Merge pull request #5410 from edx/mjames/MoreSecureByDefault

edX Solutions Team: Default LMS security settings changes (Matasano)

Merge pull request #5410 from edx/mjames/MoreSecureByDefault
edX Solutions Team: Default LMS security settings changes (Matasano)
a4ed1323 · Martyn James · df5dd1a4 · 1faa7328 · a4ed1323 · a4ed1323
Commit a4ed1323 authored Jan 14, 2015 by Martyn James
Hide whitespace changes
Inline Side-by-side

Showing with 28 additions and 8 deletions

lms/envs/common.py
+8 -8

lms/envs/devstack.py
+9 -0

lms/envs/test.py
+11 -0

No files found.
--- a/lms/envs/common.py
+++ b/lms/envs/common.py
@@ -227,7 +227,7 @@ FEATURES = {
    'ENABLE_S3_GRADE_DOWNLOADS': False,
    # whether to use password policy enforcement or not
-    'ENFORCE_PASSWORD_POLICY': False,
+    'ENFORCE_PASSWORD_POLICY': True,
    # Give course staff unrestricted access to grade downloads (if set to False,
    # only edX superusers can perform the downloads)
@@ -236,10 +236,10 @@ FEATURES = {
    'ENABLED_PAYMENT_REPORTS': ["refund_report", "itemized_purchase_report", "university_revenue_share", "certificate_status"],
    # Turn off account locking if failed login attempts exceeds a limit
-    'ENABLE_MAX_FAILED_LOGIN_ATTEMPTS': False,
+    'ENABLE_MAX_FAILED_LOGIN_ATTEMPTS': True,
    # Hide any Personally Identifiable Information from application logs
-    'SQUELCH_PII_IN_LOGS': False,
+    'SQUELCH_PII_IN_LOGS': True,
    # Toggles the embargo functionality, which enable embargoing for particular courses
    'EMBARGO': False,
@@ -263,10 +263,10 @@ FEATURES = {
    'ENABLE_MKTG_SITE': False,
    # Prevent concurrent logins per user
-    'PREVENT_CONCURRENT_LOGINS': False,
+    'PREVENT_CONCURRENT_LOGINS': True,
-    # Turn off Advanced Security by default
+    # Turn on Advanced Security by default
-    'ADVANCED_SECURITY': False,
+    'ADVANCED_SECURITY': True,
    # Show a "Download your certificate" on the Progress page if the lowest
    # nonzero grade cutoff is met
@@ -1664,9 +1664,9 @@ PROGRESS_SUCCESS_BUTTON_TEXT_OVERRIDE = None
 #### PASSWORD POLICY SETTINGS #####
-PASSWORD_MIN_LENGTH = None
+PASSWORD_MIN_LENGTH = 8
 PASSWORD_MAX_LENGTH = None
-PASSWORD_COMPLEXITY = {}
+PASSWORD_COMPLEXITY = { "UPPER":  1, "LOWER":  1, "DIGITS": 1 }
 PASSWORD_DICTIONARY_EDIT_DISTANCE_THRESHOLD = None
 PASSWORD_DICTIONARY = []

--- a/lms/envs/devstack.py
+++ b/lms/envs/devstack.py
@@ -95,6 +95,15 @@ CC_PROCESSOR = {
 FEATURES['ENABLE_MOBILE_REST_API'] = True
 FEATURES['ENABLE_VIDEO_ABSTRACTION_LAYER_API'] = True
+########################## SECURITY #######################
+FEATURES['ENFORCE_PASSWORD_POLICY'] = False
+FEATURES['ENABLE_MAX_FAILED_LOGIN_ATTEMPTS'] = False
+FEATURES['SQUELCH_PII_IN_LOGS'] = False
+FEATURES['PREVENT_CONCURRENT_LOGINS'] = False
+FEATURES['ADVANCED_SECURITY'] = False
+PASSWORD_MIN_LENGTH = None
+PASSWORD_COMPLEXITY = {}
 #####################################################################
 # See if the developer has any local overrides.
 try:

--- a/lms/envs/test.py
+++ b/lms/envs/test.py
@@ -213,6 +213,17 @@ filterwarnings('ignore', message='No request passed to the backend, unable to ra
 # or "error" to convert all into errors
 simplefilter('ignore')
+############################# SECURITY SETTINGS ################################
+# Default to advanced security in common.py, so tests can reset here to use
+# a simpler security model
+FEATURES['ENFORCE_PASSWORD_POLICY'] = False
+FEATURES['ENABLE_MAX_FAILED_LOGIN_ATTEMPTS'] = False
+FEATURES['SQUELCH_PII_IN_LOGS'] = False
+FEATURES['PREVENT_CONCURRENT_LOGINS'] = False
+FEATURES['ADVANCED_SECURITY'] = False
+PASSWORD_MIN_LENGTH = None
+PASSWORD_COMPLEXITY = {}
 ######### Third-party auth ##########
 FEATURES['ENABLE_THIRD_PARTY_AUTH'] = True