helm/fence/values.yaml

# Default values for audit.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

# Global configuration
global:
  # -- (map) AWS configuration
  aws:
    # -- (bool) Set to true if deploying to AWS. Controls ingress annotations.
    enabled: false
    # -- (string) Credentials for AWS stuff.
    awsAccessKeyId:
    # -- (string) Credentials for AWS stuff.
    awsSecretAccessKey:
    # -- (map) Local secret setting if using a pre-exising secret.
    useLocalSecret:
      # -- (bool) Set to true if you would like to use a secret that is already running on your cluster.
      enabled: false
      # -- (string) Name of the local secret.
      localSecretName:
      # -- (string) Namespace of the local secret.
      localSecretNamespace:
  # -- (bool) Whether the deployment is for development purposes.
  dev: true

  postgres:
    # -- (bool) Whether the database should be created.
    dbCreate: true
    # -- (string) Name of external secret. Disabled if empty
    externalSecret: ""
    # -- (map) Master credentials to postgres. This is going to be the default postgres server being used for each service, unless each service specifies their own postgres
    master:
      # -- (string) hostname of postgres server
      host:
      # -- (string) username of superuser in postgres. This is used to create or restore databases
      username: postgres
      # -- (string) password for superuser in postgres. This is used to create or restore databases
      password:
      # -- (string) Port for Postgres.
      port: "5432"
  # -- (string) Environment name. This should be the same as vpcname if you're doing an AWS deployment. Currently this is being used to share ALB's if you have multiple namespaces. Might be used other places too.
  environment: default
  # -- (string) Hostname for the deployment.
  hostname: localhost
  # -- (string) ARN of the reverse proxy certificate.
  revproxyArn: arn:aws:acm:us-east-1:123456:certificate
  # -- (string) URL of the data dictionary.
  dictionaryUrl: https://s3.amazonaws.com/dictionary-artifacts/datadictionary/develop/schema.json
  # -- (string) Portal application name.
  portalApp: gitops
  # -- (string) S3 bucket name for Kubernetes manifest files.
  kubeBucket: kube-gen3
  # -- (string) S3 bucket name for log files.
  logsBucket: logs-gen3
  # -- (bool) Whether to sync data from dbGaP.
  syncFromDbgap: false
  # -- (bool) Whether public datasets are enabled.
  publicDataSets: true
  # -- (string) Access level for tiers. acceptable values for `tier_access_level` are: `libre`, `regular` and `private`. If omitted, by default common will be treated as `private`
  tierAccessLevel: libre
  # -- (int) Only relevant if tireAccessLevel is set to "regular". Summary charts below this limit will not appear for aggregated data.
  tierAccessLimit: "1000"
  # -- (map) Controls network policy settings
  netPolicy:
    enabled: false
  # -- (int) Number of dispatcher jobs.
  dispatcherJobNum: "10"
  # -- (bool) If the service will be deployed with a Pod Disruption Budget. Note- you need to have more than 2 replicas for the pdb to be deployed.
  pdb: false
  # -- (int) The minimum amount of pods that are available at all times if the PDB is deployed.
  minAvialable: 1
  # -- (map) External Secrets settings.
  externalSecrets:
    # -- (bool) Will use ExternalSecret resources to pull secrets from Secrets Manager instead of creating them locally. Be cautious as this will override any fence secrets you have deployed.
    deploy: false
    # -- (string) Will deploy a separate External Secret Store for this service.
    separateSecretStore: false

# -- (bool) Whether Metrics are enabled.
metricsEnabled: false

# -- (map) External Secrets settings.
externalSecrets:
  # -- (string) Will create the Helm "fence-config" secret even if Secrets Manager is enabled. This is helpful if you are wanting to use External Secrets for some, but not all secrets.
  createK8sFenceConfigSecret: false
  # -- (string) Will create the Helm "fence-jwt-keys" secret even if Secrets Manager is enabled. This is helpful if you are wanting to use External Secrets for some, but not all secrets.
  createK8sJwtKeysSecret: false
  # -- (string) Will create the Helm "fence-google-app-creds-secret" and "fence-google-storage-creds-secret" secrets even if Secrets Manager is enabled. This is helpful if you are wanting to use External Secrets for some, but not all secrets.
  createK8sGoogleAppSecrets: false
  # -- (string) Will override the name of the aws secrets manager secret. Default is "fence-jwt-keys"
  fenceJwtKeys:
  # -- (string) Will override the name of the aws secrets manager secret. Default is "fence-google-app-creds-secret"
  fenceGoogleAppCredsSecret:
  # -- (string) Will override the name of the aws secrets manager secret. Default is "fence-google-storage-creds-secret"
  fenceGoogleStorageCredsSecret:
  # -- (string) Will override the name of the aws secrets manager secret. Default is "fence-config"
  fenceConfig:
  # -- (string) Will override the name of the aws secrets manager secret. Default is "Values.global.environment-.Chart.Name-creds"
  dbcreds:

# -- (map) Configuration options for usersync cronjob.
usersync:
  # -- (bool) Whether to run Fence usersync or not.
  usersync: false
  # -- (string) The cron schedule expression to use in the usersync cronjob. Runs every 30 minutes by default.
  schedule: "*/30 * * * *"
  # -- (string) To set a custom image for pulling the user.yaml file from S3. Default is the Gen3 Awshelper image.
  custom_image:
  # -- (bool) Whether to sync data from dbGaP.
  syncFromDbgap: false
  # -- (bool) Force attempting a dbgap sync if "true", falls back on user.yaml
  addDbgap: false
  # -- (bool) Forces ONLY a dbgap sync if "true", IGNORING user.yaml
  onlyDbgap: false
  # -- (string) Path to the user.yaml file in S3.
  userYamlS3Path: s3://cdis-gen3-users/helm-test/user.yaml
  # -- (string) Slack webhook endpoint used with certain jobs.
  slack_webhook: None
  # -- (bool) Will echo what files we are seeing on dbgap ftp to Slack.
  slack_send_dbgap: false

# -- (map) Secret information for Usersync and External Secrets.
secrets:
  # -- (str) AWS access key ID. Overrides global key.
  awsAccessKeyId:
  # -- (str) AWS access key ID. Overrides global key.
  awsSecretAccessKey:

# -- (map) Postgres database configuration. If db does not exist in postgres cluster and dbCreate is set ot true then these databases will be created for you
postgres:
  # (bool) Whether the database should be restored from s3. Default to global.postgres.dbRestore
  dbRestore: false
  # -- (bool) Whether the database should be created. Default to global.postgres.dbCreate
  dbCreate:
  # -- (string) Hostname for postgres server. This is a service override, defaults to global.postgres.host
  host:
  # -- (string) Database name for postgres. This is a service override, defaults to <serviceName>-<releaseName>
  database:
  # -- (string) Username for postgres. This is a service override, defaults to <serviceName>-<releaseName>
  username:
  # -- (string) Port for Postgres.
  port: "5432"
  # -- (string) Password for Postgres. Will be autogenerated if left empty.
  password:
  # -- (string) Will create a Database for the individual service to help with developing it.
  separate: false

# -- (map) Postgresql subchart settings if deployed separately option is set to "true".
# Disable persistence by default so we can spin up and down ephemeral environments
postgresql:
  primary:
    persistence:
      # -- (bool) Option to persist the dbs data.
      enabled: false

# -- (int) Number of desired replicas
replicaCount: 1

image:
  # -- (string) The Docker image repository for the fence service
  repository: quay.io/cdis/fence
  # -- (string) When to pull the image. This value should be "Always" to ensure the latest image is used.
  pullPolicy: Always
  # -- (string) Overrides the image tag whose default is the chart appVersion.
  tag: "master"

