# The number of seconds after a User's Google Service account is added to bucket
# access until it expires.
# 7 days: 604800 seconds
GOOGLE_USER_SERVICE_ACCOUNT_ACCESS_EXPIRES_IN: 604800

# The number of seconds after a User's Google account is added to bucket
# access until it expires.
GOOGLE_ACCOUNT_ACCESS_EXPIRES_IN: 86400

# The number of seconds after a pre-signed url is issued until it expires.
MAX_PRESIGNED_URL_TTL: 3600

# The number of seconds after an API KEY is issued until it expires.
MAX_API_KEY_TTL: 2592000

# The number of seconds after an access token is issued until it expires.
MAX_ACCESS_TOKEN_TTL: 3600

# TEMPORARY: The maximum number of projects allowed in token claims.
# This config var should be removed after sheepdog and peregrine support
# auth checks against Arborist, and no longer check the token.
TOKEN_PROJECTS_CUTOFF: 10

# If set to true, will generate an new access token each time when a browser session update happens
RENEW_ACCESS_TOKEN_BEFORE_EXPIRATION: false

# The maximum lifetime of a Gen3 passport in seconds
GEN3_PASSPORT_EXPIRES_IN: 43200

# The JSON field the GA4GH Passport is in when a request is POST-ed to DRS
# We use the same field name for POSTs to /data/download for consistency
GA4GH_DRS_POSTED_PASSPORT_FIELD: "passports"


########################################################################################
#                               OPTIONAL CONFIGURATIONS                                #
########################################################################################

# For displaying a privacy policy to users, we can either link to the URL specified by
# PRIVACY_POLICY_URL, or default to the `static/privacy_policy.md` file in fence.
PRIVACY_POLICY_URL: null

# //////////////////////////////////////////////////////////////////////////////////////
# RELIABILITY OPTS
# //////////////////////////////////////////////////////////////////////////////////////
# Configurations related to resiliency, fault-tolerance and availability
# This is the number of requests per second that the Nginx proxy will accept before reaching fence
# The value defined in fence-config-public.yaml takes precedence over this one
# In the absence of this OVERRIDE prefixed config, the legacy NGINX_RATE_LIMIT from the k8s deployment yaml is applied
OVERRIDE_NGINX_RATE_LIMIT: 18

# This is the maximum numbers of retries when exponentially backing off against an
# error from an external API.
DEFAULT_BACKOFF_SETTINGS_MAX_TRIES: 3

# //////////////////////////////////////////////////////////////////////////////////////
# SUPPORT INFO
# //////////////////////////////////////////////////////////////////////////////////////
# If you want an email address to show up when an unhandled error occurs, provide one
# here. Something like: support@example.com
SUPPORT_EMAIL_FOR_ERRORS: null

# //////////////////////////////////////////////////////////////////////////////////////
# USER ACTIVATION
# //////////////////////////////////////////////////////////////////////////////////////
# If you want new users (read: users that login for the first time) to automatically be
# allowed through and added to the Fence DB, set this to true. Otherwise, set this to false.
# Setting it to false will ensure the user will only be able to login after the user
# is added to the Fence DB via a separate process. This two-step process allows for
# a separate onboarding and user "approval" process, instead of the default automatic approval.
ALLOW_NEW_USER_ON_LOGIN: true

# //////////////////////////////////////////////////////////////////////////////////////
# SHIBBOLETH
#   - Support using `shibboleth` in LOGIN_OPTIONS
#   - Contains defaults for using NIH's Login.
# //////////////////////////////////////////////////////////////////////////////////////
# assumes shibboleth is deployed under {{BASE_URL}}/shibboleth
SHIBBOLETH_HEADER: 'persistent_id'
SSO_URL: 'https://auth.nih.gov/affwebservices/public/saml2sso?SPID={{BASE_URL}}/shibboleth&RelayState='
ITRUST_GLOBAL_LOGOUT: 'https://auth.nih.gov/siteminderagent/smlogout.asp?mode=nih&AppReturnUrl='

