unity-sds · pymonger · Jul 16, 2025 · Jul 16, 2025 · Jul 16, 2025 · Jul 16, 2025
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,22 +1,22 @@
 fail_fast: true
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.6.0
+    rev: v5.0.0
     hooks:
       # Git style
       - id: check-merge-conflict
       - id: check-symlinks
       - id: trailing-whitespace
 
   - repo: https://github.com/pycqa/isort
-    rev: 5.13.2
+    rev: 6.0.1
     hooks:
       - id: isort
         args: ["--profile", "black", "--filter-files"]
 
   # Using this mirror lets us use mypyc-compiled black, which is about 2x faster
   - repo: https://github.com/psf/black-pre-commit-mirror
-    rev: 24.4.2
+    rev: 25.1.0
     hooks:
       - id: black
         # It is recommended to specify the latest version of Python
@@ -27,24 +27,24 @@ repos:
 
   - repo: https://github.com/astral-sh/ruff-pre-commit
     # Ruff version.
-    rev: v0.4.5
+    rev: v0.12.3
     hooks:
       - id: ruff
         args: ["--ignore", "E501,E402"]
 
   - repo: https://github.com/PyCQA/bandit
-    rev: "1.7.8" # you must change this to newest version
+    rev: "1.8.6" # you must change this to newest version
     hooks:
       - id: bandit
         args: ["--severity-level=high", "--confidence-level=high"]
 
   - repo: https://github.com/PyCQA/prospector
-    rev: v1.10.3
+    rev: v1.17.2
     hooks:
       - id: prospector
 
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.90.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
+    rev: v1.99.5 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
     hooks:
       # Terraform Tests
       - id: terraform_fmt

diff --git a/.prospector.yaml b/.prospector.yaml
@@ -10,6 +10,11 @@ pylint:
   disable:
     - import-error
     - django-not-available
+    - import-outside-toplevel
+    - no-else-return
+    - consider-using-sys-exit
+    - too-many-arguments
+    - too-many-positional-arguments
   options:
     max-line-length: 159
 

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,7 +5,32 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [X.Y.Z] - 2022-MM-DD
+## [0.0.2] - 2024-12-19
+
+### Added
+
+- Cognito token authentication support with automatic refresh
+- Bearer token authentication for enhanced security
+- `TokenManager` class for token lifecycle management
+- `fetch_cognito_token()` function for Cognito integration
+- `get_auth_headers()` utility for authentication headers
+- Comprehensive test coverage for authentication features
+- Example scripts demonstrating token usage
+- Updated documentation for authentication configuration
+
+### Changed
+
+- Enhanced `SubmitDagByID` action to support multiple authentication methods
+- Added `httpx` dependency for modern HTTP client functionality
+- Maintained backward compatibility with existing basic auth
+
+### Security
+
+- Replaced basic authentication with more secure Bearer token authentication
+- Added automatic token refresh to prevent authentication failures
+- Implemented token caching to reduce API calls to Cognito
+
+## [0.0.1] - 2022-MM-DD
 
 ### Added
 

diff --git a/README.md b/README.md
@@ -160,6 +160,86 @@ and a trigger event payload for a new file that was triggered:
 
 In this case, the router sees that the action is `submit_dag_by_id` and thus makes a REST call to SPS to submit the URL payload, payload info, and `on_success` parameters as a DAG run. If the evaulator, running now as a DAG in SPS instead of an AWS Lambda function, successfully evaluates that everything is ready for this input file, it can proceed to submit a DAG run for the `submit_nisar_l0a_te_dag` DAG in the underlying SPS.
 
+### Authentication for Airflow DAG Submissions
+
+The `submit_dag_by_id` action supports multiple authentication methods for connecting to Airflow REST APIs. The authentication method is determined by the parameters provided in the router configuration:
+
+#### 1. Bearer Token Authentication (Recommended)
+Use a direct bearer token for authentication. This is the most secure method:
+
+```yaml
+actions:
+  - name: submit_dag_by_id
+    params:
+      dag_id: example_dag
+      airflow_base_api_endpoint: https://airflow.example.com/api/v1
+      airflow_token: ${AIRFLOW_BEARER_TOKEN}  # Bearer token
+```
+
+#### 2. OAuth2 Authentication (For Proxy Servers)
+Use OAuth2 authorization code flow for proxy authentication:
+
+```yaml
+actions:
+  - name: submit_dag_by_id
+    params:
+      dag_id: example_dag
+      airflow_base_api_endpoint: https://proxy.example.com/api/v1
+      oauth2_cognito_domain: your-domain.auth.us-west-2.amazoncognito.com
+      oauth2_client_id: your-oauth2-client-id
+      oauth2_redirect_uri: https://your-app.com/callback
+      oauth2_scope: openid email profile  # Optional, defaults to "openid email profile"
+      oauth2_region: us-west-2  # Optional, defaults to us-west-2
+      oauth2_verify_ssl: true  # Optional, defaults to true for security
+```
+
+**OAuth2 Flow Setup**:
+1. Use the provided `oauth2_token_init.py` script to initialize tokens
+2. The script will guide you through the authorization flow
+3. Tokens are automatically refreshed when needed
+
+#### 3. Cognito Token Authentication
+Use Unity Cognito credentials to automatically fetch and refresh tokens:
+
+```yaml
+actions:
+  - name: submit_dag_by_id
+    params:
+      dag_id: example_dag
+      airflow_base_api_endpoint: https://airflow.example.com/api/v1
+      unity_username: ${UNITY_USERNAME}
+      unity_password: ${UNITY_PASSWORD}
+      unity_client_id: ${UNITY_CLIENT_ID}
+      unity_region: us-west-2  # Optional, defaults to us-west-2
+```
+
+#### 4. Basic Authentication (Legacy)
+Use username/password for basic authentication (less secure):
+
+```yaml
+actions:
+  - name: submit_dag_by_id
+    params:
+      dag_id: example_dag
+      airflow_base_api_endpoint: https://airflow.example.com/api/v1
+      airflow_username: ${AIRFLOW_USERNAME}
+      airflow_password: ${AIRFLOW_PASSWORD}
+```
+
+#### Authentication Priority
+The system will use authentication in this order:
+1. **Bearer token** (if `airflow_token` is provided)
+2. **OAuth2 token** (if OAuth2 credentials are provided)
+3. **Cognito token** (if Unity credentials are provided)
+4. **Basic auth** (if username/password are provided)
+5. **No authentication** (if no credentials are provided)
+
+#### Token Management
+When using Cognito authentication:
+- Tokens are automatically cached and refreshed 5 minutes before expiration
+- Failed token refresh attempts fall back to credential-based fetching
+- No manual token management required
+
 <!-- ☝️ Replace with a more detailed description of your repository, including why it was made and whom its intended for.  ☝️ -->
 
 <!-- example links>