# -- (list) Docker image pull secrets.
imagePullSecrets: []

# -- (string) Override the name of the chart.
nameOverride: ""

# -- (string) Override the full name of the deployment.
fullnameOverride: ""

# -- (map) Service account to use or create.
serviceAccount:
  # -- (bool) Specifies whether a service account should be created.
  create: true
  # -- (map) Annotations to add to the service account.
  annotations:
    # -- (string) The Amazon Resource Name (ARN) of the role to associate with the service account
    eks.amazonaws.com/role-arn:
  # If not set and create is true, a name is generated using the fullname template
  # -- (string) The name of the service account
  name: "fence-sa"

# -- (map) Annotations to add to the pod
podAnnotations: {}

# -- (map) Security context for the pod
podSecurityContext:
  fsGroup: 101

# -- (map) Security context for the containers in the pod
securityContext:
  {}
  # capabilities:
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true
  # runAsNonRoot: true
  # runAsUser: 1000

# -- (map) Kubernetes service information.
service:
  # -- (string) Type of service. Valid values are "ClusterIP", "NodePort", "LoadBalancer", "ExternalName".
  type: ClusterIP
  # -- (int) The port number that the service exposes.
  port: 80

# -- (map) Resource requests and limits for the containers in the pod
resources:
  # -- (map) The amount of resources that the container requests
  requests:
    # -- (string) The amount of CPU requested
    cpu: 0.3
    # -- (string) The amount of memory requested
    memory: 128Mi
  # -- (map) The maximum amount of resources that the container is allowed to use
  limits:
    # -- (string) The maximum amount of CPU the container can use
    cpu: 1.0
    # -- (string) The maximum amount of memory the container can use
    memory: 2Gi

# -- (map) Configuration for autoscaling the number of replicas
autoscaling:
  # -- (bool) Whether autoscaling is enabled
  enabled: false
  # -- (int) The minimum number of replicas to scale down to
  minReplicas: 1
  # -- (int) The maximum number of replicas to scale up to
  maxReplicas: 4
  # -- (int) Target CPU utilization percentage
  targetCPUUtilizationPercentage: 80
  # -- (int) Target Memory utilization percentage
  targetMemoryUtilizationPercentage: 80

# -- (map) Node Selector for the pods
nodeSelector: {}

# -- (list) Tolerations for the pods
tolerations: []

# -- (map) Labels to add to the pod.
labels:
  # -- (string) Grants egress from all pods to pods labeled with authrpovider=yes. For network policy selectors.
  authprovider: "yes"
  # -- (string) Grants egress from pods labeled with netnolimit=yes to any IP address. Use explicit proxy and AWS APIs
  netnolimit: "yes"
  # -- (string) Grants ingress from the revproxy service for pods labeled with public=yes
  public: "yes"
  # -- (string) Grants ingress from pods in usercode namespaces for gen3 pods labeled with userhelper=yes
  userhelper: "yes"

# -- (map) Affinity to use for the deployment.
affinity:
  podAntiAffinity:
    # -- (map) Option for scheduling to be required or preferred.
    preferredDuringSchedulingIgnoredDuringExecution:
      # -- (int) Weight value for preferred scheduling.
      - weight: 100
        podAffinityTerm:
          labelSelector:
            matchExpressions:
              # -- (list) Label key for match expression.
              - key: app
                # -- (string) Operation type for the match expression.
                operator: In
                # -- (list) Value for the match expression key.
                values:
                  - fence
          # -- (string) Value for topology key label.
          topologyKey: "kubernetes.io/hostname"

# -- (list) Environment variables to pass to the container
env:
  - name: GEN3_UWSGI_TIMEOUT
    valueFrom:
      configMapKeyRef:
        name: manifest-global
        key: uwsgi-timeout
        optional: true
  - name: DD_AGENT_HOST
    valueFrom:
      fieldRef:
        fieldPath: status.hostIP
  - name: AWS_STS_REGIONAL_ENDPOINTS
    value: regional
  - name: PYTHONPATH
    value: /var/www/fence
  - name: GEN3_DEBUG
    value: "False"
  - name: PGHOST
    valueFrom:
      secretKeyRef:
        name: fence-dbcreds
        key: host
        optional: false
  - name: PGUSER
    valueFrom:
      secretKeyRef:
        name: fence-dbcreds
        key: username
        optional: false
  - name: PGPASSWORD
    valueFrom:
      secretKeyRef:
        name: fence-dbcreds
        key: password
        optional: false
  - name: PGDB
    valueFrom:
      secretKeyRef:
        name: fence-dbcreds
        key: database
        optional: false
  - name: DBREADY
    valueFrom:
      secretKeyRef:
        name: fence-dbcreds
        key: dbcreated
        optional: false
  - name: DB
    value: postgresql://$(PGUSER):$(PGPASSWORD)@$(PGHOST):5432/$(PGDB)
  - name: INDEXD_PASSWORD
    valueFrom:
      secretKeyRef:
        name: indexd-service-creds
        key: fence
  - name: gen3Env
    valueFrom:
      configMapKeyRef:
        name: manifest-global
        key: hostname

# -- (list) Volumes to attach to the container.
volumes:
  - name: old-config-volume
    secret:
      secretName: "fence-secret"
  - name: json-secret-volume
    secret:
      secretName: "fence-json-secret"
      optional: true
  - name: creds-volume
    secret:
      secretName: "fence-creds"
  - name: config-helper
    configMap:
      name: config-helper
      optional: true
  - name: logo-volume
    configMap:
      name: "logo-config"
  - name: config-volume
    secret:
      secretName: "fence-config"
  - name: fence-google-app-creds-secret-volume
    secret:
      secretName: "fence-google-app-creds-secret"
  - name: fence-google-storage-creds-secret-volume
    secret:
      secretName: "fence-google-storage-creds-secret"
  - name: fence-jwt-keys
    secret:
      secretName: "fence-jwt-keys"
  - name: privacy-policy
    configMap:
      name: "privacy-policy"
  - name: yaml-merge
    configMap:
      name: "fence-yaml-merge"
      optional: false
  - name: config-volume-public
    configMap:
      name: "manifest-fence"
      optional: true

# -- (list) Volumes to mount to the container.
volumeMounts:
  - name: "old-config-volume"
    readOnly: true
    mountPath: "/var/www/fence/local_settings.py"
    subPath: local_settings.py
  - name: "json-secret-volume"
    readOnly: true
    mountPath: "/var/www/fence/fence_credentials.json"
    subPath: fence_credentials.json
  - name: "creds-volume"
    readOnly: true
    mountPath: "/var/www/fence/creds.json"
    subPath: creds.json
  - name: "config-helper"
    readOnly: true
    mountPath: "/var/www/fence/config_helper.py"
    subPath: config_helper.py
  - name: "logo-volume"
    readOnly: true
    mountPath: "/fence/fence/static/img/logo.svg"
    subPath: "logo.svg"
  - name: "privacy-policy"
    readOnly: true
    mountPath: "/fence/fence/static/privacy_policy.md"
    subPath: "privacy_policy.md"
  - name: "config-volume"
    readOnly: true
    mountPath: "/var/www/fence/fence-config-secret.yaml"
    subPath: fence-config.yaml
  - name: "yaml-merge"
    readOnly: true
    mountPath: "/var/www/fence/yaml_merge.py"
    subPath: yaml_merge.py
  - name: "fence-google-app-creds-secret-volume"
    readOnly: true
    mountPath: "/var/www/fence/fence_google_app_creds_secret.json"
    subPath: fence_google_app_creds_secret.json
  - name: "fence-google-storage-creds-secret-volume"
    readOnly: true
    mountPath: "/var/www/fence/fence_google_storage_creds_secret.json"
    subPath: fence_google_storage_creds_secret.json
  - name: "fence-jwt-keys"
    readOnly: true
    mountPath: "/fence/keys/key/jwt_private_key.pem"
    subPath: "jwt_private_key.pem"
  - name: "config-volume-public"
    readOnly: true
    mountPath: "/var/www/fence/fence-config-public.yaml"
    subPath: fence-config-public.yaml