# //////////////////////////////////////////////////////////////////////////////////////
# dbGaP USER SYNCING SUPPORT
#   - Support syncing authorization information from dbGaP
# //////////////////////////////////////////////////////////////////////////////////////
# "dbGaP project serves as an access gateway for researchers seeking to gain
#  access to genotype and phenotype data"
#
# User syncing and access can also be done throught a User Access file. See
# fence's README for more information
dbGaP:
  - info:
      host: ''
      username: ''
      password: ''
      port: 22
      proxy: ''
      proxy_user: ''
    protocol: 'sftp'
    decrypt_key: ''
    # allow non_dbgap_whitelist allows you to read a non-dbgap sftp server.
    # by default Fence only allows usersync to read a dbgap whitelist with
    # the format authentication_file_phs000123.csv enabling this with addition to
    # providing a list of additional_allowed_project_id_patterns allows usersyn to
    # read any filename that matches the patterns in the list.
    allow_non_dbGaP_whitelist: false
    additional_allowed_project_id_patterns: []
    # parse out the consent from the dbgap accession number such that something
    # like "phs000123.v1.p1.c2" becomes "phs000123.c2".
    #
    # NOTE: when this is "false" the above would become "phs000123"
    parse_consent_code: true
    # When a dbGaP study authorizes access to child studies through a parent study ID,
    # you can use this mapping. When a user gets access to the first ID, they automatically
    # get access to the list of projects to the right.
    #
    # There's usually a note in the "Authorized Access" section of the dbGaP study page
    # (https://www.ncbi.nlm.nih.gov/projects/gap/cgi-bin/study.cgi?study_id=phs001843.v1.p2)
    # along the lines of:
    # Note: The data for this study is collected as a substudy of
    #       phs001194.v3.p2. dbGaP Authorized Access requests for
    #       this data should be made for study phs001194.v3.p2 and
    #       not phs001843.v1.p2
    #
    # There are also other dbGaP APIs that expose this parent/child mapping.
    # Example: https://dbgap.ncbi.nlm.nih.gov/ss/dbgapssws.cgi?request=Study&phs=000571&v=6
    #
    # If `parse_consent_code` is true, then a user will be given access to the exact
    # same consent codes in the child studies
    parent_to_child_studies_mapping:
      # 'phs001194': ['phs000571', 'phs001843']
    # A consent of "c999" can indicate access to that study's "exchange area data"
    # and when a user has access to one study's exchange area data, they
    # have access to the parent study's "common exchange area data" that is not study
    # specific. The following config is whether or not to parse/handle "c999" codes
    # for access to the common exchange area data
    #
    # NOTE: When enabled you MUST also provide a mapping to the
    # `study_common_exchange_areas` from study -> parent common exchange area resource
    enable_common_exchange_area_access: false
    # The below configuration is a mapping from studies to their "common exchange area data"
    # Fence project name a user gets access to when parsing c999 exchange area codes (and
    # subsequently gives access to an Arborist resource representing this common area
    # as well)
    study_common_exchange_areas:
      'example': 'test_common_exchange_area'
      # 'studyX': 'test_common_exchange_area'
      # 'studyY': 'test_common_exchange_area'
      # 'studyZ': 'test_common_exchange_area'
    # A mapping from the dbgap study / Fence project to which authorization namespaces the
    # actual data lives in. For example, `studyX` data may exist in multiple organizations, so
    # we need to know how to map authorization to all orgs resources
    study_to_resource_namespaces:
      '_default': ['/']
      'test_common_exchange_area': ['/dbgap/']
      # above are for default support and exchange area support
      # below are further examples
      #
      # 'studyX': ['/orgA/', '/orgB/']
      # 'studyX.c2': ['/orgB/', '/orgC/']
      # 'studyZ': ['/orgD/']
    # Allowed patterns for project_ids. The default value in usersync is 'phs(\d{6}) for dbgap projects'
    allowed_project_id_patterns: []
    # Additional allowed patterns for project_ids. The default value in usersync is 'phs(\d{6}) for dbgap projects'
    additional_allowed_project_id_patterns: []
# Regex to match an assession number that has consent information in forms like:
#   phs00301123.c999
#   phs000123.v3.p1.c3
#   phs000123.c3
#   phs00301123.v3.p4.c999
# Will NOT MATCH forms like: phs000123
#
# WARNING: Do not change this without consulting the code that uses it
DBGAP_ACCESSION_WITH_CONSENT_REGEX: '(?P<phsid>phs[0-9]+)(.(?P<version>v[0-9]+)){0,1}(.(?P<participant_set>p[0-9]+)){0,1}.(?P<consent>c[0-9]+)'

