openfun
diff --git a/‎.circleci/config.yml‎
Lines changed: 0 additions & 3 deletions b/‎.circleci/config.yml‎
Lines changed: 0 additions & 3 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 4 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 3 additions & 12 deletions b/‎README.md‎
Lines changed: 3 additions & 12 deletions
diff --git a/‎UPGRADE.md‎
Lines changed: 10 additions & 0 deletions b/‎UPGRADE.md‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎docs/env.md‎
Lines changed: 0 additions & 44 deletions b/‎docs/env.md‎
Lines changed: 0 additions & 44 deletions
diff --git a/‎src/backend/marsha/bbb/tests/bbb_utils/test_create.py‎
Lines changed: 5 additions & 9 deletions b/‎src/backend/marsha/bbb/tests/bbb_utils/test_create.py‎
Lines changed: 5 additions & 9 deletions
diff --git a/‎src/backend/marsha/core/serializers/base.py‎
Lines changed: 1 addition & 40 deletions b/‎src/backend/marsha/core/serializers/base.py‎
Lines changed: 1 addition & 40 deletions
diff --git a/‎src/backend/marsha/core/serializers/file.py‎
Lines changed: 1 addition & 1 deletion b/‎src/backend/marsha/core/serializers/file.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/backend/marsha/core/storage/s3.py‎
Lines changed: 0 additions & 6 deletions b/‎src/backend/marsha/core/storage/s3.py‎
Lines changed: 0 additions & 6 deletions
@@ -268,7 +268,6 @@ jobs:
           POSTGRES_PORT: 5432
           DJANGO_AWS_ACCESS_KEY_ID: aws-access-key-id
           DJANGO_AWS_SECRET_ACCESS_KEY: aws-secret-access-key
-          DJANGO_CLOUDFRONT_DOMAIN: abc.cloudfront.net
           DJANGO_SCW_EDGE_SERVICE_DOMAIN: abc.svc.edge.scw.cloud
           DJANGO_UPDATE_STATE_SHARED_SECRETS: dummy,secret
           DJANGO_AWS_MEDIALIVE_ROLE_ARN: aws:medialive:arn:role
@@ -351,7 +350,6 @@ jobs:
           POSTGRES_PORT: 5432
           DJANGO_AWS_ACCESS_KEY_ID: aws-access-key-id
           DJANGO_AWS_SECRET_ACCESS_KEY: aws-secret-access-key
-          DJANGO_CLOUDFRONT_DOMAIN: abc.cloudfront.net
           DJANGO_SCW_EDGE_SERVICE_DOMAIN: abc.svc.edge.scw.cloud
           DJANGO_UPDATE_STATE_SHARED_SECRETS: dummy,secret
           DJANGO_AWS_MEDIALIVE_ROLE_ARN: aws:medialive:arn:role
@@ -592,7 +590,6 @@ jobs:
           POSTGRES_PORT: 5432
           DJANGO_AWS_ACCESS_KEY_ID: aws-access-key-id
           DJANGO_AWS_SECRET_ACCESS_KEY: aws-secret-access-key
-          DJANGO_CLOUDFRONT_DOMAIN: abc.cloudfront.net
           DJANGO_SCW_EDGE_SERVICE_DOMAIN: abc.svc.edge.scw.cloud
           DJANGO_UPDATE_STATE_SHARED_SECRETS: dummy,secret
           DJANGO_AWS_MEDIALIVE_ROLE_ARN: aws:medialive:arn:role
 
@@ -8,6 +8,10 @@ Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+### Removed
+
+- Remove all legacy Cloudfront code and mentions
+
 ## [5.11.1] - 2025-07-17
 
 ### Fixed
 
@@ -38,25 +38,16 @@ Moreover, Marsha provides:
 
 ### The `Django` backend
 
-The `Django` backend is tasked with serving the LTI pages that are integrated into the LMS. It also manages all the objects with their relationships, user accounts and all authentication concerns. It exposes a JSON API to communicate with the part of the infrastructure that operates on `AWS lambdas` and the `React` frontend.
+The `Django` backend is tasked with serving the LTI pages that are integrated into the LMS. It also manages all the objects with their relationships, user accounts and all authentication concerns. It exposes a JSON API to communicate with the `React` frontend.
 
