From 4c15e0061173a071ce6d895c74a68bab0771ac26 Mon Sep 17 00:00:00 2001
From: Tim McCormack
Date: Mon, 5 May 2025 19:16:37 -0400
Subject: [PATCH] docs: Improve docs for HIBP settings; remove duplicated cms copies (#34116)

- Clarify effects of enabling each policy.
- Document the thresholds and what policies they relate to.
- Express thresholds as floating point numbers to better hint at them not being intended as integer values.
- Change toggle use case from temporary to open_edx for login policies (as we're expecting to keep those toggles long term, as an optional feature).
- Remove links to private Jira tickets. (openedx Jira is now gone, and these tickets are only present in 2U's private Atlassian instance.)
- Import LMS HIBP settings into CMS (rather than duplicating them) but mark as unused.
---
 cms/envs/common.py | 54 +++++++++---------------------------------
 lms/envs/common.py | 59 +++++++++++++++++++++++++++++++---------------
 2 files changed, 51 insertions(+), 62 deletions(-)

diff --git a/cms/envs/common.py b/cms/envs/common.py
index 787db40bd3..adb00df4be 100644
--- a/cms/envs/common.py
+++ b/cms/envs/common.py
@@ -123,6 +123,17 @@ from lms.envs.common import (
 AUTH_PASSWORD_VALIDATORS
 )
 from lms.envs.common import (
+ # FIXME: The HIBP settings are only used in the LMS, but CMS unit tests fail
+ # without them. Perhaps moving some code would allow us to remove these from
+ # this file.
+ ENABLE_AUTHN_LOGIN_BLOCK_HIBP_POLICY,
+ ENABLE_AUTHN_LOGIN_NUDGE_HIBP_POLICY,
+ ENABLE_AUTHN_REGISTER_HIBP_POLICY,
+ ENABLE_AUTHN_RESET_PASSWORD_HIBP_POLICY,
+ HIBP_LOGIN_BLOCK_PASSWORD_FREQUENCY_THRESHOLD,
+ HIBP_LOGIN_NUDGE_PASSWORD_FREQUENCY_THRESHOLD,
+ HIBP_REGISTRATION_PASSWORD_FREQUENCY_THRESHOLD,
+
 USE_EXTRACTED_WORD_CLOUD_BLOCK,
 USE_EXTRACTED_ANNOTATABLE_BLOCK,
 USE_EXTRACTED_POLL_QUESTION_BLOCK,
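Review bot: The FIXME on the new CMS import block says unit tests fail without these settings but not what reads them, so a future maintainer cannot tell when the import can safely be dropped. Naming the module or test that depends on them makes the note actionable, e.g. `# FIXME: The HIBP settings are only used in the LMS, but <module-or-test-that-reads-them> touches them, so CMS unit tests fail without them.` The import statement this hunk extends starts before the hunk.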
@@ -595,49 +606,6 @@ IDA_LOGOUT_URI_LIST = []
 COURSE_AUTHORING_MICROFRONTEND_URL = None
 DISCUSSIONS_MICROFRONTEND_URL = None
 DISCUSSIONS_MFE_FEEDBACK_URL = None
-# .. toggle_name: ENABLE_AUTHN_RESET_PASSWORD_HIBP_POLICY
-# .. toggle_implementation: DjangoSetting
-# .. toggle_default: False
-# .. toggle_description: When enabled, this toggle activates the use of the password validation
-# HIBP Policy.
-# .. toggle_use_cases: open_edx
-# .. toggle_creation_date: 2021-12-03
-# .. toggle_tickets: https://openedx.atlassian.net/browse/VAN-666
-ENABLE_AUTHN_RESET_PASSWORD_HIBP_POLICY = False
-# .. toggle_name: ENABLE_AUTHN_REGISTER_HIBP_POLICY
-# .. toggle_implementation: DjangoSetting
-# .. toggle_default: False
-# .. toggle_description: When enabled, this toggle activates the use of the password validation
-# HIBP Policy on Authn MFE's registration.
-# .. toggle_use_cases: open_edx
-# .. toggle_creation_date: 2022-03-25
-# .. toggle_tickets: https://openedx.atlassian.net/browse/VAN-669
-ENABLE_AUTHN_REGISTER_HIBP_POLICY = False
-HIBP_REGISTRATION_PASSWORD_FREQUENCY_THRESHOLD = 3
-
-# .. toggle_name: ENABLE_AUTHN_LOGIN_NUDGE_HIBP_POLICY
-# .. toggle_implementation: DjangoSetting
-# .. toggle_default: False
-# .. toggle_description: When enabled, this toggle activates the use of the password validation
-# on Authn MFE's login.
-# .. toggle_use_cases: temporary
-# .. toggle_creation_date: 2022-03-29
-# .. toggle_target_removal_date: None
-# .. toggle_tickets: https://openedx.atlassian.net/browse/VAN-668
-ENABLE_AUTHN_LOGIN_NUDGE_HIBP_POLICY = False
-HIBP_LOGIN_NUDGE_PASSWORD_FREQUENCY_THRESHOLD = 3
-
-# .. toggle_name: ENABLE_AUTHN_LOGIN_BLOCK_HIBP_POLICY
-# .. toggle_implementation: DjangoSetting
-# .. toggle_default: False
-# .. toggle_description: When enabled, this toggle activates the use of the password validation
-# on Authn MFE's login.
-# .. toggle_use_cases: temporary
-# .. toggle_creation_date: 2022-03-29
-# .. toggle_target_removal_date: None
-# .. toggle_tickets: https://openedx.atlassian.net/browse/VAN-667
-ENABLE_AUTHN_LOGIN_BLOCK_HIBP_POLICY = False
-HIBP_LOGIN_BLOCK_PASSWORD_FREQUENCY_THRESHOLD = 5
 # .. toggle_name: ENABLE_DYNAMIC_REGISTRATION_FIELDS
 # .. toggle_implementation: DjangoSetting
diff --git a/lms/envs/common.py b/lms/envs/common.py
index 763bd83b9d..0114bc249c 100644
--- a/lms/envs/common.py
+++ b/lms/envs/common.py
@@ -5060,49 +5060,70 @@ DISCUSSIONS_MFE_FEEDBACK_URL = None
 # .. setting_default: None
 # .. setting_description: Base URL of the exams dashboard micro-frontend for instructors.
 EXAMS_DASHBOARD_MICROFRONTEND_URL = None
+
 # .. toggle_name: ENABLE_AUTHN_RESET_PASSWORD_HIBP_POLICY
 # .. toggle_implementation: DjangoSetting
 # .. toggle_default: False
-# .. toggle_description: When enabled, this toggle activates the use of the password validation
-# HIBP Policy.
+# .. toggle_description: When enabled, this toggle prevents the use of known-vulnerable passwords in
+# the password reset flow.
+# See ENABLE_AUTHN_LOGIN_BLOCK_HIBP_POLICY for more details.
 # .. toggle_use_cases: open_edx
 # .. toggle_creation_date: 2021-12-03
-# .. toggle_tickets: https://openedx.atlassian.net/browse/VAN-666
 ENABLE_AUTHN_RESET_PASSWORD_HIBP_POLICY = False
+
 # .. toggle_name: ENABLE_AUTHN_REGISTER_HIBP_POLICY
 # .. toggle_implementation: DjangoSetting
 # .. toggle_default: False
-# .. toggle_description: When enabled, this toggle activates the use of the password validation
-# HIBP Policy on Authn MFE's registration.
+# .. toggle_description: When enabled, this toggle prevents the use of known-vulnerable passwords in
+# the registration flow if their frequency exceeds a threshold.
+# See ENABLE_AUTHN_LOGIN_BLOCK_HIBP_POLICY for more details.
 # .. toggle_use_cases: open_edx
 # .. toggle_creation_date: 2022-03-25
-# .. toggle_tickets: https://openedx.atlassian.net/browse/VAN-669
 ENABLE_AUTHN_REGISTER_HIBP_POLICY = False
-HIBP_REGISTRATION_PASSWORD_FREQUENCY_THRESHOLD = 3
+# .. setting_name: HIBP_REGISTRATION_PASSWORD_FREQUENCY_THRESHOLD
+# .. setting_default: 3.0
+# .. setting_description: Log10 threshold in effect for ENABLE_AUTHN_REGISTER_HIBP_POLICY.
+# See ENABLE_AUTHN_LOGIN_BLOCK_HIBP_POLICY for more details.
+HIBP_REGISTRATION_PASSWORD_FREQUENCY_THRESHOLD = 3.0
 # .. toggle_name: ENABLE_AUTHN_LOGIN_NUDGE_HIBP_POLICY
 # .. toggle_implementation: DjangoSetting
 # .. toggle_default: False
-# .. toggle_description: When enabled, this toggle activates the use of the password validation
-# on Authn MFE's login.
-# .. toggle_use_cases: temporary
+# .. toggle_description: When enabled, the login flow detects vulnerable passwords
+# and prompts users to change their password if their frequency exceeds a threshold.
+# See ENABLE_AUTHN_LOGIN_BLOCK_HIBP_POLICY for more details.
+# .. toggle_use_cases: open_edx
 # .. toggle_creation_date: 2022-03-29
-# .. toggle_target_removal_date: None
-# .. toggle_tickets: https://openedx.atlassian.net/browse/VAN-668
 ENABLE_AUTHN_LOGIN_NUDGE_HIBP_POLICY = False
-HIBP_LOGIN_NUDGE_PASSWORD_FREQUENCY_THRESHOLD = 3
+# .. setting_name: HIBP_LOGIN_NUDGE_PASSWORD_FREQUENCY_THRESHOLD
+# .. setting_default: 3.0
+# .. setting_description: Log10 threshold in effect for ENABLE_AUTHN_LOGIN_NUDGE_HIBP_POLICY.
+# See ENABLE_AUTHN_LOGIN_BLOCK_HIBP_POLICY for more details.
+HIBP_LOGIN_NUDGE_PASSWORD_FREQUENCY_THRESHOLD = 3.0
 # .. toggle_name: ENABLE_AUTHN_LOGIN_BLOCK_HIBP_POLICY
 # .. toggle_implementation: DjangoSetting
 # .. toggle_default: False
-# .. toggle_description: When enabled, this toggle activates the use of the password validation
-# on Authn MFE's login.
-# .. toggle_use_cases: temporary
+# .. toggle_description: When enabled, this toggle prevents the use of known-vulnerable passwords in
+# the login flow if their frequency exceeds a threshold. Passwords are assessed by calling the
+# Pwned Passwords service using a k-anonymity method that does not expose the password. The
+# service tells us whether the password has been seen in any data breaches, and if so, how
+# often. This count is converted to a "frequency" by taking the logarithm base 10. The login flow
+# can reject all vulnerable passwords, or only passwords with a frequency above a configured
+# threshold. In existing deployments, the threshold should be set high and tightened
+# gradually in order to avoid large spikes in password resets and support requests. For example,
+# setting ``HIBP_LOGIN_BLOCK_PASSWORD_FREQUENCY_THRESHOLD`` to 5 would reject logins when the
+# password has been seen 100,000 or more times in the Pwned Passwords dataset. The goal should be
+# to gradually reduce this to 0, meaning even a single occurrence will cause a rejection. (The
+# threshold can take any real-number value.)
+# .. toggle_use_cases: open_edx
 # .. toggle_creation_date: 2022-03-29
-# .. toggle_target_removal_date: None
-# .. toggle_tickets: https://openedx.atlassian.net/browse/VAN-667
 ENABLE_AUTHN_LOGIN_BLOCK_HIBP_POLICY = False
-HIBP_LOGIN_BLOCK_PASSWORD_FREQUENCY_THRESHOLD = 5
+# .. setting_name: HIBP_LOGIN_BLOCK_PASSWORD_FREQUENCY_THRESHOLD
+# .. setting_default: 5.0
+# .. setting_description: Log10 threshold in effect for ENABLE_AUTHN_LOGIN_BLOCK_HIBP_POLICY.
+# See ENABLE_AUTHN_LOGIN_BLOCK_HIBP_POLICY for more details.
+HIBP_LOGIN_BLOCK_PASSWORD_FREQUENCY_THRESHOLD = 5.0
 # .. toggle_name: ENABLE_DYNAMIC_REGISTRATION_FIELDS
 # .. toggle_implementation: DjangoSetting
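Review bot: The new ENABLE_AUTHN_LOGIN_BLOCK_HIBP_POLICY description is inconsistent about the comparison it documents: one sentence rejects only passwords with a frequency "above" the threshold, while the worked example says a threshold of 5 rejects passwords seen "100,000 or more times" and that a threshold of 0 rejects "even a single occurrence", which (log10(1) = 0) only holds for an inclusive comparison; the REGISTER and NUDGE descriptions likewise say the frequency "exceeds" a threshold. Since this decides whether a once-seen password is rejected at the recommended end state of 0, state the comparison the policy code actually uses once, e.g. `# can reject all vulnerable passwords, or only passwords with a frequency at or above a configured`, or adjust the example if the check is strict. The reset-flow description names no threshold setting; if that policy rejects any breached password regardless of count, saying so explicitly would stop readers assuming one of the other thresholds applies to it.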