# //////////////////////////////////////////////////////////////////////////////////////
# STORAGE BACKENDS AND CREDENTIALS
#   - Optional: Used for `/admin` & `/credentials` endpoints for user management.
#               Also used during User Syncing process to automate managing Storage
#               access for users.
# //////////////////////////////////////////////////////////////////////////////////////
# When true, this modifies usersync (not fence service itself) such that when syncing user
# access to a Google storage backend happens in "bulk" by doing a diff *per google group*
# between what's in Google and what's expected. Then it adds, removes only as necessary.
# This is in contrast to the default logic which does blind updates per user and ignores
# 409s from Google.
# NOTE: This reduces the number of API calls to Google in the general case, but increases
#       memory usages by usersync (as it has to track all the Google groups and user access)
GOOGLE_BULK_UPDATES: false

# Configuration for various storage systems for the backend
# NOTE: Remove the {} and supply backends if needed. Example in comments below
STORAGE_CREDENTIALS: {}
# Google Cloud Storage backend
#
#  'google':
#    backend: 'google'
#    # this should be the project id where the Google Groups for data access are managed
#    google_project_id: 'some-project-id-12378923'

# Cleversafe data storage backend
#
#  'cleversafe-server-a':
#    backend: 'cleversafe'
#    aws_access_key_id: ''
#    aws_secret_access_key: ''
#    host: 'somemanager.osdc.io'
#    public_host: 'someobjstore.example.com'
#    port: 443
#    is_secure: true
#    username: 'someone'
#    password: 'somepass'
#    is_mocked: true

# //////////////////////////////////////////////////////////////////////////////////////
# AWS BUCKETS AND CREDENTIALS
#   - Support `/data` endpoints
# //////////////////////////////////////////////////////////////////////////////////////
AWS_CREDENTIALS: {}
# NOTE: Remove the {} and supply creds if needed. Example in comments below
#   'CRED1':
#     aws_access_key_id: ''
#     aws_secret_access_key: ''
#   'CRED2':
#     aws_access_key_id: ''
#     aws_secret_access_key: ''

# NOTE: the region is optonal for s3_buckets, however it should be specified to avoid a
# call to GetBucketLocation which you make lack the AWS ACLs for.
# public buckets do not need the region field.
# the cred values should be keys in section `AWS_CREDENTIALS`.
S3_BUCKETS: {}
# NOTE: Remove the {} and supply buckets if needed. Example in comments below
#   bucket1:
#     cred: 'CRED1'
#     region: 'us-east-1'
#     # optionally you can manually specify an s3-compliant endpoint for this bucket
#     endpoint_url: 'https://cleversafe.example.com/'
#   bucket2:
#     cred: 'CRED2'
#     region: 'us-east-1'
#   bucket3:
#     cred: '*' # public bucket
#   bucket4:
#     cred: 'CRED1'
#     region: 'us-east-1'
#     role-arn: 'arn:aws:iam::role1'
#   bucket5:
#     cred: 'CRED3'
#     region: 'us-east-1'
#     requester_pays: true # to indicate this is a requester pay enabled S3 bucket
GS_BUCKETS: {}
# NOTE: Remove the {} and supply buckets if needed. Example in comments below
#   bucket1:
#     region: 'us-east-1'
#   bucket2:
#     region: 'us-east-1'
#   bucket3:
#     region: 'us-east-1'

