tea-build.117: DO NOT USE.

Please see https://github.com/asfadmin/thin-egress-app/releases/tag/tea-build.118

tea-build.115: Add CORS support and update CVEs

What changed in TEA:

✳️ ⚠️ 🚨 There is an IMPORTANT post-upgrade step below 🚨 ⚠️

✳️ Smarter In-Region control:

• Get IP from x-forwarded-for header if present instead of context['identity']['sourceIp']
  • x-forwarded-for header CAN be polluted, but that would only work against a user.
  • In EDC, sourceIp is the Egress System, not the end-user IP.
• Pre-signed URLs using the In-Region roles cannot be used outside the origin region.

✳️ CVE Remediation:

• Update cryptography from 3.4.7 to 3.4.8
• Update chalice from 1.22.4 to 1.24.2

✳️ Dynamic CORS Support:

• You can enable CORS header responses by the UseCorsCookieDomain parameter;
• If enabled, and a CookieDomain is provided, Requests with Origin Header matching CookieDomain will result in the following Response Headers:
  • Access-Control-Allow-Origin: "<Origin-Value>"
  • Access-Control-Allow-Credentials: "true"
• By default, CORS support is NOT enabled.

CloudFormation Template changes:

• Added Template Parameter UseCorsCookieDomain enables cross origin resource sharing

Terraform Module Changes:

• Added Terraform Variable use_cors in variables thin-egress-app/variabes.tf) to set UseCorsCookieDomain in thin-egress-app/terraform/main.tf value

⚠️ 🚨IMPORTANT NOTE ON UPGRADES 🚨 ⚠️

✳️ Important post-upgrade steps:

This version includes a change to the In-Region role. To ensure In-Region downloads are successful after upgrading to to build.115, run the following commands to re-build the role. This step can be omitted if you're doing a new/fresh install.

# Manually invoke the UpdatePolicyLambda to re-build the in-region IAM Policy 
$ aws --region=us-west-2 --profile=<profile> lambda list-functions \
                  --query 'Functions[?ends_with(FunctionName,`UpdatePolicyLambda`)].FunctionName' \
                  --output=text
<TEA-STACK>-UpdatePolicyLambda

$ aws --region=us-west-2 --profile=<profile> lambda invoke \
                  --function-name <TEA-STACK>-UpdatePolicyLambda \
                  --payload "{}" -
{
    "StatusCode": 200,
    "ExecutedVersion": "$LATEST"
}

# Manually invoke the TeaBumper to flush the session cache
$  aws --region=us-west-2 --profile=<profile> lambda list-functions \
                  --query 'Functions[?ends_with(FunctionName,`BumperLambda`)].FunctionName' \
                  --output=text
<TEA-STACK>-BumperLambda

$ aws --region=us-west-2 --profile=<profile> lambda invoke \
                  --function-name <TEA-STACK>-BumperLambda --payload "{}" -
{
    "StatusCode": 200,
    "ExecutedVersion": "$LATEST"
}

Theses steps can be run from the AWS lambda console using an empty test event too.

⚠️ Do Not Use! ⚠️

⚠️ See build.115!

tea-build.107: CVE + Project Name Extension

✳️ CVE Remediation:

• jwcrypto: 0.8 => 0.9.1
• jinja2: 2.11.3 => 3.0.1
• python-jose: 3.2.0 => 3.3.0

CloudFormation Template changes

• No changes

Terraform Module Changes

• Increate the stack-name to 36 chars

tea-build.105: BumperLambda + CVE

What changed in TEA:

✳️ Issue#328 New BumperLambda Function to dynamically reload environment cache

• Read about new lambda here.

✳️ Issue#274 Added RequestId to cumulus format log messages

✳️ Issue#277 Figure out a way to invalidate ONE user JWT/Session

• This is JUST the initial implementation for manual validation. No docs or supporting infrastructure. It works though.

