DEV-3876: Add pubkey AuthN by mpsolano · Pull Request #1334 · uc-cdis/fence

mpsolano · 2026-02-19T20:25:39Z

Implements public key authentication for connection to a dbGaP SFTP server as specified in the Gen3 Product Feature Document here.

Also patches paramiko at runtime to use a FIPS compliant hashing algorithm (SHA256 instead of MD5) for fingerprinting.

coveralls · 2026-02-19T20:28:20Z

Pull Request Test Coverage Report for Build 23868987927

Details

0 of 0 changed or added relevant lines in 0 files are covered.
134 unchanged lines in 1 file lost coverage.
Overall coverage remained the same at 75.067%

Files with Coverage Reduction	New Missed Lines	%
sync/sync_users.py	134	82.02%

Totals
Change from base Build 23756457076:	0.0%
Covered Lines:	8460
Relevant Lines:	11270

💛 - Coveralls

github-actions · 2026-02-19T21:33:37Z

Test summary after running integration tests

filepath	passed	failed	skipped	SUBTOTAL
tests/test_oauth2.py	15	0	0	15
tests/test_centralized_auth.py	15	1	0	16
tests/test_audit_service.py	3	0	3	6
tests/test_data_upload.py	8	0	1	9
tests/test_presigned_url.py	7	0	0	7
tests/test_dbgap.py	4	0	1	5
tests/test_drs_endpoint.py	4	0	0	4
tests/test_user_token.py	5	0	0	5
tests/test_oidc_client.py	2	0	0	2
tests/test_client_credentials.py	1	0	0	1
tests/test_register_user.py	2	0	0	2
tests/test_google_data_access.py	1	0	0	1
tests/test_ras_authn.py	0	0	3	3
TOTAL	67	1	8	76

Test summary after rerunning failed integration tests

filepath	passed	SUBTOTAL
tests/test_centralized_auth.py	1	1
TOTAL	1	1

Please find the detailed integration test report here

Please find the detailed integration test report after rerunning failed tests here

Please find the Github Action logs here

github-actions · 2026-02-19T22:59:12Z

Test summary after running integration tests

filepath	passed	failed	skipped	SUBTOTAL
tests/test_oauth2.py	15	0	0	15
tests/test_centralized_auth.py	16	0	0	16
tests/test_audit_service.py	3	0	3	6
tests/test_data_upload.py	8	0	1	9
tests/test_presigned_url.py	7	0	0	7
tests/test_dbgap.py	4	0	1	5
tests/test_user_token.py	4	1	0	5
tests/test_drs_endpoint.py	4	0	0	4
tests/test_register_user.py	2	0	0	2
tests/test_google_data_access.py	1	0	0	1
tests/test_client_credentials.py	1	0	0	1
tests/test_oidc_client.py	2	0	0	2
tests/test_ras_authn.py	0	0	3	3
TOTAL	67	1	8	76

Test summary after rerunning failed integration tests

filepath	passed	SUBTOTAL
tests/test_user_token.py	1	1
TOTAL	1	1

Please find the detailed integration test report here

Please find the detailed integration test report after rerunning failed tests here

Please find the Github Action logs here

github-actions · 2026-03-06T21:23:40Z

Test summary after running integration tests

filepath	passed	failed	skipped	SUBTOTAL
tests/test_oauth2.py	15	0	0	15
tests/test_centralized_auth.py	15	1	0	16
tests/test_audit_service.py	3	0	3	6
tests/test_data_upload.py	8	0	1	9
tests/test_presigned_url.py	7	0	0	7
tests/test_dbgap.py	4	0	1	5
tests/test_drs_endpoint.py	4	0	0	4
tests/test_register_user.py	2	0	0	2
tests/test_google_data_access.py	1	0	0	1
tests/test_client_credentials.py	1	0	0	1
tests/test_user_token.py	5	0	0	5
tests/test_oidc_client.py	2	0	0	2
tests/test_ras_authn.py	0	0	3	3
TOTAL	67	1	8	76

