Merge pull request #30122 from openedx/shafqat/VAN-669

feat: VAN-669 - Disallow bad passwords on Registration
2022-03-25 15:18:36 +05:00
parent 8633249853 df22dfbe0d
commit 935c01c9ee
4 changed files with 40 additions and 5 deletions
--- a/cms/envs/common.py
+++ b/cms/envs/common.py
@@ -531,6 +531,16 @@ LIBRARY_AUTHORING_MICROFRONTEND_URL = None
 # .. toggle_creation_date: 2021-12-03
 # .. toggle_tickets: https://openedx.atlassian.net/browse/VAN-666
 ENABLE_AUTHN_RESET_PASSWORD_HIBP_POLICY = False
+# .. toggle_name: ENABLE_AUTHN_REGISTER_HIBP_POLICY
+# .. toggle_implementation: DjangoSetting
+# .. toggle_default: False
+# .. toggle_description: When enabled, this toggle activates the use of the password validation
+#   HIBP Policy on Authn MFE's registration.
+# .. toggle_use_cases: open_edx
+# .. toggle_creation_date: 2022-03-25
+# .. toggle_tickets: https://openedx.atlassian.net/browse/VAN-669
+ENABLE_AUTHN_REGISTER_HIBP_POLICY = False
+HIBP_REGISTRATION_PASSWORD_FREQUENCY_THRESHOLD = 3

 ############################# SOCIAL MEDIA SHARING #############################
 SOCIAL_SHARING_SETTINGS = {
--- a/lms/envs/common.py
+++ b/lms/envs/common.py
@@ -4822,6 +4822,16 @@ DISCUSSIONS_MFE_FEEDBACK_URL = None
 # .. toggle_creation_date: 2021-12-03
 # .. toggle_tickets: https://openedx.atlassian.net/browse/VAN-666
 ENABLE_AUTHN_RESET_PASSWORD_HIBP_POLICY = False
+# .. toggle_name: ENABLE_AUTHN_REGISTER_HIBP_POLICY
+# .. toggle_implementation: DjangoSetting
+# .. toggle_default: False
+# .. toggle_description: When enabled, this toggle activates the use of the password validation
+#   HIBP Policy on Authn MFE's registration.
+# .. toggle_use_cases: open_edx
+# .. toggle_creation_date: 2022-03-25
+# .. toggle_tickets: https://openedx.atlassian.net/browse/VAN-669
+ENABLE_AUTHN_REGISTER_HIBP_POLICY = False
+HIBP_REGISTRATION_PASSWORD_FREQUENCY_THRESHOLD = 3

 ############### Settings for the ace_common plugin #################
 ACE_ENABLED_CHANNELS = ['django_email']
--- a/openedx/core/djangoapps/user_api/accounts/api.py
+++ b/openedx/core/djangoapps/user_api/accounts/api.py
@@ -641,12 +641,17 @@ def _validate_password(password, username=None, email=None, reset_password_page=
    except ValidationError as validation_err:
        raise errors.AccountPasswordInvalid(' '.join(validation_err.messages))

-    # TODO: VAN-666 - Restrict this feature to reset password page for now until it is
-    #  enabled on account sign in and register.
-    if settings.ENABLE_AUTHN_RESET_PASSWORD_HIBP_POLICY and reset_password_page:
+    if (
+        (settings.ENABLE_AUTHN_RESET_PASSWORD_HIBP_POLICY and reset_password_page) or
+        (settings.ENABLE_AUTHN_REGISTER_HIBP_POLICY and not reset_password_page)
+    ):
        pwned_response = check_pwned_password(password)
        if pwned_response.get('vulnerability', 'no') == 'yes':
-            raise errors.AccountPasswordInvalid(accounts.AUTHN_PASSWORD_COMPROMISED_MSG)
+            if (
+                reset_password_page or
+                pwned_response.get('frequency', 0) >= settings.HIBP_REGISTRATION_PASSWORD_FREQUENCY_THRESHOLD
+            ):
+                raise errors.AccountPasswordInvalid(accounts.AUTHN_PASSWORD_COMPROMISED_MSG)


 def _validate_country(country):
--- a/openedx/core/djangoapps/user_authn/views/registration_form.py
+++ b/openedx/core/djangoapps/user_authn/views/registration_form.py
@@ -21,7 +21,7 @@ from common.djangoapps.edxmako.shortcuts import marketing_link
 from openedx.core.djangoapps.site_configuration import helpers as configuration_helpers
 from openedx.core.djangoapps.user_api import accounts
 from openedx.core.djangoapps.user_api.helpers import FormDescription
-from openedx.core.djangoapps.user_authn.utils import is_registration_api_v1 as is_api_v1
+from openedx.core.djangoapps.user_authn.utils import check_pwned_password, is_registration_api_v1 as is_api_v1
 from openedx.core.djangolib.markup import HTML, Text
 from openedx.features.enterprise_support.api import enterprise_customer_for_request
 from common.djangoapps.student.models import (
@@ -238,6 +238,16 @@ class AccountCreationForm(forms.Form):
            email = self.cleaned_data.get('email')
            temp_user = User(username=username, email=email) if username else None
            validate_password(password, temp_user)
+
+            if settings.ENABLE_AUTHN_REGISTER_HIBP_POLICY:
+                # Checks the Pwned Databases for password vulnerability.
+                pwned_response = check_pwned_password(password)
+
+                if (
+                    pwned_response.get('vulnerability', 'no') == 'yes' and
+                    pwned_response.get('frequency', 0) >= settings.HIBP_REGISTRATION_PASSWORD_FREQUENCY_THRESHOLD
+                ):
+                    raise ValidationError(accounts.AUTHN_PASSWORD_COMPROMISED_MSG)
        return password

    def clean_email(self):