From 39030c668310fcfdc163d2aa9afdeb894a675463 Mon Sep 17 00:00:00 2001
From: Will Daly
Date: Wed, 31 Jul 2013 16:40:54 -0400
Subject: [PATCH 1/4] Remove CSRF middleware/processor in aws and dev settings, not common.

This ensures that we load the MITX_FEATURES token BEFORE deciding to disable CSRF.

---
 cms/envs/aws.py | 8 ++++++++
 cms/envs/common.py | 10 ++--------
 cms/envs/dev.py | 9 +++++++++
 lms/envs/aws.py | 12 ++++++++----
 lms/envs/common.py | 10 ++--------
 lms/envs/dev.py | 9 +++++++++
 6 files changed, 38 insertions(+), 20 deletions(-)

diff --git a/cms/envs/aws.py b/cms/envs/aws.py
index 339425fee5..17815c14ea 100644
--- a/cms/envs/aws.py
+++ b/cms/envs/aws.py
@@ -126,6 +126,14 @@ LOGGING = get_logger_config(LOG_DIR,
 #theming start:
 PLATFORM_NAME = ENV_TOKENS.get('PLATFORM_NAME', 'edX')
 
+# Disable CSRF for load testing
+if MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):
+    exclude_csrf = lambda elem: not elem in \
+        ['django.core.context_processors.csrf',
+         'django.middleware.csrf.CsrfViewMiddleware']
+    TEMPLATE_CONTEXT_PROCESSORS = filter(exclude_csrf, TEMPLATE_CONTEXT_PROCESSORS)
+    MIDDLEWARE_CLASSES = filter(exclude_csrf, MIDDLEWARE_CLASSES)
+
 ################ SECURE AUTH ITEMS ###############################
 # Secret things: passwords, access keys, etc.
 
diff --git a/cms/envs/common.py b/cms/envs/common.py
index bdb3ec6fde..f5b74c326b 100644
--- a/cms/envs/common.py
+++ b/cms/envs/common.py
@@ -105,12 +105,9 @@ TEMPLATE_CONTEXT_PROCESSORS = (
     'django.core.context_processors.static',
     'django.contrib.messages.context_processors.messages',
     'django.contrib.auth.context_processors.auth', # this is required for admin
+    'django.core.context_processors.csrf'
 )
 
-# add csrf support unless disabled for load testing
-if not MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):
-    TEMPLATE_CONTEXT_PROCESSORS += ('django.core.context_processors.csrf',) # necessary for csrf protection
-
 LMS_BASE = None
 
 #################### CAPA External Code Evaluation #############################
@@ -141,6 +138,7 @@ MIDDLEWARE_CLASSES = (
     'request_cache.middleware.RequestCache',
     'django.middleware.cache.UpdateCacheMiddleware',
     'django.middleware.common.CommonMiddleware',
+    'django.middleware.csrf.CsrfViewMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
     'method_override.middleware.MethodOverrideMiddleware',
 
@@ -157,10 +155,6 @@ MIDDLEWARE_CLASSES = (
     'django.middleware.transaction.TransactionMiddleware'
 )
 
-# add in csrf middleware unless disabled for load testing
-if not MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):
-    MIDDLEWARE_CLASSES = MIDDLEWARE_CLASSES + ('django.middleware.csrf.CsrfViewMiddleware',)
-
 ############################ SIGNAL HANDLERS ################################
 # This is imported to register the exception signal handling that logs exceptions
 import monitoring.exceptions # noqa
diff --git a/cms/envs/dev.py b/cms/envs/dev.py
index 0b0a62f05d..acabe1a4b8 100644
--- a/cms/envs/dev.py
+++ b/cms/envs/dev.py
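Review bot: In the second hunk `'django.middleware.csrf.CsrfViewMiddleware'` is inserted between CommonMiddleware and SessionMiddleware, whereas the removed code appended it at the very end of MIDDLEWARE_CLASSES, so its position in the chain changes; Django's recommended middleware ordering lists SessionMiddleware before CsrfViewMiddleware, and the lms/envs/common.py hunk in this same commit places it after MakoMiddleware instead, so the two services now disagree. With cookie-based tokens the CSRF check runs in process_view, after every process_request, so the new slot is probably harmless, but a one-line comment on the new entry explaining why it sits here would save the next reader the same question. The context processor added in the first hunk also lacks the trailing comma its lms counterpart has: `'django.core.context_processors.csrf',`.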
@@ -182,6 +182,15 @@ SEGMENT_IO_KEY = os.environ.get('SEGMENT_IO_KEY')
 if SEGMENT_IO_KEY:
     MITX_FEATURES['SEGMENT_IO'] = True
 
+########################## LOAD TESTING ########################
+
+# Disable CSRF for load testing
+if MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):
+    exclude_csrf = lambda elem: not elem in \
+        ['django.core.context_processors.csrf',
+         'django.middleware.csrf.CsrfViewMiddleware']
+    TEMPLATE_CONTEXT_PROCESSORS = filter(exclude_csrf, TEMPLATE_CONTEXT_PROCESSORS)
+    MIDDLEWARE_CLASSES = filter(exclude_csrf, MIDDLEWARE_CLASSES)
 #####################################################################
 # Lastly, see if the developer has any local overrides.
 
diff --git a/lms/envs/aws.py b/lms/envs/aws.py
index e039219be8..cec2133ae9 100644
--- a/lms/envs/aws.py
+++ b/lms/envs/aws.py
@@ -10,7 +10,6 @@ Common traits:
 # We intentionally define lots of variables that aren't used, and
 # want to import all variables from base settings files
 # pylint: disable=W0401, W0614
-
 import json
 
 from .common import *
@@ -178,9 +177,14 @@ for name, value in ENV_TOKENS.get("CODE_JAIL", {}).items():
 
 COURSES_WITH_UNSAFE_CODE = ENV_TOKENS.get("COURSES_WITH_UNSAFE_CODE", [])
 
-# automatic log in for load testing
-MITX_FEATURES['AUTOMATIC_AUTH_FOR_LOAD_TESTING'] = ENV_TOKENS.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING')
-MITX_FEATURES['MAX_AUTO_AUTH_USERS'] = ENV_TOKENS.get('MAX_AUTO_AUTH_USERS')
+# Disable CSRF for load testing
+if MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):
+    exclude_csrf = lambda elem: not elem in \
+        ['django.core.context_processors.csrf',
+         'django.middleware.csrf.CsrfViewMiddleware']
+    TEMPLATE_CONTEXT_PROCESSORS = filter(exclude_csrf, TEMPLATE_CONTEXT_PROCESSORS)
+    MIDDLEWARE_CLASSES = filter(exclude_csrf, MIDDLEWARE_CLASSES)
+
 
 ############################## SECURE AUTH ITEMS ###############
 # Secret things: passwords, access keys, etc.
diff --git a/lms/envs/common.py b/lms/envs/common.py
index 95b2af422e..dea5d1bc7c 100644
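Review bot: The removed lines in the second lms/envs/aws.py hunk do more than the commit message says: `MITX_FEATURES['AUTOMATIC_AUTH_FOR_LOAD_TESTING'] = ENV_TOKENS.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING')` and `MITX_FEATURES['MAX_AUTO_AUTH_USERS'] = ENV_TOKENS.get('MAX_AUTO_AUTH_USERS')` are deleted rather than moved above the new check. The new `if MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):` therefore only fires if the flag reaches MITX_FEATURES by some other path (presumably a bulk MITX_FEATURES override from ENV_TOKENS earlier in this file, which is not visible in the hunk), and any consumer of MAX_AUTO_AUTH_USERS now sees it unset. If both keys are already covered by such an override, one sentence in the commit message makes the deletion obviously safe; otherwise the two assignments should stay, placed above the new block.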
--- a/lms/envs/common.py
+++ b/lms/envs/common.py
@@ -223,6 +223,7 @@ TEMPLATE_CONTEXT_PROCESSORS = (
     'django.contrib.messages.context_processors.messages',
     #'django.core.context_processors.i18n',
     'django.contrib.auth.context_processors.auth', # this is required for admin
+    'django.core.context_processors.csrf',
 
     # Added for django-wiki
     'django.core.context_processors.media',
@@ -235,10 +236,6 @@ TEMPLATE_CONTEXT_PROCESSORS = (
     'mitxmako.shortcuts.marketing_link_context_processor',
 )
 
-# add csrf support unless disabled for load testing
-if not MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):
-    TEMPLATE_CONTEXT_PROCESSORS += ('django.core.context_processors.csrf',) # necessary for csrf protection
-
 STUDENT_FILEUPLOAD_MAX_SIZE = 4 * 1000 * 1000 # 4 MB
 MAX_FILEUPLOADS_PER_INPUT = 20
 
@@ -483,6 +480,7 @@ MIDDLEWARE_CLASSES = (
     'django.contrib.messages.middleware.MessageMiddleware',
     'track.middleware.TrackMiddleware',
     'mitxmako.middleware.MakoMiddleware',
+    'django.middleware.csrf.CsrfViewMiddleware',
 
     'course_wiki.course_nav.Middleware',
 
@@ -493,10 +491,6 @@ MIDDLEWARE_CLASSES = (
     'codejail.django_integration.ConfigureCodeJailMiddleware',
 )
 
-# add in csrf middleware unless disabled for load testing
-if not MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):
-    MIDDLEWARE_CLASSES = MIDDLEWARE_CLASSES + ('django.middleware.csrf.CsrfViewMiddleware',)
-
 ############################### Pipeline #######################################
 STATICFILES_STORAGE = 'pipeline.storage.PipelineCachedStorage'
 
diff --git a/lms/envs/dev.py b/lms/envs/dev.py
index 8547db013f..090ca02a05 100644
--- a/lms/envs/dev.py
+++ b/lms/envs/dev.py
@@ -255,6 +255,15 @@ SEGMENT_IO_LMS_KEY = os.environ.get('SEGMENT_IO_LMS_KEY')
 if SEGMENT_IO_LMS_KEY:
     MITX_FEATURES['SEGMENT_IO_LMS'] = True
 
+########################## LOAD TESTING ########################
+
+# Disable CSRF for load testing
+if MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):
+    exclude_csrf = lambda elem: not elem in \
+        ['django.core.context_processors.csrf',
+         'django.middleware.csrf.CsrfViewMiddleware']
+    TEMPLATE_CONTEXT_PROCESSORS = filter(exclude_csrf, TEMPLATE_CONTEXT_PROCESSORS)
+    MIDDLEWARE_CLASSES = filter(exclude_csrf, MIDDLEWARE_CLASSES)
 ########################## USER API ########################
 EDX_API_KEY = None
 

From ab1461542dad2d15a94d2690b658f6b390f1b49a Mon Sep 17 00:00:00 2001
From: Will Daly
Date: Thu, 1 Aug 2013 09:23:39 -0400
Subject: [PATCH 2/4] Moved CSRF override into its own settings file

---
 cms/envs/aws.py | 8 --------
 cms/envs/dev.py | 9 ---------
 lms/envs/aws.py | 10 +---------
 lms/envs/dev.py | 9 ---------
 lms/envs/load_test.py | 11 +++++++++++
 5 files changed, 12 insertions(+), 35 deletions(-)
 create mode 100644 lms/envs/load_test.py

diff --git a/cms/envs/aws.py b/cms/envs/aws.py
index 17815c14ea..339425fee5 100644
--- a/cms/envs/aws.py
+++ b/cms/envs/aws.py
@@ -126,14 +126,6 @@ LOGGING = get_logger_config(LOG_DIR,
 #theming start:
 PLATFORM_NAME = ENV_TOKENS.get('PLATFORM_NAME', 'edX')
 
-# Disable CSRF for load testing
-if MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):
-    exclude_csrf = lambda elem: not elem in \
-        ['django.core.context_processors.csrf',
-         'django.middleware.csrf.CsrfViewMiddleware']
-    TEMPLATE_CONTEXT_PROCESSORS = filter(exclude_csrf, TEMPLATE_CONTEXT_PROCESSORS)
-    MIDDLEWARE_CLASSES = filter(exclude_csrf, MIDDLEWARE_CLASSES)
-
 ################ SECURE AUTH ITEMS ###############################
 # Secret things: passwords, access keys, etc.
 
diff --git a/cms/envs/dev.py b/cms/envs/dev.py
index acabe1a4b8..0b0a62f05d 100644
--- a/cms/envs/dev.py
+++ b/cms/envs/dev.py
@@ -182,15 +182,6 @@ SEGMENT_IO_KEY = os.environ.get('SEGMENT_IO_KEY')
 if SEGMENT_IO_KEY:
     MITX_FEATURES['SEGMENT_IO'] = True
 
-########################## LOAD TESTING ########################
-
-# Disable CSRF for load testing
-if MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):
-    exclude_csrf = lambda elem: not elem in \
-        ['django.core.context_processors.csrf',
-         'django.middleware.csrf.CsrfViewMiddleware']
-    TEMPLATE_CONTEXT_PROCESSORS = filter(exclude_csrf, TEMPLATE_CONTEXT_PROCESSORS)
-    MIDDLEWARE_CLASSES = filter(exclude_csrf, MIDDLEWARE_CLASSES)
 #####################################################################
 # Lastly, see if the developer has any local overrides.
 
diff --git a/lms/envs/aws.py b/lms/envs/aws.py
index cec2133ae9..8d2ffba96e 100644
--- a/lms/envs/aws.py
+++ b/lms/envs/aws.py
@@ -10,6 +10,7 @@ Common traits:
 # We intentionally define lots of variables that aren't used, and
 # want to import all variables from base settings files
 # pylint: disable=W0401, W0614
+
 import json
 
 from .common import *
@@ -177,15 +178,6 @@ for name, value in ENV_TOKENS.get("CODE_JAIL", {}).items():
 
 COURSES_WITH_UNSAFE_CODE = ENV_TOKENS.get("COURSES_WITH_UNSAFE_CODE", [])
 
-# Disable CSRF for load testing
-if MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):
-    exclude_csrf = lambda elem: not elem in \
-        ['django.core.context_processors.csrf',
-         'django.middleware.csrf.CsrfViewMiddleware']
-    TEMPLATE_CONTEXT_PROCESSORS = filter(exclude_csrf, TEMPLATE_CONTEXT_PROCESSORS)
-    MIDDLEWARE_CLASSES = filter(exclude_csrf, MIDDLEWARE_CLASSES)
-
-
 ############################## SECURE AUTH ITEMS ###############
 # Secret things: passwords, access keys, etc.
 
diff --git a/lms/envs/dev.py b/lms/envs/dev.py
index 090ca02a05..8547db013f 100644
--- a/lms/envs/dev.py
+++ b/lms/envs/dev.py
@@ -255,15 +255,6 @@ SEGMENT_IO_LMS_KEY = os.environ.get('SEGMENT_IO_LMS_KEY')
 if SEGMENT_IO_LMS_KEY:
     MITX_FEATURES['SEGMENT_IO_LMS'] = True
 
-########################## LOAD TESTING ########################
-
-# Disable CSRF for load testing
-if MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):
-    exclude_csrf = lambda elem: not elem in \
-        ['django.core.context_processors.csrf',
-         'django.middleware.csrf.CsrfViewMiddleware']
-    TEMPLATE_CONTEXT_PROCESSORS = filter(exclude_csrf, TEMPLATE_CONTEXT_PROCESSORS)
-    MIDDLEWARE_CLASSES = filter(exclude_csrf, MIDDLEWARE_CLASSES)
 ########################## USER API ########################
 EDX_API_KEY = None
 
diff --git a/lms/envs/load_test.py b/lms/envs/load_test.py
new file mode 100644
index 0000000000..cd9a8d6257
--- /dev/null
+++ b/lms/envs/load_test.py
@@ -0,0 +1,11 @@
+# Settings for load testing
+
+from .aws import *
+
+# Disable CSRF for load testing
+if MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):
+    exclude_csrf = lambda elem: not elem in \
+        ['django.core.context_processors.csrf',
+         'django.middleware.csrf.CsrfViewMiddleware']
+    TEMPLATE_CONTEXT_PROCESSORS = filter(exclude_csrf, TEMPLATE_CONTEXT_PROCESSORS)
+    MIDDLEWARE_CLASSES = filter(exclude_csrf, MIDDLEWARE_CLASSES)

From 9e5d64b8dfb0f775e851edcda7144f8eb7a8563c Mon Sep 17 00:00:00 2001
From: Will Daly
Date: Thu, 1 Aug 2013 09:29:58 -0400
Subject: [PATCH 3/4] Removed check for AUTOMATIC_AUTH_FOR_LOAD_TESTING because it's already implied that you're using load testing settings.

---
 lms/envs/load_test.py | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/lms/envs/load_test.py b/lms/envs/load_test.py
index cd9a8d6257..f7822d13b1 100644
--- a/lms/envs/load_test.py
+++ b/lms/envs/load_test.py
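Review bot: The new settings module exists only under lms/envs, while the same commit deletes the CSRF-disable block from cms/envs/aws.py and cms/envs/dev.py without adding a cms counterpart, so after this patch Studio has no load-testing settings module that strips CSRF at all. If that is deliberate it belongs in the commit message; if not, a `cms/envs/load_test.py` with the same body, importing from the cms `.aws`, is needed. The diffstat makes the asymmetry visible: four removals against one new lms-only file.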
@@ -3,9 +3,8 @@
 from .aws import *
 
 # Disable CSRF for load testing
-if MITX_FEATURES.get('AUTOMATIC_AUTH_FOR_LOAD_TESTING'):
-    exclude_csrf = lambda elem: not elem in \
-        ['django.core.context_processors.csrf',
-         'django.middleware.csrf.CsrfViewMiddleware']
-    TEMPLATE_CONTEXT_PROCESSORS = filter(exclude_csrf, TEMPLATE_CONTEXT_PROCESSORS)
-    MIDDLEWARE_CLASSES = filter(exclude_csrf, MIDDLEWARE_CLASSES)
+exclude_csrf = lambda elem: not elem in \
+    ['django.core.context_processors.csrf',
+     'django.middleware.csrf.CsrfViewMiddleware']
+TEMPLATE_CONTEXT_PROCESSORS = filter(exclude_csrf, TEMPLATE_CONTEXT_PROCESSORS)
+MIDDLEWARE_CLASSES = filter(exclude_csrf, MIDDLEWARE_CLASSES)

From b78f6f7a3d17ef91a6f0b0df4a3a94552d3b22df Mon Sep 17 00:00:00 2001
From: Will Daly
Date: Thu, 1 Aug 2013 09:42:31 -0400
Subject: [PATCH 4/4] Added pylint exceptions to load test settings.

---
 lms/envs/load_test.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/lms/envs/load_test.py b/lms/envs/load_test.py
index f7822d13b1..f4d3cae758 100644
--- a/lms/envs/load_test.py
+++ b/lms/envs/load_test.py
@@ -1,4 +1,10 @@
-# Settings for load testing
+"""
+Settings for load testing.
+"""
+
+# We intentionally define lots of variables that aren't used, and
+# want to import all variables from base settings files
+# pylint: disable=W0401, W0614
 
 from .aws import *
 
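Review bot: After this hunk the module removes `CsrfViewMiddleware` and the csrf context processor unconditionally, so selecting this settings module is now the only safeguard, and the docstring the next patch adds should say so rather than just `Settings for load testing.`, for example `Settings for load testing. Inherits everything from .aws and removes CSRF protection (middleware and context processor); never use as the DJANGO_SETTINGS_MODULE of a real deployment.`. On the rewritten lines, `not elem in [...]` reads better as `elem not in (...)`, and binding a lambda to a name only to hand it to `filter()` is indirect. `filter()` also yields a list here but a one-shot iterator on Python 3, so `TEMPLATE_CONTEXT_PROCESSORS = tuple(p for p in TEMPLATE_CONTEXT_PROCESSORS if p not in _csrf_components)` (and the same for MIDDLEWARE_CLASSES, with `_csrf_components` a tuple of the two dotted paths) keeps the tuple type the base settings define and needs no helper.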