Merge pull request #222 from asfadmin/devel

Fix bc_config_client cache timeout bug

README.MD

@@ -49,7 +49,7 @@ If you are deploying in another region, you must upload the lambda and dependenc
 If you prefer to roll your own zip for the lambda code:
 
 #### Dependency Layer
-We've found that the if the dependency layer isn't built in an `amazonlinux:2` environment, the JWT crypto doesn't work. Here are instructions for gathering and packaging the dependencies in an `amazonlinux` docker container.
+We've found that if the dependency layer isn't built in an `amazonlinux:2` environment, the JWT crypto doesn't work. Here are instructions for gathering and packaging the dependencies in an `amazonlinux` docker container.
 ```bash
 
 # Make up a filename for code archive:
@@ -112,7 +112,7 @@ aws s3 cp --profile=default ./${CODE_ARCHIVE_FILENAME} s3://${CODE_BUCKET}/
 ### AWS Secrets
 
 #### Setting up the URS client secrets:
-`UrsId` can be found on your SSO appication's URS home page as `Client ID`. 
+`UrsId` can be found on your SSO application's URS home page as `Client ID`. 
 
 `UrsAuth` is the `UID` for your URS SSO app and password separated by a colon. You can create the value with the command below. See URS' [Request Authorization Code](https://urs.earthdata.nasa.gov/sso_client_impl) documentation for more details.
 
@@ -158,7 +158,7 @@ aws secretsmanager create-secret --name jwt_secret_for_tea \
 ```
 
 ##### Option 2: Using bash script
-You can create en encoded b64 key pair by running the provided [setup_jwt_cookie.sh](https://github.com/asfadmin/thin-egress-app/blob/devel/setup_jwt_cookie.sh) script :
+You can create an encoded b64 key pair by running the provided [setup_jwt_cookie.sh](https://github.com/asfadmin/thin-egress-app/blob/devel/setup_jwt_cookie.sh) script :
 ```bash
 profile_name=<aws_profile> aws_region=<region> bash setup_jwt_cookie.sh
 ```
@@ -258,7 +258,7 @@ This is the base template.
 
 Blocks: 
  * `pagetitle`: Gets inserted inside the `<title></title>` element
- * `content`
+ * `content`: Content payload fed into the template.
 
 **root.html**
 Child template. Gets called by `/` and `/logout` for 200 responses.
@@ -432,7 +432,7 @@ Its payload looks something like this:
 ![TEA](https://github.com/asfadmin/thin-egress-app/blob/devel/harmony-chain.png)
 
 #### TEA can accept a shared EDL Token as an Authorization (Bearer Token) method
-To enable this behavior, EDL Apps (Service + TEA) must belong to a shared EDL App Group. Processing a shared toekn is temporally expensive. After the initial request, subsequent Service->TEA data requests should reuse cookies. EULA enforment is preserved in with shared tokens. 
+To enable this behavior, EDL Apps (Service + TEA) must belong to a shared EDL App Group. Processing a shared token is temporally expensive. After the initial request, subsequent Service->TEA data requests should reuse cookies. EULA enforcement is preserved in with shared tokens. 
 
 ## Troubleshooting.
 Something went wrong. Here are some solutions:
@@ -446,7 +446,3 @@ If you see an error message in the Cloudformation Events like this:
 #### Solution:
 
 `EnableApiGatewayLogToCloudWatch` is set to `True`. If you don't need API Gateway logging to cloudwatch, set to `False`. If you do, you must create a role with write access to Cloudwatch Logs and add its ARN here: https://console.aws.amazon.com/apigateway/home?region=<REGION>#/settings
-
-#### Error message: 
-
-#### Solution:

lambda/app.py

@@ -407,11 +407,21 @@ def get_range_header_val():
 
 def get_bc_config_client(user_id):
     params = {}
+    now = time.time()
+
     if user_id not in bc_client_cache:
+        # This a new user, generate a new bc_Config client
         params['config'] = bc_Config(**get_bcconfig(user_id))
         session = get_role_session(user_id=user_id)
-        bc_client_cache[user_id] = session.client('s3', **params)
-    return bc_client_cache[user_id]
+        bc_client_cache[user_id] = {"client": session.client('s3', **params), "timestamp": now }
+    elif now - bc_client_cache[user_id]["timestamp"] >= (50*60): 
+        # Replace the client if is more than 50 minutes old 
+        log.info(f"Replacing old bc_Config_client for user {user_id}")
+        params['config'] = bc_Config(**get_bcconfig(user_id))
+        session = get_role_session(user_id=user_id)
+        bc_client_cache[user_id] = {"client": session.client('s3', **params), "timestamp": now }
+
+    return bc_client_cache[user_id]["client"]
 
 
 def get_data_dl_s3_client():

lambda/requirements.txt

@@ -1,10 +1,10 @@
 aws-requests-auth==0.4.3
 cfnresponse==1.0.2
-chalice==1.18.0
-cryptography==3.0
+chalice==1.18.1
+cryptography==3.1
 flatdict==4.0.1
 jinja2==2.11.2
-jwcrypto==0.7
+jwcrypto==0.8
 netaddr==0.8.0
 pyjwt==1.7.1
 pyOpenSSL==19.1.0 # maybe not necessary