# -- (list) Volumes to mount to the init container.
initVolumeMounts:
  - name: "config-volume"
    readOnly: true
    mountPath: "/var/www/fence/fence-config-secret.yaml"
    subPath: fence-config.yaml
  - name: "config-volume-public"
    readOnly: true
    mountPath: "/var/www/fence/fence-config-public.yaml"
    subPath: fence-config-public.yaml
  - name: "yaml-merge"
    readOnly: true
    mountPath: "/var/www/fence/yaml_merge.py"
    subPath: yaml_merge.py
  - name: "fence-google-app-creds-secret-volume"
    readOnly: true
    mountPath: "/var/www/fence/fence_google_app_creds_secret.json"
    subPath: fence_google_app_creds_secret.json
  - name: "fence-google-storage-creds-secret-volume"
    readOnly: true
    mountPath: "/var/www/fence/fence_google_storage_creds_secret.json"
    subPath: fence_google_storage_creds_secret.json

# -- (list) Volumes to attach to the init container.
initEnv:
  - name: PGHOST
    valueFrom:
      secretKeyRef:
        name: fence-dbcreds
        key: host
        optional: false
  - name: PGUSER
    valueFrom:
      secretKeyRef:
        name: fence-dbcreds
        key: username
        optional: false
  - name: PGPASSWORD
    valueFrom:
      secretKeyRef:
        name: fence-dbcreds
        key: password
        optional: false
  - name: PGDB
    valueFrom:
      secretKeyRef:
        name: fence-dbcreds
        key: database
        optional: false
  - name: DBREADY
    valueFrom:
      secretKeyRef:
        name: fence-dbcreds
        key: dbcreated
        optional: false
  - name: DB
    value: postgresql://$(PGUSER):$(PGPASSWORD)@$(PGHOST):5432/$(PGDB)
  - name: FENCE_DB
    value: postgresql://$(PGUSER):$(PGPASSWORD)@$(PGHOST):5432/$(PGDB)
  - name: PYTHONPATH
    value: /var/www/fence

# Values to determine the labels that are used for the deployment, pod, etc.
# -- (string) Valid options are "production" or "dev". If invalid option is set- the value will default to "dev".
release: "production"
# -- (string) Valid options are "true" or "false". If invalid option is set- the value will default to "false".
criticalService: "true"
# -- (string) Label to help organize pods and their use. Any value is valid, but use "_" or "-" to divide words.
partOf: "Authentication"
# -- (map) Will completely override the selectorLabels defined in the common chart's _label_setup.tpl
selectorLabels:
# -- (map) Will completely override the commonLabels defined in the common chart's _label_setup.tpl
commonLabels:

logo:
privacy_policy:
projects:

# USER_SYNC_CRON:
#   LOCATION:
#     TYPE:
#     S3:
#     github.com:

# -- (string) USER YAML. Passed in as a multiline string.
USER_YAML: |
  cloud_providers: {}
  authz:
    # policies automatically given to anyone, even if they are not authenticated
    anonymous_policies:
    - open_data_reader

    # policies automatically given to authenticated users (in addition to their other policies)
    all_users_policies: []

    groups:
    # can CRUD programs and projects and upload data files
    - name: data_submitters
      policies:
      - services.sheepdog-admin
      - data_upload
      - MyFirstProject_submitter
      users:
      - username1@gmail.com

    # can create/update/delete indexd records
    - name: indexd_admins
      policies:
      - indexd_admin
      users:
      - username1@gmail.com

    resources:
    - name: workspace
    - name: data_file
    - name: services
      subresources:
      - name: sheepdog
        subresources:
        - name: submission
          subresources:
          - name: program
          - name: project
      - name: 'indexd'
        subresources:
          - name: 'admin'
      - name: audit
        subresources:
          - name: presigned_url
          - name: login
    - name: open
    - name: programs
      subresources:
      - name: MyFirstProgram
        subresources:
        - name: projects
          subresources:
          - name: MyFirstProject

    policies:
    - id: workspace
      description: be able to use workspace
      resource_paths:
      - /workspace
      role_ids:
      - workspace_user
    - id: data_upload
      description: upload raw data files to S3
      role_ids:
      - file_uploader
      resource_paths:
      - /data_file
    - id: services.sheepdog-admin
      description: CRUD access to programs and projects
      role_ids:
        - sheepdog_admin
      resource_paths:
        - /services/sheepdog/submission/program
        - /services/sheepdog/submission/project
    - id: indexd_admin
      description: full access to indexd API
      role_ids:
        - indexd_admin
      resource_paths:
        - /programs
    - id: open_data_reader
      role_ids:
        - peregrine_reader
        - guppy_reader
        - fence_storage_reader
      resource_paths:
      - /open
    - id: all_programs_reader
      role_ids:
      - peregrine_reader
      - guppy_reader
      - fence_storage_reader
      resource_paths:
      - /programs
    - id: MyFirstProject_submitter
      role_ids:
      - reader
      - creator
      - updater
      - deleter
      - storage_reader
      - storage_writer
      resource_paths:
      - /programs/MyFirstProgram/projects/MyFirstProject

    roles:
    - id: file_uploader
      permissions:
      - id: file_upload
        action:
          service: fence
          method: file_upload
    - id: workspace_user
      permissions:
      - id: workspace_access
        action:
          service: jupyterhub
          method: access
    - id: sheepdog_admin
      description: CRUD access to programs and projects
      permissions:
      - id: sheepdog_admin_action
        action:
          service: sheepdog
          method: '*'
    - id: indexd_admin
      description: full access to indexd API
      permissions:
      - id: indexd_admin
        action:
          service: indexd
          method: '*'
    - id: admin
      permissions:
        - id: admin
          action:
            service: '*'
            method: '*'
    - id: creator
      permissions:
        - id: creator
          action:
            service: '*'
            method: create
    - id: reader
      permissions:
        - id: reader
          action:
            service: '*'
            method: read
    - id: updater
      permissions:
        - id: updater
          action:
            service: '*'
            method: update
    - id: deleter
      permissions:
        - id: deleter
          action:
            service: '*'
            method: delete
    - id: storage_writer
      permissions:
        - id: storage_creator
          action:
            service: '*'
            method: write-storage
    - id: storage_reader
      permissions:
        - id: storage_reader
          action:
            service: '*'
            method: read-storage
    - id: peregrine_reader
      permissions:
      - id: peregrine_reader
        action:
          method: read
          service: peregrine
    - id: guppy_reader
      permissions:
      - id: guppy_reader
        action:
          method: read
          service: guppy
    - id: fence_storage_reader
      permissions:
      - id: fence_storage_reader
        action:
          method: read-storage
          service: fence

  clients:
    wts:
      policies:
      - all_programs_reader
      - open_data_reader

  users:
    username1@gmail.com: {}
    username2:
      tags:
        name: John Doe
        email: johndoe@gmail.com
      policies:
      - MyFirstProject_submitter

  cloud_providers: {}
  groups: {}

# -- (map) Public configuration settings for Fence app
FENCE_CONFIG_PUBLIC: {}

# -- (map) Private configuration settings for Fence app
FENCE_CONFIG:
  # -- (string) Name of the Fence app
  APP_NAME: "Gen3 Data Commons"

  # -- (string) A URL-safe base64-encoded 32-byte key for encrypting keys in db
  # in python you can use the following script to generate one:
  #     import base64
  #     import os
  #     key = base64.urlsafe_b64encode(os.urandom(32))
  #     print(key)
  ENCRYPTION_KEY: REPLACEME

  # -- (map) Debug and security settings
  # Modify based on whether you're in a dev environment or in production
  DEBUG: false
  # -- (bool) if true, will automatically login a user with username "test"
  # WARNING: DO NOT ENABLE IN PRODUCTION (for testing purposes only)
  MOCK_AUTH: false

  # -- (bool) if true, will fake a successful login response from Google in /login/google
  #     NOTE: this will also modify the behavior of /link/google endpoints
  # WARNING: DO NOT ENABLE IN PRODUCTION (for testing purposes only)
  # will login as the username set in cookie DEV_LOGIN_COOKIE_NAME
  MOCK_GOOGLE_AUTH: false

