Releases: uc-cdis/fence

12.2.0

21 Oct 15:48
4a3d07c

Release Notes

For: uc-cdis/fence

Notes since tag: 12.1.0

Notes to tag/commit: 4a3d07c

Generated: 2025-10-21

Improvements

  • add global username denial regex to configuration (#1299)

12.1.0

03 Oct 13:56
2a0ede3

Release Notes

For: uc-cdis/fence

Notes since tag: 12.0.1

Notes to tag/commit: 12.1.0

Generated: 2025-10-03

New Features

  • Track X-forwarded headers for CADR reporting enhancements (#1291)

Update base image

12 Sep 16:46
0fe8bf8

Improvements

12.0.0

05 Sep 20:18
0fe8bf8

Release Notes

For: uc-cdis/fence

Notes since tag: 11.4.1

Notes to tag/commit: 12.0.0

Generated: 2025-09-05

Breaking Changes

  • Usersync SFTP now rejects unknown host keys. We switched from
    paramiko.AutoAddPolicy() to paramiko.RejectPolicy() and load keys from
    ~/.ssh/known_hosts. If that file does not contain the dbGaP/SFTP host key,
    the usersync dbGaP sync will fail (previously it auto-trusted and added the
    key) (#1238)

Deployment Changes

  • Provide and mount a known_hosts file in the usersync pod/container at
    /root/.ssh/known_hosts (the process runs as root). (#1238)
  • Helm: update to the gen3-helm change that adds the fence-ssh-known-hosts
    ConfigMap and mounts it into the usersync job. After upgrading the chart,
    populate that ConfigMap with the correct host keys. (#1238)
  • Use ssh-keyscan -p 22 <sftp host> to retrieve the necessary keys to add to the known hosts.
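
An added example (not part of the fence release notes or code base): a standard-library pre-flight check that a known_hosts file pins a key for the SFTP host, including OpenSSH hashed entries and non-default ports, so a missing entry is caught before usersync fails under RejectPolicy. The host name, salt and key blob are constructed placeholders.

```python
import base64
import hashlib
import hmac


def hashed_entry(name: str, salt: bytes) -> str:
    """OpenSSH HashKnownHosts form: |1|b64(salt)|b64(HMAC-SHA1(salt, name))."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def matches(pattern: str, name: str) -> bool:
    if pattern.startswith("|1|"):
        salt = base64.b64decode(pattern.split("|")[2])
        return hmac.compare_digest(pattern, hashed_entry(name, salt))
    return pattern == name  # wildcard patterns are deliberately not honoured


def host_keys(known_hosts_text: str, host: str, port: int = 22):
    """Return [(key_type, sha256_fingerprint)] pinned for host:port."""
    # Non-default ports are stored as "[host]:port" in known_hosts.
    name = host if port == 22 else "[%s]:%d" % (host, port)
    found = []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue  # blanks, comments, @cert-authority / @revoked markers
        if any(matches(p, name) for p in fields[0].split(",")):
            digest = hashlib.sha256(base64.b64decode(fields[2])).digest()
            fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
            found.append((fields[1], fp))
    return found


# Constructed sample: host name, salt and key blob are placeholders, not real keys.
BLOB = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20"
                        + bytes(range(32))).decode()
SAMPLE = "\n".join([
    "# constructed known_hosts",
    "sftp.example.org ssh-ed25519 " + BLOB,
    hashed_entry("[sftp.example.org]:2222", b"constructed-salt-20b")
    + " ssh-ed25519 " + BLOB,
])

if __name__ == "__main__":
    keys = host_keys(SAMPLE, "sftp.example.org")
    if not keys:
        raise SystemExit("no pinned host key: usersync would be rejected")
    for key_type, fp in keys:
        print(key_type, fp)
```

Compare the printed fingerprints with ones obtained from the SFTP operator out of band, since ssh-keyscan output is not authenticated on its own.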

11.4.1

04 Sep 17:09
cc2d0c9

Release Notes

For: uc-cdis/fence

Notes since tag: 11.4.0

Notes to tag/commit: 11.4.1

Generated: 2025-09-04

Bug Fixes

  • Arborist timeouts no longer stop usersync (#1293)
  • Replace grant bulk policy with smart policy diff (#1293)

11.4.0

02 Sep 21:11
521bcc2

Release Notes

For: uc-cdis/fence

Notes since tag: 11.3.2

Notes to tag/commit: 11.4.0

Generated: 2025-09-02

New Features

  • The user registration flow has been modified in order to enforce
    registration before a user is officially logged in and can access website
    pages and data (when user registration is enabled) (#1286)
  • The login audit log now conditionally includes the user's IP information if
    the audit schema version for login is 2.0 or greater. (#1274)
  • Introduced AUDIT_SCHEMA_CACHE to cache audit service schema version/models,
    cache is checked and updated before creating presigned URL and login audit
    logs. (#1274)
  • Added _get_audit_schema and _set_schema_models_cache methods to
    AuditServiceClient to fetch and cache the audit schema from the
    audit-service’s /_schema endpoint. (#1274)
  • Falls back to a default v1 schema if the endpoint returns a 404 (older
    audit-service versions) (#1274)

Improvements

  • Get user's projects from arborist to compare existing permissions to
    incoming permissions to decide which permissions to retain, revoke or add.
    (#1268)
  • Added and adjusted tests for new features (#1274)

Dependency Updates

  • updated dependency for python_dateutil (#1268)
  • update dependency for python-jose (#1268)

update base image

11 Aug 14:29
518e4b4

Release Notes

For: uc-cdis/fence

Notes since tag: 11.3.0

Notes to tag/commit: 11.3.2

Generated: 2025-08-11

New Features

  • Usersync now uses arborist bulk endpoint for granting policies to users.
    (#1265)
  • Generic support of upstream identity providers. Deprecate the
    LOGIN_OPTIONS.fence_idp (string) setting in favor of the new, generic
    LOGIN_OPTIONS.upstream_idps (list of strings) setting. (#1260)
  • Generic support of upstream identity provider discovery. Add
    OPENID_CONNECT.<idp>.idp_discovery and
    OPENID_CONNECT.<idp>.authorization_url_param_map settings. The discovery
    currently supports data formats "xml-mdq-v1.0" and "shibboleth". (#1260)
  • Replace fence_idp with upstream_idp in code, metrics gathering, and
    information returned by the user info endpoint (fence_idp still returned
    as well for backwards compatibility) (#1260)
  • Login audit log will have ip info (#1254)
  • add request log support for /admin/ endpoints (#1234)
  • add request log decorator to /admin/ endpoints (#1234)

Bug Fixes

  • Fix the /login endpoint to set the providers cache correctly after it
    expires (#1285)
  • Admin endpoints support "client_credentials" tokens again (#1284)

Improvements

  • bump to get new base image (#1288)
  • Request logs now include the client ID, if any (#1284)
  • Add unit tests for errors from create blank record (#1276)
  • User registration can now handle a configuration without a
    REGISTERED_USERS_GROUP (#1260)
  • Cache the results of upstream identity provider discovery for 24 hours
    (instead of caching until the service is restarted as was the case with the
    previous Shibboleth discovery support) (#1260)
  • Updates openapi docs to include GA4GH endpoint for data access with
    passports. (#1273)
  • The assumption that all migrations are executed automatically on startup is
    not correct, and therefore it is crucial that the README of a PR in Fence
    that adds a migration, ALWAYS contains a “Deployment changes” section.
    (#1267)
  • This PR adds a warning README in the /migrations folder to warn future
    developers about this. (#1267)

Dependency Updates

Authz groups syncing

30 May 20:50
ea5f7a6

Release Notes

For: uc-cdis/fence
Notes since tag: 11.2.2
Notes to tag/commit: ea5f7a6
Generated: 2025-05-30

New Features

  • Authorization Group Syncing based on a configured OIDC IdP's JWT claim
    (#1233)
  • Job capable of updating authorization groups based on persistence of a
    user's refresh token and periodic calls to get updated JWT claim containing
    authz group info (Note: this is a modification of the existing "Access
    Token Polling" support built for GA4GH Passports) (#1233)

Dependency Updates

prometheus fixes

27 May 18:42
cb515dd

Release Notes

For: uc-cdis/fence
Notes since tag: 11.2.1
Notes to tag/commit: cb515dd
Generated: 2025-05-27

Bug Fixes

  • Ensure prometheus env var and directory exist by adding to Dockerfile
    (eventually we should do this in the base image) (#1259)

Improvements

  • Clear out old, unused files and code (#1259)
  • When a bucket is missing from the S3_BUCKET configuration, print an info
    log instead of a debug log to facilitate understanding issues in production
    (#1251)
  • Add native docker builds for amd and arm in github actions. (#1236)

11.2.1

06 May 12:53
a7eb995

What's Changed

Full Changelog: 11.2.0...11.2.1