From b2a02af8d1d2002be1b7358fc5e832e22b63c1b2 Mon Sep 17 00:00:00 2001
From: Aki Koskinen
Date: Tue, 11 Apr 2023 14:10:09 +0300
Subject: [PATCH] HP-1842 Update python-jose to version 3.3.0

Move python-jose dependency to requirements.in, as it's not just a development dependency. It's needed by the actual server too; via django-helusers, but still. Use the `cryptography` backend with python-jose, which is the recommended choice. Python-jose depends on `ecdsa`, `pyasn1` and `rsa` packages, but it doesn't need them when the `cryptography` backend is used. Those packages are excluded from the requirements.txt file by using --unsafe-package arguments with pip-compile. This works for now, since python-jose is the ONLY package that depends on those packages. If any other package update needs any of those other dependencies, then they need to be allwed again. There is a proposal to pip-tools [1] to provide a better tool for this kind of use case, but it hasn't been accepted. In order to not get those unnecessary dependencies installed anyways, the --no-deps argument needs to be given to `pip`. This was added to Dockerfile.
[1] https://github.com/jazzband/pip-tools/pull/1645
---
 Dockerfile | 2 +-
 requirements-dev.in | 1 -
 requirements-dev.txt | 22 ----------------------
 requirements.in | 1 +
 requirements.txt | 28 ++++++++++++++++------------
 5 files changed, 18 insertions(+), 36 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 8cadc628..f058ddb4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -18,7 +18,7 @@ RUN apt-install.sh \
 python3-gdal \
 postgresql-client \
 && pip install -U pip \
- && pip install --no-cache-dir -r /app/requirements.txt \
+ && pip install --no-cache-dir --no-deps -r /app/requirements.txt \
 && pip install --no-cache-dir -r /app/requirements-prod.txt \
 && apt-cleanup.sh build-essential pkg-config
diff --git a/requirements-dev.in b/requirements-dev.in
index c9114760..a61e24dc 100644
--- a/requirements-dev.in
+++ b/requirements-dev.in
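Review bot: `--no-deps` is added only to the requirements.txt install; the next line, `&& pip install --no-cache-dir -r /app/requirements-prod.txt \`, still lets pip resolve and fetch transitive dependencies at build time, so if requirements-prod.txt is also a pip-compile lockfile (it is not in this diff) it needs the same flag for the pinning to be complete, `&& pip install --no-cache-dir --no-deps -r /app/requirements-prod.txt \`. With `--no-deps` pip also stops checking that the compiled file is internally complete, so a transitive pin that is missing from requirements.txt would surface only as an ImportError at runtime; adding `&& pip check \` after the two installs turns that into a build failure. Once installs run with `--no-deps` against a fully pinned file, compiling with `pip-compile --generate-hashes` and installing with `--require-hashes` is the natural next step for integrity of what the image pulls. The RUN instruction starts and ends outside the hunk.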
@@ -17,7 +17,6 @@ pytest
 pytest-cov
 pytest-django
 pytest-mock
-python-jose
 requests-mock
 pytest-factoryboy
 rope
diff --git a/requirements-dev.txt b/requirements-dev.txt
index ddd5f39a..702721c1 100644
--- a/requirements-dev.txt
+++ b/requirements-dev.txt
@@ -42,10 +42,6 @@ decorator==4.4.2
 # traitlets
 distlib==0.3.0
 # via virtualenv
-ecdsa==0.16.1
- # via
- # -c requirements.txt
- # python-jose
 entrypoints==0.3
 # via flake8
 exceptiongroup==1.0.4
@@ -68,10 +64,6 @@ flake8-polyfill==1.0.2
 # via pep8-naming
 freezegun==0.3.15
 # via -r requirements-dev.in
-future==0.17.1
- # via
- # -c requirements.txt
- # python-jose
 identify==1.4.15
 # via pre-commit
 idna==2.9
@@ -140,10 +132,6 @@ prompt-toolkit==3.0.5
 # via ipython
 ptyprocess==0.6.0
 # via pexpect
-pyasn1==0.4.5
- # via
- # -c requirements.txt
- # rsa
 pycodestyle==2.5.0
 # via
 # autopep8
@@ -177,10 +165,6 @@ python-dateutil==2.8.1
 # via
 # faker
 # freezegun
-python-jose==3.0.1
- # via
- # -c requirements.txt
- # -r requirements-dev.in
 pyyaml==5.4.1
 # via
 # -c requirements.txt
@@ -193,17 +177,11 @@ requests-mock==1.8.0
 # via -r requirements-dev.in
 rope==0.16.0
 # via -r requirements-dev.in
-rsa==4.7.2
- # via
- # -c requirements.txt
- # python-jose
 six==1.14.0
 # via
 # -c requirements.txt
- # ecdsa
 # freezegun
 # python-dateutil
- # python-jose
 # requests-mock
 # snapshottest
 # traitlets
diff --git a/requirements.in b/requirements.in
index af9c3112..e80040ab 100644
--- a/requirements.in
+++ b/requirements.in
@@ -14,6 +14,7 @@ graphene-federation
 git+https://github.com/City-of-Helsinki/graphene-validator.git@main
 iso3166
 psycopg2
+python-jose[cryptography]
 pyyaml>=5.3
 requests
 requests-oauthlib
diff --git a/requirements.txt b/requirements.txt
index 08af8ac3..8a1d7803 100644
--- a/requirements.txt
+++ b/requirements.txt
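Review bot: The constraint that makes the new `python-jose[cryptography]` line in requirements.in safe to install with `--no-deps` — that `ecdsa`, `pyasn1` and `rsa` are deliberately excluded — is recorded only in the commit message and in the autogenerated header of requirements.txt, not in this hand-maintained file. Anyone who re-runs `pip-compile requirements.in` without the `--unsafe-package` flags silently reintroduces those packages, and anyone who later adds a dependency that needs one of them gets a lockfile that the Dockerfile's `--no-deps` install leaves incomplete. A comment above the new line would keep the decision next to the thing it constrains, e.g. `# [cryptography] extra replaces ecdsa/pyasn1/rsa; requirements.txt must be compiled with --unsafe-package for those because the Dockerfile installs with --no-deps`. Since django-helusers pulls in python-jose (per the commit message), this pin presumably sits on the token-verification path and is worth tracking for advisories.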
@@ -2,7 +2,7 @@
 # This file is autogenerated by pip-compile with Python 3.7
 # by the following command:
 #
-# pip-compile requirements.in
+# pip-compile --unsafe-package=ecdsa --unsafe-package=pyasn1 --unsafe-package=rsa requirements.in
 #
 --no-binary psycopg2
@@ -16,8 +16,12 @@ certifi==2020.4.5.1
 # via
 # requests
 # sentry-sdk
+cffi==1.15.1
+ # via cryptography
 chardet==3.0.4
 # via requests
+cryptography==40.0.1
+ # via python-jose
 database-sanitizer==1.1.0
 # via django-sanitized-dump
 deprecation==2.1.0
@@ -53,10 +57,6 @@ django-sanitized-dump==1.2.1
 # via -r requirements.in
 django-searchable-encrypted-fields==0.1.3
 # via -r requirements.in
-ecdsa==0.16.1
- # via python-jose
-future==0.17.1
- # via python-jose
 graphene==2.1.8
 # via
 # graphene-django
@@ -90,12 +90,14 @@ promise==2.2.1
 # graphql-relay
 psycopg2==2.8.3
 # via -r requirements.in
-pyasn1==0.4.5
- # via rsa
+pycparser==2.21
+ # via cffi
 pycryptodome==3.15.0
 # via django-searchable-encrypted-fields
-python-jose==3.0.1
- # via django-helusers
+python-jose[cryptography]==3.3.0
+ # via
+ # -r requirements.in
+ # django-helusers
 pytz==2019.1
 # via django
 pyyaml==5.4.1
@@ -110,8 +112,6 @@ requests==2.25.1
 # requests-oauthlib
 requests-oauthlib==1.3.0
 # via -r requirements.in
-rsa==4.7.2
- # via python-jose
 rx==1.6.1
 # via graphql-core
 sentry-sdk==0.10.2
@@ -128,7 +128,6 @@ six==1.14.0
 # graphql-core
 # graphql-relay
 # promise
- # python-jose
 # singledispatch
 sqlparse==0.4.2
 # via django
@@ -138,3 +137,8 @@ urllib3==1.26.6
 # via
 # requests
 # sentry-sdk
+
+# The following packages are considered to be unsafe in a requirements file:
+# ecdsa
+# pyasn1
+# rsa