  # -- (str) the name of the cookie set by mock authentication (used for testing only)
  DEV_LOGIN_COOKIE_NAME: "dev_login"

  # -- (bool) if true, will ignore anything configured in STORAGE_CREDENTIALS
  MOCK_STORAGE: false

  # -- (bool) allow OIDC traffic on http for development. By default it requires https.
  #
  # WARNING: ONLY set to true when fence will be deployed in such a way that it will
  #          ONLY receive traffic from internal clients and can safely use HTTP.
  AUTHLIB_INSECURE_TRANSPORT: true

  # -- (bool) enable Prometheus Metrics for observability purposes
  #
  # WARNING: Any counters, gauges, histograms, etc. should be carefully
  # reviewed to make sure its labels do not contain any PII / PHI
  ENABLE_PROMETHEUS_METRICS: false

  # -- (bool) set if you want browsers to only send cookies with requests over HTTPS
  SESSION_COOKIE_SECURE: true

  # -- (bool) enable CSRF protection
  ENABLE_CSRF_PROTECTION: true

  # -- (str) signing key for WTForms to sign CSRF tokens with
  WTF_CSRF_SECRET_KEY: "{{ENCRYPTION_KEY}}"

  # -- (bool) fence (at the moment) attempts a migration on startup. setting this to false will disable that
  # WARNING: ONLY set to false if you do NOT want to automatically migrate your database.
  #          You should be careful about incompatible versions of your db schema with what
  #          fence expects. In other words, things could be broken if you update to a later
  #          fence that expects a schema your database isn't migrated to.
  # NOTE: We are working to improve the migration process in the near future
  ENABLE_DB_MIGRATION: true

  # -- (dict) Configurations for OpenID Connect (OIDC) authentication
  #   - Fully configure at least one client so login works
  #   - WARNING: Be careful changing the *_ALLOWED_SCOPES as you can break basic
  #              and optional functionality
  OPENID_CONNECT:
    # any OIDC IDP that does not differ from the generic implementation can be
    # configured without code changes
    generic_oidc_idp:   # choose a unique ID and replace this key
      # -- (str) Optional; display name for this IDP
      name: "some_idp"
      # -- (str) Client ID
      client_id: ""
      # -- (str) Client secret
      client_secret: ""
      # -- (str) Redirect URL for this IDP
      redirect_url: "{{BASE_URL}}/login/some_idp/login"   # replace IDP name
      # use `discovery` to configure IDPs that do not expose a discovery
      # endpoint. One of `discovery_url` or `discovery` should be configured
      # -- (str) URL of the OIDC discovery endpoint for the IDP
      discovery_url: "https://server.com/.well-known/openid-configuration"
      discovery:
        # -- (str) Authorization endpoint URL
        authorization_endpoint: ""
        # -- (str) Token endpoint URL
        token_endpoint: ""
        # -- (str) JSON Web Key Set (JWKS) URI
        jwks_uri: ""
      # -- (str) Optional; claims field to get the user_id from (default "sub")
      user_id_field: ""
      # -- (str) Optional; claims field to get the user email from (default "email")
      email_field: ""
      # -- (str) Optional; default is "openid"
      scope: ""
    # These Google values must be obtained from Google's Cloud Console
    # Follow: https://developers.google.com/identity/protocols/OpenIDConnect
    #
    # You'll need to obtain a Client ID and Client Secret. Set the redirect URIs
    # in Google to be '{{BASE_URL}}/login/google/login', but expand BASE_URL to
    # whatever you set it to above.
    # -- (dict) Configuration for Google authentication provider
    google:
      # -- (str) URL of the OIDC discovery endpoint for Google
      discovery_url: "https://accounts.google.com/.well-known/openid-configuration"
      # -- (str) Client ID
      client_id: ""
      # -- (str) Client secret
      client_secret: ""
      # -- (str) The allowed redirect back to fence, should not need to change
      redirect_url: "{{BASE_URL}}/login/google/login/"
      # -- (str) The scope to request from Google (default "openid email")
      scope: "openid email"
      # if mock is true, will fake a successful login response from Google in /login/google
      #     NOTE: this will also modify the behavior of /link/google endpoints
      # WARNING: DO NOT ENABLE IN PRODUCTION (for testing purposes only)
      # will login as the username set in cookie DEV_LOGIN_COOKIE_NAME or default provided
      # here
      # -- (str) Optional; defaults to '{{MOCK_GOOGLE_AUTH}}' for backwards compatibility with older cfg files
      mock: ""
      # -- (str) Optional; defaults to 'test@example.com'
      mock_default_user: "test@example.com"

    # -- (dict): Contains multi-tenant Fence configuration
    # Support for multi-tenant fence (another fence is this fence's IDP)
    # If this fence instance is a client of another fence, fill this cfg out.
    # REMOVE if not needed
    fence:
      # -- (str): Root URL for the other fence
      # this api_base_url should be the root url for the OTHER fence
      # something like: https://example.com
      api_base_url: ""

      # -- (str): ID of the client of this fence on the other fence
      # this client_id and client_secret should be obtained by registering THIS fence as
      # a new client of the OTHER fence
      client_id: ""

      # -- (str): Secret of the client of this fence on the other fence
      client_secret: ""

      # -- dict: Additional client parameters
      client_kwargs:
        # -- (str): Space-separated string of scopes
        # openid is required to use OIDC flow
        scope: "openid"

        # -- (str): The URL to which the other fence will redirect after logging in
        redirect_uri: "{{BASE_URL}}/login/fence/login"

      # -- (str): URL for authorization endpoint of the other fence
      # The next 3 should not need to be changed if the provider is following
      # Oauth2 endpoint naming conventions
      authorize_url: "{{api_base_url}}/oauth2/authorize"

      # -- (str): URL for access token endpoint of the other fence
      access_token_url: "{{api_base_url}}/oauth2/token"

      # -- (str): URL for refresh token endpoint of the other fence
      refresh_token_url: "{{api_base_url}}/oauth2/token"

      # -- (str): Name of the provider for consent screens
      # Custom name to display for consent screens. If not provided, will use `fence`.
      # If the other fence is using NIH Login, you should make name: `NIH Login`
      name: ""

      # -- (bool): Whether to mock a successful login response for testing purposes
      # if mock is true, will fake a successful login response for login
      # WARNING: DO NOT ENABLE IN PRODUCTION (for testing purposes only)
      mock: false

      # -- (str): Default user for mock login
      mock_default_user: "test@example.com"

      # -- (str): URL of the shibboleth discovery endpoint if needed for InCommon login
      # this is needed to enable InCommon login, if some LOGIN_OPTIONS are configured with idp=fence and a list of shib_idps:
      shibboleth_discovery_url: "https://login.bionimbus.org/Shibboleth.sso/DiscoFeed"

