extract out cors_origin from server and conditioned xblock j2 files

CHANGELOG.md

@@ -235,3 +235,118 @@
 
 - Role: edxapp
   - Added `EDXAPP_BLOCK_STRUCTURES_SETTINGS` to configure S3-backed Course Block Structures.
+
+- Role: insights
+  - Removed `INSIGHTS_FEEDBACK_EMAIL` which is no longer used, as it was deemed redundant with `INSIGHTS_SUPPORT_EMAIL`.
+
+- Role: insights
+  - Removed `SUPPORT_EMAIL` setting from `INSIGHTS_CONFIG`, as it is was replaced by `SUPPORT_URL`.
+
+- Role: insights
+  - Added `INSIGHTS_DOMAIN` to configure the domain Insights is deployed on
+  - Added `INSIGHTS_CLOUDFRONT_DOMAIN` to configure the domain static files can be served from
+  - Added `INSIGHTS_CORS_ORIGIN_WHITELIST_EXTRA` to configure allowing CORS on domains other than the `INSIGHTS_DOMAIN`
+
+- Role: edxapp
+  - Added `EDXAPP_VIDEO_IMAGE_SETTINGS` to configure S3-backed video images.
+
+- Role: edxapp
+  - Added `EDXAPP_BASE_COOKIE_DOMAIN` for sharing cookies across edx domains.
+
+- Role: insights
+  - Removed `bower install` task
+  - Replaced r.js build task with webpack build task
+  - Removed `./manage.py compress` task
+
+- Role: insights
+  - Moved `THEME_SCSS` from `INSIGHTS_CONFIG` to `insights_environment`
+
+- Role: analytics_api
+  - Added a number of `ANALYTICS_API_DEFAULT_*` and `ANALYTICS_API_REPORTS_*` variables to allow more selective specification of database parameters (rather than
+      overriding the whole structure).
+
+- Role: edxapp
+  - Remove EDXAPP_ANALYTICS_API_KEY, EDXAPP_ANALYTICS_SERVER_URL, EDXAPP_ANALYTICS_DATA_TOKEN, EDXAPP_ANALYTICS_DATA_URL since they are old and
+  no longer consumed.
+
+- Role: edxapp
+  - Added `PASSWORD_MIN_LENGTH` for password minimum length validation on reset page.
+  - Added `PASSWORD_MAX_LENGTH` for password maximum length validation on reset page.
+
+- Role: credentials
+  - Replaced `CREDENTIALS_OAUTH_URL_ROOT` with `COMMON_OAUTH_URL_ROOT` from `common_vars`
+  - Replaced `CREDENTIALS_OIDC_LOGOUT_URL` with `COMMON_OAUTH_LOGOUT_URL` from `common_vars`
+  - Replaced `CREDENTIALS_JWT_AUDIENCE` with `COMMON_JWT_AUDIENCE` from `common_vars`
+  - Replaced `CREDENTIALS_JWT_ISSUER` with `COMMON_JWT_ISSUER` from `common_vars`
+  - Replaced `CREDENTIALS_JWT_SECRET_KEY` with `COMMON_JWT_SECRET_KEY` from `common_vars`
+  - Replaced `CREDENTIALS_SOCIAL_AUTH_EDX_OIDC_ISSUER` with `COMMON_JWT_ISSUER` from `common_vars`
+
+- Role: ecommerce
+  - Replaced `ECOMMERCE_OAUTH_URL_ROOT` with `COMMON_OAUTH_URL_ROOT` from `common_vars`
+  - Replaced `ECOMMERCE_OIDC_LOGOUT_URL` with `COMMON_OAUTH_LOGOUT_URL` from `common_vars`
+  - Replaced `ECOMMERCE_JWT_SECRET_KEY` with `COMMON_JWT_SECRET_KEY` from `common_vars`
+  - Replaced `ECOMMERCE_SOCIAL_AUTH_EDX_OIDC_ISSUER` with `COMMON_JWT_ISSUER` from `common_vars`
+
+- Role: edxapp
+  - Added `EDXAPP_VIDEO_TRANSCRIPTS_SETTINGS` to configure S3-backed video transcripts.
+  - Removed unused `EDXAPP_BOOK_URL` setting
+
+- Role: insights