# When using the Cleversafe storageclient, whether or not to send verify=true
# for requests
VERIFY_CLEVERSAFE_CERT: true

# Names of the S3 buckets to which data files can be uploaded. They should be
# configured in `S3_BUCKETS`.
ALLOWED_DATA_UPLOAD_BUCKETS: []

# Default S3 bucket to which data files are uploaded, when the bucket is not specified
# by the uploader. It should be configured in `S3_BUCKETS`.
DATA_UPLOAD_BUCKET: ''

# //////////////////////////////////////////////////////////////////////////////////////
# PROXY
#   - Optional: If the api is behind firewall that needs to set http proxy
# //////////////////////////////////////////////////////////////////////////////////////
# NOTE: leave as-is to not use proxy
# this is only used by the Google Oauth2Client at the moment if provided
HTTP_PROXY:
  host: null
  port: 3128

# //////////////////////////////////////////////////////////////////////////////////////
# MICROSERVICE PATHS
#   - Support `/data` endpoints & authz functionality
# //////////////////////////////////////////////////////////////////////////////////////
# url where indexd microservice is running (for signed urls primarily)
# NOTE: Leaving as null will force fence to default to {{BASE_URL}}/index
# example value: 'https://example.com/index'
INDEXD: null

# this is the username which fence uses to make authenticated requests to indexd
INDEXD_USERNAME: 'fence'
# this is the password which fence uses to make authenticated requests to indexd
# can also be set via env var INDEXD_PASSWORD
INDEXD_PASSWORD: ''

# //////////////////////////////////////////////////////////////////////////////////////
# AZURE STORAGE BLOB CONFIGURATION
#   - Support Azure Blob Data Access Methods
# //////////////////////////////////////////////////////////////////////////////////////

# https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&tabs=azure-portal#view-account-access-keys
# AZ_BLOB_CREDENTIALS: 'fake connection string'
AZ_BLOB_CREDENTIALS:

# AZ_BLOB_CONTAINER_URL: 'https://storageaccount.blob.core.windows.net/container/'
# this is the container used for uploading, and should match the storage account
# used in the connection string for AZ_BLOB_CREDENTIALS
AZ_BLOB_CONTAINER_URL: 'https://myfakeblob.blob.core.windows.net/my-fake-container/'

# url where authz microservice is running
ARBORIST: null

# url where the audit-service is running
AUDIT_SERVICE: 'http://audit-service'
ENABLE_AUDIT_LOGS:
  presigned_url: false
  login: false
# `PUSH_AUDIT_LOGS_CONFIG.type` is one of: [api, aws_sqs].
# - if type == api: logs are created by hitting the log creation endpoint.
# - if type == aws_sqs: logs are pushed to an SQS and `aws_sqs_config` fields
# `sqs_url` and `region` are required. Field `aws_cred` is optional and it
# should be a key in section `AWS_CREDENTIALS`.
PUSH_AUDIT_LOGS_CONFIG:
  type: aws_sqs
  aws_sqs_config:
    sqs_url:
    region:
    aws_cred:

# //////////////////////////////////////////////////////////////////////////////////////
# CLOUD API LIBRARY (CIRRUS) AND GOOGLE CONFIGURATION
#   - Support Google Data Access Methods
# //////////////////////////////////////////////////////////////////////////////////////
# Setting this up allows fence to create buckets, manage Google groups, etc.
# See directions here for setting up cirrus: https://github.com/uc-cdis/cirrus
CIRRUS_CFG:
  GOOGLE_API_KEY: ''
  GOOGLE_PROJECT_ID: ''
  GOOGLE_APPLICATION_CREDENTIALS: ''
  GOOGLE_STORAGE_CREDS: ''
  GOOGLE_ADMIN_EMAIL: ''
  GOOGLE_IDENTITY_DOMAIN: ''
  GOOGLE_CLOUD_IDENTITY_ADMIN_EMAIL: ''