 It is defined using a [docker-compose file](../docker-compose.yml) for development, and can be deployed on any container environment (such as `Kubernetes`) for production.
 
 ### The storage & transcoding environment
 
-Source files (video, documents, subtitles,...) are directly uploaded to an `S3` bucket by instructors. Depending the uploaded resource a lambda will be triggered to do different jobs:
-- Launch `MediaConvert` to generate all necessary video files (various formats and fragments & manifests for adaptive-bitrate streaming) into a destination `S3` bucket. Those files are then served through the `CloudFront` CDN.
+Source files (video, documents, subtitles,...) are directly uploaded to an `S3` bucket by instructors. Depending the uploaded resource, Celery tasks will be triggered to do different jobs:
+- Transcode videos using Peertube runners to generate all necessary video files (various formats and fragments & manifests for adaptive-bitrate streaming) into a destination `S3` bucket. Those files are then served through the `Scaleway Edge service` CDN.
 - Convert any kind of subtitles (also captions and transcripts) in [WebVTT](https://www.w3.org/TR/webvtt1/) format and encode them properly.
 - Resize thumbnails in many formats.
-- Copy documents from a source to a destination `S3` Bucket accessible through the `CloudFront` CDN.
-
-Lambdas are used to manage and monitor the process and report back to the `Django` backend.
-
-This storage & transcoding environment requires `AWS` as it heavily relies on `AWS MediaConvert` to do the heavy lifting when it comes to transcoding. All the services it relies on are configured through `Terraform` and can be deployed effortlessly through a `make` command.
-
-⚠️ **Privacy concerns**
-
-Please note that the only objects we handle in `AWS` are the actual video, documents or subtitles files, from the upload to the distribution through transcoding and storage. It is not required to deploy any database or application backend to `AWS` or send any user's personal information there.
 
 ### The `React` frontend
 
 
@@ -7,6 +7,16 @@ not skip minor/major releases while upgrading (fix releases can be skipped).
 The format is inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+### 5.10.0 to 5.11.0
+
+Cloudfront signed URLs are not used anymore in the project, make sure to remove the following environment variables:
+- CLOUDFRONT_PRIVATE_KEY_PATH
+- CLOUDFRONT_SIGNED_URLS_ACTIVE
+- CLOUDFRONT_SIGNED_URLS_VALIDITY
+- CLOUDFRONT_SIGNED_URL_CACHE_DURATION
+- CLOUDFRONT_SIGNED_PUBLIC_KEY_ID
+- CLOUDFRONT_DOMAIN = values.Value(None)
+
 ### 5.7.x to 5.8.0
 
 Environment variables previously prefixed with `DJANGO_VIDEOS_STORAGE_` are now prefixed with `DJANGO_STORAGE_`. Make sure to update your configuration accordingly.
 
@@ -247,50 +247,6 @@ versions of the app can run in parallel without interfering with each other.
 - Required: No
 - Default: `staticfiles.json`
 
