Merge branch 'master' into chris/FAL-4330-history-log

Author: ChrisChV

cms/djangoapps/contentstore/rest_api/v1/views/tests/test_home.py

@@ -329,7 +329,7 @@ def test_home_page_libraries_response(self):
                     'can_edit': True,
                     'is_migrated': True,
                     'migrated_to_title': 'Test Library',
-                    'migrated_to_key': 'lib:name0:test-key',
+                    'migrated_to_key': str(self.lib_key_v2),
                     'migrated_to_collection_key': 'test-collection',
                     'migrated_to_collection_title': 'Test Collection',
                 },
@@ -364,7 +364,7 @@ def test_home_page_libraries_response(self):
                     'can_edit': True,
                     'is_migrated': True,
                     'migrated_to_title': 'Test Library',
-                    'migrated_to_key': 'lib:name0:test-key',
+                    'migrated_to_key': str(self.lib_key_v2),
                     'migrated_to_collection_key': 'test-collection',
                     'migrated_to_collection_title': 'Test Collection',
                 }

cms/djangoapps/contentstore/views/tests/test_clipboard_paste.py

@@ -5,6 +5,7 @@
 """
 import ddt
 from opaque_keys.edx.keys import UsageKey
+from openedx_content.api import signals as content_signals
 from openedx_events.content_authoring.signals import (
     LIBRARY_BLOCK_DELETED,
     XBLOCK_CREATED,
@@ -405,6 +406,7 @@ class ClipboardPasteFromV2LibraryTestCase(OpenEdxEventsTestMixin, ImmediateOnCom
     Test Clipboard Paste functionality with a "new" (as of Sumac) library
     """
     ENABLED_OPENEDX_EVENTS = [
+        content_signals.ENTITIES_DRAFT_CHANGED.event_type,  # Required for library events to work
         LIBRARY_BLOCK_DELETED.event_type,
         XBLOCK_CREATED.event_type,
         XBLOCK_DELETED.event_type,
@@ -491,7 +493,8 @@ def test_paste_from_library_read_only_tags(self):
             assert object_tag.is_copied
 
         # If we delete the upstream library block...
-        library_api.delete_library_block(self.lib_block_key)
+        with self.captureOnCommitCallbacks(execute=True):  # make event handlers fire now, within TestCase transaction
+            library_api.delete_library_block(self.lib_block_key)
 
         # ...the copied tags remain, but should no longer be marked as "copied"
         object_tags = tagging_api.get_object_tags(new_block_key)

cms/djangoapps/modulestore_migrator/tasks.py

@@ -895,13 +895,9 @@ def _migrate_container(
     ).publishable_entity_version
 
     # Publish the container
-    # Call post publish events synchronously to avoid
-    # an error when calling `wait_for_post_publish_events`
-    # inside a celery task.
     libraries_api.publish_container_changes(
         container.container_key,
         context.created_by,
-        call_post_publish_events_sync=True,
     )
     context.used_container_slugs.add(container.container_key.container_id)
     return container_publishable_entity_version, None

cms/envs/common.py

@@ -256,9 +256,6 @@
 
 MARKETING_EMAILS_OPT_IN = False
 
-############################# MICROFRONTENDS ###################################
-COURSE_AUTHORING_MICROFRONTEND_URL = None
-
 ############################# SET PATH INFORMATION #############################
 PROJECT_ROOT = path(__file__).abspath().dirname().dirname()  # /edx-platform/cms
 CMS_ROOT = REPO_ROOT / "cms"  # noqa: F405

cms/envs/help_tokens.ini

@@ -27,6 +27,7 @@ video = course_author:references/course_development/guide_to_video.html
 certificates = course_author:concepts/open_edx_platform/about_certificates.html
 content_highlights = course_author:how-tos/course_development/manage_course_highlight_emails.html
 social_sharing = course_author:how-tos/course_development/social_sharing.html
+sync_library_updates = course_author:how-tos/course_development/sync_a_library_update_to_your_course.html
 
 # below are the language directory names for the different locales
 [locales]

common/djangoapps/third_party_auth/tasks.py

@@ -16,8 +16,10 @@
 from common.djangoapps.third_party_auth.models import SAMLConfiguration, SAMLProviderConfig
 from common.djangoapps.third_party_auth.utils import (
     MetadataParseError,
+    SAMLMetadataURLError,
     create_or_update_bulk_saml_provider_data,
     parse_metadata_xml,
+    validate_saml_metadata_url,
 )
 
 log = logging.getLogger(__name__)
@@ -74,10 +76,9 @@ def fetch_saml_metadata():
     failure_messages = []  # We return the length of this array for num_failed
     for url, entity_ids in url_map.items():
         try:
+            validate_saml_metadata_url(url)
             log.info("Fetching %s", url)
-            if not url.lower().startswith('https'):
-                log.warning("This SAML metadata URL is not secure! It should use HTTPS. (%s)", url)
-            response = requests.get(url, verify=True)  # May raise HTTPError or SSLError or ConnectionError
+            response = requests.get(url, verify=True, timeout=30)  # May raise HTTPError or SSLError or ConnectionError
             response.raise_for_status()  # May raise an HTTPError
 
