Merge pull request #208 from asfadmin/devel

Public Release Of EDL Bearer Token support

.gitignore

@@ -9,3 +9,5 @@
 bucket_map.yaml
 terraform.tfstate*
 *.tfvars
+build/requirements_dev.txt
+build/tea-dev.Dockerfile

README.MD

@@ -1,5 +1,5 @@
 # TEA (Thin Egress App)
-![TEA](https://github.com/asfadmin/thin-egress-app/blob/bb.img/tea.png)
+![TEA](https://github.com/asfadmin/thin-egress-app/blob/devel/tea.png)
 ## About
 The Thin Egress App is an app running in lambda that creates temporary S3 links and provides URS integration. It provides a lightweight egress solution for when you don't need to throttle or cut off egress.
 
@@ -112,12 +112,12 @@ aws s3 cp --profile=default ./${CODE_ARCHIVE_FILENAME} s3://${CODE_BUCKET}/
 ### AWS Secrets
 
 #### Setting up the URS client secrets:
-`UrsId` can be found on your appication's URS home page as `Client ID`. 
+`UrsId` can be found on your SSO appication's URS home page as `Client ID`. 
 
-`UrsAuth` is the `Client ID` and password separated by a colon. You can create the value with the command below. See URS' [Request Authorization Code](https://urs.earthdata.nasa.gov/sso_client_impl) documentation for more details.
+`UrsAuth` is the `UID` for your URS SSO app and password separated by a colon. You can create the value with the command below. See URS' [Request Authorization Code](https://urs.earthdata.nasa.gov/sso_client_impl) documentation for more details.
 
 ```bash
-echo -n "<Client ID>:<App Password>" | openssl base64 
+echo -n "<UID>:<App Password>" | openssl base64 
 ```
 
 
@@ -166,7 +166,7 @@ profile_name=<aws_profile> aws_region=<region> bash setup_jwt_cookie.sh
 
 ### Buckets and Bucket map
 
-The bucket map allows the app to determine in which bucket to look when given the path from the URL. It's possible to separate the maps into separate files for bucket, public and private, but this functionality is deprecated and will be removed in a future version of TEA.
+The bucket map allows the app to determine in which bucket to look when given the path from the URL.
 
 If a url for a product would look like:
 ```https://datapile.domain.com/STAGE/PROCESSING_TYPE_1/PLATFORM_A/datafile.dat```
@@ -427,6 +427,13 @@ Its payload looks something like this:
 
 ```
 
+## Service chaining with Shared Tokens
+
+![TEA](https://github.com/asfadmin/thin-egress-app/blob/devel/harmony-chain.png)
+
+#### TEA can accept a shared EDL Token as an Authorization (Bearer Token) method
+To enable this behavior, EDL Apps (Service + TEA) must belong to a shared EDL App Group. Processing a shared toekn is temporally expensive. After the initial request, subsequent Service->TEA data requests should reuse cookies. EULA enforment is preserved in with shared tokens. 
+
 ## Troubleshooting.
 Something went wrong. Here are some solutions:
 

cloudformation/thin-egress-app.yaml

@@ -43,8 +43,6 @@ Metadata:
           - BucketnamePrefix
           - BucketMapFile
           - UseReverseBucketMap
-          - PublicBucketsFile
-          - PrivateBucketsFile
           - DownloadRoleArn
           - DownloadRoleInRegionArn
           - SuppressHeadCheck
@@ -142,6 +140,8 @@ Parameters:
     AllowedValues:
       - 'https://urs.earthdata.nasa.gov'
       - 'https://uat.urs.earthdata.nasa.gov'
+      - 'https://sit.urs.earthdata.nasa.gov'
+      - 'https://sbx.urs.earthdata.nasa.gov'
     Default: 'https://urs.earthdata.nasa.gov'
     Description: "Is the 'AUTH_BASE_URL' env var in the lambda."
 
@@ -212,15 +212,6 @@ Parameters:
       - "True"
     Description: "Do not validate if a file exists before creating pre-signed URL. "
 
-  PublicBucketsFile:
-    Type: String
-    Default: ''
-    Description: "Deprecated, will be removed in a near-future version of TEA. Path and file of public buckets file's location in the ConfigBucket."
-
-  PrivateBucketsFile:
-    Type: String
-    Default: ''
-    Description: "Deprecated, will be removed in a near-future version of TEA. Path and file of private buckets file's location in the ConfigBucket."
 
   DownloadRoleArn:
     Type: String
@@ -285,6 +276,7 @@ Resources:
     Condition: CreateDownloadRole
     Properties:
       RoleName: !Sub "${AWS::StackName}-DownloadRoleInRegion"
+      MaxSessionDuration: 43200
       PermissionsBoundary:
         !If
         - UsePermissionsBoundary
@@ -319,6 +311,7 @@ Resources:
     Condition: CreateDownloadRole
     Properties:
       RoleName: !Sub "${AWS::StackName}-DownloadRoleLocal"
+      MaxSessionDuration: 43200
       PermissionsBoundary:
         !If
         - UsePermissionsBoundary
@@ -349,6 +342,7 @@ Resources:
     Type: AWS::IAM::Role
     Properties:
       RoleName: !Sub "${AWS::StackName}-EgressLambdaIamRole"
+      MaxSessionDuration: 43200
       PermissionsBoundary:
         !If
           - UsePermissionsBoundary
@@ -536,8 +530,6 @@ Resources:
           CONFIG_BUCKET: !Ref ConfigBucket
           BUCKET_MAP_FILE: !Ref BucketMapFile
           USE_REVERSE_BUCKET_MAP: !Ref UseReverseBucketMap
-          PUBLIC_BUCKETS_FILE: !Ref PublicBucketsFile
-          PRIVATE_BUCKETS_FILE: !Ref PrivateBucketsFile
           EGRESS_APP_DOWNLOAD_ROLE_ARN: !If [ CreateDownloadRole, !GetAtt DownloadRoleLocal.Arn, !Ref DownloadRoleArn ]
           EGRESS_APP_DOWNLOAD_ROLE_INREGION_ARN: !If [ CreateDownloadRole, !GetAtt DownloadRoleInRegion.Arn, !Ref DownloadRoleInRegionArn ]
           HTML_TEMPLATE_DIR: !Ref HtmlTemplateDir