    orcid:
      discovery_url: "https://orcid.org/.well-known/openid-configuration"
      client_id: ""
      client_secret: ""
      # make sure you put the FULL url for this deployment in the allowed redirects in
      # ORCID.org. DO NOT include {{BASE_URL}} at ORCID.org, you need to actually put the
      # full url
      redirect_url: "{{BASE_URL}}/login/orcid/login/"
      scope: "openid"
      # if mock is true, will fake a successful login response for login
      # WARNING: DO NOT ENABLE IN PRODUCTION (for testing purposes only)
      mock: false
      mock_default_user: "0000-0002-2601-8132"
    ras:
      discovery_url: "https://sts.nih.gov/.well-known/openid-configuration"
      client_id: ""
      client_secret: ""
      redirect_url: "{{BASE_URL}}/login/ras/callback"
      scope: "openid email profile ga4gh_passport_v1"
      # if mock is true, will fake a successful login response for login
      # WARNING: DO NOT ENABLE IN PRODUCTION (for testing purposes only)
      mock: false
      mock_default_user: "test@example.com"
    # Create a client in Azure here:
    #   https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredAppsPreview
    # Currently supports organizational account only, so when registering a new App in
    # Azure, make sure to select the `Accounts in any organizational directory` for
    # supported account types.
    microsoft:
      discovery_url: "https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration"
      # after registering a new appl, client_id can be found as
      # "APPLICATION (CLIENT) ID" in Microsoft Azure
      client_id: ""
      # You have a generate a secret in Azure for this app, there should be a
      # "Certificates & secrets" section where you can create a "New client secret"
      client_secret: ""
      # make sure you put the FULL url for this deployment in the allowed redirects in
      # your app in Azure. DO NOT include {{BASE_URL}} in Azure, you need to actually put the
      # full url
      redirect_url: "{{BASE_URL}}/login/microsoft/login/"
      scope: "openid email"
      # if mock is true, will fake a successful login response for login
      # WARNING: DO NOT ENABLE IN PRODUCTION (for testing purposes only)
      mock: false
      mock_default_user: "test@example.com"
    # For information on configuring an Okta tenant as an OIDC IdP refer to Okta documentation at:
    # https://developer.okta.com/docs/reference/api/oidc/#2-okta-as-the-identity-platform-for-your-app-or-api
    okta:
      discovery_url: ""
      client_id: ""
      client_secret: ""
      redirect_url: "{{BASE_URL}}/login/okta/login/"
      scope: "openid email"
    cognito:
      # You must create a user pool in order to have a discovery url
      discovery_url: "https://cognito-idp.{REGION}.amazonaws.com/{USER-POOL-ID}/.well-known/openid-configuration"
      client_id: ""
      client_secret: ""
      redirect_url: "{{BASE_URL}}/login/cognito/login/"
      scope: "openid email"
      # In the case where Cognito is being used solely as an intermediary to a single IdP,
      # and that IdP is a SAML IdP with no 'email_verified' outgoing claim, but it is safe
      # to assume all emails from this SAML IdP are in fact verified, we may set this to True
      # assume_emails_verified: False
    # CILogon subscribers can create and manage OIDC clients using COmanage Registry.
    # Free tier users may request OIDC clients at https://cilogon.org/oauth2/register
    cilogon:
      discovery_url: "https://cilogon.org/.well-known/openid-configuration"
      client_id: ""
      client_secret: ""
      # When registering the Callback URLs for your CILogon OIDC client be
      # sure to include the FULL url for this deployment, including the https:// scheme
      # and server FQDN.
      redirect_url: "{{BASE_URL}}/login/cilogon/login/"
      scope: "openid email profile"
      # if mock is true, will fake a successful login response for login
      # WARNING: DO NOT ENABLE IN PRODUCTION (for testing purposes only)
      mock: false
      mock_default_user: "http://cilogon.org/serverT/users/64703"
    synapse:
      discovery_url: ""
      client_id: ""
      client_secret: ""
      redirect_url: ""
      scope: "openid"
    shibboleth:
      client_id: ""
      client_secret: ""
      redirect_url: "{{BASE_URL}}/login/shib/login"

  # these are the *possible* scopes a client can be given, NOT scopes that are
  # given to all clients. You can be more restrictive during client creation
  # -- (list) These are the *possible* scopes a client can be given, NOT scopes that are given to all clients. You can be more restrictive during client creation
  CLIENT_ALLOWED_SCOPES:
    - "openid"
    - "user"
    - "data"
    - "google_credentials"
    - "google_service_account"
    - "google_link"
    - "ga4gh_passport_v1"

  # -- (list) these are the scopes that CAN be included in a user's own access_token
  USER_ALLOWED_SCOPES:
    - "fence"
    - "openid"
    - "user"
    - "data"
    - "admin"
    - "google_credentials"
    - "google_service_account"
    - "google_link"
    - "ga4gh_passport_v1"

  # -- (list) these are the scopes that a browser session can create for a user (very similar to USER_ALLOWED_SCOPES, as the session will actually create access_tokens for an actively logged in user)
  SESSION_ALLOWED_SCOPES:
    - "openid"
    - "user"
    - "credentials"
    - "data"
    - "admin"
    - "google_credentials"
    - "google_service_account"
    - "google_link"
    - "ga4gh_passport_v1"

  # //////////////////////////////////////////////////////////////////////////////////////
  # LOGIN
  #   - Modify based on which OIDC provider(s) you configured above
  #   - NOTE: You can have multiple IDPs for users to login with, but one has to be set
  #           as the default
  # //////////////////////////////////////////////////////////////////////////////////////

  # List of enabled login options (used by data-portal to display login buttons).
  # Each option must be configured with a "name" and an "idp".
  # - "idp" must be a configured provider in OPENID_CONNECT section.
  # Multiple options can be configured with the same idp.
  # - if provider_id is "fence", "fence_idp" can be any of the providers
  # supported by the other Fence. If not specified, will default to NIH login.
  # - if provider_id is "fence" and fence_idp is "shibboleth", a list of
  # "shib_idps" can be configured for InCommon login. If not specified, will
  # default to NIH login.
  # - Optional parameters: "desc" (description) and "secondary" (boolean - can
  # be used by the frontend to display secondary buttons differently).
  # -- (list) List of enabled login options (used by data-portal to display login buttons).
  LOGIN_OPTIONS:
    - name: "Login from Google"
      desc: "description"
      idp: google

  # -- (string) Default login provider. - must be configured in LOGIN_OPTIONS and OPENID_CONNECT - - if several options in LOGIN_OPTIONS are defined for this IDP, will default to the first one
  DEFAULT_LOGIN_IDP: google

  # -- (string) Default login URL: DEPRECATED and replaced by LOGIN_OPTIONS + DEFAULT_LOGIN_IDP configs
  DEFAULT_LOGIN_URL: "{{BASE_URL}}/login/google"

  # `LOGIN_REDIRECT_WHITELIST` is a list of extra whitelisted URLs which can be redirected
  # to by the `/login/*` endpoints. Fence automatically populates this with the redirect
  # URLs for any registered OAuth clients, and its own URL. When validating the redirects,
  # fence chesk whether the domain for the redirect matches a domain in the whitelist (so
  # only the domains for the additional desired redirects are necessary here).
  LOGIN_REDIRECT_WHITELIST: []

  ### DEPRECATED and replaced by OPENID_CONNECT + LOGIN_OPTIONS configs
  ENABLED_IDENTITY_PROVIDERS: {}

  # //////////////////////////////////////////////////////////////////////////////////////
  # LIBRARY CONFIGURATION (authlib & flask)
  #   - Already contains reasonable defaults
  # //////////////////////////////////////////////////////////////////////////////////////
  # authlib-specific configs for OIDC flow and JWTs
  # NOTE: the OAUTH2_JWT_KEY cfg gets set automatically by fence if keys are setup
  #       correctly
  OAUTH2_JWT_ALG: "RS256"
  OAUTH2_JWT_ENABLED: true
  OAUTH2_JWT_ISS: "{{BASE_URL}}"
  OAUTH2_PROVIDER_ERROR_URI: "/api/oauth2/errors"

  # used for flask, "path mounted under by the application / web server"
  # since we deploy as microservices, fence is typically under {{base}}/user
  # this is also why our BASE_URL default ends in /user
  APPLICATION_ROOT: "/user"

  # //////////////////////////////////////////////////////////////////////////////////////
  # Tokens, Lifetimes, & Expirations
  #   - Already contains reasonable defaults
  # //////////////////////////////////////////////////////////////////////////////////////
  # The name of the browser cookie in which the access token will be stored.
  ACCESS_TOKEN_COOKIE_NAME: "access_token"

  # The name of the browser cookie in which the session token will be stored.
  # Note that the session token also stores information for the
  # ``flask.session`` in the ``context`` field of the token.
  SESSION_COOKIE_NAME: "fence"

  # The domain of the browser cookie in which the session token will be stored.
  # Leave unset (not empty string!) for normal single-site deployment.
  SESSION_COOKIE_DOMAIN:

  OAUTH2_TOKEN_EXPIRES_IN:
    "authorization_code": 1200
    "implicit": 1200

  # The number of seconds after an access token is issued until it expires.
  ACCESS_TOKEN_EXPIRES_IN: 1200

  # The number of seconds after a refresh token is issued until it expires.
  REFRESH_TOKEN_EXPIRES_IN: 2592000

  # The number of seconds after which a browser session is considered stale.
  SESSION_TIMEOUT: 1800

  # The maximum session lifetime in seconds.
  SESSION_LIFETIME: 28800

  # The number of seconds the user's Google service account key used for
  # url signing will last before being expired/rotated
  # 30 days: 2592000 seconds
  GOOGLE_SERVICE_ACCOUNT_KEY_FOR_URL_SIGNING_EXPIRES_IN: 2592000

  # The number of seconds after a User's Google Service account is added to bucket
  # access until it expires.
  # 7 days: 604800 seconds
  GOOGLE_USER_SERVICE_ACCOUNT_ACCESS_EXPIRES_IN: 604800

  # The number of seconds after a User's Google account is added to bucket
  # access until it expires.
  GOOGLE_ACCOUNT_ACCESS_EXPIRES_IN: 86400

  # The number of seconds after a pre-signed url is issued until it expires.
  MAX_PRESIGNED_URL_TTL: 3600

  # The number of seconds after an API KEY is issued until it expires.
  MAX_API_KEY_TTL: 2592000

  # The number of seconds after an access token is issued until it expires.
  MAX_ACCESS_TOKEN_TTL: 3600

  # TEMPORARY: The maximum number of projects allowed in token claims.
  # This config var should be removed after sheepdog and peregrine support
  # auth checks against Arborist, and no longer check the token.
  TOKEN_PROJECTS_CUTOFF: 10

  # If set to true, will generate an new access token each time when a browser session update happens
  RENEW_ACCESS_TOKEN_BEFORE_EXPIRATION: false

  # The maximum lifetime of a Gen3 passport in seconds
  GEN3_PASSPORT_EXPIRES_IN: 43200

  ########################################################################################
  #                               OPTIONAL CONFIGURATIONS                                #
  ########################################################################################

  # For displaying a privacy policy to users, we can either link to the URL specified by
  # PRIVACY_POLICY_URL, or default to the `static/privacy_policy.md` file in fence.
  PRIVACY_POLICY_URL: null

  # //////////////////////////////////////////////////////////////////////////////////////
  # RELIABILITY OPTS
  # //////////////////////////////////////////////////////////////////////////////////////
  # Configurations related to resiliency, fault-tolerance and availability
  # This is the number of requests per second that the Nginx proxy will accept before reaching fence
  # The value defined in fence-config-public.yaml takes precedence over this one
  # In the absence of this OVERRIDE prefixed config, the legacy NGINX_RATE_LIMIT from the k8s deployment yaml is applied
  OVERRIDE_NGINX_RATE_LIMIT: 18

  # //////////////////////////////////////////////////////////////////////////////////////
  # SUPPORT INFO
  # //////////////////////////////////////////////////////////////////////////////////////
  # If you want an email address to show up when an unhandled error occurs, provide one
  # here. Something like: support@example.com
  SUPPORT_EMAIL_FOR_ERRORS: null

  # //////////////////////////////////////////////////////////////////////////////////////
  # SHIBBOLETH
  #   - Support using `shibboleth` in LOGIN_OPTIONS
  #   - Contains defaults for using NIH's Login.
  # //////////////////////////////////////////////////////////////////////////////////////
  # assumes shibboleth is deployed under {{BASE_URL}}/shibboleth
  SHIBBOLETH_HEADER: "persistent_id"
  SSO_URL: "https://auth.nih.gov/affwebservices/public/saml2sso?SPID={{BASE_URL}}/shibboleth&RelayState="
  ITRUST_GLOBAL_LOGOUT: "https://auth.nih.gov/siteminderagent/smlogout.asp?mode=nih&AppReturnUrl="

  # //////////////////////////////////////////////////////////////////////////////////////
  # dbGaP USER SYNCING SUPPORT
  #   - Support syncing authorization information from dbGaP
  # //////////////////////////////////////////////////////////////////////////////////////
  # "dbGaP project serves as an access gateway for researchers seeking to gain
  #  access to genotype and phenotype data"
  #
  # User syncing and access can also be done throught a User Access file. See
  # fence's README for more information
  dbGaP:
    - info:
        host: ""
        username: ""
        password: ""
        port: 22
        proxy: ""
      protocol: "sftp"
      decrypt_key: ""
      # parse out the consent from the dbgap accession number such that something
      # like "phs000123.v1.p1.c2" becomes "phs000123.c2".
      #
      # NOTE: when this is "false" the above would become "phs000123"
      parse_consent_code: true
      # A consent of "c999" can indicate access to that study's "exchange area data"
      # and when a user has access to one study's exchange area data, they
      # have access to the parent study's "common exchange area data" that is not study
      # specific. The following config is whether or not to parse/handle "c999" codes
      # for access to the common exchange area data
      #
      # NOTE: When enabled you MUST also provide a mapping to the
      # `study_common_exchange_areas` from study -> parent common exchange area resource
      enable_common_exchange_area_access: false
      # The below configuration is a mapping from studies to their "common exchange area data"
      # Fence project name a user gets access to when parsing c999 exchange area codes (and
      # subsequently gives access to an Arborist resource representing this common area
      # as well)
      study_common_exchange_areas:
        "example": "test_common_exchange_area"
        # 'studyX': 'test_common_exchange_area'
        # 'studyY': 'test_common_exchange_area'
        # 'studyZ': 'test_common_exchange_area'
      # A mapping from the dbgap study / Fence project to which authorization namespaces the
      # actual data lives in. For example, `studyX` data may exist in multiple organizations, so
      # we need to know how to map authorization to all orgs resources
      study_to_resource_namespaces:
        "_default": ["/"]
        "test_common_exchange_area": ["/dbgap/"]
        # above are for default support and exchange area support
        # below are further examples
        #
        # 'studyX': ['/orgA/', '/orgB/']
        # 'studyX.c2': ['/orgB/', '/orgC/']
        # 'studyZ': ['/orgD/']
  # Regex to match an assession number that has consent information in forms like:
  #   phs00301123.c999
  #   phs000123.v3.p1.c3
  #   phs000123.c3
  #   phs00301123.v3.p4.c999
  # Will NOT MATCH forms like: phs000123
  #
  # WARNING: Do not change this without consulting the code that uses it
  DBGAP_ACCESSION_WITH_CONSENT_REGEX: "(?P<phsid>phs[0-9]+)(.(?P<version>v[0-9]+)){0,1}(.(?P<participant_set>p[0-9]+)){0,1}.(?P<consent>c[0-9]+)"

  # //////////////////////////////////////////////////////////////////////////////////////
  # STORAGE BACKENDS AND CREDENTIALS
  #   - Optional: Used for `/admin` & `/credentials` endpoints for user management.
  #               Also used during User Syncing process to automate managing Storage
  #               access for users.
  # //////////////////////////////////////////////////////////////////////////////////////
  # When true, this modifies usersync (not fence service itself) such that when syncing user
  # access to a Google storage backend happens in "bulk" by doing a diff *per google group*
  # between what's in Google and what's expected. Then it adds, removes only as necessary.
  # This is in contrast to the default logic which does blind updates per user and ignores
  # 409s from Google.
  # NOTE: This reduces the number of API calls to Google in the general case, but increases
  #       memory usages by usersync (as it has to track all the Google groups and user access)
  GOOGLE_BULK_UPDATES: false

  # Configuration for various storage systems for the backend
  # NOTE: Remove the {} and supply backends if needed. Example in comments below
  STORAGE_CREDENTIALS: {}
  # Google Cloud Storage backend
  #
  #  'google':
  #    backend: 'google'
  #    # this should be the project id where the Google Groups for data access are managed
  #    google_project_id: 'some-project-id-12378923'

