Merge pull request #128 from asfadmin/teatest-build.123-release

Release teatest-build.123 publically

README.MD

@@ -163,9 +163,8 @@ aws secretsmanager create-secret --name urs_creds_for_tea \
     --description "URS creds for TEA app" \
     --secret-string file://urscreds.json
 ```
-
-
 #### Setting up the JWT Cookie secrets
+##### Option 1: Manually
 Create a key pair and b64 encode them:
 ```bash
 ssh-keygen -t rsa -b 4096 -m PEM -f ./jwtcookie.key
@@ -186,6 +185,12 @@ aws secretsmanager create-secret --name jwt_secret_for_tea \
     --secret-string file://jwtkeys.json
 ```
 
+##### Option 2: Using bash script
+You can create en encoded b64 key pair by running the provided setup_jwt_cookie.sh script :
+```bash
+profile_name=<aws_profile> aws_region=<region> bash setup_jwt_cookie.sh
+```
+
 
 ### Bucket map
 

build/Jenkinsfile

@@ -80,7 +80,9 @@ pipeline {
 
         // Zip up the upload.
         sh "echo '>> Building Zipfile....'"
+
         sh """ cd ${WORKSPACE}/lambda  && \
+               sed -i -e "s/<BUILD_ID>/${BUILDTAG}/" ./app.py && \
                zip -g ../${CODE_ARCHIVE_FILENAME} ./app.py && \
                zip -g -r ../${CODE_ARCHIVE_FILENAME} ./templates && \
                cd .. && \
@@ -93,9 +95,9 @@ pipeline {
         sh "cd ${WORKSPACE}"
         sh 'if [ ${APPTAG} != "tea" ]; then sed -i -e "s/asf.public.code/${CODE_BUCKET}/" ./cloudformation/thin-egress-app.yaml; fi'
         sh 'sed -i -e "s/<CODE_ARCHIVE_PATH_FILENAME>/${CODE_DIR}\\/${CODE_ARCHIVE_FILENAME}/" ./cloudformation/thin-egress-app.yaml'
-        sh 'sed -i -e "s/<BUILD_ID>/${NEWTAG}/" ./cloudformation/thin-egress-app.yaml'
-        sh 'sed -i -e "s/<BUILD_ID>/${NEWTAG}/" ./terraform/variables.tf'
-        sh 'sed -i -e "s;^Description:.*;Description: \\"TEA built by Jenkins job ${JOB_NAME}, ${NEWTAG}\\";" ./cloudformation/thin-egress-app.yaml'
+        sh 'sed -i -e "s/<BUILD_ID>/${BUILDTAG}/" ./cloudformation/thin-egress-app.yaml'
+        sh 'sed -i -e "s/<BUILD_ID>/${BUILDTAG}/" ./terraform/variables.tf'
+        sh 'sed -i -e "s;^Description:.*;Description: \\"TEA built by Jenkins job ${JOB_NAME}, ${BUILDTAG}\\";" ./cloudformation/thin-egress-app.yaml'
 
         // Zip up terraform
         sh "echo '>> Building Terraform Zip....'"
@@ -117,7 +119,7 @@ pipeline {
           sh "aws s3 cp ./cloudformation/thin-egress-app.yaml s3://${CODE_BUCKET}/${CODE_DIR}/${CF_TEMPLATE_FILENAME}"
 
           // Clarify in description that this stack is deployed by Jenkins
-          sh 'sed -i -e "s;^Description:.*;Description: \\"TEA built and deployed by Jenkins job ${JOB_NAME}, currently at ${NEWTAG}\\";" ./cloudformation/thin-egress-app.yaml'
+          sh 'sed -i -e "s;^Description:.*;Description: \\"TEA built and deployed by Jenkins job ${JOB_NAME}, currently at ${BUILDTAG}\\";" ./cloudformation/thin-egress-app.yaml'
           // Push out the CF Stack
           sh "echo '>> Deploying the CF stack'"
           sh """ aws cloudformation deploy --profile=jenkins --region=us-east-1 \

cloudformation/thin-egress-app.yaml

@@ -119,8 +119,9 @@ Parameters:
 
   JwtKeySecretName:
     Type: String
-    Default: ''
+    AllowedPattern: '[0-9a-zA-Z\.\-\+\/\_\+\=\.\@\-]+'
     Description: 'Name of secret that contains RSA public and private keys for use in encrypting JWT payload. Secret keys should be named "rsa_priv_key" and "rsa_pub_key" and contents should be base64 encoded.'