# Prefix to namespace Google Groups on a single Cloud Identity (see cirrus
# setup for more info on Cloud Identity)
#
# NOTE: Make this short! Less than 8 characters if possible. Google has
#       length restrictions on group names.
GOOGLE_GROUP_PREFIX: ''

# Prefix to namespace Google Service Accounts in a single Google Cloud Platform Project.
# This is primarily to support multiple instances of fence references the same Google
# project. If that is not something you need to support, then you can leave this blank.
#
# NOTE: Make this short! Less than 8 characters if possible. Google has
#       length restrictions on service account names.
GOOGLE_SERVICE_ACCOUNT_PREFIX: ''

# A Google Project identitifier representing the default project to bill to for
# accessing Google Requester Pays buckets (for signed urls and/or temporary service account
# credentials). If this is provided and the API call for
# Google access does not include a `userProject`, this will be used instead.
#
# WARNING: Setting this WITHOUT setting "ENABLE_AUTOMATIC_BILLING_*" to `true` below,
#          means that clients and end-users will be responsible for making sure that
#          the service account used in either of these methods actually has billing
#          permission in the specified project.
BILLING_PROJECT_FOR_SIGNED_URLS:
BILLING_PROJECT_FOR_SA_CREDS:

# Setting this to `true` will make Fence automatically attempt to create a Custom Role
# in the billing project and give the necessary Google Service Account that role
# (which will allow it to bill to the project).
#
# NOTE: The Fence SA will need the necessary permissions in the specified project to
#       both create a custom role and update the Project's IAM Policy to include the
#       necessary SA. At the time of writing, there are pre-defined roles in Google's
#       IAM that provide the necessary permissions. Those are "Project IAM Admin" and
#       "Role Administrator"
#
#       NOTE2: It may be possible to further restrict the permissions in the future to
#              be more fine-grained.
#
ENABLE_AUTOMATIC_BILLING_PERMISSION_SIGNED_URLS: false
ENABLE_AUTOMATIC_BILLING_PERMISSION_SA_CREDS: false

# //////////////////////////////////////////////////////////////////////////////////////
# EMAIL
#   - Support for sending emails from fence. Used for user certificates
#     and `/google/service_accounts` endpoints
# //////////////////////////////////////////////////////////////////////////////////////
# Gun Mail Service (for sending emails from fence)
#
# NOTE: Example in comments below
GUN_MAIL:
  'datacommons.io':
    smtp_hostname: 'smtp.mailgun.org'
    api_key: ''
    default_login: 'postmaster@mailgun.example.com'
    api_url: 'https://api.mailgun.net/v3/mailgun.example.com'
    smtp_password: ''

# For emails regarding users certificates
EMAIL_SERVER: 'localhost'
SEND_FROM: 'example@gmail.com'
SEND_TO: 'example@gmail.com'

# //////////////////////////////////////////////////////////////////////////////////////
# DATA ACCESS: GOOGLE LINKING & SERVICE ACCOUNT REGISTRATION
#   - Support `/google/service_accounts` endpoints
# //////////////////////////////////////////////////////////////////////////////////////
# whether or not to allow access to the /link/google endpoints
ALLOW_GOOGLE_LINKING: true

# A Google Project with controlled data access will be determined INVALID if
# if it has a parent organization UNLESS that parent organization's ID is in this
# whitelist.
#
# NOTE: Remove the [] and Google Organization IDs if needed. Example in comments below
WHITE_LISTED_GOOGLE_PARENT_ORGS: []
#  - '12345678910'

# A Google Project with Google Service Accounts determined INVALID will result in the
# the entire project being invalid UNLESS that service accounts's email is in this
# whitelist.
#
# NOTE: Remove the [] and service account emails if needed. Example in comments below
WHITE_LISTED_SERVICE_ACCOUNT_EMAILS: []
#  - 'example@developer.gserviceaccount.com'
#  - 'example@test.iam.gserviceaccount.com'

