fix: Don't use django-cookies-samesite on Django > 3.1

BOM-2752

lms/djangoapps/tests/test_utils.py

@@ -3,13 +3,15 @@
 """
 
 
+import importlib
+from importlib.metadata import version
 from unittest import TestCase
 
 import ddt
+import django
+from django.conf import settings
 from opaque_keys.edx.keys import CourseKey, UsageKey
 
-from lms.djangoapps.utils import _get_key
-
 
 @ddt.ddt
 class UtilsTests(TestCase):  # lint-amnesty, pylint: disable=missing-class-docstring
@@ -27,3 +29,19 @@ class UtilsTests(TestCase):  # lint-amnesty, pylint: disable=missing-class-docst
     @ddt.unpack
     def test_get_key(self, input_key, output_key, key_cls):
         assert _get_key(input_key, key_cls) == output_key
+
+    def test_same_site_cookie_version(self):
+        """
+        Make sure with django (2.2 or 3.0) django_cookies_samesite settings enabled.
+        For greater version django_cookies_samesite not required.
+        """
+        self.assertTrue(hasattr(settings, 'DCS_SESSION_COOKIE_SAMESITE_FORCE_ALL'))
+        self.assertTrue(hasattr(settings, 'DCS_SESSION_COOKIE_SAMESITE'))
+
+        if django.VERSION >= (3, 1):
+            self.assertNotIn('django_cookies_samesite.middleware.CookiesSameSite' in settings.MIDDLEWARE)
+            with self.assertRaises(importlib.metadata.PackageNotFoundError):
+                version('django-cookies-samesite')
+        else:
+            self.assertTrue(version('django-cookies-samesite'))
+            self.assertIn('django_cookies_samesite.middleware.CookiesSameSite' in settings.MIDDLEWARE)

lms/envs/common.py

@@ -32,6 +32,7 @@
 import sys
 import os
 
+import django
 from corsheaders.defaults import default_headers as corsheaders_default_headers
 from path import Path as path
 from django.utils.translation import ugettext_lazy as _
@@ -2124,6 +2125,13 @@ def _make_locale_paths(settings):  # pylint: disable=missing-function-docstring
     'openedx.core.djangoapps.site_configuration.middleware.SessionCookieDomainOverrideMiddleware',
 ]
 
+if django.VERSION >= (3, 1):
+    # Avoid issue with https://blog.heroku.com/chrome-changes-samesite-cookie
+    # Override was found here https://github.com/django/django/pull/11894
+    MIDDLEWARE.remove(
+        'django_cookies_samesite.middleware.CookiesSameSite'
+    )
+
 # Clickjacking protection can be disbaled by setting this to 'ALLOW'
 X_FRAME_OPTIONS = 'DENY'
 

requirements/edx/django32.txt

@@ -0,0 +1,2 @@
+Django>=3.2,<3.3
+

tox.ini

@@ -67,10 +67,10 @@ passenv =
     XDIST_WORKER_SECURITY_GROUP
     XDIST_WORKER_SUBNET
 deps =
-    django22: Django>=2.2,<2.3
-    django30: Django>=3.0,<3.1
-    django31: Django>=3.1,<3.2
-    django32: Django>=3.2,<4.0
+    django22: requirements/edx/django.txt
+    django30: requirements/edx/django30.txt
+    django31: requirements/edx/django31.txt
+    django32: requirements/edx/django32.txt
     -r requirements/edx/testing.txt
 whitelist_externals =
     /bin/bash