+  - Removed `INSIGHTS_FEEDBACK_EMAIL` which is no longer used, as it was deemed redundant with `INSIGHTS_SUPPORT_EMAIL`.
+
+- Role: insights
+  - Removed `SUPPORT_EMAIL` setting from `INSIGHTS_CONFIG`, as it is was replaced by `SUPPORT_URL`.
+
+- Role: insights
+  - Added `INSIGHTS_DOMAIN` to configure the domain Insights is deployed on
+  - Added `INSIGHTS_CLOUDFRONT_DOMAIN` to configure the domain static files can be served from
+  - Added `INSIGHTS_CORS_ORIGIN_WHITELIST_EXTRA` to configure allowing CORS on domains other than the `INSIGHTS_DOMAIN`
+
+- Role: edxapp
+  - Added `EDXAPP_VIDEO_IMAGE_SETTINGS` to configure S3-backed video images.
+
+- Role: edxapp
+  - Added `EDXAPP_BASE_COOKIE_DOMAIN` for sharing cookies across edx domains.
+
+- Role: insights
+  - Removed `bower install` task
+  - Replaced r.js build task with webpack build task
+  - Removed `./manage.py compress` task
+
+- Role: insights
+  - Moved `THEME_SCSS` from `INSIGHTS_CONFIG` to `insights_environment`
+
+- Role: analytics_api
+  - Added a number of `ANALYTICS_API_DEFAULT_*` and `ANALYTICS_API_REPORTS_*` variables to allow more selective specification of database parameters (rather than
+      overriding the whole structure).
+
+- Role: edxapp
+  - Remove EDXAPP_ANALYTICS_API_KEY, EDXAPP_ANALYTICS_SERVER_URL, EDXAPP_ANALYTICS_DATA_TOKEN, EDXAPP_ANALYTICS_DATA_URL since they are old and
+  no longer consumed.
+
+- Role: edxapp
+  - Added `PASSWORD_MIN_LENGTH` for password minimum length validation on reset page.
+  - Added `PASSWORD_MAX_LENGTH` for password maximum length validation on reset page.
+
+- Role: credentials
+  - Replaced `CREDENTIALS_OAUTH_URL_ROOT` with `COMMON_OAUTH_URL_ROOT` from `common_vars`
+  - Replaced `CREDENTIALS_OIDC_LOGOUT_URL` with `COMMON_OAUTH_LOGOUT_URL` from `common_vars`
+  - Replaced `CREDENTIALS_JWT_AUDIENCE` with `COMMON_JWT_AUDIENCE` from `common_vars`
+  - Replaced `CREDENTIALS_JWT_ISSUER` with `COMMON_JWT_ISSUER` from `common_vars`
+  - Replaced `CREDENTIALS_JWT_SECRET_KEY` with `COMMON_JWT_SECRET_KEY` from `common_vars`
+  - Replaced `CREDENTIALS_SOCIAL_AUTH_EDX_OIDC_ISSUER` with `COMMON_JWT_ISSUER` from `common_vars`
+
+- Role: ecommerce
+  - Replaced `ECOMMERCE_OAUTH_URL_ROOT` with `COMMON_OAUTH_URL_ROOT` from `common_vars`
+  - Replaced `ECOMMERCE_OIDC_LOGOUT_URL` with `COMMON_OAUTH_LOGOUT_URL` from `common_vars`
+  - Replaced `ECOMMERCE_JWT_SECRET_KEY` with `COMMON_JWT_SECRET_KEY` from `common_vars`
+  - Replaced `ECOMMERCE_SOCIAL_AUTH_EDX_OIDC_ISSUER` with `COMMON_JWT_ISSUER` from `common_vars`
+
+- Role: edxapp
+  - Added `EDXAPP_VIDEO_TRANSCRIPTS_SETTINGS` to configure S3-backed video transcripts.
+  - Removed unused `EDXAPP_BOOK_URL` setting
+
+- Role: nginx
+  - Added `EDXAPP_ENV_EXTRA`, with default value as it was in the server template.
+  - Added `SCORM_PKG_STORAGE_DIR`, with default value as it was in the server template.
+  - Added `NGINX_EDXAPP_LMS_APP_EXTRA`, with default value as it was in the server template.

