From bf0cc89323d0247a1d333602ec17a5387c9f3106 Mon Sep 17 00:00:00 2001
From: Vladyslav Tymofeiev <“vladyslavty@softwareplanetgroup.com”>
Date: Mon, 12 Aug 2024 16:57:05 +0300
Subject: [PATCH 01/11] Add Content-Security-Policy header to nginx config
---
 .../nginx/templates/edx/app/nginx/sites-available/lms.j2 | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2 b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2
index f159b9e5cad..cb5fe33d3de 100644
--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2
@@ -121,6 +121,11 @@ error_page {{ k }} {{ v }}; # prevent the browser from doing MIME-type sniffing add_header X-Content-Type-Options nosniff; + {% if EDXAPP_LMS_IFRAME_ENABLED %} + # Allow iFrame for the provided hosts + add_header Content-Security-Policy "frame-ancestors 'self' {{ EDXAPP_LMS_FRAME-ANCESTORS }}"; + {% endif %} + # Prevent invalid display courseware in IE 10+ with high privacy settings add_header P3P '{{ NGINX_P3P_MESSAGE }}';
From ec5184560fe3afca5cda3dca6ee8f04134ab5e2c Mon Sep 17 00:00:00 2001
From: Vladyslav Tymofeiev <“vladyslavty@softwareplanetgroup.com”>
Date: Tue, 13 Aug 2024 11:00:48 +0300
Subject: [PATCH 02/11] Try to use newer version of python for test workflow
---
 .github/workflows/playbook-test.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/playbook-test.yml b/.github/workflows/playbook-test.yml
index 119c2d0d3a0..e1e81b9e59b 100644
--- a/.github/workflows/playbook-test.yml
+++ b/.github/workflows/playbook-test.yml
@@ -19,7 +19,7 @@ jobs: strategy: max-parallel: 4 matrix: - python-version: [3.5] + python-version: [3.7.13] steps: - uses: actions/checkout@v2
From 515085bd4949a1a0c301b5897194d7d0364c494e Mon Sep 17 00:00:00 2001
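Review bot: In the added `add_header Content-Security-Policy` line of lms.j2 (patch 01/11), `{{ EDXAPP_LMS_FRAME-ANCESTORS }}` is not one variable: Jinja2 reads the hyphen as subtraction, giving `EDXAPP_LMS_FRAME - ANCESTORS`, and Ansible variable names cannot contain `-`. Rendering would most likely fail on an undefined name as soon as `EDXAPP_LMS_IFRAME_ENABLED` is true, so the header never reaches a deployed config. Rename it with an underscore, `add_header Content-Security-Policy "frame-ancestors 'self' {{ EDXAPP_LMS_FRAME_ANCESTORS }}";`, and use the same spelling in the CHANGELOG entry of patch 11/11 and wherever the default is declared (not visible in this hunk). Because the value is pasted into a double-quoted nginx string, the variable's documentation should state that it is a space-separated source list containing no `"` or `;`.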
From: Vladyslav Tymofeiev <“vladyslavty@softwareplanetgroup.com”>
Date: Tue, 13 Aug 2024 11:18:46 +0300
Subject: [PATCH 03/11] Downgrade the setuptools version to install demjson
---
 .github/workflows/playbook-test.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/playbook-test.yml b/.github/workflows/playbook-test.yml
index e1e81b9e59b..66ff4e6b0bd 100644
--- a/.github/workflows/playbook-test.yml
+++ b/.github/workflows/playbook-test.yml
@@ -29,6 +29,7 @@ jobs:
 python-version: ${{ matrix.python-version }}
 - name: Install Dependencies
 run: |
+ pip install "setuptools==58.0.0"
 pip install demjson
 pip install -r requirements.txt
 - name: Run Make test.syntax
From bd9505133e77f2a331dc79a2cec3ce36e59d9d49 Mon Sep 17 00:00:00 2001
From: Vladyslav Tymofeiev <“vladyslavty@softwareplanetgroup.com”>
Date: Tue, 13 Aug 2024 11:21:56 +0300
Subject: [PATCH 04/11] Add wheel installation step
---
 .github/workflows/playbook-test.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/playbook-test.yml b/.github/workflows/playbook-test.yml
index 66ff4e6b0bd..90f412ec9b8 100644
--- a/.github/workflows/playbook-test.yml
+++ b/.github/workflows/playbook-test.yml
@@ -29,7 +29,7 @@ jobs:
 python-version: ${{ matrix.python-version }}
 - name: Install Dependencies
 run: |
- pip install "setuptools==58.0.0"
+ pip install "setuptools<58.0.0" wheel
 pip install demjson
 pip install -r requirements.txt
 - name: Run Make test.syntax
From 6c42fe5705c5fbde14b022ce36266ac5c263acb9 Mon Sep 17 00:00:00 2001
From: Vladyslav Tymofeiev <“vladyslavty@softwareplanetgroup.com”>
Date: Tue, 13 Aug 2024 11:34:49 +0300
Subject: [PATCH 05/11] Use ubuntu-20.04 for github action runner
---
 .github/workflows/playbook-test.yml | 5 ++---
 .github/workflows/syntax-test.yml | 4 ++--
 2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/playbook-test.yml b/.github/workflows/playbook-test.yml
index 90f412ec9b8..aa71681689f 100644
--- a/.github/workflows/playbook-test.yml
+++ b/.github/workflows/playbook-test.yml
@@ -15,11 +15,11 @@ on: jobs: build: - runs-on: ubuntu-latest + runs-on: ubuntu-20.04 strategy: max-parallel: 4 matrix: - python-version: [3.7.13] + python-version: [3.5] steps: - uses: actions/checkout@v2
@@ -29,7 +29,6 @@ jobs:
 python-version: ${{ matrix.python-version }}
 - name: Install Dependencies
 run: |
- pip install "setuptools<58.0.0" wheel
 pip install demjson
 pip install -r requirements.txt
 - name: Run Make test.syntax
diff --git a/.github/workflows/syntax-test.yml b/.github/workflows/syntax-test.yml
index 05b5c0eb711..f17d1d2fd1b 100644
--- a/.github/workflows/syntax-test.yml
+++ b/.github/workflows/syntax-test.yml
@@ -15,7 +15,7 @@ on: jobs: build: - runs-on: ubuntu-latest + runs-on: ubuntu-20.04 strategy: max-parallel: 4 matrix:
@@ -33,4 +33,4 @@ jobs:
 pip install -r requirements.txt
 - name: Run Make test.syntax
 run: |
- timeout 90m make --keep-going test.syntax
+ timeout 90m make --keep-going test.syntax
From fdd8cd562548b32f62c3a6b62b04ad66a68b53a1 Mon Sep 17 00:00:00 2001
From: Vladyslav Tymofeiev <“vladyslavty@softwareplanetgroup.com”>
Date: Tue, 13 Aug 2024 11:40:11 +0300
Subject: [PATCH 06/11] Add trusted host workaround for tests workflow
---
 .github/workflows/playbook-test.yml | 2 ++
 .github/workflows/syntax-test.yml | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/.github/workflows/playbook-test.yml b/.github/workflows/playbook-test.yml
index aa71681689f..472c4928092 100644
--- a/.github/workflows/playbook-test.yml
+++ b/.github/workflows/playbook-test.yml
@@ -27,6 +27,8 @@ jobs:
 uses: actions/setup-python@v3
 with:
 python-version: ${{ matrix.python-version }}
+ env:
+ PIP_TRUSTED_HOST: "pypi.python.org pypi.org files.pythonhosted.org"
 - name: Install Dependencies
 run: |
 pip install demjson
diff --git a/.github/workflows/syntax-test.yml b/.github/workflows/syntax-test.yml
index f17d1d2fd1b..f429ca50e1f 100644
--- a/.github/workflows/syntax-test.yml
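Review bot: The added `PIP_TRUSTED_HOST: "pypi.python.org pypi.org files.pythonhosted.org"` in playbook-test.yml (patch 06/11; the syntax-test.yml hunk of the same patch adds the identical two lines) tells pip to treat those hosts as trusted, which switches off TLS certificate validation for the package index, so whatever pip downloads in that scope is no longer authenticated by the transport. The `env:` block follows the `with:` of the `actions/setup-python@v3` step, so it appears to apply to that step only and not to the `pip install` commands under `Install Dependencies`; indentation is lost in this view, so confirm the scope. If certificate failures on the old interpreter are the cause, fix the interpreter version or CA bundle rather than disabling verification. If the workaround must stay, precede it with a comment such as `# TEMPORARY: disables TLS verification for pip in this step only` so it is not copied to other steps.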
+++ b/.github/workflows/syntax-test.yml
@@ -27,6 +27,8 @@ jobs:
 uses: actions/setup-python@v3
 with:
 python-version: ${{ matrix.python-version }}
+ env:
+ PIP_TRUSTED_HOST: "pypi.python.org pypi.org files.pythonhosted.org"
 - name: Install Dependencies
 run: |
 pip install demjson
From c468f065424c3bc5639f97c2ac9d1fbbb8ac3063 Mon Sep 17 00:00:00 2001
From: Vladyslav Tymofeiev <“vladyslavty@softwareplanetgroup.com”>
Date: Tue, 13 Aug 2024 11:50:53 +0300
Subject: [PATCH 07/11] Freeze setuptools version to 57.4.0
---
 .github/workflows/playbook-test.yml | 1 +
 .github/workflows/syntax-test.yml | 1 +
 2 files changed, 2 insertions(+)
diff --git a/.github/workflows/playbook-test.yml b/.github/workflows/playbook-test.yml
index 472c4928092..5fc496bf70d 100644
--- a/.github/workflows/playbook-test.yml
+++ b/.github/workflows/playbook-test.yml
@@ -31,6 +31,7 @@ jobs:
 PIP_TRUSTED_HOST: "pypi.python.org pypi.org files.pythonhosted.org"
 - name: Install Dependencies
 run: |
+ pip install setuptools==57.4.0
 pip install demjson
 pip install -r requirements.txt
 - name: Run Make test.syntax
diff --git a/.github/workflows/syntax-test.yml b/.github/workflows/syntax-test.yml
index f429ca50e1f..4dfa9e9320d 100644
--- a/.github/workflows/syntax-test.yml
+++ b/.github/workflows/syntax-test.yml
@@ -31,6 +31,7 @@ jobs:
 PIP_TRUSTED_HOST: "pypi.python.org pypi.org files.pythonhosted.org"
 - name: Install Dependencies
 run: |
+ pip install setuptools==57.4.0
 pip install demjson
 pip install -r requirements.txt
 - name: Run Make test.syntax
From ad85aaf6d35098e864fc90ff2f68f675740dbf5b Mon Sep 17 00:00:00 2001
From: Vladyslav Tymofeiev <“vladyslavty@softwareplanetgroup.com”>
Date: Tue, 13 Aug 2024 11:58:39 +0300
Subject: [PATCH 08/11] Use setuptools<58
---
 .github/workflows/playbook-test.yml | 2 +-
 .github/workflows/syntax-test.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/playbook-test.yml b/.github/workflows/playbook-test.yml
index 5fc496bf70d..cc2ed1dfd4f 100644
--- a/.github/workflows/playbook-test.yml
+++ b/.github/workflows/playbook-test.yml
@@ -31,7 +31,7 @@ jobs:
 PIP_TRUSTED_HOST: "pypi.python.org pypi.org files.pythonhosted.org"
 - name: Install Dependencies
 run: |
- pip install setuptools==57.4.0
+ pip install setuptools<58
 pip install demjson
 pip install -r requirements.txt
 - name: Run Make test.syntax
diff --git a/.github/workflows/syntax-test.yml b/.github/workflows/syntax-test.yml
index 4dfa9e9320d..ef36e527d1f 100644
--- a/.github/workflows/syntax-test.yml
+++ b/.github/workflows/syntax-test.yml
@@ -31,7 +31,7 @@ jobs:
 PIP_TRUSTED_HOST: "pypi.python.org pypi.org files.pythonhosted.org"
 - name: Install Dependencies
 run: |
- pip install setuptools==57.4.0
+ pip install setuptools<57.4.0
 pip install demjson
 pip install -r requirements.txt
 - name: Run Make test.syntax
From 446fab6c79a0e31b3177f5c6e031434a046802dd Mon Sep 17 00:00:00 2001
From: Vladyslav Tymofeiev <“vladyslavty@softwareplanetgroup.com”>
Date: Tue, 13 Aug 2024 12:04:18 +0300
Subject: [PATCH 09/11] Use quotes for "setuptools<58"
---
 .github/workflows/playbook-test.yml | 2 +-
 .github/workflows/syntax-test.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/playbook-test.yml b/.github/workflows/playbook-test.yml
index cc2ed1dfd4f..5b545cc4c32 100644
--- a/.github/workflows/playbook-test.yml
+++ b/.github/workflows/playbook-test.yml
@@ -31,7 +31,7 @@ jobs:
 PIP_TRUSTED_HOST: "pypi.python.org pypi.org files.pythonhosted.org"
 - name: Install Dependencies
 run: |
- pip install setuptools<58
+ pip install "setuptools<58"
 pip install demjson
 pip install -r requirements.txt
 - name: Run Make test.syntax
diff --git a/.github/workflows/syntax-test.yml b/.github/workflows/syntax-test.yml
index ef36e527d1f..636fbb47c97 100644
--- a/.github/workflows/syntax-test.yml
+++ b/.github/workflows/syntax-test.yml
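Review bot: In patch 08/11 the added `pip install setuptools<58` sits inside a `run: |` shell script, where the unquoted `<58` is parsed as input redirection from a file named `58`, so the version bound never reaches pip and the step fails when that file does not exist. The syntax-test.yml hunk of the same patch has the same problem and also writes `setuptools<57.4.0`, which disagrees with the subject line. Patch 09/11 quotes the requirement as `pip install "setuptools<58"`; squashing 08 into 09 would keep the broken intermediate commit out of history.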
@@ -31,7 +31,7 @@ jobs:
 PIP_TRUSTED_HOST: "pypi.python.org pypi.org files.pythonhosted.org"
 - name: Install Dependencies
 run: |
- pip install setuptools<57.4.0
+ pip install "setuptools<58"
 pip install demjson
 pip install -r requirements.txt
 - name: Run Make test.syntax
From 82fbe2e5f745ea1d267b35db08ebbc1da929f810 Mon Sep 17 00:00:00 2001
From: Vladyslav Tymofeiev <“vladyslavty@softwareplanetgroup.com”>
Date: Tue, 13 Aug 2024 12:27:02 +0300
Subject: [PATCH 10/11] Add wheel installation
---
 .github/workflows/playbook-test.yml | 2 +-
 .github/workflows/syntax-test.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/playbook-test.yml b/.github/workflows/playbook-test.yml
index 5b545cc4c32..3dcc354c0fa 100644
--- a/.github/workflows/playbook-test.yml
+++ b/.github/workflows/playbook-test.yml
@@ -31,7 +31,7 @@ jobs:
 PIP_TRUSTED_HOST: "pypi.python.org pypi.org files.pythonhosted.org"
 - name: Install Dependencies
 run: |
- pip install "setuptools<58"
+ pip install "setuptools<58" wheel
 pip install demjson
 pip install -r requirements.txt
 - name: Run Make test.syntax
diff --git a/.github/workflows/syntax-test.yml b/.github/workflows/syntax-test.yml
index 636fbb47c97..fbf839ba786 100644
--- a/.github/workflows/syntax-test.yml
+++ b/.github/workflows/syntax-test.yml
@@ -31,7 +31,7 @@ jobs:
 PIP_TRUSTED_HOST: "pypi.python.org pypi.org files.pythonhosted.org"
 - name: Install Dependencies
 run: |
- pip install "setuptools<58"
+ pip install "setuptools<58" wheel
 pip install demjson
 pip install -r requirements.txt
 - name: Run Make test.syntax
From cd3d7f756b3f2335256dd7ce39a3df91800b00de Mon Sep 17 00:00:00 2001
From: Vladyslav Tymofeiev <“vladyslavty@softwareplanetgroup.com”>
Date: Tue, 13 Aug 2024 12:57:20 +0300
Subject: [PATCH 11/11] Revert workflow changes and update changelog
---
 .github/workflows/playbook-test.yml | 3 +--
 .github/workflows/syntax-test.yml | 5 +----
 CHANGELOG.md | 4 ++++
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/playbook-test.yml b/.github/workflows/playbook-test.yml
index 3dcc354c0fa..980ec0a2807 100644
--- a/.github/workflows/playbook-test.yml
+++ b/.github/workflows/playbook-test.yml
@@ -15,7 +15,7 @@ on: jobs: build: - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest strategy: max-parallel: 4 matrix:
@@ -31,7 +31,6 @@ jobs:
 PIP_TRUSTED_HOST: "pypi.python.org pypi.org files.pythonhosted.org"
 - name: Install Dependencies
 run: |
- pip install "setuptools<58" wheel
 pip install demjson
 pip install -r requirements.txt
 - name: Run Make test.syntax
diff --git a/.github/workflows/syntax-test.yml b/.github/workflows/syntax-test.yml
index fbf839ba786..690a90b9ee8 100644
--- a/.github/workflows/syntax-test.yml
+++ b/.github/workflows/syntax-test.yml
@@ -15,7 +15,7 @@ on: jobs: build: - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest strategy: max-parallel: 4 matrix:
@@ -27,11 +27,8 @@ jobs:
 uses: actions/setup-python@v3
 with:
 python-version: ${{ matrix.python-version }}
- env:
- PIP_TRUSTED_HOST: "pypi.python.org pypi.org files.pythonhosted.org"
 - name: Install Dependencies
 run: |
- pip install "setuptools<58" wheel
 pip install demjson
 pip install -r requirements.txt
 - name: Run Make test.syntax
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 80855cf4846..21c74be4008 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,10 @@ All notable changes to this project will be documented in this file. Add any new changes to the top(right below this line). +- Role: nginx + - Add the possibility to add the header `Content-Security-Policy frame-ancestors`. This is configured by the + EDXAPP_LMS_IFRAME_ENABLED switcher and EDXAPP_LMS_FRAME-ANCESTORS value. + - Role: edxapp BREAKING_CHANGE - The sandbox environment that runs instructor written python code used to run python 2.7. We update the default to python 3.5 but provide a new variable to be able to go back to the old setting. If `edxapp_sandbox_python_version`
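Review bot: The revert is incomplete for playbook-test.yml: its `@@ -31,7 +31,6 @@` hunk in patch 11/11 removes only the setuptools line and still carries `PIP_TRUSTED_HOST: "pypi.python.org pypi.org files.pythonhosted.org"` as context, whereas the syntax-test.yml hunk deletes both `env:` and `PIP_TRUSTED_HOST`. After the series, playbook-test.yml therefore keeps the certificate-verification override introduced in patch 06/11 and the two workflows diverge. The diffstat (`playbook-test.yml | 3 +--`, one insertion and two deletions) is consistent with that reading. If the intent is a full revert, also delete the `env:` and `PIP_TRUSTED_HOST: "pypi.python.org pypi.org files.pythonhosted.org"` lines from playbook-test.yml.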