feat!: upgrade pyjwt to version 2.1.0

Makefile

@@ -91,8 +91,30 @@ REQ_FILES = \
 	requirements/edx/development \
 	scripts/xblock/requirements
 
+define COMMON_CONSTRAINTS_TEMP_COMMENT
+# This is a temporary solution to override the real common_constraints.txt\n# In edx-lint, until the pyjwt constraint in edx-lint has been removed.\n# See BOM-2721 for more details.\n# Below is the copied and edited version of common_constraints\n
+endef
+
+COMMON_CONSTRAINTS_TXT=requirements/common_constraints.txt
+.PHONY: $(COMMON_CONSTRAINTS_TXT)
+$(COMMON_CONSTRAINTS_TXT):
+	wget -O "$(@)" https://raw.githubusercontent.com/edx/edx-lint/master/edx_lint/files/common_constraints.txt || touch "$(@)"
+	echo "$(COMMON_CONSTRAINTS_TEMP_COMMENT)" | cat - $(@) > temp && mv temp $(@)
+
 compile-requirements: export CUSTOM_COMPILE_COMMAND=make upgrade
-compile-requirements: ## Re-compile *.in requirements to *.txt
+compile-requirements: $(COMMON_CONSTRAINTS_TXT) ## Re-compile *.in requirements to *.txt
+	# This is a temporary solution to override the real common_constraints.txt
+	# In edx-lint, until the pyjwt constraint in edx-lint has been removed.
+	# See BOM-271 for more details.
+	sed 's/pyjwt\[crypto\]<2.0.0//g' requirements/common_constraints.txt > requirements/common_constraints.tmp
+	mv requirements/common_constraints.tmp requirements/common_constraints.txt
+	sed 's/social-auth-core<4.0.3//g' requirements/common_constraints.txt > requirements/common_constraints.tmp
+	mv requirements/common_constraints.tmp requirements/common_constraints.txt
+	sed 's/edx-drf-extensions<7.0.0//g' requirements/common_constraints.txt > requirements/common_constraints.tmp
+	mv requirements/common_constraints.tmp requirements/common_constraints.txt
+	sed 's/edx-auth-backends<4.0.0//g' requirements/common_constraints.txt > requirements/common_constraints.tmp
+	mv requirements/common_constraints.tmp requirements/common_constraints.txt
+
 	@ export REBUILD='--rebuild'; \
 	for f in $(REQ_FILES); do \
 		echo ; \
@@ -108,7 +130,7 @@ compile-requirements: ## Re-compile *.in requirements to *.txt
 	sed '/^[dD]jango==/d' requirements/edx/testing.txt > requirements/edx/testing.tmp
 	mv requirements/edx/testing.tmp requirements/edx/testing.txt
 
-upgrade: pre-requirements ## update the pip requirements files to use the latest releases satisfying our constraints
+upgrade: pre-requirements  ## update the pip requirements files to use the latest releases satisfying our constraints
 	$(MAKE) compile-requirements COMPILE_OPTS="--upgrade"
 
 check-types: ## run static type-checking tests

lms/djangoapps/edxnotes/tests.py

@@ -1077,7 +1077,12 @@ def test_get_id_token(self):
         response = self.client.get(self.get_token_url)
         assert response.status_code == 200
         client = Application.objects.get(name='edx-notes')
-        jwt.decode(response.content, client.client_secret, audience=client.client_id)
+        jwt.decode(
+            response.content,
+            client.client_secret,
+            audience=client.client_id,
+            algorithms=[settings.JWT_AUTH['JWT_ALGORITHM']]
+        )
 
     @patch.dict("django.conf.settings.FEATURES", {"ENABLE_EDXNOTES": True})
     def test_get_id_token_anonymous(self):

openedx/core/djangoapps/oauth_dispatch/tests/mixins.py

@@ -46,8 +46,10 @@ def _decode_jwt(verify_expiration):
                 algorithms=[settings.JWT_AUTH['JWT_ALGORITHM']],
                 audience=audience,
                 issuer=issuer,
-                verify_expiration=verify_expiration,
-                options={'verify_signature': False},
+                options={
+                    'verify_signature': False,
+                    "verify_exp": verify_expiration
+                },
             )
 