playbooks/roles/nginx/defaults/main.yml

@@ -146,3 +146,29 @@ NGINX_CREATE_HTPASSWD_FILE: >
     XQUEUE_ENABLE_BASIC_AUTH|bool or
     XSERVER_ENABLE_BASIC_AUTH|bool
   }}
+# Extra settings to add to site configuration for Studio
+NGINX_EDXAPP_CMS_APP_EXTRA: ""
+# Extra settings to add to site configuration for LMS
+NGINX_EDXAPP_LMS_APP_EXTRA: ""
+
+# Extra settings to add to site configuration for Studio
+NGINX_EDXAPP_CMS_APP_EXTRA: ""
+# Extra settings to add to site configuration for LMS
+NGINX_EDXAPP_LMS_APP_EXTRA: ""
+NGINX_EDXAPP_LMS_APP_EXTRA: ""
+
+EDXAPP_ENV_EXTRA:
+  XBLOCK_SETTINGS:
+    ScormXBlock:
+      SCORM_PLAYER_LOCAL_STORAGE_ROOT: ""
+      SCORM_PLAYER_BACKENDS:
+        ssla:
+          name: ""
+          location: ""
+          configuration: {}
+      SCORM_PKG_STORAGE_DIR: ""
+  CORS_ORIGIN_WHITELIST: []
+
+# Scorm Xblock configurations
+SCORM_PKG_STORAGE_DIR: "scorms"
+SCORM_PLAYER_LOCAL_STORAGE_ROOT: "scormplayers"

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/extra_locations_lms.j2

+{% if EDXAPP_ENV_EXTRA.XBLOCK_SETTINGS.ScormXBlock %}
+    location ~ ^/{{ EDXAPP_MEDIA_URL }}/{{ EDXAPP_ENV_EXTRA.XBLOCK_SETTINGS.ScormXBlock.SCORM_PKG_STORAGE_DIR }}/(?P<file>.*) {
+        add_header 'Access-Control-Allow-Origin' $cors_origin;
+        add_header 'Access-Control-Allow-Credentials' 'true';
+        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
 
-# The Origin request header indicates where a fetch originates from. It doesn't include any path information,
-# but only the server name (e.g. https://www.example.com).
-# See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin for details.
-#
-# Here we set the value that is included in the Access-Control-Allow-Origin response header. If the origin is one
-# of our known hosts--served via HTTP or HTTPS--we allow for CORS. Otherwise, we set the "null" value, disallowing CORS.
-map $http_origin $cors_origin {
-default "null";
-{% for host in CORS_ORIGIN_WHITELIST %}
-  "~*^https?:\/\/{{ host|replace('.', '\.') }}$" $http_origin;
-{% endfor %}
-}
-
-location ~ ^/{{ EDXAPP_MEDIA_URL }}/{{ XBLOCK_SETTINGS.ScormXBlock.SCORM_PKG_STORAGE_DIR }}/(?P<file>.*) {
-    add_header 'Access-Control-Allow-Origin' $cors_origin;
-    add_header 'Access-Control-Allow-Credentials' 'true';
-    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
-
-    root {{ edxapp_media_dir }}/{{ XBLOCK_SETTINGS.ScormXBlock.SCORM_PKG_STORAGE_DIR }};
-    try_files /$file =404;
-    expires 31536000s;
-}
\ No newline at end of file
+        root {{ edxapp_media_dir }}/{{ EDXAPP_ENV_EXTRA.XBLOCK_SETTINGS.ScormXBlock.SCORM_PKG_STORAGE_DIR or SCORM_PKG_STORAGE_DIR}};
+        try_files /$file =404;
+        expires 31536000s;
+    }
+{% endif %}