Test summary after rerunning failed integration tests

filepath	passed	SUBTOTAL
tests/test_centralized_auth.py	1	1
TOTAL	1	1

Please find the detailed integration test report here

Please find the detailed integration test report after rerunning failed tests here

Please find the Github Action logs here

github-actions · 2026-03-09T15:00:17Z

Failed to Prepare CI environment

Please find the Github Action logs here

github-actions · 2026-03-09T19:21:45Z

Test summary after running integration tests

filepath	passed	failed	skipped	SUBTOTAL
tests/test_oauth2.py	15	0	0	15
tests/test_centralized_auth.py	15	1	0	16
tests/test_audit_service.py	3	0	3	6
tests/test_data_upload.py	8	0	1	9
tests/test_presigned_url.py	7	0	0	7
tests/test_dbgap.py	4	0	1	5
tests/test_drs_endpoint.py	4	0	0	4
tests/test_oidc_client.py	2	0	0	2
tests/test_client_credentials.py	1	0	0	1
tests/test_register_user.py	2	0	0	2
tests/test_user_token.py	5	0	0	5
tests/test_google_data_access.py	1	0	0	1
tests/test_ras_authn.py	0	0	3	3
TOTAL	67	1	8	76

Test summary after rerunning failed integration tests

filepath	passed	SUBTOTAL
tests/test_centralized_auth.py	1	1
TOTAL	1	1

Please find the detailed integration test report here

Please find the detailed integration test report after rerunning failed tests here

Please find the Github Action logs here

Also remove additional logging.

github-actions · 2026-03-09T20:58:43Z

filepath	passed	skipped	SUBTOTAL
tests/test_oauth2.py	15	0	15
tests/test_centralized_auth.py	16	0	16
tests/test_audit_service.py	3	3	6
tests/test_data_upload.py	8	1	9
tests/test_presigned_url.py	7	0	7
tests/test_dbgap.py	4	1	5
tests/test_drs_endpoint.py	4	0	4
tests/test_user_token.py	5	0	5
tests/test_register_user.py	2	0	2
tests/test_google_data_access.py	1	0	1
tests/test_client_credentials.py	1	0	1
tests/test_oidc_client.py	2	0	2
tests/test_ras_authn.py	0	3	3
TOTAL	68	8	76

Please find the detailed integration test report here

Please find the Github Action logs here

k-burt-uch · 2026-03-31T16:33:23Z

fence/sync/sync_users.py

+                parameters["key_filename"] = str(server.get("private_key_filename"))
+
+                # patch paramiko to use sha256 instead of md5 for fips compliance
+                if server.get("is_fips_enabled", False):


We should remove this feature flag and call out in the release notes, maybe under Deployment Changes, that paramiko will no longer connect using md5.

Also, could we update this so paramiko's sha256 is used for both authN flows?

github-actions · 2026-04-01T19:45:23Z

filepath	passed	skipped	SUBTOTAL
tests/test_oauth2.py	15	0	15
tests/test_centralized_auth.py	16	0	16
tests/test_audit_service.py	3	3	6
tests/test_data_upload.py	8	1	9
tests/test_presigned_url.py	7	0	7
tests/test_dbgap.py	4	1	5
tests/test_user_token.py	5	0	5
tests/test_drs_endpoint.py	4	0	4
tests/test_register_user.py	2	0	2
tests/test_google_data_access.py	1	0	1
tests/test_oidc_client.py	2	0	2
tests/test_client_credentials.py	1	0	1
tests/test_ras_authn.py	0	3	3
TOTAL	68	8	76

Please find the detailed integration test report here

Please find the Github Action logs here

Also switch to lambda for enhanced readability.