             try:
@@ -96,7 +97,13 @@ def fetch_saml_metadata():
                     num_updated += 1
                 else:
                     log.info(f"→ Updated existing SAMLProviderData. Nothing has changed for entityID {entity_id}")
-        except (exceptions.SSLError, exceptions.HTTPError, exceptions.RequestException, MetadataParseError) as error:
+        except (
+            exceptions.SSLError,
+            exceptions.HTTPError,
+            exceptions.RequestException,
+            MetadataParseError,
+            SAMLMetadataURLError,
+        ) as error:
             # Catch and process exception in case of errors during fetching and processing saml metadata.
             # Here is a description of each exception.
             # SSLError is raised in case of errors caused by SSL (e.g. SSL cer verification failure etc.)

common/djangoapps/third_party_auth/tests/test_utils.py

@@ -6,19 +6,23 @@
 from unittest.mock import MagicMock
 
 import ddt
+import pytest
+from django.test import override_settings
 from lxml import etree
 
 from common.djangoapps.student.tests.factories import UserFactory
 from common.djangoapps.third_party_auth.models import SAMLProviderData
 from common.djangoapps.third_party_auth.tests.testutil import TestCase
 from common.djangoapps.third_party_auth.utils import (
+    SAMLMetadataURLError,
     create_or_update_bulk_saml_provider_data,
     get_associated_user_by_email_response,
     get_user_from_email,
     is_enterprise_customer_user,
     is_oauth_provider,
     parse_metadata_xml,
     user_exists,
+    validate_saml_metadata_url,
 )
 from openedx.core.djangolib.testing.utils import skip_unless_lms
 from openedx.features.enterprise_support.tests.factories import (
@@ -272,3 +276,60 @@ def test_multiple_keys(self):
             entity_id='http://entity1',
         ).count()
         assert count == 2
+
+
+@ddt.ddt
+@skip_unless_lms
+class TestValidateSAMLMetadataURL(TestCase):
+    """Tests for validate_saml_metadata_url."""
+
+    @ddt.data(
+        'https://idp.example.com/metadata',
+        'https://1.1.1.1/metadata',
+    )
+    def test_valid_urls_pass(self, url):
+        validate_saml_metadata_url(url)  # should not raise
+
+    @ddt.data(
+        ('http://idp.example.com/metadata', 'must use HTTPS'),
+        ('ftp://idp.example.com/metadata', 'must use HTTPS'),
+        ('https://', 'no hostname'),
+    )
+    @ddt.unpack
+    def test_invalid_scheme_or_missing_hostname(self, url, expected_fragment):
+        with pytest.raises(SAMLMetadataURLError, match=expected_fragment):
+            validate_saml_metadata_url(url)
+
+    @ddt.data(
+        'https://127.0.0.1/metadata',       # IPv4 loopback
+        'https://[::1]/metadata',            # IPv6 loopback
+        'https://169.254.169.254/latest',    # AWS metadata endpoint
+        'https://169.254.0.1/metadata',      # other link-local
+        'https://[fe80::1]/metadata',        # IPv6 link-local
+        'https://240.0.0.1/metadata',        # reserved (Class E)
+    )
+    def test_always_blocked_regardless_of_setting(self, url):
+        for allow_private in (False, True):
+            with override_settings(SAML_METADATA_URL_ALLOW_PRIVATE_IPS=allow_private):
+                with pytest.raises(SAMLMetadataURLError):
+                    validate_saml_metadata_url(url)
+
+    @ddt.data(
+        'https://10.0.0.1/metadata',
+        'https://172.16.0.1/metadata',
+        'https://192.168.1.1/metadata',
+        'https://[fc00::1]/metadata',        # IPv6 unique local
+    )
+    def test_private_ip_blocked_by_default(self, url):
+        with pytest.raises(SAMLMetadataURLError):
+            validate_saml_metadata_url(url)
+
+    @ddt.data(
+        'https://10.0.0.1/metadata',
+        'https://172.16.0.1/metadata',
+        'https://192.168.1.1/metadata',
+        'https://[fc00::1]/metadata',        # IPv6 unique local
+    )
+    @override_settings(SAML_METADATA_URL_ALLOW_PRIVATE_IPS=True)
+    def test_private_ip_allowed_when_setting_enabled(self, url):
+        validate_saml_metadata_url(url)  # should not raise

common/djangoapps/third_party_auth/utils.py

@@ -3,9 +3,12 @@
 """
 
 import datetime
+import ipaddress
+from urllib.parse import urlparse
 from zoneinfo import ZoneInfo
 
 import dateutil.parser
+from django.conf import settings
 from django.contrib.auth.models import User  # lint-amnesty, pylint: disable=imported-auth-user
 from django.utils.timezone import now
 from enterprise.models import EnterpriseCustomerIdentityProvider, EnterpriseCustomerUser
@@ -27,6 +30,67 @@ class MetadataParseError(Exception):
     pass  # lint-amnesty, pylint: disable=unnecessary-pass
 