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2

@@ -43,6 +43,23 @@ geo $http_x_forwarded_for $embargo {
 }
 {%- endif %}
 
+
+{% if EDXAPP_ENV_EXTRA.XBLOCK_SETTINGS.ScormXBlock %}
+  # The Origin request header indicates where a fetch originates from. It doesn't include any path information,
+  # but only the server name (e.g. https://www.example.com).
+  # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin for details.
+  #
+  # Here we set the value that is included in the Access-Control-Allow-Origin response header. If the origin is one
+  # of our known hosts--served via HTTP or HTTPS--we allow for CORS. Otherwise, we set the "null" value, disallowing CORS.
+  map $http_origin $cors_origin {
+  default "null";
+  {% for host in EDXAPP_ENV_EXTRA.CORS_ORIGIN_WHITELIST %}
+    "~*^https?:\/\/{{ host|replace('.', '\.') }}$" $http_origin;
+  {% endfor %}
+  }
+{% endif %}
+
+
 server {
   # LMS configuration file for nginx, templated by ansible
 

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/static-files-extra.j2

+{% if EDXAPP_ENV_EXTRA.XBLOCK_SETTINGS.ScormXBlock %}
+  # w/in scorm/, override default return 403 for these file types
+  location ~ ^/static/scorm/(?:.*)(?:\.xml|\.json) {
+      try_files /{{ EDXAPP_ENV_EXTRA.XBLOCK_SETTINGS.ScormXBlock.SCORM_PLAYER_LOCAL_STORAGE_ROOT }}/$file =404;
+  }
 
-# The Origin request header indicates where a fetch originates from. It doesn't include any path information,
-# but only the server name (e.g. https://www.example.com).
-# See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin for details.
-#
-# Here we set the value that is included in the Access-Control-Allow-Origin response header. If the origin is one
-# of our known hosts--served via HTTP or HTTPS--we allow for CORS. Otherwise, we set the "null" value, disallowing CORS.
-map $http_origin $cors_origin {
-default "null";
-{% for host in CORS_ORIGIN_WHITELIST %}
-  "~*^https?:\/\/{{ host|replace('.', '\.') }}$" $http_origin;
-{% endfor %}
-}
-
-# w/in scorm/, override default return 403 for these file types
-location ~ ^/static/scorm/(?:.*)(?:\.xml|\.json) {
-    try_files /{{ XBLOCK_SETTINGS.ScormXBlock.SCORM_PLAYER_LOCAL_STORAGE_ROOT }}/$file =404;
-}
-
-location ~ "/scorm/(?P<file>.*)" {
-  add_header 'Access-Control-Allow-Origin' $cors_origin;
-  add_header 'Access-Control-Allow-Credentials' 'true';
-  add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
-  try_files /{{ XBLOCK_SETTINGS.ScormXBlock.SCORM_PLAYER_LOCAL_STORAGE_ROOT }}/$file =404;
-}
\ No newline at end of file
+  location ~ "/scorm/(?P<file>.*)" {
+    add_header 'Access-Control-Allow-Origin' $cors_origin;
+    add_header 'Access-Control-Allow-Credentials' 'true';
+    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+    try_files /{{ EDXAPP_ENV_EXTRA.XBLOCK_SETTINGS.ScormXBlock.SCORM_PLAYER_LOCAL_STORAGE_ROOT or SCORM_PLAYER_LOCAL_STORAGE_ROOT}}/$file =404;
+  }
+{% endif %}