         # Note that if we expect the claims to have expired

openedx/features/discounts/tests/test_views.py

@@ -46,7 +46,7 @@ def test_course_user_discount(self):
         assert expected_payload['discount_applicable'] == response.data['discount_applicable']
 
         # make sure that the response matches the expected response
-        response_payload = jwt.decode(response.data['jwt'], verify=False)
+        response_payload = jwt.decode(response.data['jwt'], options={"verify_signature": False})
         assert all(item in list(response_payload.items()) for item in expected_payload.items())
 
     def test_course_user_discount_no_user(self):

requirements/common_constraints.txt

@@ -0,0 +1,48 @@
+# This is a temporary solution to override the real common_constraints.txt
+# In edx-lint, until the pyjwt constraint in edx-lint has been removed.
+# See BOM-2721 for more details.
+# Below is the copied and edited version of common_constraints
+
+# A central location for most common version constraints
+# (across edx repos) for pip-installation.
+#
+# Similar to other constraint files this file doesn't install any packages.
+# It specifies version constraints that will be applied if a package is needed.
+# When pinning something here, please provide an explanation of why it is a good
+# idea to pin this package across all edx repos, Ideally, link to other information
+# that will help people in the future to remove the pin when possible.
+# Writing an issue against the offending project and linking to it here is good.
+#
+# Note: Changes to this file will automatically be used by other repos, referencing
+#  this file from Github directly. It does not require packaging in edx-lint.
+
+
+# using LTS django version
+Django<2.3
+
+# latest version is causing e2e failures in edx-platform.
+# See pyjwt[crypto]<2.0.0 comment.
+drf-jwt<1.19.1
+
+# 4.0.0 requires pyjwt[crypto] 2.1.0. See pyjwt[crypto]<2.0.0 comment.
+edx-auth-backends<4.0.0
+
+# 7.0.0 requires pyjwt[crypto] 2.1.0. See pyjwt[crypto]<2.0.0 comment.
+edx-drf-extensions<7.0.0
+
+# PyJWT[crypto] 2.0.0 has a number of breaking changes that we are
+# actively working to fix. A number of the active constraints are all related
+# to this effort. Additionally, your IDA/service may also be affected directly
+# by these changes. You should not upgrade without knowing what you are doing.
+pyjwt[crypto]<2.0.0
+
+# 5.0.0+ of social-auth-app-django requires social-auth-core>=4.1.0
+social-auth-app-django<5.0.0
+
+# latest version requires PyJWT>=2.0.0 but drf-jwt requires PyJWT[crypto]<2.0.0,>=1.5.2.
+# See pyjwt[crypto]<2.0.0 comment.
+social-auth-core<4.0.3
+
+# elasticsearch>=7.14.0 includes breaking changes in it which caused issues in discovery upgrade process.
+# elastic search changelog: https://www.elastic.co/guide/en/enterprise-search/master/release-notes-7.14.0.html
+elasticsearch<7.14.0

requirements/constraints.txt

@@ -10,7 +10,7 @@
 
 
 # This file contains all common constraints for edx-repos
--c https://raw.githubusercontent.com/edx/edx-lint/master/edx_lint/files/common_constraints.txt
+-c common_constraints.txt
 
 # celert>5.0.0 hasn't been tested yet, so the constraint will be removed after testing latest version
 celery<5.0.0
@@ -83,10 +83,6 @@ python-slugify<5.0.0
 # greater version has breaking changes and requires some migration steps.
 django-webpack-loader==0.7.0
 
-# edx-proctoring==3.11.4 (latest) requires PyJWT<2.0.0
-PyJWT[crypto]<2.0.0
-social-auth-core<4.0.0  # social-auth-core>=4.0.0 requires PYJWT>=2.0.0
-
 # celery requires click<8.0.0 which would be fixed once https://github.com/celery/celery/issues/6753 is done.
 click<8.0.0