# when service accounts or google projects are determined invalid, an email is sent
# to the project owners. These settings are for that email
REMOVE_SERVICE_ACCOUNT_EMAIL_NOTIFICATION:
  enable: false
  # this domain MUST exist in GUN_MAIL config
  domain: 'example.com'
  from: 'do-not-reply@example.com'
  subject: 'User service account removal notification'
  # the {} gets replaced dynamically in the Python code to be the Project ID
  content: >
    Service accounts were removed from access control data because some users or
    service accounts of GCP Project {} are not authorized to access the data sets
    associated to the service accounts, or do not adhere to the security policies.
  # this admin email will be included as a recipient to *any* email to anyone about
  # service account removal.
  #
  # WARNING: This is NOT a bcc so the email is visible to the end-user
  admin:
    - 'admin@example.edu'

PROBLEM_USER_EMAIL_NOTIFICATION:
  # this domain MUST exist in GUN_MAIL config
  domain: 'example.com'
  from: 'do-not-reply@example.com'
  subject: 'Account access error notification'
  # the {} gets replaced dynamically in the Python code to be the Project ID
  content: >
    The Data Commons Framework utilizes dbGaP for data access authorization.
    Another member of a Google project you belong to ({}) is attempting to
    register a service account to the following additional datasets ({}).
    Please contact dbGaP to request access.
  # this admin email will be included as a recipient to *any* email to anyone about
  # service account removal.
  #
  # WARNING: This is NOT a bcc so the email is visible to the end-user
  admin:
    - 'admin@example.edu'

# Service account email domains that represent a service account that Google owns.
# These are usually created when a sepcific GCP service is enabled.
# This is used for Service Account Validation for Data Access.
GOOGLE_MANAGED_SERVICE_ACCOUNT_DOMAINS:
  - 'dataflow-service-producer-prod.iam.gserviceaccount.com'
  - 'cloudbuild.gserviceaccount.com'
  - 'cloud-ml.google.com.iam.gserviceaccount.com'
  - 'container-engine-robot.iam.gserviceaccount.com'
  - 'dataflow-service-producer-prod.iam.gserviceaccount.com'
  - 'sourcerepo-service-accounts.iam.gserviceaccount.com'
  - 'dataproc-accounts.iam.gserviceaccount.com'
  - 'gae-api-prod.google.com.iam.gserviceaccount.com'
  - 'genomics-api.google.com.iam.gserviceaccount.com'
  - 'containerregistry.iam.gserviceaccount.com'
  - 'container-analysis.iam.gserviceaccount.com'
  - 'cloudservices.gserviceaccount.com'
  - 'stackdriver-service.iam.gserviceaccount.com'
  - 'appspot.gserviceaccount.com'
  - 'partnercontent.gserviceaccount.com'
  - 'trifacta-gcloud-prod.iam.gserviceaccount.com'
  - 'gcf-admin-robot.iam.gserviceaccount.com'
  - 'compute-system.iam.gserviceaccount.com'
  - 'gcp-sa-websecurityscanner.iam.gserviceaccount.com'
  - 'storage-transfer-service.iam.gserviceaccount.com'
  - 'firebase-sa-management.iam.gserviceaccount.com'
  - 'firebase-rules.iam.gserviceaccount.com'
  - 'gcp-sa-cloudbuild.iam.gserviceaccount.com'
  - 'gcp-sa-automl.iam.gserviceaccount.com'
  - 'gcp-sa-datalabeling.iam.gserviceaccount.com'
  - 'gcp-sa-cloudscheduler.iam.gserviceaccount.com'

# The types of service accounts that are allowed to be registered at
# /google/service_accounts endpoints
ALLOWED_USER_SERVICE_ACCOUNT_DOMAINS:
  # compute engine default service account
  - 'developer.gserviceaccount.com'
  # app engine default service account
  - 'appspot.gserviceaccount.com'
  # user-managed service account
  - 'iam.gserviceaccount.com'