github-actions · 2026-04-01T21:20:41Z

Test summary after running integration tests

filepath	passed	failed	skipped	SUBTOTAL
tests/test_oauth2.py	15	0	0	15
tests/test_centralized_auth.py	15	1	0	16
tests/test_audit_service.py	3	0	3	6
tests/test_data_upload.py	8	0	1	9
tests/test_presigned_url.py	7	0	0	7
tests/test_dbgap.py	4	0	1	5
tests/test_drs_endpoint.py	4	0	0	4
tests/test_register_user.py	2	0	0	2
tests/test_user_token.py	5	0	0	5
tests/test_google_data_access.py	1	0	0	1
tests/test_client_credentials.py	1	0	0	1
tests/test_oidc_client.py	2	0	0	2
tests/test_ras_authn.py	0	0	3	3
TOTAL	67	1	8	76

Test summary after rerunning failed integration tests

filepath	passed	SUBTOTAL
tests/test_centralized_auth.py	1	1
TOTAL	1	1

Please find the detailed integration test report here

Please find the detailed integration test report after rerunning failed tests here

Please find the Github Action logs here

DEV-3876: Add pubkey AuthN

df393e0

DEV-3876: Modify line comment

a13a7db

mpsolano added 2 commits March 6, 2026 14:11

DEV-3876: Add temporary logging to troubleshoot

ee10b88

DEV-3876: Raise exception after catching

59741a2

DEV-3876: Monkeypatch paramiko get_fingerprint

700f33a

DEV-3876: Only patch if private key is set

808a6a1

mpsolano added 3 commits March 9, 2026 14:39

DEV-3876: Add and use is_fips_enabled property.

c3d2eb1

Also remove additional logging.

DEV-3876: Remove temporary proxy log statement

0462e3d

DEV-3876: Fix typo

6e567f3

mpsolano marked this pull request as ready for review March 11, 2026 16:43

k-burt-uch requested changes Mar 31, 2026

View reviewed changes

Merge branch 'master' into feat/dev-3876-add-dbgap-sftp-pubkey-authn

2ea8c96

DEV-3876: Implement PR suggestions.

ca4f907

Also switch to lambda for enhanced readability.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

DEV-3876: Add pubkey AuthN#1334

DEV-3876: Add pubkey AuthN#1334
mpsolano wants to merge 11 commits intomasterfrom
feat/dev-3876-add-dbgap-sftp-pubkey-authn

mpsolano commented Feb 19, 2026 •

edited

Loading

Uh oh!

coveralls commented Feb 19, 2026 •

edited

Loading

Uh oh!

github-actions bot commented Feb 19, 2026

Uh oh!

github-actions bot commented Feb 19, 2026

Uh oh!

github-actions bot commented Mar 6, 2026

Uh oh!

github-actions bot commented Mar 9, 2026

Uh oh!

github-actions bot commented Mar 9, 2026

Uh oh!

github-actions bot commented Mar 9, 2026

Uh oh!

k-burt-uch Mar 31, 2026

Uh oh!

github-actions bot commented Apr 1, 2026

Uh oh!

github-actions bot commented Apr 1, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

mpsolano commented Feb 19, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

coveralls commented Feb 19, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Pull Request Test Coverage Report for Build 23868987927

Details

💛 - Coveralls

Uh oh!

github-actions bot commented Feb 19, 2026

Uh oh!

github-actions bot commented Feb 19, 2026

Uh oh!

github-actions bot commented Mar 6, 2026

Uh oh!

github-actions bot commented Mar 9, 2026

Uh oh!

github-actions bot commented Mar 9, 2026

Uh oh!

github-actions bot commented Mar 9, 2026

Uh oh!

k-burt-uch Mar 31, 2026

Choose a reason for hiding this comment

Uh oh!

github-actions bot commented Apr 1, 2026

Uh oh!

github-actions bot commented Apr 1, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

mpsolano commented Feb 19, 2026 •

edited

Loading

coveralls commented Feb 19, 2026 •

edited

Loading