+    ConstraintDescription: 'Secret name must contain only alphanumeric characters and the characters /_+=.@-'
 
   JwtAlgo:
     Type: String
@@ -132,8 +133,9 @@ Parameters:
 
   URSAuthCredsSecretName:
     Type: String
-    Default: ''
+    AllowedPattern: '[0-9a-zA-Z\.\-\+\/\_\+\=\.\@\-]+'
     Description: "AWS Secrets Manager name of URS creds. Must consist of two rows, names 'UrsId' and 'UrsAuth'."
+    ConstraintDescription: 'Secret name must contain only alphanumeric characters and the characters /_+=.@-'
 
   AuthBaseUrl:
     Type: String
@@ -256,11 +258,17 @@ Conditions:
 
 Outputs:
   ExternalEndpoint:
-    Value: !Sub "https://${DomainName}/"
+    Value:
+      !If
+        - DomainNameIsSet
+        - !Sub "https://${DomainName}/"
+        - !Sub "https://${EgressApiGateway}.execute-api.${AWS::Region}.amazonaws.com/${EgressStage}/"
   URSredirectURI:
-    Value: !Sub "https://${DomainName}/login"
-  URSredirectNoDomainURI:
-    Value: !Sub "https://${EgressApiGateway}.execute-api.${AWS::Region}.amazonaws.com/${EgressStage}/login"
+    Value:
+      !If
+        - DomainNameIsSet
+        - !Sub "https://${DomainName}/login"
+        - !Sub "https://${EgressApiGateway}.execute-api.${AWS::Region}.amazonaws.com/${EgressStage}/login"
   ApiEndpoint:
     Value: !Sub "https://${EgressApiGateway}.execute-api.${AWS::Region}.amazonaws.com/${EgressStage}/"
   RestApiId:
@@ -611,6 +619,14 @@ Resources:
       PathPart: 'profile'
       RestApiId: !Ref EgressApiGateway
 
+  EgressApiResourceVersion:
+    Type: AWS::ApiGateway::Resource
+    DependsOn:
+      - EgressApiGateway
+    Properties:
+      ParentId: !GetAtt EgressApiGateway.RootResourceId
+      PathPart: 'version'
+      RestApiId: !Ref EgressApiGateway
 
   EgressAPIrootMethod:
     Type: AWS::ApiGateway::Method
@@ -740,7 +756,6 @@ Resources:
       ResourceId: !Ref EgressApiResourceDynamicUrl
       RestApiId: !Ref EgressApiGateway
 
-
   EgressAPIMethodProfile:
     Type: AWS::ApiGateway::Method
     Properties:
@@ -762,6 +777,27 @@ Resources:
       ResourceId: !Ref EgressApiResourceProfile
       RestApiId: !Ref EgressApiGateway
 
+  EgressAPIMethodVersion:
+    Type: AWS::ApiGateway::Method
+    Properties:
+      ApiKeyRequired: false
+      AuthorizationType: 'NONE'
+      HttpMethod: 'GET'
+      Integration:
+        IntegrationHttpMethod: 'POST'
+        IntegrationResponses:
+          - StatusCode: 200
+        Type: 'AWS_PROXY'
+        Uri: !Sub "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${EgressLambda.Arn}/invocations"
+      MethodResponses: #TODO: this, probably
+        - ResponseParameters:
+            'method.response.header.Set-Cookie': true
+          StatusCode: 200
+      OperationName: 'version method'
+      RequestParameters:
+        'method.request.header.Cookie': true
+      ResourceId: !Ref EgressApiResourceVersion
+      RestApiId: !Ref EgressApiGateway
 
   EgressAPIdeployment:
     Type: AWS::ApiGateway::Deployment

lambda/app.py

@@ -2,6 +2,7 @@
 from botocore.config import Config as bc_Config
 from botocore.exceptions import ClientError
 import os
+import json
 from urllib.parse import urlparse, quote_plus
 
 from rain_api_core.general_util import get_log
@@ -208,7 +209,7 @@ def logout():
     cookievars = get_cookie_vars(app.current_request.headers)
