update schema

Author: pymonger

CHANGELOG.md

@@ -5,7 +5,32 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [X.Y.Z] - 2022-MM-DD
+## [0.0.2] - 2024-12-19
+
+### Added
+
+- Cognito token authentication support with automatic refresh
+- Bearer token authentication for enhanced security
+- `TokenManager` class for token lifecycle management
+- `fetch_cognito_token()` function for Cognito integration
+- `get_auth_headers()` utility for authentication headers
+- Comprehensive test coverage for authentication features
+- Example scripts demonstrating token usage
+- Updated documentation for authentication configuration
+
+### Changed
+
+- Enhanced `SubmitDagByID` action to support multiple authentication methods
+- Added `httpx` dependency for modern HTTP client functionality
+- Maintained backward compatibility with existing basic auth
+
+### Security
+
+- Replaced basic authentication with more secure Bearer token authentication
+- Added automatic token refresh to prevent authentication failures
+- Implemented token caching to reduce API calls to Cognito
+
+## [0.0.1] - 2022-MM-DD
 
 ### Added
 

README.md

@@ -160,6 +160,63 @@ and a trigger event payload for a new file that was triggered:
 
 In this case, the router sees that the action is `submit_dag_by_id` and thus makes a REST call to SPS to submit the URL payload, payload info, and `on_success` parameters as a DAG run. If the evaulator, running now as a DAG in SPS instead of an AWS Lambda function, successfully evaluates that everything is ready for this input file, it can proceed to submit a DAG run for the `submit_nisar_l0a_te_dag` DAG in the underlying SPS.
 
+### Authentication for Airflow DAG Submissions
+
+The `submit_dag_by_id` action supports multiple authentication methods for connecting to Airflow REST APIs. The authentication method is determined by the parameters provided in the router configuration:
+
+#### 1. Bearer Token Authentication (Recommended)
+Use a direct bearer token for authentication. This is the most secure method:
+
+```yaml
+actions:
+  - name: submit_dag_by_id
+    params:
+      dag_id: example_dag
+      airflow_base_api_endpoint: https://airflow.example.com/api/v1
+      airflow_token: ${AIRFLOW_BEARER_TOKEN}  # Bearer token
+```
+
+#### 2. Cognito Token Authentication
+Use Unity Cognito credentials to automatically fetch and refresh tokens:
+
+```yaml
+actions:
+  - name: submit_dag_by_id
+    params:
+      dag_id: example_dag
+      airflow_base_api_endpoint: https://airflow.example.com/api/v1
+      unity_username: ${UNITY_USERNAME}
+      unity_password: ${UNITY_PASSWORD}
+      unity_client_id: ${UNITY_CLIENT_ID}
+      unity_region: us-west-2  # Optional, defaults to us-west-2
+```
+
+#### 3. Basic Authentication (Legacy)
+Use username/password for basic authentication (less secure):
+
+```yaml
+actions:
+  - name: submit_dag_by_id
+    params:
+      dag_id: example_dag
+      airflow_base_api_endpoint: https://airflow.example.com/api/v1
+      airflow_username: ${AIRFLOW_USERNAME}
+      airflow_password: ${AIRFLOW_PASSWORD}
+```
+
+#### Authentication Priority
+The system will use authentication in this order:
+1. **Bearer token** (if `airflow_token` is provided)
+2. **Cognito token** (if Unity credentials are provided)
+3. **Basic auth** (if username/password are provided)
+4. **No authentication** (if no credentials are provided)
+
+#### Token Management
+When using Cognito authentication:
+- Tokens are automatically cached and refreshed 5 minutes before expiration
+- Failed token refresh attempts fall back to credential-based fetching
+- No manual token management required
+
 <!-- ☝️ Replace with a more detailed description of your repository, including why it was made and whom its intended for.  ☝️ -->
 
 <!-- example links>

src/unity_initiator/resources/routers_schema.yaml

@@ -44,6 +44,15 @@ submit_dag_by_id_action:
   params:
     dag_id: str()
     airflow_base_api_endpoint: str(required=False)
+    # Authentication parameters - supports multiple methods:
+    # 1. Bearer token authentication (preferred)
+    airflow_token: str(required=False)
+    # 2. Cognito token authentication
+    unity_username: str(required=False)
+    unity_password: str(required=False)
+    unity_client_id: str(required=False)
+    unity_region: str(required=False)
+    # 3. Basic authentication (fallback)
     airflow_username: str(required=False)
     airflow_password: str(required=False)
     on_success: include("on_success_actions", required=False)