From e01970e9d23a241473671ea26126f8440db4dead Mon Sep 17 00:00:00 2001 From: Mariusz Felisiak Date: Thu, 12 Jan 2023 12:47:42 +0100 Subject: [PATCH] Refs #32800 -- Removed CSRF_COOKIE_MASKED transitional setting per deprecation timeline. --- django/conf/__init__.py | 13 +-------- django/conf/global_settings.py | 4 --- django/middleware/csrf.py | 8 +----- docs/ref/settings.txt | 14 --------- docs/releases/4.1.txt | 11 ++++--- docs/releases/5.0.txt | 2 ++ tests/csrf_tests/tests.py | 30 -------------------- tests/deprecation/test_csrf_cookie_masked.py | 30 -------------------- 8 files changed, 9 insertions(+), 103 deletions(-) delete mode 100644 tests/deprecation/test_csrf_cookie_masked.py diff --git a/django/conf/__init__.py b/django/conf/__init__.py index ea63a0dfb2..da461ecc02 100644 --- a/django/conf/__init__.py +++ b/django/conf/__init__.py @@ -16,19 +16,13 @@ from pathlib import Path import django from django.conf import global_settings from django.core.exceptions import ImproperlyConfigured -from django.utils.deprecation import RemovedInDjango50Warning, RemovedInDjango51Warning +from django.utils.deprecation import RemovedInDjango51Warning from django.utils.functional import LazyObject, empty ENVIRONMENT_VARIABLE = "DJANGO_SETTINGS_MODULE" DEFAULT_STORAGE_ALIAS = "default" STATICFILES_STORAGE_ALIAS = "staticfiles" -# RemovedInDjango50Warning -CSRF_COOKIE_MASKED_DEPRECATED_MSG = ( - "The CSRF_COOKIE_MASKED transitional setting is deprecated. Support for " - "it will be removed in Django 5.0." -) - DEFAULT_FILE_STORAGE_DEPRECATED_MSG = ( "The DEFAULT_FILE_STORAGE setting is deprecated. Use STORAGES instead." ) 
@@ -211,9 +205,6 @@ class Settings: setattr(self, setting, setting_value) self._explicit_settings.add(setting) - if self.is_overridden("CSRF_COOKIE_MASKED"): - warnings.warn(CSRF_COOKIE_MASKED_DEPRECATED_MSG, RemovedInDjango50Warning) - if hasattr(time, "tzset") and self.TIME_ZONE: # When we can, attempt to validate the timezone. If we can't find # this file, no check happens and it's harmless. @@ -272,8 +263,6 @@ class UserSettingsHolder: def __setattr__(self, name, value): self._deleted.discard(name) - if name == "CSRF_COOKIE_MASKED": - warnings.warn(CSRF_COOKIE_MASKED_DEPRECATED_MSG, RemovedInDjango50Warning) if name == "DEFAULT_FILE_STORAGE": self.STORAGES[DEFAULT_STORAGE_ALIAS] = { "BACKEND": self.DEFAULT_FILE_STORAGE diff --git a/django/conf/global_settings.py b/django/conf/global_settings.py index 6d4ea3db5c..4cca441560 100644 --- a/django/conf/global_settings.py +++ b/django/conf/global_settings.py @@ -568,10 +568,6 @@ CSRF_HEADER_NAME = "HTTP_X_CSRFTOKEN" CSRF_TRUSTED_ORIGINS = [] CSRF_USE_SESSIONS = False -# Whether to mask CSRF cookie value. It's a transitional setting helpful in -# migrating multiple instance of the same project to Django 4.1+. -CSRF_COOKIE_MASKED = False - ############ # MESSAGES # ############ diff --git a/django/middleware/csrf.py b/django/middleware/csrf.py index d4b8eb9448..2c0d2cc120 100644 --- a/django/middleware/csrf.py +++ b/django/middleware/csrf.py @@ -85,13 +85,7 @@ def _add_new_csrf_cookie(request): csrf_secret = _get_new_csrf_string() request.META.update( { - # RemovedInDjango50Warning: when the deprecation ends, replace - # with: 'CSRF_COOKIE': csrf_secret - "CSRF_COOKIE": ( - _mask_cipher_secret(csrf_secret) - if settings.CSRF_COOKIE_MASKED - else csrf_secret - ), + "CSRF_COOKIE": csrf_secret, "CSRF_COOKIE_NEEDS_UPDATE": True, } ) diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index 109cc887f7..98726e6a22 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt 
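Review bot: In the `_add_new_csrf_cookie` hunk of django/middleware/csrf.py, `"CSRF_COOKIE": csrf_secret,` now stands with no comment, so a reader cannot tell that storing the raw secret is deliberate rather than a forgotten masking step. I would add one line above it, for example `# The cookie holds the unmasked secret; only the token rendered in the DOM is masked.`, which matches the wording of the 4.1 release note. Because the same commit removes both deprecation warnings in django/conf/__init__.py, a settings module that still sets `CSRF_COOKIE_MASKED = True` appears to be accepted silently and will get the unmasked cookie. The 5.0 release-note entry could say that the value is ignored, for deployments that still run older instances side by side. The function body starts and ends outside the hunk, so this is based only on the visible dict literal.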
@@ -343,20 +343,6 @@ form input ` instead of :ref:`from the cookie See :setting:`SESSION_COOKIE_HTTPONLY` for details on ``HttpOnly``. -.. setting:: CSRF_COOKIE_MASKED - -``CSRF_COOKIE_MASKED`` ----------------------- - -Default: ``False`` - -Whether to mask the CSRF cookie. See -:ref:`release notes ` for usage details. - -.. deprecated:: 4.1 - - This transitional setting is deprecated and will be removed in Django 5.0. - .. setting:: CSRF_COOKIE_NAME ``CSRF_COOKIE_NAME`` diff --git a/docs/releases/4.1.txt b/docs/releases/4.1.txt index 1a59d4ab93..0391548e63 100644 --- a/docs/releases/4.1.txt +++ b/docs/releases/4.1.txt @@ -98,16 +98,15 @@ See :ref:`the Forms section (below)` for full details. ``CSRF_COOKIE_MASKED`` setting ------------------------------ -The new :setting:`CSRF_COOKIE_MASKED` transitional setting allows specifying -whether to mask the CSRF cookie. +The new ``CSRF_COOKIE_MASKED`` transitional setting allows specifying whether +to mask the CSRF cookie. :class:`~django.middleware.csrf.CsrfViewMiddleware` no longer masks the CSRF cookie like it does the CSRF token in the DOM. If you are upgrading multiple instances of the same project to Django 4.1, you should set -:setting:`CSRF_COOKIE_MASKED` to ``True`` during the transition, in -order to allow compatibility with the older versions of Django. Once the -transition to 4.1 is complete you can stop overriding -:setting:`CSRF_COOKIE_MASKED`. +``CSRF_COOKIE_MASKED`` to ``True`` during the transition, in order to allow +compatibility with the older versions of Django. Once the transition to 4.1 is +complete you can stop overriding ``CSRF_COOKIE_MASKED``. This setting is deprecated as of this release and will be removed in Django 5.0. diff --git a/docs/releases/5.0.txt b/docs/releases/5.0.txt index f5b4f532a9..0a5ab35501 100644 --- a/docs/releases/5.0.txt +++ b/docs/releases/5.0.txt 
@@ -306,3 +306,5 @@ See :ref:`deprecated-features-4.1` for details on these changes, including how to remove usage of these features. * The ``SitemapIndexItem.__str__()`` method is removed. + +* The ``CSRF_COOKIE_MASKED`` transitional setting is removed. diff --git a/tests/csrf_tests/tests.py b/tests/csrf_tests/tests.py index 6db67c9190..3abd70ee0d 100644 --- a/tests/csrf_tests/tests.py +++ b/tests/csrf_tests/tests.py @@ -23,8 +23,6 @@ from django.middleware.csrf import ( rotate_token, ) from django.test import SimpleTestCase, override_settings -from django.test.utils import ignore_warnings -from django.utils.deprecation import RemovedInDjango50Warning from django.views.decorators.csrf import csrf_exempt, requires_csrf_token from .views import ( 
@@ -1494,31 +1492,3 @@ class CsrfInErrorHandlingViewsTests(CsrfFunctionTestMixin, SimpleTestCase): token2 = response.content.decode("ascii") secret2 = _unmask_cipher_token(token2) self.assertMaskedSecretCorrect(token1, secret2) - - -@ignore_warnings(category=RemovedInDjango50Warning) -class CsrfCookieMaskedTests(CsrfFunctionTestMixin, SimpleTestCase): - @override_settings(CSRF_COOKIE_MASKED=True) - def test_get_token_csrf_cookie_not_set(self): - request = HttpRequest() - self.assertNotIn("CSRF_COOKIE", request.META) - self.assertNotIn("CSRF_COOKIE_NEEDS_UPDATE", request.META) - token = get_token(request) - cookie = request.META["CSRF_COOKIE"] - self.assertEqual(len(cookie), CSRF_TOKEN_LENGTH) - unmasked_cookie = _unmask_cipher_token(cookie) - self.assertMaskedSecretCorrect(token, unmasked_cookie) - self.assertIs(request.META["CSRF_COOKIE_NEEDS_UPDATE"], True) - - @override_settings(CSRF_COOKIE_MASKED=True) - def test_rotate_token(self): - request = HttpRequest() - request.META["CSRF_COOKIE"] = MASKED_TEST_SECRET1 - self.assertNotIn("CSRF_COOKIE_NEEDS_UPDATE", request.META) - rotate_token(request) - # The underlying secret was changed. - cookie = request.META["CSRF_COOKIE"] - self.assertEqual(len(cookie), CSRF_TOKEN_LENGTH) - unmasked_cookie = _unmask_cipher_token(cookie) - self.assertNotEqual(unmasked_cookie, TEST_SECRET) - self.assertIs(request.META["CSRF_COOKIE_NEEDS_UPDATE"], True) diff --git a/tests/deprecation/test_csrf_cookie_masked.py b/tests/deprecation/test_csrf_cookie_masked.py deleted file mode 100644 index d06feb9e47..0000000000 --- a/tests/deprecation/test_csrf_cookie_masked.py +++ /dev/null 
@@ -1,30 +0,0 @@ -import sys -from types import ModuleType - -from django.conf import CSRF_COOKIE_MASKED_DEPRECATED_MSG, Settings, settings -from django.test import SimpleTestCase -from django.utils.deprecation import RemovedInDjango50Warning - - -class CsrfCookieMaskedDeprecationTests(SimpleTestCase): - msg = CSRF_COOKIE_MASKED_DEPRECATED_MSG - - def test_override_settings_warning(self): - with self.assertRaisesMessage(RemovedInDjango50Warning, self.msg): - with self.settings(CSRF_COOKIE_MASKED=True): - pass - - def test_settings_init_warning(self): - settings_module = ModuleType("fake_settings_module") - settings_module.USE_TZ = False - settings_module.CSRF_COOKIE_MASKED = True - sys.modules["fake_settings_module"] = settings_module - try: - with self.assertRaisesMessage(RemovedInDjango50Warning, self.msg): - Settings("fake_settings_module") - finally: - del sys.modules["fake_settings_module"] - - def test_access(self): - # Warning is not raised on access. - self.assertEqual(settings.CSRF_COOKIE_MASKED, False)