✳️ CVE Remediation:

• chalice: 1.22.1 => 1.22.4
• cryptography: 3.4.6 => 3.4.7
• pyjwt: 2.0.1 => 2.1.0

CloudFormation Template changes

• Added BumperLambda infrastructure

Terraform Module Changes

• No changes

tea-build.106: CVE

✳️ CVE Remediation:

• jwcrypto: 0.8 => 0.9.1
• jinja2: 2.11.3 => 3.0.1
• python-jose: 3.2.0 => 3.3.0

CloudFormation Template changes

• No changes

Terraform Module Changes

• Increate the stack-name to 36 chars

tea-build.103: PI 21.1 CVE Remediation

What changed in TEA:

✳️ CVE Remediation:

• chalice: 1.21.7 => 1.22.1
• cryptography: 3.3.1 => 3.4.6
• jinja2: 2.11.2 => 2.11.3
• pyjwt: 1.7.1 => 2.0.1
• PyYAML: 5.3.1 => 5.4.1

CloudFormation Template changes

• No changes

Terraform Module Changes

• No changes

tea-build.102: Object Prefix access control

What changed in TEA:

✳️ New Object Prefix Access control

• Specify data as Public or Private based on Object Prefix

✳️ Cumulus Integrations:

• Added lookup() to CloudFormation output egress_lambda_name to prevent upgrade errors

✳️ New /pubkey public endpoint

• Allows validating JWT cookie by external or 3rd party services

✳️ Python Package Updates for security compliance

• Updated cfnresponse , chalice , cryptography , and pyOpenSSL to latest versions

✳️ Various other Improvements

• Added EDL User email address to JWT payload
• Added the RequestID to the user-facing error page
• Fixed a bug that prevented using API Gateway test harness because of empty headers

CloudFormation Template changes

• No changes to Inputs/Outputs

Terraform Module Changes

• egress_lambda_name slightly changed as specified above.

tea-build.100: Memory control & log improvements

What changed in TEA:

✳️ Major logging improvements

• New JSON log format for better CloudWatch Log Insights Integration
  • JSON logs are stamp with EDL User ID if known
  • FLAT format logs are still optionally available
• Better logging of invalid Range requests
• "Cumulus" format logs are now pure-JSON format.

✳️ Configurable Lambda memory allocation

• Default is now 1792MB, which ensure 1 dedicated vCPU for best performance
• Memory allocation can be lowered for cost purposes.
  • The Lambda only need around 600MB.
  • 128MB (Lambda Minimum) will work, but will result is more latency and timeouts

CloudFormation Template changes

• LambdaMemory parameter added with Default 1792MB.
• LogType parameter added with valid Option JSON (default) and FLAT.

Terraform Module Changes

• lambda_memory variable added to control deployment of LambdaMemory CF Parameter
• log_type variable added to control deployment of LogType CF Parameter

⚠️⚠️⚠️ Insecurity Warning: ⚠️⚠️⚠️

• This version uses cryptography==3.2, which is the latest version, but contains CVE-2020-25659, an unmitigated bug affecting this, and previous versions of cryptography. There is no remediation at this point.
• cryptography<=3.2 also uses Python's Lib/ipaddress.py, another unmitigated potential threat that exists in previous versions

tea-build.98: CI/CD Improvements + Bug Fixes

What changed in TEA:

✳️ Refactored and Upgraded CI/CD environment

• New unit test framework
• New dockerized build workflow
• Improved test coverage and maintainability

✳️ Updated dependencies to remove CVE:

• chalice: 1.18.1 => 1.20.1
• cryptography: 3.1 => 3.1.1

✳️ Detect and refresh JWT Cookie upon profile update

• If a user is added to a group update the profile in JWT cookie

✳️ Updated Documentation

• Added a Table of Contents, refreshed contented, added new deploy.sh fast-deploy bootstrap script

✳️ EULA non-agreement behavior was slightly changed

• EULA error now populates new template variables for better downstream error handling

✳️ Application Bucket access issues error changed from 500 to 400

✳️ New Egress Lambda Name output parameter for Cumulus

✳️ Resolved an issue that manifested as a fatal error when buckets had the string 'bucket' in the name

CloudFormation Template changes

• EgressLamdaName output added.

Terraform Module Changes

• egress_lambda_name output added.

⚠️⚠️⚠️ BREAKING CHANGES! ⚠️⚠️⚠️

• var.stack_name value is now limited to 35 characters