     template_vars = {'title': 'Logged Out', 'URS_URL': get_urs_url(app.current_request.context)}
 
-    if cookievars:
+    if 'urs-user-id' in cookievars and 'urs-access-token' in cookievars:
         user_id = cookievars['urs-user-id']
         urs_access_token = cookievars['urs-access-token']
         delete_session(user_id, urs_access_token)
@@ -232,6 +233,11 @@ def login():
     return make_html_response(template_vars, headers, status_code, 'error.html')
 
 
+@app.route('/version')
+def version():
+    return json.dumps({'version_id': '<BUILD_ID>'})
+
+
 def get_range_header_val():
 
     if 'Range' in app.current_request.headers:

lambda/requirements.txt

@@ -1,5 +1,5 @@
-jinja2==2.10.1
-PyYAML==5.2
+jinja2==2.11.1
+PyYAML==5.3
 aws-requests-auth==0.4.2
 pyjwt==1.7.1
 jwcrypto==0.6.0

setup_jwt_cookie.sh

@@ -0,0 +1,34 @@
+#! /usr/bash
+
+
+function GENERATE_JWTKEYS_FILE {
+    cat >  /tmp/jwtkeys.json <<EOL
+{
+    "rsa_priv_key": "${rsa_priv_key}",
+    "rsa_pub_key":  "${rsa_pub_key}"
+}
+
+EOL
+
+}
+
+function GENERATE_TEA_CREDS {
+  cd /tmp || exit 1
+  ssh-keygen -t rsa -b 4096 -m PEM -f ./jwtcookie.key -N ''
+  openssl base64 -in jwtcookie.key -out jwtcookie.key.b64
+  openssl base64 -in jwtcookie.key.pub -out jwtcookie.key.pub.b64
+
+  export rsa_priv_key=$(<jwtcookie.key.b64)
+  export rsa_pub_key=$(<jwtcookie.key.pub.b64)
+  rm jwtcookie.key*
+  GENERATE_JWTKEYS_FILE
+}
+
+GENERATE_TEA_CREDS
+aws secretsmanager create-secret --name tt_for_tea --profile ${profile_name:-default} --region ${aws_region:-us-east-1} \
+    --description "RS256 keys for TEA app JWT cookies" \
+    --secret-string file:/tmp/jwtkeys.json
+
+
+
+

terraform/main.tf

@@ -13,9 +13,12 @@ resource "aws_security_group" "egress_lambda" {
     protocol    = "-1"
     cidr_blocks = ["0.0.0.0/0"]
   }
+
+  tags = var.tags
 }
 
 resource "aws_s3_bucket" "lambda_source" {
+  tags = var.tags
 }
 
 resource "aws_s3_bucket_object" "lambda_source" {
@@ -72,6 +75,7 @@ resource "aws_cloudformation_stack" "thin_egress_app" {
     VPCSecurityGroupIDs             = local.vpc_security_group_ids_set ? join(",", var.vpc_security_group_ids) : aws_security_group.egress_lambda[0].id
     VPCSubnetIDs                    = join(",", var.vpc_subnet_ids)
   }
+  tags = var.tags
 }
 
 data "aws_cloudformation_stack" "thin_egress_stack" {

terraform/variables.tf

@@ -64,7 +64,7 @@ variable "jwt_algo" {
 
 variable "jwt_secret_name" {
   type        = string
-  default     = null
+  default     = "jwt_secret_for_tea"
   description = "Name of AWS secret where keys for JWT encode/decode are stored."
 }
 
@@ -157,6 +157,12 @@ variable "stage_name" {
   description = "This value will show up as the 'base' of the url path as so: https://xxxxxxxx.execute-api.us-east-1.amazonaws.com/<StageName>/and/so/on."
 }
 
+variable "tags" {
+  description = "Tags to be applied to managed resources"
+  type        = map(string)
+  default     = {}
+}
+
 variable "template_url" {
   type        = string
   default     = "https://s3.amazonaws.com/asf.public.code/thin-egress-app/tea-cloudformation-<BUILD_ID>.yaml"
@@ -165,7 +171,7 @@ variable "template_url" {
 
 variable "urs_auth_creds_secret_name" {
   type        = string
-  default     = null
+  default     = "urs_creds_for_tea"
   description = "AWS Secrets Manager name of URS creds. Must consist of two rows, names 'UrsId' and 'UrsAuth'."
 }