-#### DJANGO_CLOUDFRONT_SIGNED_PUBLIC_KEY_ID
-
-The public key id saved in AWS cloudfront public keys management. This public key is created by terraform and you can pick
-the id using `terraform output cloudfront_publick_key_id`
-
-- Type: string
-- Required:
-  - Yes when `DJANGO_CLOUDFRONT_SIGNED_URLS_ACTIVE` is `True`;
-  - No otherwise.
-- Default: None;
-
-#### DJANGO_CLOUDFRONT_PRIVATE_KEY_PATH
-
-Path to a private key corresponding to the public key ID in `DJANGO_CLOUDFRONT_SIGNED_PUBLIC_KEY_ID`. Also used to sign Cloudfront URLs.
-The private key can be retrieve from the terraform output `terraform output cloudfront_ssh_private_key`
-
-- Type: string
-- Required:
-  - Yes when `DJANGO_CLOUDFRONT_SIGNED_URLS_ACTIVE` is `True` and the key is not located in the default path;
-  - No otherwise.
-- Default: `src/backend/.ssh/cloudfront_private_key`
-
-#### DJANGO_CLOUDFRONT_SIGNED_URLS_ACTIVE
-
-Whether Cloudfront URLs for MP4 files and timed text tracks should be cryptographically signed.
-
-Note: Preview images are never signed as a matter of policy; adaptive streaming formats pose technical challenges when it comes to signed URLs, so we're not doing any signing there for now.
-
-- Type: Boolean
-- Required: No
-- Default: Varies depending on the environment:
-  - `False` in development and test;
-  - `True` in all other environments.
-- Choices: `True` or `False`
-
-#### DJANGO_CLOUDFRONT_DOMAIN
-
-The domain for the AWS Cloudfront distribution for the relevant AWS deployment. This is the domain
-that will be used to distribute processed files to end users.
-
-- Type: string
-- Required: Yes
-- Default: None
-
 #### DJANGO_SCW_EDGE_SERVICE_DOMAIN
 
 The domain for the Scaleway Edge Service.
 
@@ -609,9 +609,7 @@ def test_bbb_create_existing_classroom(self):
         self.assertEqual(classroom.started, False)
 
     @responses.activate
-    @override_settings(
-        MEDIA_URL="https://abc.cloudfront.net/",
-    )
+    @override_settings(MEDIA_URL="https://abc.svc.edge.scw.cloud/")
     def test_bbb_create_new_classroom_with_document(self):
         """Create a classroom with one document."""
         now = datetime(2018, 8, 8, tzinfo=timezone.utc)
@@ -706,7 +704,7 @@ def test_bbb_create_new_classroom_with_document(self):
             responses.calls[0].request.body,
             b'<modules><module name="presentation">'
             b"<document "
-            b'url="https://abc.cloudfront.net/classroom/9b3df0bd-240c-49fe-85e0-caa47420f3eb/'
+            b'url="https://abc.svc.edge.scw.cloud/classroom/9b3df0bd-240c-49fe-85e0-caa47420f3eb/'
             b'classroomdocument/c5c84f7b-7f1a-4689-8da8-28fae7c7e8d9/file.pdf" '
             b'filename="file.pdf" '
             b'current="true" '
@@ -737,9 +735,7 @@ def test_bbb_create_new_classroom_with_document(self):
         self.assertEqual(classroom.started, True)
         self.assertEqual(classroom.ended, False)
 
-    @override_settings(
-        MEDIA_URL="https://abc.cloudfront.net/",
-    )
+    @override_settings(MEDIA_URL="https://abc.svc.edge.scw.cloud/")
     @responses.activate
     def test_bbb_create_new_classroom_with_documents(self):
         """Create a classroom with multiple documents."""
@@ -843,13 +839,13 @@ def test_bbb_create_new_classroom_with_documents(self):
             responses.calls[0].request.body,
             b'<modules><module name="presentation">'
             b"<document "
-            b'url="https://abc.cloudfront.net/classroom/9b3df0bd-240c-49fe-85e0-caa47420f3eb/'
+            b'url="https://abc.svc.edge.scw.cloud/classroom/9b3df0bd-240c-49fe-85e0-caa47420f3eb/'
             b'classroomdocument/a753faf5-5d6a-4091-856b-71d2c600e1cd/file2.pdf" '
             b'filename="file2.pdf" '
             b'current="false" '
             b"/>"
             b"<document "
-            b'url="https://abc.cloudfront.net/classroom/9b3df0bd-240c-49fe-85e0-caa47420f3eb/'
+            b'url="https://abc.svc.edge.scw.cloud/classroom/9b3df0bd-240c-49fe-85e0-caa47420f3eb/'
             b'classroomdocument/c5c84f7b-7f1a-4689-8da8-28fae7c7e8d9/file.pdf" '
             b'filename="file.pdf" '
             b'current="true" '
 
@@ -1,12 +1,8 @@
 """This module holds serializers and constants used across the Marsha project."""
 
