From 238954f66d0fcff74051ea03a68bf831771b5a48 Mon Sep 17 00:00:00 2001
From: Marcos
Date: Thu, 23 Jan 2025 12:41:37 -0300
Subject: [PATCH] fix: Removed JWT constants from CMS and added comments on how to generate them
---
 cms/envs/common.py | 9 ---------
 cms/envs/test.py | 31 ------------------------------
 lms/envs/common.py | 6 ++++++
 openedx/core/lib/tests/test_jwt.py | 3 +++
 requirements/edx/base.txt | 5 +++--
 requirements/edx/development.txt | 4 ----
 requirements/edx/doc.txt | 2 --
 requirements/edx/testing.txt | 2 --
 8 files changed, 12 insertions(+), 50 deletions(-)
diff --git a/cms/envs/common.py b/cms/envs/common.py
index 8f068a5c0072..591247388a9d 100644
--- a/cms/envs/common.py
+++ b/cms/envs/common.py
@@ -2530,15 +2530,6 @@
 EXAMS_SERVICE_URL = 'http://localhost:18740/api/v1'
 EXAMS_SERVICE_USERNAME = 'edx_exams_worker'
-############## Settings for JWT token handling ##############
-TOKEN_SIGNING = {
- 'JWT_ISSUER': 'http://127.0.0.1:8740',
- 'JWT_SIGNING_ALGORITHM': 'RS512',
- 'JWT_SUPPORTED_VERSION': '1.2.0',
- 'JWT_PRIVATE_SIGNING_JWK': None,
- 'JWT_PUBLIC_SIGNING_JWK_SET': None,
-}
-
 FINANCIAL_REPORTS = {
 'STORAGE_TYPE': 'localfs',
 'BUCKET': None,
diff --git a/cms/envs/test.py b/cms/envs/test.py
index d391ccba5e98..49db50608858 100644
--- a/cms/envs/test.py
+++ b/cms/envs/test.py
@@ -343,34 +343,3 @@
 }
 }
 }
-
-############## Settings for JWT token handling ##############
-TOKEN_SIGNING = {
- 'JWT_ISSUER': 'token-test-issuer',
- 'JWT_SIGNING_ALGORITHM': 'RS512',
- 'JWT_SUPPORTED_VERSION': '1.2.0',
- 'JWT_PRIVATE_SIGNING_JWK': '''{
- "e": "AQAB",
- "d": "HIiV7KNjcdhVbpn3KT-I9n3JPf5YbGXsCIedmPqDH1d4QhBofuAqZ9zebQuxkRUpmqtYMv0Zi6ECSUqH387GYQF_XvFUFcjQRPycISd8TH0DAKaDpGr-AYNshnKiEtQpINhcP44I1AYNPCwyoxXA1fGTtmkKChsuWea7o8kytwU5xSejvh5-jiqu2SF4GEl0BEXIAPZsgbzoPIWNxgO4_RzNnWs6nJZeszcaDD0CyezVSuH9QcI6g5QFzAC_YuykSsaaFJhZ05DocBsLczShJ9Omf6PnK9xlm26I84xrEh_7x4fVmNBg3xWTLh8qOnHqGko93A1diLRCrKHOvnpvgQ",
- "n": "o5cn3ljSRi6FaDEKTn0PS-oL9EFyv1pI7dRgffQLD1qf5D6sprmYfWWokSsrWig8u2y0HChSygR6Jn5KXBqQn6FpM0dDJLnWQDRXHLl3Ey1iPYgDSmOIsIGrV9ZyNCQwk03wAgWbfdBTig3QSDYD-sTNOs3pc4UD_PqAvU2nz_1SS2ZiOwOn5F6gulE1L0iE3KEUEvOIagfHNVhz0oxa_VRZILkzV-zr6R_TW1m97h4H8jXl_VJyQGyhMGGypuDrQ9_vaY_RLEulLCyY0INglHWQ7pckxBtI5q55-Vio2wgewe2_qYcGsnBGaDNbySAsvYcWRrqDiFyzrJYivodqTQ",
- "q": "3T3DEtBUka7hLGdIsDlC96Uadx_q_E4Vb1cxx_4Ss_wGp1Loz3N3ZngGyInsKlmbBgLo1Ykd6T9TRvRNEWEtFSOcm2INIBoVoXk7W5RuPa8Cgq2tjQj9ziGQ08JMejrPlj3Q1wmALJr5VTfvSYBu0WkljhKNCy1KB6fCby0C9WE",
- "p": "vUqzWPZnDG4IXyo-k5F0bHV0BNL_pVhQoLW7eyFHnw74IOEfSbdsMspNcPSFIrtgPsn7981qv3lN_staZ6JflKfHayjB_lvltHyZxfl0dvruShZOx1N6ykEo7YrAskC_qxUyrIvqmJ64zPW3jkuOYrFs7Ykj3zFx3Zq1H5568G0",
- "kid": "token-test-sign", "kty": "RSA"
- }''',
- 'JWT_PUBLIC_SIGNING_JWK_SET': '''{
- "keys": [
- {
- "kid":"token-test-wrong-key",
- "e": "AQAB",
- "kty": "RSA",
- "n": "o5cn3ljSRi6FaDEKTn0PS-oL9EFyv1pI7dffgRQLD1qf5D6sprmYfWVokSsrWig8u2y0HChSygR6Jn5KXBqQn6FpM0dDJLnWQDRXHLl3Ey1iPYgDSmOIsIGrV9ZyNCQwk03wAgWbfdBTig3QSDYD-sTNOs3pc4UD_PqAvU2nz_1SS2ZiOwOn5F6gulE1L0iE3KEUEvOIagfHNVhz0oxa_VRZILkzV-zr6R_TW1m97h4H8jXl_VJyQGyhMGGypuDrQ9_vaY_RLEulLCyY0INglHWQ7pckxBtI5q55-Vio2wgewe2_qYcGsnBGaDNbySAsvYcWRrqDiFyzrJYivodqTQ"
- },
- {
- "kid":"token-test-sign",
- "e": "AQAB",
- "kty": "RSA",
- "n": "o5cn3ljSRi6FaDEKTn0PS-oL9EFyv1pI7dRgffQLD1qf5D6sprmYfWWokSsrWig8u2y0HChSygR6Jn5KXBqQn6FpM0dDJLnWQDRXHLl3Ey1iPYgDSmOIsIGrV9ZyNCQwk03wAgWbfdBTig3QSDYD-sTNOs3pc4UD_PqAvU2nz_1SS2ZiOwOn5F6gulE1L0iE3KEUEvOIagfHNVhz0oxa_VRZILkzV-zr6R_TW1m97h4H8jXl_VJyQGyhMGGypuDrQ9_vaY_RLEulLCyY0INglHWQ7pckxBtI5q55-Vio2wgewe2_qYcGsnBGaDNbySAsvYcWRrqDiFyzrJYivodqTQ"
- }
- ]
- }''',
-}
diff --git a/lms/envs/common.py b/lms/envs/common.py
index 8c966e67f6d0..b89f20e3fe85 100644
--- a/lms/envs/common.py
+++ b/lms/envs/common.py
@@ -4320,6 +4320,12 @@ def _make_locale_paths(settings): # pylint: disable=missing-function-docstring
 'JWT_PUBLIC_SIGNING_JWK_SET': None,
 }
+# NOTE: In order to create both JWT_PRIVATE_SIGNING_JWK and JWT_PUBLIC_SIGNING_JWK_SET,
+# start devstack on an lms shell and then run the command:
+# > python manage.py lms generate_jwt_signing_key
+# This will output asymmetric JWTs to use here. Read more on this on:
+# https://github.com/openedx/edx-platform/blob/master/openedx/core/djangoapps/oauth_dispatch/docs/decisions/0008-use-asymmetric-jwts.rst
+
 COURSE_CATALOG_URL_ROOT = 'http://localhost:8008'
 COURSE_CATALOG_API_URL = f'{COURSE_CATALOG_URL_ROOT}/api/v1'
diff --git a/openedx/core/lib/tests/test_jwt.py b/openedx/core/lib/tests/test_jwt.py
index 79caf0207fa1..7a678dd3c09b 100644
--- a/openedx/core/lib/tests/test_jwt.py
+++ b/openedx/core/lib/tests/test_jwt.py
@@ -7,6 +7,7 @@
 from jwkest import BadSignature, Expired, Invalid, MissingKey, jwk
 from jwkest.jws import JWS
+from openedx.core.djangolib.testing.utils import skip_unless_lms
 from openedx.core.lib.jwt import _encode_and_sign, create_jwt, unpack_jwt
@@ -24,6 +25,7 @@
 }
+@skip_unless_lms
 class TestSign(unittest.TestCase):
 """
 Tests for JWT creation and signing.
@@ -66,6 +68,7 @@ def _verify_jwt(jwt_token):
 return decoded
+@skip_unless_lms
 class TestUnpack(unittest.TestCase):
 """
 Tests for JWT unpacking.
diff --git a/requirements/edx/base.txt b/requirements/edx/base.txt
index c8f2af138c64..bd412f92132a 100644
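Review bot: The NOTE added in lms/envs/common.py says the command "will output asymmetric JWTs to use here", but judging by its name `generate_jwt_signing_key` produces signing keys (JWKs), not tokens. "Here" also reads as an invitation to paste the private JWK into this committed defaults file. I would reword the fourth comment line to `# This prints a private JWK and a public JWK set; supply them through private deployment settings and never commit the private key to this file.` The comment sits after the closing brace of the dict it describes, which starts outside the hunk, so placing it above that dict would keep it attached to the setting. The link targets the `master` branch and may drift from the code it documents.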
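Review bot: `@skip_unless_lms` on `TestSign`, and on `TestUnpack` in the last hunk of test_jwt.py, gives no reason for the skip, and it leaves `openedx/core/lib/jwt.py` with no coverage under CMS although the module lives in shared `openedx/core/lib` code. With `TOKEN_SIGNING` removed from the CMS settings, a CMS code path that still calls `create_jwt` or `unpack_jwt` would presumably fail at runtime on the missing setting, and no test would catch it. I would add `# TOKEN_SIGNING is defined only in LMS settings, so these helpers cannot be exercised under CMS.` above each decorator and confirm that no CMS caller remains. Both class bodies continue outside the hunks.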
--- a/requirements/edx/base.txt
+++ b/requirements/edx/base.txt
@@ -80,6 +80,9 @@ boto3==1.36.3
 # ora2
 botocore==1.36.3
 # via
+ # -r requirements/edx/kernel.in
+ # boto3
+ # s3transfer
 bridgekeeper==0.9
 # via -r requirements/edx/kernel.in
 cachecontrol==0.14.2
@@ -534,8 +537,6 @@ edx-toggles==5.2.0
 # edxval
 # event-tracking
 # ora2
-edx-token-utils==0.2.1
- # via -r requirements/edx/kernel.in
 edx-when==2.5.1
 # via
 # -r requirements/edx/kernel.in
diff --git a/requirements/edx/development.txt b/requirements/edx/development.txt
index 61305f1cbc5b..6a8c617d41be 100644
--- a/requirements/edx/development.txt
+++ b/requirements/edx/development.txt
@@ -844,10 +844,6 @@ edx-toggles==5.2.0
 # edxval
 # event-tracking
 # ora2
-edx-token-utils==0.2.1
- # via
- # -r requirements/edx/doc.txt
- # -r requirements/edx/testing.txt
 edx-when==2.5.1
 # via
 # -r requirements/edx/doc.txt
diff --git a/requirements/edx/doc.txt b/requirements/edx/doc.txt
index c08b5b6fb396..66bd24f8fcfc 100644
--- a/requirements/edx/doc.txt
+++ b/requirements/edx/doc.txt
@@ -628,8 +628,6 @@ edx-toggles==5.2.0
 # edxval
 # event-tracking
 # ora2
-edx-token-utils==0.2.1
- # via -r requirements/edx/base.txt
 edx-when==2.5.1
 # via
 # -r requirements/edx/base.txt
diff --git a/requirements/edx/testing.txt b/requirements/edx/testing.txt
index ae5aed4234f4..27fe32c152b2 100644
--- a/requirements/edx/testing.txt
+++ b/requirements/edx/testing.txt
@@ -651,8 +651,6 @@ edx-toggles==5.2.0
 # edxval
 # event-tracking
 # ora2
-edx-token-utils==0.2.1
- # via -r requirements/edx/base.txt
 edx-when==2.5.1
 # via
 # -r requirements/edx/base.txt