# Synapse integration and DREAM challenge mapping. Team is from Synapse, and group is
# providing the actual permission in Arborist. User will be added to the group for TTL
# seconds if the team matches.
DREAM_CHALLENGE_TEAM: 'DREAM'
DREAM_CHALLENGE_GROUP: 'DREAM'
SYNAPSE_URI: 'https://repo-prod.prod.sagebase.org/auth/v1'
SYNAPSE_JWKS_URI:
# deprecated, use the discovery_url in the OPENID_CONNECT block for the synapse client
SYNAPSE_DISCOVERY_URL:
SYNAPSE_AUTHZ_TTL: 86400

# Role caching for generating presigned urls if max role session increase is true
# then we can increase the amount of time that a session is valid for
MAX_ROLE_SESSION_INCREASE: false
ASSUME_ROLE_CACHE_SECONDS: 1800

# Optional user registration feature: Ask users to register (provide firstname/lastname/org/email) on login.
# If user registers, add them to configured Arborist group; idea is that the Arborist group
# will have access to download data.
REGISTER_USERS_ON: false
REGISTERED_USERS_GROUP: ''

# Number of projects that can be registered to a Google Service Account
SERVICE_ACCOUNT_LIMIT: 6

# //////////////////////////////////////////////////////////////////////////////////////
# GA4GH SUPPORT: DATA ACCESS AND AUTHORIZATION SYNCING
# //////////////////////////////////////////////////////////////////////////////////////
# whether or not to accept GA4GH Passports as a means of AuthN/Z to the DRS data access endpoint
GA4GH_PASSPORTS_TO_DRS_ENABLED: false

# RAS refresh_tokens expire in 15 days
RAS_REFRESH_EXPIRATION: 1296000
# List of JWT issuers from which Fence will accept GA4GH visas
GA4GH_VISA_ISSUER_ALLOWLIST:
  - '{{BASE_URL}}'
  - 'https://sts.nih.gov'
  - 'https://stsstg.nih.gov'
GA4GH_VISA_V1_CLAIM_REQUIRED_FIELDS:
  type:
    - 'https://ras.nih.gov/visas/v1.1'
  value:
    - 'https://sts.nih.gov/passport/dbgap/v1.1'
    - 'https://stsstg.nih.gov/passport/dbgap/v1.1'
  source:
    - 'https://ncbi.nlm.nih.gov/gap'
EXPIRED_AUTHZ_REMOVAL_JOB_FREQ_IN_SECONDS: 300

# Global sync visas during login
# - None (Default): Allow per client i.e. a fence client can pick whether or not to sync their visas during login with `parse_visas` param in /authorization endpoint
# - True: Parse for all clients i.e. a fence client will always sync their visas during login
# - False: Parse for no clients i.e. a fence client will not be able to sync visas during login even with `parse_visas` param
GLOBAL_PARSE_VISAS_ON_LOGIN: false

# whether or not to enable the `fence-visa-update` cronjob which updates users' visas.
# Note: this cronjob lives outstide of fence
# /!\ if `ENABLE_VISA_UPDATE_CRON` is false, `GLOBAL_PARSE_VISAS_ON_LOGIN` CANNOT be none/true and
# `parse_visas` CANNOT be used
ENABLE_VISA_UPDATE_CRON: false

# Settings for usersync with visas
USERSYNC:
  visa_types:
    ras: ['https://ras.nih.gov/visas/v1', 'https://ras.nih.gov/visas/v1.1']
RAS_USERINFO_ENDPOINT: '/openid/connect/v1.1/userinfo'

# //////////////////////////////////////////////////////////////////////////////////////
# CLIENT CREDENTIALS
# //////////////////////////////////////////////////////////////////////////////////////
# set to true to enable client credentials on download/{guid} and
# /ga4gh/drs/v1/objects/{guid}/access/{access_id}
CLIENT_CREDENTIALS_ON_DOWNLOAD_ENABLED: false