diff --git a/Makefile b/Makefile
index f5e14cf03b..39a48333a7 100644
--- a/Makefile
+++ b/Makefile
@@ -91,8 +91,30 @@ REQ_FILES = \
 requirements/edx/development \
 scripts/xblock/requirements
+define COMMON_CONSTRAINTS_TEMP_COMMENT
+# This is a temporary solution to override the real common_constraints.txt\n# In edx-lint, until the pyjwt constraint in edx-lint has been removed.\n# See BOM-2721 for more details.\n# Below is the copied and edited version of common_constraints\n
+endef
+
+COMMON_CONSTRAINTS_TXT=requirements/common_constraints.txt
+.PHONY: $(COMMON_CONSTRAINTS_TXT)
+$(COMMON_CONSTRAINTS_TXT):
+ wget -O "$(@)" https://raw.githubusercontent.com/edx/edx-lint/master/edx_lint/files/common_constraints.txt || touch "$(@)"
+ echo "$(COMMON_CONSTRAINTS_TEMP_COMMENT)" | cat - $(@) > temp && mv temp $(@)
+
 compile-requirements: export CUSTOM_COMPILE_COMMAND=make upgrade
-compile-requirements: ## Re-compile *.in requirements to *.txt
+compile-requirements: $(COMMON_CONSTRAINTS_TXT) ## Re-compile *.in requirements to *.txt
+ # This is a temporary solution to override the real common_constraints.txt
+ # In edx-lint, until the pyjwt constraint in edx-lint has been removed.
+ # See BOM-271 for more details.
+ sed 's/pyjwt\[crypto\]<2.0.0//g' requirements/common_constraints.txt > requirements/common_constraints.tmp
+ mv requirements/common_constraints.tmp requirements/common_constraints.txt
+ sed 's/social-auth-core<4.0.3//g' requirements/common_constraints.txt > requirements/common_constraints.tmp
+ mv requirements/common_constraints.tmp requirements/common_constraints.txt
+ sed 's/edx-drf-extensions<7.0.0//g' requirements/common_constraints.txt > requirements/common_constraints.tmp
+ mv requirements/common_constraints.tmp requirements/common_constraints.txt
+ sed 's/edx-auth-backends<4.0.0//g' requirements/common_constraints.txt > requirements/common_constraints.tmp
+ mv requirements/common_constraints.tmp requirements/common_constraints.txt
+
 @ export REBUILD='--rebuild'; \
 for f in $(REQ_FILES); do \
 echo ; \
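Review bot: The `|| touch "$(@)"` on the wget line of the new `$(COMMON_CONSTRAINTS_TXT)` rule masks a failed download: `wget -O` truncates the output before the transfer starts, so on a network error or 404 the recipe continues with an empty file, prepends the header comment, and `compile-requirements` then runs pip-compile with no common constraints at all and no error (the `-c common_constraints.txt` switch in requirements/constraints.txt inherits the same empty file). Let the fetch fail the build, and build the output under a name derived from `$@` instead of the fixed `temp`, which races under `make -j` and is left behind when `cat` fails. The `echo "$(COMMON_CONSTRAINTS_TEMP_COMMENT)"` line only yields four header lines when the shell's echo expands the literal `\n` in the define (dash does, bash does not; the committed requirements/common_constraints.txt shows the expanded form), so `printf '%b'` is the portable choice. Because the URL reads the unpinned `master` of edx-lint and the target is `.PHONY`, every `make compile-requirements` silently replaces the file committed in this same change with whatever master serves at that moment; pinning the URL to a reviewed commit would make the result reproducible. The recipe comment also says `BOM-271` where the define and the committed file say `BOM-2721`.
```make
COMMON_CONSTRAINTS_TXT=requirements/common_constraints.txt
.PHONY: $(COMMON_CONSTRAINTS_TXT)
$(COMMON_CONSTRAINTS_TXT):
	# No "|| touch": a failed download must fail the build, not leave an empty, pin-free file.
	# <EDX_LINT_COMMIT> is a placeholder: pin to a reviewed edx-lint commit rather than master.
	wget -O "$@.tmp" https://raw.githubusercontent.com/edx/edx-lint/<EDX_LINT_COMMIT>/edx_lint/files/common_constraints.txt
	printf '%b' "$(COMMON_CONSTRAINTS_TEMP_COMMENT)" | cat - "$@.tmp" > "$@.new"
	$(RM) "$@.tmp" && mv -f "$@.new" "$@"
# … unchanged: compile-requirements rule …
```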
@@ -108,7 +130,7 @@ compile-requirements: ## Re-compile *.in requirements to *.txt
 sed '/^[dD]jango==/d' requirements/edx/testing.txt > requirements/edx/testing.tmp
 mv requirements/edx/testing.tmp requirements/edx/testing.txt
-upgrade: pre-requirements ## update the pip requirements files to use the latest releases satisfying our constraints
+upgrade: pre-requirements ## update the pip requirements files to use the latest releases satisfying our constraints
 $(MAKE) compile-requirements COMPILE_OPTS="--upgrade"
 check-types: ## run static type-checking tests
diff --git a/lms/djangoapps/edxnotes/tests.py b/lms/djangoapps/edxnotes/tests.py
index 162f3562d0..313395aab6 100644
--- a/lms/djangoapps/edxnotes/tests.py
+++ b/lms/djangoapps/edxnotes/tests.py
@@ -1077,7 +1077,12 @@ class EdxNotesViewsTest(ModuleStoreTestCase):
 response = self.client.get(self.get_token_url)
 assert response.status_code == 200
 client = Application.objects.get(name='edx-notes')
- jwt.decode(response.content, client.client_secret, audience=client.client_id)
+ jwt.decode(
+ response.content,
+ client.client_secret,
+ audience=client.client_id,
+ algorithms=[settings.JWT_AUTH['JWT_ALGORITHM']]
+ )
 @patch.dict("django.conf.settings.FEATURES", {"ENABLE_EDXNOTES": True})
 def test_get_id_token_anonymous(self):
diff --git a/openedx/core/djangoapps/oauth_dispatch/tests/mixins.py b/openedx/core/djangoapps/oauth_dispatch/tests/mixins.py
index 67cf1ed99b..ae4a40bc0a 100644
--- a/openedx/core/djangoapps/oauth_dispatch/tests/mixins.py
+++ b/openedx/core/djangoapps/oauth_dispatch/tests/mixins.py
@@ -46,8 +46,10 @@ class AccessTokenMixin:
 algorithms=[settings.JWT_AUTH['JWT_ALGORITHM']],
 audience=audience,
 issuer=issuer,
- verify_expiration=verify_expiration,
- options={'verify_signature': False},
+ options={
+ 'verify_signature': False,
+ "verify_exp": verify_expiration
+ },
 )
 # Note that if we expect the claims to have expired
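Review bot: The new `options` dict in mixins.py mixes quote styles (`'verify_signature'` next to `"verify_exp"`) while the surrounding call uses single quotes, so `'verify_exp': verify_expiration,` would match the file. It is also worth a comment on why `verify_exp` is passed explicitly: as far as I can tell PyJWT 2 turns the other `verify_*` checks off by default once `verify_signature` is False, so without this key the expiry assertions in the callers would silently stop checking anything, e.g. `# verify_signature=False also disables the other checks unless set explicitly`. The enclosing method starts and ends outside the hunk, so I cannot see whether a key is still passed; with `verify_signature` False the `algorithms` argument on the first context line is not applied.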
diff --git a/openedx/features/discounts/tests/test_views.py b/openedx/features/discounts/tests/test_views.py
index a5ed4060cd..d5021802e1 100644
--- a/openedx/features/discounts/tests/test_views.py
+++ b/openedx/features/discounts/tests/test_views.py
@@ -46,7 +46,7 @@ class TestCourseUserDiscount(ModuleStoreTestCase):
 assert expected_payload['discount_applicable'] == response.data['discount_applicable']
 # make sure that the response matches the expected response
- response_payload = jwt.decode(response.data['jwt'], verify=False)
+ response_payload = jwt.decode(response.data['jwt'], options={"verify_signature": False})
 assert all(item in list(response_payload.items()) for item in expected_payload.items())
 def test_course_user_discount_no_user(self):
diff --git a/requirements/common_constraints.txt b/requirements/common_constraints.txt
new file mode 100644
index 0000000000..153332c5a2
--- /dev/null
+++ b/requirements/common_constraints.txt
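Review bot: `options={"verify_signature": False}` keeps the old `verify=False` behaviour, so the test still accepts any token body and would not notice the view signing with the wrong key or algorithm. If the key and algorithm the view signs with are reachable from test settings, decoding with them — `jwt.decode(response.data['jwt'], <signing key placeholder>, algorithms=[settings.JWT_AUTH['JWT_ALGORITHM']])` — would keep the claims comparison on the next line and add the signature check; if skipping the signature is deliberate, a one-line comment saying the test only inspects the claims would make that explicit. The enclosing test method starts before the hunk.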
@@ -0,0 +1,48 @@
+# This is a temporary solution to override the real common_constraints.txt
+# In edx-lint, until the pyjwt constraint in edx-lint has been removed.
+# See BOM-2721 for more details.
+# Below is the copied and edited version of common_constraints
+
+# A central location for most common version constraints
+# (across edx repos) for pip-installation.
+#
+# Similar to other constraint files this file doesn't install any packages.
+# It specifies version constraints that will be applied if a package is needed.
+# When pinning something here, please provide an explanation of why it is a good
+# idea to pin this package across all edx repos, Ideally, link to other information
+# that will help people in the future to remove the pin when possible.
+# Writing an issue against the offending project and linking to it here is good.
+#
+# Note: Changes to this file will automatically be used by other repos, referencing
+# this file from Github directly. It does not require packaging in edx-lint.
+
+
+# using LTS django version
+Django<2.3
+
+# latest version is causing e2e failures in edx-platform.
+# See pyjwt[crypto]<2.0.0 comment.
+drf-jwt<1.19.1
+
+# 4.0.0 requires pyjwt[crypto] 2.1.0. See pyjwt[crypto]<2.0.0 comment.
+edx-auth-backends<4.0.0
+
+# 7.0.0 requires pyjwt[crypto] 2.1.0. See pyjwt[crypto]<2.0.0 comment.
+edx-drf-extensions<7.0.0
+
+# PyJWT[crypto] 2.0.0 has a number of breaking changes that we are
+# actively working to fix. A number of the active constraints are all related
+# to this effort. Additionally, your IDA/service may also be affected directly
+# by these changes. You should not upgrade without knowing what you are doing.
+pyjwt[crypto]<2.0.0
+
+# 5.0.0+ of social-auth-app-django requires social-auth-core>=4.1.0
+social-auth-app-django<5.0.0
+
+# latest version requires PyJWT>=2.0.0 but drf-jwt requires PyJWT[crypto]<2.0.0,>=1.5.2.
+# See pyjwt[crypto]<2.0.0 comment.
+social-auth-core<4.0.3
+
+# elasticsearch>=7.14.0 includes breaking changes in it which caused issues in discovery upgrade process.
+# elastic search changelog: https://www.elastic.co/guide/en/enterprise-search/master/release-notes-7.14.0.html
+elasticsearch<7.14.0
diff --git a/requirements/constraints.txt b/requirements/constraints.txt
index d1c76f069b..68b44ff32f 100644
--- a/requirements/constraints.txt
+++ b/requirements/constraints.txt
@@ -10,7 +10,7 @@
 # This file contains all common constraints for edx-repos
--c https://raw.githubusercontent.com/edx/edx-lint/master/edx_lint/files/common_constraints.txt
+-c common_constraints.txt
 # celert>5.0.0 hasn't been tested yet, so the constraint will be removed after testing latest version
 celery<5.0.0
@@ -83,10 +83,6 @@ python-slugify<5.0.0
 # greater version has breaking changes and requires some migration steps.
 django-webpack-loader==0.7.0
-# edx-proctoring==3.11.4 (latest) requires PyJWT<2.0.0
-PyJWT[crypto]<2.0.0
-social-auth-core<4.0.0 # social-auth-core>=4.0.0 requires PYJWT>=2.0.0
-
 # celery requires click<8.0.0 which would be fixed once https://github.com/celery/celery/issues/6753 is done.
 click<8.0.0
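Review bot: The header of the new requirements/common_constraints.txt calls it the "copied and edited version", yet the four pins the Makefile's sed lines strip (`pyjwt[crypto]<2.0.0`, `social-auth-core<4.0.3`, `edx-drf-extensions<7.0.0`, `edx-auth-backends<4.0.0`) are all still present, so what is committed is the unedited download and differs from the file `make compile-requirements` leaves behind. Since requirements/constraints.txt now resolves `-c common_constraints.txt` against this committed copy, a reader of the repository sees pins that the compile step does not actually apply. Either commit the post-sed content, or say in the header which lines are removed at compile time, e.g. `# The pyjwt, social-auth-core, edx-drf-extensions and edx-auth-backends pins below are stripped by the Makefile before pip-compile runs.`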