-from datetime import timedelta
 import re
 
-from django.conf import settings
-from django.core.cache import cache
 from django.core.exceptions import ValidationError
-from django.utils import timezone
 from django.utils.text import slugify
 
 from rest_framework import serializers
@@ -23,7 +19,7 @@
     STATE_CHOICES,
 )
 from marsha.core.models import TimedTextTrack
-from marsha.core.utils import cloudfront_utils, time_utils
+from marsha.core.utils import time_utils
 from marsha.core.utils.api_utils import get_uploadable_models_s3_mapping
 
 
@@ -48,41 +44,6 @@
 KEY_REGEX = re.compile(KEY_PATTERN)
 
 
-def get_resource_cloudfront_url_params(resource_kind, resource_id):
-    """
-    Generate the policy and sign it to allow accessing to all sub resources
-    for a given resource id.
-    Parameters
-    ----------
-    resource_kind: str
-        Only used to define the cache key.
-    resource_id: str
-        The "parent" resource ID
-    """
-    resource = (
-        f"{settings.AWS_S3_URL_PROTOCOL}://{settings.CLOUDFRONT_DOMAIN}/{resource_id}/*"
-    )
-    cache_key = f"cloudfront_signed_url:{resource_kind}:{resource_id}:{resource}"
-    date_less_than = timezone.now() + timedelta(
-        seconds=settings.CLOUDFRONT_SIGNED_URLS_VALIDITY
-    )
-    if (params := cache.get(cache_key)) is None:
-        params = cloudfront_utils.generate_cloudfront_urls_signed_parameters(
-            resource,
-            date_less_than=date_less_than,
-        )
-        cache.set(cache_key, params, settings.CLOUDFRONT_SIGNED_URL_CACHE_DURATION)
-
-    return params
-
-
-def get_video_cloudfront_url_params(video_id):
-    """
-    Generate the policy and sign it to allow accessing to all resources for a given video id.
-    """
-    return get_resource_cloudfront_url_params("video", video_id)
-
-
 class ReadOnlyModelSerializer(serializers.ModelSerializer):
     """A base serializer whose fields are all readonly."""
 
 
@@ -100,7 +100,7 @@ def get_url(self, obj):
         Returns
         -------
         String or None
-            the url to fetch the document on CloudFront
+            the url to fetch the document on storage
             None if the document is still not uploaded to S3 with success
 
         """
 
@@ -11,7 +11,6 @@
     MARKDOWN_DOCUMENT_STORAGE_BASE_DIRECTORY,
     TMP_STORAGE_BASE_DIRECTORY,
 )
-from marsha.core.utils.cloudfront_utils import get_cloudfront_private_key
 from marsha.core.utils.s3_utils import create_presigned_post
 from marsha.core.utils.time_utils import to_timestamp
 
@@ -37,11 +36,6 @@ class S3FileStorage(S3Storage):
     custom_domain = settings.SCW_EDGE_SERVICE_DOMAIN
     url_protocol = "https:"
 
-    if settings.CLOUDFRONT_SIGNED_URLS_ACTIVE:
-        cloudfront_key_id = settings.CLOUDFRONT_SIGNED_PUBLIC_KEY_ID
-        cloudfront_key = get_cloudfront_private_key()
-        querystring_expire = settings.CLOUDFRONT_SIGNED_URLS_VALIDITY
-
     def url(self, name, parameters=None, expire=None, http_method=None):
         """
         Override the url method to remove signature part of the url if the resource