 
+class SAMLMetadataURLError(Exception):
+    """ A SAML metadata URL failed security validation """
+    pass  # lint-amnesty, pylint: disable=unnecessary-pass
+
+
+def validate_saml_metadata_url(url):
+    """
+    Validate that a SAML metadata URL is safe to fetch.
+
+    Enforces HTTPS and blocks requests to loopback, link-local, and reserved IP
+    addresses. Link-local specifically covers cloud instance metadata endpoints
+    (169.254.0.0/16, e.g. the AWS metadata service at 169.254.169.254).
+    Reserved addresses (e.g. 240.0.0.0/4) are IETF-assigned ranges that are
+    never routable on real networks.
+
+    Private IP ranges (RFC 1918: 10.x, 172.16.x, 192.168.x) are also blocked by
+    default, since most Open edX deployments fetch SAML metadata from public IdPs.
+    Operators running in a private network where the SAML IdP has a private IP can
+    opt out by setting SAML_METADATA_URL_ALLOW_PRIVATE_IPS = True in Django settings.
+
+    Limitation: IP address checks only apply to literal IPs in the URL. Hostname-
+    based URLs are not validated against the IP blocklists. Operators are encouraged
+    to complement this with network-level egress filtering that blocks outbound
+    connections from the Open edX server to link-local (169.254.0.0/16) and RFC
+    1918 private address ranges.
+
+    Raises SAMLMetadataURLError if the URL fails validation.
+    """
+    parsed = urlparse(url)
+
+    if parsed.scheme != 'https':
+        raise SAMLMetadataURLError(
+            f"SAML metadata URL must use HTTPS, got scheme: {parsed.scheme!r}"
+        )
+
+    hostname = parsed.hostname
+    if not hostname:
+        raise SAMLMetadataURLError("SAML metadata URL has no hostname")
+
+    try:
+        addr = ipaddress.ip_address(hostname)
+    except ValueError:
+        # hostname is a domain name, not a numeric IP literal — pass through.
+        return
+
+    # Loopback, link-local, and reserved ranges are never legitimate SAML IdP
+    # addresses regardless of deployment topology.
+    if addr.is_loopback or addr.is_link_local or addr.is_reserved:
+        raise SAMLMetadataURLError(
+            f"SAML metadata URL hostname is a forbidden IP address: {addr}"
+        )
+
+    # Private ranges are blocked by default but can be allowed via Django settings
+    # for deployments where the SAML IdP lives on the same private network.
+    if addr.is_private and not settings.SAML_METADATA_URL_ALLOW_PRIVATE_IPS:
+        raise SAMLMetadataURLError(
+            f"SAML metadata URL hostname is a private IP address: {addr}. "
+            "Set SAML_METADATA_URL_ALLOW_PRIVATE_IPS = True in Django settings to allow this."
+        )
+
+
 def parse_metadata_xml(xml, entity_id):
     """
     Given an XML document containing SAML 2.0 metadata, parse it and return a tuple of

lms/djangoapps/certificates/data.py

@@ -57,11 +57,12 @@ class CertificateStatuses:
     requesting = 'requesting'
 
     readable_statuses = {
-        downloadable: "already received",
-        notpassing: "didn't receive",
-        error: "error states",
-        audit_passing: "audit passing states",
-        audit_notpassing: "audit not passing states",
+        downloadable: "Received",
+        notpassing: "Not Received",
+        unavailable: "Invalidated",
+        error: "Error State",
+        audit_passing: "Audit - Passing",
+        audit_notpassing: "Audit - Not Passing",
     }
 
     PASSED_STATUSES = (downloadable, generating)

lms/djangoapps/certificates/models.py

@@ -588,7 +588,7 @@ def get_certificate_generation_candidates(self):
         if not task_input.strip():
             # if task input is empty, it means certificates were generated for all learners
             # Translators: This string represents task was executed for all learners.
-            return _("All learners")
+            return _("All Learners")
 
         task_input_json = json.loads(task_input)
 
@@ -607,9 +607,9 @@ def get_certificate_generation_candidates(self):
         # for backwards compatibility.
         if 'student_set' in task_input_json or 'students' in task_input_json:
             # Translators: This string represents task was executed for students having exceptions.
-            return _("For exceptions")
+            return _("Granted Exceptions")
         else:
-            return _("All learners")
+            return _("All Learners")
 
     class Meta:
         app_label = "certificates"