  # Cleversafe data storage backend
  #
  #  'cleversafe-server-a':
  #    backend: 'cleversafe'
  #    aws_access_key_id: ''
  #    aws_secret_access_key: ''
  #    host: 'somemanager.osdc.io'
  #    public_host: 'someobjstore.example.com'
  #    port: 443
  #    is_secure: true
  #    username: 'someone'
  #    password: 'somepass'
  #    is_mocked: true

  # //////////////////////////////////////////////////////////////////////////////////////
  # AWS BUCKETS AND CREDENTIALS
  #   - Support `/data` endpoints
  # //////////////////////////////////////////////////////////////////////////////////////
  AWS_CREDENTIALS: {}
  # NOTE: Remove the {} and supply creds if needed. Example in comments below
  #   'CRED1':
  #     aws_access_key_id: ''
  #     aws_secret_access_key: ''
  #   'CRED2':
  #     aws_access_key_id: ''
  #     aws_secret_access_key: ''

  # NOTE: the region is optonal for s3_buckets, however it should be specified to avoid a
  # call to GetBucketLocation which you make lack the AWS ACLs for.
  # public buckets do not need the region field.
  # the cred values should be keys in section `AWS_CREDENTIALS`.
  S3_BUCKETS: {}
  # NOTE: Remove the {} and supply buckets if needed. Example in comments below
  #   bucket1:
  #     cred: 'CRED1'
  #     region: 'us-east-1'
  #     # optionally you can manually specify an s3-compliant endpoint for this bucket
  #     endpoint_url: 'https://cleversafe.example.com/'
  #   bucket2:
  #     cred: 'CRED2'
  #     region: 'us-east-1'
  #   bucket3:
  #     cred: '*' # public bucket
  #   bucket4:
  #     cred: 'CRED1'
  #     region: 'us-east-1'
  #     role-arn: 'arn:aws:iam::role1'

  # `DATA_UPLOAD_BUCKET` specifies an S3 bucket to which data files are uploaded,
  # using the `/data/upload` endpoint. This must be one of the first keys under
  # `S3_BUCKETS` (since these are the buckets fence has credentials for).
  DATA_UPLOAD_BUCKET: "bucket1"

  # //////////////////////////////////////////////////////////////////////////////////////
  # PROXY
  #   - Optional: If the api is behind firewall that needs to set http proxy
  # //////////////////////////////////////////////////////////////////////////////////////
  # NOTE: leave as-is to not use proxy
  # this is only used by the Google Oauth2Client at the moment if provided
  HTTP_PROXY:
    host: null
    port: 3128

  # //////////////////////////////////////////////////////////////////////////////////////
  # MICROSERVICE PATHS
  #   - Support `/data` endpoints & authz functionality
  # //////////////////////////////////////////////////////////////////////////////////////
  # url where indexd microservice is running (for signed urls primarily)
  # NOTE: Leaving as null will force fence to default to {{BASE_URL}}/index
  # example value: 'https://example.com/index'
  INDEXD: http://indexd-service

  # this is the username which fence uses to make authenticated requests to indexd
  INDEXD_USERNAME: "fence"
  # this is the password which fence uses to make authenticated requests to indexd
  INDEXD_PASSWORD: ""

  # //////////////////////////////////////////////////////////////////////////////////////
  # AZURE STORAGE BLOB CONFIGURATION
  #   - Support Azure Blob Data Access Methods
  # //////////////////////////////////////////////////////////////////////////////////////

  # https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&tabs=azure-portal#view-account-access-keys
  # AZ_BLOB_CREDENTIALS: 'fake connection string'
  AZ_BLOB_CREDENTIALS:

  # AZ_BLOB_CONTAINER_URL: 'https://storageaccount.blob.core.windows.net/container/'
  # this is the container used for uploading, and should match the storage account
  # used in the connection string for AZ_BLOB_CREDENTIALS
  AZ_BLOB_CONTAINER_URL: "https://myfakeblob.blob.core.windows.net/my-fake-container/"

  # url where authz microservice is running
  ARBORIST: http://arborist-service

  # url where the audit-service is running
  AUDIT_SERVICE: "http://audit-service"
  ENABLE_AUDIT_LOGS:
    presigned_url: false
    login: false
  # `PUSH_AUDIT_LOGS_CONFIG.type` is one of: [api, aws_sqs].
  # - if type == api: logs are created by hitting the log creation endpoint.
  # - if type == aws_sqs: logs are pushed to an SQS and `aws_sqs_config` fields
  # `sqs_url` and `region` are required. Field `aws_cred` is optional and it
  # should be a key in section `AWS_CREDENTIALS`.
  PUSH_AUDIT_LOGS_CONFIG:
    type: aws_sqs
    aws_sqs_config:
      sqs_url:
      region:
      aws_cred:

  # //////////////////////////////////////////////////////////////////////////////////////
  # CLOUD API LIBRARY (CIRRUS) AND GOOGLE CONFIGURATION
  #   - Support Google Data Access Methods
  # //////////////////////////////////////////////////////////////////////////////////////
  # Setting this up allows fence to create buckets, manage Google groups, etc.
  # See directions here for setting up cirrus: https://github.com/uc-cdis/cirrus
  CIRRUS_CFG:
    GOOGLE_API_KEY: ""
    GOOGLE_PROJECT_ID: ""
    GOOGLE_APPLICATION_CREDENTIALS: ""
    GOOGLE_STORAGE_CREDS: ""
    GOOGLE_ADMIN_EMAIL: ""
    GOOGLE_IDENTITY_DOMAIN: ""
    GOOGLE_CLOUD_IDENTITY_ADMIN_EMAIL: ""

  # Prefix to namespace Google Groups on a single Cloud Identity (see cirrus
  # setup for more info on Cloud Identity)
  #
  # NOTE: Make this short! Less than 8 characters if possible. Google has
  #       length restrictions on group names.
  GOOGLE_GROUP_PREFIX: ""

  # Prefix to namespace Google Service Accounts in a single Google Cloud Platform Project.
  # This is primarily to support multiple instances of fence references the same Google
  # project. If that is not something you need to support, then you can leave this blank.
  #
  # NOTE: Make this short! Less than 8 characters if possible. Google has
  #       length restrictions on service account names.
  GOOGLE_SERVICE_ACCOUNT_PREFIX: ""

  # A Google Project identitifier representing the default project to bill to for
  # accessing Google Requester Pays buckets (for signed urls and/or temporary service account
  # credentials). If this is provided and the API call for
  # Google access does not include a `userProject`, this will be used instead.
  #
  # WARNING: Setting this WITHOUT setting "ENABLE_AUTOMATIC_BILLING_*" to `true` below,
  #          means that clients and end-users will be responsible for making sure that
  #          the service account used in either of these methods actually has billing
  #          permission in the specified project.
  BILLING_PROJECT_FOR_SIGNED_URLS:
  BILLING_PROJECT_FOR_SA_CREDS:

  # Setting this to `true` will make Fence automatically attempt to create a Custom Role
  # in the billing project and give the necessary Google Service Account that role
  # (which will allow it to bill to the project).
  #
  # NOTE: The Fence SA will need the necessary permissions in the specified project to
  #       both create a custom role and update the Project's IAM Policy to include the
  #       necessary SA. At the time of writing, there are pre-defined roles in Google's
  #       IAM that provide the necessary permissions. Those are "Project IAM Admin" and
  #       "Role Administrator"
  #
  #       NOTE2: It may be possible to further restrict the permissions in the future to
  #              be more fine-grained.
  #
  ENABLE_AUTOMATIC_BILLING_PERMISSION_SIGNED_URLS: false
  ENABLE_AUTOMATIC_BILLING_PERMISSION_SA_CREDS: false

  # //////////////////////////////////////////////////////////////////////////////////////
  # EMAIL
  #   - Support for sending emails from fence. Used for user certificates
  #     and `/google/service_accounts` endpoints
  # //////////////////////////////////////////////////////////////////////////////////////
  # Gun Mail Service (for sending emails from fence)
  #
  # NOTE: Example in comments below
  GUN_MAIL:
    "datacommons.io":
      smtp_hostname: "smtp.mailgun.org"
      api_key: ""
      default_login: "postmaster@mailgun.example.com"
      api_url: "https://api.mailgun.net/v3/mailgun.example.com"
      smtp_password: ""

  # For emails regarding users certificates
  EMAIL_SERVER: "localhost"
  SEND_FROM: "example@gmail.com"
  SEND_TO: "example@gmail.com"

  # //////////////////////////////////////////////////////////////////////////////////////
  # DATA ACCESS: GOOGLE LINKING & SERVICE ACCOUNT REGISTRATION
  #   - Support `/google/service_accounts` endpoints
  # //////////////////////////////////////////////////////////////////////////////////////
  # whether or not to allow access to the /link/google endpoints
  ALLOW_GOOGLE_LINKING: true

  # A Google Project with controlled data access will be determined INVALID if
  # if it has a parent organization UNLESS that parent organization's ID is in this
  # whitelist.
  #
  # NOTE: Remove the [] and Google Organization IDs if needed. Example in comments below
  WHITE_LISTED_GOOGLE_PARENT_ORGS: []
  #  - '12345678910'

  # A Google Project with Google Service Accounts determined INVALID will result in the
  # the entire project being invalid UNLESS that service accounts's email is in this
  # whitelist.
  #
  # NOTE: Remove the [] and service account emails if needed. Example in comments below
  WHITE_LISTED_SERVICE_ACCOUNT_EMAILS: []
  #  - 'example@developer.gserviceaccount.com'
  #  - 'example@test.iam.gserviceaccount.com'

  # when service accounts or google projects are determined invalid, an email is sent
  # to the project owners. These settings are for that email
  REMOVE_SERVICE_ACCOUNT_EMAIL_NOTIFICATION:
    enable: false
    # this domain MUST exist in GUN_MAIL config
    domain: "example.com"
    from: "do-not-reply@example.com"
    subject: "User service account removal notification"
    # the {} gets replaced dynamically in the Python code to be the Project ID
    content: >
      Service accounts were removed from access control data because some users or
      service accounts of GCP Project {} are not authorized to access the data sets
      associated to the service accounts, or do not adhere to the security policies.
    # this admin email will be included as a recipient to *any* email to anyone about
    # service account removal.
    #
    # WARNING: This is NOT a bcc so the email is visible to the end-user
    admin:
      - "admin@example.edu"

  PROBLEM_USER_EMAIL_NOTIFICATION:
    # this domain MUST exist in GUN_MAIL config
    domain: "example.com"
    from: "do-not-reply@example.com"
    subject: "Account access error notification"
    # the {} gets replaced dynamically in the Python code to be the Project ID
    content: >
      The Data Commons Framework utilizes dbGaP for data access authorization.
      Another member of a Google project you belong to ({}) is attempting to
      register a service account to the following additional datasets ({}).
      Please contact dbGaP to request access.
    # this admin email will be included as a recipient to *any* email to anyone about
    # service account removal.
    #
    # WARNING: This is NOT a bcc so the email is visible to the end-user
    admin:
      - "admin@example.edu"

  # Service account email domains that represent a service account that Google owns.
  # These are usually created when a sepcific GCP service is enabled.
  # This is used for Service Account Validation for Data Access.
  GOOGLE_MANAGED_SERVICE_ACCOUNT_DOMAINS:
    - "dataflow-service-producer-prod.iam.gserviceaccount.com"
    - "cloudbuild.gserviceaccount.com"
    - "cloud-ml.google.com.iam.gserviceaccount.com"
    - "container-engine-robot.iam.gserviceaccount.com"
    - "dataflow-service-producer-prod.iam.gserviceaccount.com"
    - "sourcerepo-service-accounts.iam.gserviceaccount.com"
    - "dataproc-accounts.iam.gserviceaccount.com"
    - "gae-api-prod.google.com.iam.gserviceaccount.com"
    - "genomics-api.google.com.iam.gserviceaccount.com"
    - "containerregistry.iam.gserviceaccount.com"
    - "container-analysis.iam.gserviceaccount.com"
    - "cloudservices.gserviceaccount.com"
    - "stackdriver-service.iam.gserviceaccount.com"
    - "appspot.gserviceaccount.com"
    - "partnercontent.gserviceaccount.com"
    - "trifacta-gcloud-prod.iam.gserviceaccount.com"
    - "gcf-admin-robot.iam.gserviceaccount.com"
    - "compute-system.iam.gserviceaccount.com"
    - "gcp-sa-websecurityscanner.iam.gserviceaccount.com"
    - "storage-transfer-service.iam.gserviceaccount.com"
    - "firebase-sa-management.iam.gserviceaccount.com"
    - "firebase-rules.iam.gserviceaccount.com"
    - "gcp-sa-cloudbuild.iam.gserviceaccount.com"
    - "gcp-sa-automl.iam.gserviceaccount.com"
    - "gcp-sa-datalabeling.iam.gserviceaccount.com"
    - "gcp-sa-cloudscheduler.iam.gserviceaccount.com"

  # The types of service accounts that are allowed to be registered at
  # /google/service_accounts endpoints
  ALLOWED_USER_SERVICE_ACCOUNT_DOMAINS:
    # compute engine default service account
    - "developer.gserviceaccount.com"
    # app engine default service account
    - "appspot.gserviceaccount.com"
    # user-managed service account
    - "iam.gserviceaccount.com"

  # Synapse integration and DREAM challenge mapping. Team is from Synapse, and group is
  # providing the actual permission in Arborist. User will be added to the group for TTL
  # seconds if the team matches.
  DREAM_CHALLENGE_TEAM: "DREAM"
  DREAM_CHALLENGE_GROUP: "DREAM"
  SYNAPSE_URI: "https://repo-prod.prod.sagebase.org/auth/v1"
  SYNAPSE_JWKS_URI:
  # deprecated, use the discovery_url in the OPENID_CONNECT block for the synapse client
  SYNAPSE_DISCOVERY_URL:
  SYNAPSE_AUTHZ_TTL: 86400

  # Role caching for generating presigned urls if max role session increase is true
  # then we can increase the amount of time that a session is valid for
  MAX_ROLE_SESSION_INCREASE: false
  ASSUME_ROLE_CACHE_SECONDS: 1800

  # Optional user registration feature: Ask users to register (provide firstname/lastname/org/email) on login.
  # If user registers, add them to configured Arborist group; idea is that the Arborist group
  # will have access to download data.
  REGISTER_USERS_ON: false
  REGISTERED_USERS_GROUP: ""
  # RAS refresh_tokens expire in 15 days
  RAS_REFRESH_EXPIRATION: 1296000
  # List of JWT issuers from which Fence will accept GA4GH visas
  GA4GH_VISA_ISSUER_ALLOWLIST:
    - "{{BASE_URL}}"
    - "https://sts.nih.gov"
    - "https://stsstg.nih.gov"
  # Number of projects that can be registered to a Google Service Accont
  SERVICE_ACCOUNT_LIMIT: 6

  # Global sync visas during login
  # None(Default): Allow per client i.e. a fence client can pick whether or not to sync their visas during login with parse_visas param in /authorization endpoint
  # True: Parse for all clients i.e. a fence client will always sync their visas during login
  # False: Parse for no clients i.e. a fence client will not be able to sync visas during login even with parse_visas param
  GLOBAL_PARSE_VISAS_ON_LOGIN: false
  # Settings for usersync with visas
  USERSYNC:
    sync_from_visas: false
    # fallback to dbgap sftp when there are no valid visas for a user i.e. if they're expired or if they're malformed
    fallback_to_dbgap_sftp: false
    visa_types:
      ras: ["https://ras.nih.gov/visas/v1", "https://ras.nih.gov/visas/v1.1"]
  RAS_USERINFO_ENDPOINT: "/openid/connect/v1.1/userinfo"