From bd8d95b1a9c14a9f782563e5d219f2dc7b01bcce Mon Sep 17 00:00:00 2001
From: tuutti
Date: Thu, 15 Aug 2024 09:31:33 +0300
Subject: [PATCH 1/3] UHF-9514: TFA settings
---
 conf/cmi/core.extension.yml | 5 +++
 conf/cmi/encrypt.profile.real_aes.yml | 15 ++++++++
 conf/cmi/encrypt.settings.yml | 4 +++
 conf/cmi/key.key.tfa.yml | 19 ++++++++++
 conf/cmi/tfa.settings.yml | 48 +++++++++++++++++++++++++
 conf/cmi/user.role.admin.yml | 4 ++-
 conf/cmi/user.role.authenticated.yml | 3 ++
 conf/cmi/user.role.content_producer.yml | 3 ++
 conf/cmi/user.role.editor.yml | 3 ++
 conf/cmi/user.role.read_only.yml | 3 ++
 conf/cmi/user.role.survey_editor.yml | 3 ++
 11 files changed, 109 insertions(+), 1 deletion(-)
 create mode 100644 conf/cmi/encrypt.profile.real_aes.yml
 create mode 100644 conf/cmi/encrypt.settings.yml
 create mode 100644 conf/cmi/key.key.tfa.yml
 create mode 100644 conf/cmi/tfa.settings.yml
diff --git a/conf/cmi/core.extension.yml b/conf/cmi/core.extension.yml
index cb3390f47..7268f01f7 100644
--- a/conf/cmi/core.extension.yml
+++ b/conf/cmi/core.extension.yml
@@ -26,6 +26,7 @@ module:
 editor: 0
 editoria11y: 0
 elasticsearch_connector: 0
+ encrypt: 0
 entity: 0
 entity_reference_revisions: 0
 entity_usage: 0
@@ -84,6 +85,7 @@ module:
 helfi_platform_config_base: 0
 helfi_proxy: 0
 helfi_react_search: 0
+ helfi_tfa: 0
 helfi_toc: 0
 helfi_tpr: 0
 helfi_tpr_config: 0
@@ -97,6 +99,7 @@ module:
 inline_form_errors: 0
 jquery_ui: 0
 jquery_ui_draggable: 0
+ key: 0
 language: 0
 link: 0
 linkit: 0
@@ -134,6 +137,7 @@ module:
 raven: 0
 rdf: 0
 readonly_field_widget: 0
+ real_aes: 0
 redirect: 0
 redis: 0
 responsive_image: 0
@@ -153,6 +157,7 @@ module:
 taxonomy: 0
 telephone: 0
 text: 0
+ tfa: 0
 token: 0
 toolbar: 0
 translatable_menu_link_uri: 0
diff --git a/conf/cmi/encrypt.profile.real_aes.yml b/conf/cmi/encrypt.profile.real_aes.yml
new file mode 100644
index 000000000..94b4ba516
--- /dev/null
+++ b/conf/cmi/encrypt.profile.real_aes.yml
@@ -0,0 +1,15 @@
+uuid: 90d7b880-aa02-4cff-aeb9-69e03db7a21b
+langcode: en
+status: true
+dependencies:
+ config:
+ - key.key.tfa
+ module:
+ - real_aes
+_core:
+ default_config_hash: lDV_LbRGbNBnnVa6X72NK7xH7A1T9tasNNgP2hOhHKs
+id: real_aes
+label: 'Real AES'
+encryption_method: real_aes
+encryption_key: tfa
+encryption_method_configuration: { }
diff --git a/conf/cmi/encrypt.settings.yml b/conf/cmi/encrypt.settings.yml
new file mode 100644
index 000000000..dbd392669
--- /dev/null
+++ b/conf/cmi/encrypt.settings.yml
@@ -0,0 +1,4 @@
+_core:
+ default_config_hash: CMyccvAuba2yH-HYmcEL0pq1Seyxzq9VHhKbQKwAWY4
+check_profile_status: true
+allow_deprecated_plugins: false
diff --git a/conf/cmi/key.key.tfa.yml b/conf/cmi/key.key.tfa.yml
new file mode 100644
index 000000000..f241a8d15
--- /dev/null
+++ b/conf/cmi/key.key.tfa.yml
@@ -0,0 +1,19 @@
+uuid: 05f354f6-4d19-4cb0-9d95-0d16a1573e58
+langcode: en
+status: true
+dependencies: { }
+_core:
+ default_config_hash: ARfRhKTJUSFXqKkDFwUncBUg8-5v7z_we3DETbYMYB0
+id: tfa
+label: TFA
+description: ''
+key_type: encryption
+key_type_settings:
+ key_size: 256
+key_provider: config
+key_provider_settings:
+ key_value: thisvaluewillbeoverridden1234567
+ base64_encoded: true
+key_input: text_field
+key_input_settings:
+ base64_encoded: false
diff --git a/conf/cmi/tfa.settings.yml b/conf/cmi/tfa.settings.yml
new file mode 100644
index 000000000..3fc08b579
--- /dev/null
+++ b/conf/cmi/tfa.settings.yml
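Review bot: `key_provider: config` keeps the TFA encryption key inside exported configuration, so the key material lives in this repository and in the site's config storage; the placeholder `key_value: thisvaluewillbeoverridden1234567` suggests a per-environment override is intended, but nothing in the patch shows or documents it, and any environment where the override is missing would silently use this published value to encrypt the TFA seeds. Drupal config export drops YAML comments, so the intent should be recorded outside this file (README or next to the settings override itself) or, better, the key moved to the Key module's `env` or `file` provider so that no key material is exported at all. Also note `key_size: 256` with `base64_encoded: true`: the override value must base64-decode to exactly 32 bytes, which the 32-character placeholder does not (it decodes to 24 bytes), so confirm the real value is generated accordingly.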
@@ -0,0 +1,48 @@
+_core:
+ default_config_hash: JyIkFj38h-aTLsrCfejAfP277qBJ61tlaLEBH44IHhg
+langcode: en
+enabled: true
+required_roles:
+ content_producer: content_producer
+ editor: editor
+ admin: admin
+ super_administrator: super_administrator
+ survey_editor: survey_editor
+send_plugins: { }
+login_plugins: { }
+login_plugin_settings:
+ tfa_trusted_browser:
+ cookie_allow_subdomains: true
+ cookie_expiration: 30
+ cookie_name: tfa-trusted-browser
+allowed_validation_plugins:
+ tfa_totp: tfa_totp
+default_validation_plugin: tfa_totp
+validation_plugin_settings:
+ tfa_recovery_code:
+ recovery_codes_amount: 10
+ tfa_hotp:
+ counter_window: 10
+ site_name_prefix: 1
+ name_prefix: TFA
+ issuer: Drupal
+ tfa_totp:
+ time_skew: 2
+ site_name_prefix: 1
+ name_prefix: TFA
+ issuer: Hel.fi
+validation_skip: 3
+users_without_tfa_redirect: false
+reset_pass_skip_enabled: true
+encryption: real_aes
+tfa_flood_uid_only: 1
+tfa_flood_window: 300
+tfa_flood_threshold: 6
+help_text: 'Contact support to reset your access'
+mail:
+ tfa_enabled_configuration:
+ subject: 'Your [site:name] account now has two-factor authentication'
+ body: "[user:display-name],\r\n\r\nThanks for configuring two-factor authentication on your [site:name] account!\r\n\r\nThis additional level of security will help to ensure that only you are able to log in to your account.\r\n\r\nIf you ever lose the device you configured, you should act quickly to delete its association with this account.\r\n\r\n--\r\n[site:name] team"
+ tfa_disabled_configuration:
+ subject: 'Your [site:name] account no longer has two-factor authentication'
+ body: "[user:display-name],\r\n\r\nTwo-factor authentication has been disabled on your [site:name] account.\r\n\r\nIf you did not take this action, please contact a site administrator immediately.\r\n\r\n--\r\n[site:name] team"
diff --git a/conf/cmi/user.role.admin.yml b/conf/cmi/user.role.admin.yml
index 47385c658..0649d059e 100644
--- a/conf/cmi/user.role.admin.yml
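Review bot: `reset_pass_skip_enabled: true` lets a one-time password-reset login bypass the second factor, so for the roles listed under `required_roles` the factor is only as strong as access to the user's mailbox; if that is the intended recovery path it should be stated in the commit, otherwise set `reset_pass_skip_enabled: false` and rely on `tfa_recovery_code` plus the support path named in `help_text`. `validation_skip: 3` together with `users_without_tfa_redirect: false` means a user in a required role gets three logins without any second factor and is not sent to set one up — consider `users_without_tfa_redirect: true` and a lower skip count. The `tfa_trusted_browser` cookie settings under `login_plugin_settings` and the whole `tfa_hotp` block are inert while `login_plugins` is empty and `allowed_validation_plugins` lists only `tfa_totp`; they read as enabled on a skim, so either enable the plugin deliberately or accept them as exported defaults. `required_roles` also names `super_administrator`, which none of the role files in this patch touch — presumably it already carries `is_admin` and needs no explicit `setup own tfa` permission, but worth confirming.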
+++ b/conf/cmi/user.role.admin.yml
@@ -43,13 +43,13 @@ dependencies:
 - pathauto
 - publication_date
 - redirect
- - rest
 - role_delegation
 - scheduler
 - simple_sitemap
 - siteimprove
 - system
 - taxonomy
+ - tfa
 - toolbar
 - view_unpublished
 - views_bulk_edit
@@ -145,6 +145,7 @@ permissions:
 - 'delete project revisions'
 - 'delete remote entities'
 - 'delete terms in keywords'
+ - 'disable own tfa'
 - 'edit any announcement content'
 - 'edit any district content'
 - 'edit any file media'
@@ -185,6 +186,7 @@ permissions:
 - 'set announcement published on date'
 - 'set landing_page published on date'
 - 'set page published on date'
+ - 'setup own tfa'
 - 'translate announcement node'
 - 'translate any entity'
 - 'translate configuration'
diff --git a/conf/cmi/user.role.authenticated.yml b/conf/cmi/user.role.authenticated.yml
index 64f8dea72..f9fb5edc1 100644
--- a/conf/cmi/user.role.authenticated.yml
+++ b/conf/cmi/user.role.authenticated.yml
@@ -14,6 +14,7 @@ dependencies:
 - paragraphs
 - rest
 - system
+ - tfa
 - toolbar
 _core:
 default_config_hash: 83Nuup-6oYkkdAsvg3nrR2pBOgtTXEV1JrzpCCLkYLM
@@ -25,8 +26,10 @@ permissions:
 - 'access content'
 - 'access toolbar'
 - 'delete own files'
+ - 'disable own tfa'
 - 'display eu cookie compliance popup'
 - 'restful get helfi_global_mobile_menu'
+ - 'setup own tfa'
 - 'view helfi_announcements external entity'
 - 'view helfi_news external entity'
 - 'view helfi_news_groups external entity'
diff --git a/conf/cmi/user.role.content_producer.yml b/conf/cmi/user.role.content_producer.yml
index e2d0aeb3f..e1813b9aa 100644
--- a/conf/cmi/user.role.content_producer.yml
+++ b/conf/cmi/user.role.content_producer.yml
@@ -35,6 +35,7 @@ dependencies:
 - siteimprove
 - system
 - taxonomy
+ - tfa
 - toolbar
 - view_unpublished
 _core:
@@ -84,6 +85,7 @@ permissions:
 - 'delete own page content'
 - 'delete own project content'
 - 'delete own remote_video media'
+ - 'disable own tfa'
 - 'edit any announcement content'
 - 'edit any district content'
 - 'edit any file media'
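Review bot: `setup own tfa` and `disable own tfa` are granted to `authenticated` in this section, so the same two permissions added to admin, content_producer, editor, read_only and survey_editor are redundant — every Drupal role inherits the authenticated role's permissions — and the duplicates make later tightening misleading, since revoking `disable own tfa` from one role has no effect while authenticated still holds it. Granting `disable own tfa` site-wide also means a user in one of the `required_roles` can switch their own factor off, and with `validation_skip: 3` in tfa.settings.yml they then, if I read the module's skip counter right, still get three logins without a second factor. Consider keeping only `setup own tfa` on authenticated and reserving `disable own tfa` for an administrative role. Separately, the user.role.admin.yml hunk drops the `rest` dependency, which is unrelated to the subject and presumably a re-export side effect worth a mention in the commit message.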
@@ -116,6 +118,7 @@ permissions:
 - 'set announcement published on date'
 - 'set landing_page published on date'
 - 'set page published on date'
+ - 'setup own tfa'
 - 'translate editable entities'
 - 'translate file media'
 - 'translate image media'
diff --git a/conf/cmi/user.role.editor.yml b/conf/cmi/user.role.editor.yml
index 8d9789ddc..82929205d 100644
--- a/conf/cmi/user.role.editor.yml
+++ b/conf/cmi/user.role.editor.yml
@@ -38,6 +38,7 @@ dependencies:
 - siteimprove
 - system
 - taxonomy
+ - tfa
 - toolbar
 - view_unpublished
 id: editor
@@ -110,6 +111,7 @@ permissions:
 - 'delete project revisions'
 - 'delete remote entities'
 - 'delete terms in keywords'
+ - 'disable own tfa'
 - 'edit any announcement content'
 - 'edit any district content'
 - 'edit any file media'
@@ -145,6 +147,7 @@ permissions:
 - 'set announcement published on date'
 - 'set landing_page published on date'
 - 'set page published on date'
+ - 'setup own tfa'
 - 'translate announcement node'
 - 'translate any entity'
 - 'translate editable entities'
diff --git a/conf/cmi/user.role.read_only.yml b/conf/cmi/user.role.read_only.yml
index b3c0357f6..a9932b4ae 100644
--- a/conf/cmi/user.role.read_only.yml
+++ b/conf/cmi/user.role.read_only.yml
@@ -11,6 +11,7 @@ dependencies:
 - helfi_tpr
 - node
 - paragraphs
+ - tfa
 - toolbar
 - view_unpublished
 id: read_only
@@ -20,6 +21,8 @@ is_admin: null
 permissions:
 - 'access toolbar'
 - 'delete own files'
+ - 'disable own tfa'
+ - 'setup own tfa'
 - 'view any unpublished announcement content'
 - 'view any unpublished landing_page content'
 - 'view any unpublished page content'
diff --git a/conf/cmi/user.role.survey_editor.yml b/conf/cmi/user.role.survey_editor.yml
index 7ba1bc811..1a67bdb51 100644
--- a/conf/cmi/user.role.survey_editor.yml
+++ b/conf/cmi/user.role.survey_editor.yml
@@ -8,6 +8,7 @@ dependencies:
 - content_translation
 - node
 - publication_date
+ - tfa
 _core:
 default_config_hash: CliaTgzCQcvNF9ot3u_EbHnydymXh8bvNgNFlSffj9s
 id: survey_editor
@@ -19,9 +20,11 @@ permissions:
 - 'delete any survey content'
 - 'delete own survey content'
 - 'delete survey revisions'
+ - 'disable own tfa'
 - 'edit any survey content'
 - 'edit own survey content'
 - 'revert survey revisions'
 - 'set survey published on date'
+ - 'setup own tfa'
 - 'translate survey node'
 - 'view survey revisions'
From 16e027800e9453bb5f93d4373afc24cea5ddebaa Mon Sep 17 00:00:00 2001
From: teroelonen <2276077+teroelonen@users.noreply.github.com>
Date: Thu, 15 Aug 2024 09:08:20 +0000
Subject: [PATCH 2/3] Update configuration
---
 composer.lock | 12 ++++++------
 conf/cmi/encrypt.profile.real_aes.yml | 2 +-
 ...ties.external_entity_type.helfi_announcements.yml | 2 +-
 ...l_entities.external_entity_type.helfi_surveys.yml | 2 +-
 conf/cmi/language/fi/key.key.tfa.yml | 1 +
 conf/cmi/language/fi/tfa.settings.yml | 6 ++++++
 .../core.base_field_override.node.survey.promote.yml | 4 ++++
 .../core.base_field_override.node.survey.status.yml | 4 ++++
 .../cmi/language/ru/field.field.node.survey.body.yml | 1 +
 .../ru/field.field.node.survey.field_survey_link.yml | 1 +
 ...raph.service_list.field_service_list_services.yml | 1 +
 ...raph.service_list.field_service_list_services.yml | 1 +
 conf/cmi/language/sv/tfa.settings.yml | 8 ++++++++
 13 files changed, 36 insertions(+), 9 deletions(-)
 create mode 100644 conf/cmi/language/fi/key.key.tfa.yml
 create mode 100644 conf/cmi/language/fi/tfa.settings.yml
 create mode 100644 conf/cmi/language/ru/core.base_field_override.node.survey.promote.yml
 create mode 100644 conf/cmi/language/ru/core.base_field_override.node.survey.status.yml
 create mode 100644 conf/cmi/language/ru/field.field.node.survey.body.yml
 create mode 100644 conf/cmi/language/ru/field.field.node.survey.field_survey_link.yml
 create mode 100644 conf/cmi/language/ru/field.field.paragraph.service_list.field_service_list_services.yml
 create mode 100644 conf/cmi/language/sv/field.field.paragraph.service_list.field_service_list_services.yml
 create mode 100644 conf/cmi/language/sv/tfa.settings.yml
diff --git a/composer.lock b/composer.lock
index cda019259..d63a07637 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4117,16 +4117,16 @@ }, { "name": "drupal/hdbt", - "version": "6.6.3", + "version": "6.6.4", "source": { "type": "git", "url": "https://github.com/City-of-Helsinki/drupal-hdbt.git", - "reference": "260ed89837be3b1ae9a19248a0e21717b9597885" + "reference": "d8e011aa97b4449d3c7eaca723fff9d2111c6db4" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/City-of-Helsinki/drupal-hdbt/zipball/260ed89837be3b1ae9a19248a0e21717b9597885", - "reference": "260ed89837be3b1ae9a19248a0e21717b9597885", + "url": "https://api.github.com/repos/City-of-Helsinki/drupal-hdbt/zipball/d8e011aa97b4449d3c7eaca723fff9d2111c6db4", + "reference": "d8e011aa97b4449d3c7eaca723fff9d2111c6db4", "shasum": "" }, "require": { @@ -4144,10 +4144,10 @@ "Drupal" ], "support": { - "source": "https://github.com/City-of-Helsinki/drupal-hdbt/tree/6.6.3", + "source": "https://github.com/City-of-Helsinki/drupal-hdbt/tree/6.6.4", "issues": "https://github.com/City-of-Helsinki/drupal-hdbt/issues" }, - "time": "2024-08-14T08:40:02+00:00" + "time": "2024-08-15T08:46:48+00:00" }, { "name": "drupal/hdbt_admin", diff --git a/conf/cmi/encrypt.profile.real_aes.yml b/conf/cmi/encrypt.profile.real_aes.yml index 94b4ba516..c9887b015 100644 --- a/conf/cmi/encrypt.profile.real_aes.yml +++ b/conf/cmi/encrypt.profile.real_aes.yml @@ -11,5 +11,5 @@ _core: id: real_aes label: 'Real AES' encryption_method: real_aes -encryption_key: tfa encryption_method_configuration: { } +encryption_key: tfa diff --git a/conf/cmi/external_entities.external_entity_type.helfi_announcements.yml b/conf/cmi/external_entities.external_entity_type.helfi_announcements.yml index 8bd8bfb7c..c607771d0 100644 --- a/conf/cmi/external_entities.external_entity_type.helfi_announcements.yml +++ b/conf/cmi/external_entities.external_entity_type.helfi_announcements.yml 
@@ -8,8 +8,8 @@ id: helfi_announcements
 label: 'Helfi: Announcements'
 label_plural: 'Helfi: Announcements'
 description: ''
-generate_aliases: null
 read_only: true
+generate_aliases: null
 field_mapper_id: jsonpath
 field_mapper_config:
 field_mappings:
diff --git a/conf/cmi/external_entities.external_entity_type.helfi_surveys.yml b/conf/cmi/external_entities.external_entity_type.helfi_surveys.yml
index 2a9fc5698..8308d9f65 100644
--- a/conf/cmi/external_entities.external_entity_type.helfi_surveys.yml
+++ b/conf/cmi/external_entities.external_entity_type.helfi_surveys.yml
@@ -8,8 +8,8 @@ id: helfi_surveys
 label: 'Helfi: Survey'
 label_plural: 'Helfi: Surveys'
 description: ''
-generate_aliases: null
 read_only: true
+generate_aliases: null
 field_mapper_id: jsonpath
 field_mapper_config:
 field_mappings:
diff --git a/conf/cmi/language/fi/key.key.tfa.yml b/conf/cmi/language/fi/key.key.tfa.yml
new file mode 100644
index 000000000..8875cd6bd
--- /dev/null
+++ b/conf/cmi/language/fi/key.key.tfa.yml
@@ -0,0 +1 @@
+label: TFA
diff --git a/conf/cmi/language/fi/tfa.settings.yml b/conf/cmi/language/fi/tfa.settings.yml
new file mode 100644
index 000000000..01a1f48f9
--- /dev/null
+++ b/conf/cmi/language/fi/tfa.settings.yml
@@ -0,0 +1,6 @@
+help_text: 'Contact support to reset your access'
+mail:
+ tfa_enabled_configuration:
+ body: "[user:display-name],\r\n\r\nThanks for configuring two-factor authentication on your [site:name] account!\r\n\r\nThis additional level of security will help to ensure that only you are able to log in to your account.\r\n\r\nIf you ever lose the device you configured, you should act quickly to delete its association with this account.\r\n\r\n--\r\n[site:name] team"
+ tfa_disabled_configuration:
+ body: "[user:display-name],\r\n\r\nTwo-factor authentication has been disabled on your [site:name] account.\r\n\r\nIf you did not take this action, please contact a site administrator immediately.\r\n\r\n--\r\n[site:name] team"
diff --git a/conf/cmi/language/ru/core.base_field_override.node.survey.promote.yml b/conf/cmi/language/ru/core.base_field_override.node.survey.promote.yml
new file mode 100644
index 000000000..2ca6a6cc3
--- /dev/null
+++ b/conf/cmi/language/ru/core.base_field_override.node.survey.promote.yml
@@ -0,0 +1,4 @@
+label: 'Помещено на главную страницу'
+settings:
+ on_label: 'On'
+ off_label: 'Off'
diff --git a/conf/cmi/language/ru/core.base_field_override.node.survey.status.yml b/conf/cmi/language/ru/core.base_field_override.node.survey.status.yml
new file mode 100644
index 000000000..b726f3de0
--- /dev/null
+++ b/conf/cmi/language/ru/core.base_field_override.node.survey.status.yml
@@ -0,0 +1,4 @@
+label: Опубликовано
+settings:
+ on_label: 'On'
+ off_label: 'Off'
diff --git a/conf/cmi/language/ru/field.field.node.survey.body.yml b/conf/cmi/language/ru/field.field.node.survey.body.yml
new file mode 100644
index 000000000..7e34baf6d
--- /dev/null
+++ b/conf/cmi/language/ru/field.field.node.survey.body.yml
@@ -0,0 +1 @@
+label: Body
diff --git a/conf/cmi/language/ru/field.field.node.survey.field_survey_link.yml b/conf/cmi/language/ru/field.field.node.survey.field_survey_link.yml
new file mode 100644
index 000000000..aa4eeb3f7
--- /dev/null
+++ b/conf/cmi/language/ru/field.field.node.survey.field_survey_link.yml
@@ -0,0 +1 @@
+label: Link
diff --git a/conf/cmi/language/ru/field.field.paragraph.service_list.field_service_list_services.yml b/conf/cmi/language/ru/field.field.paragraph.service_list.field_service_list_services.yml
new file mode 100644
index 000000000..436c693ff
--- /dev/null
+++ b/conf/cmi/language/ru/field.field.paragraph.service_list.field_service_list_services.yml
@@ -0,0 +1 @@
+label: Services
diff --git a/conf/cmi/language/sv/field.field.paragraph.service_list.field_service_list_services.yml b/conf/cmi/language/sv/field.field.paragraph.service_list.field_service_list_services.yml
new file mode 100644
index 000000000..436c693ff
--- /dev/null
+++ b/conf/cmi/language/sv/field.field.paragraph.service_list.field_service_list_services.yml
@@ -0,0 +1 @@
+label: Services
diff --git a/conf/cmi/language/sv/tfa.settings.yml b/conf/cmi/language/sv/tfa.settings.yml
new file mode 100644
index 000000000..67899d557
--- /dev/null
+++ b/conf/cmi/language/sv/tfa.settings.yml
@@ -0,0 +1,8 @@
+help_text: 'Contact support to reset your access'
+mail:
+ tfa_enabled_configuration:
+ subject: 'Your [site:name] account now has two-factor authentication'
+ body: "[user:display-name],\r\n\r\nThanks for configuring two-factor authentication on your [site:name] account!\r\n\r\nThis additional level of security will help to ensure that only you are able to log in to your account.\r\n\r\nIf you ever lose the device you configured, you should act quickly to delete its association with this account.\r\n\r\n--\r\n[site:name] team"
+ tfa_disabled_configuration:
+ subject: 'Your [site:name] account no longer has two-factor authentication'
+ body: "[user:display-name],\r\n\r\nTwo-factor authentication has been disabled on your [site:name] account.\r\n\r\nIf you did not take this action, please contact a site administrator immediately.\r\n\r\n--\r\n[site:name] team"
From aa7adf05a1e03fe66b70c6a4f25651492f539b6d Mon Sep 17 00:00:00 2001
From: Tero Elonen
Date: Thu, 15 Aug 2024 12:27:08 +0300
Subject: [PATCH 3/3] Remove translation configuration of the tfa module that wasn't doing any translating
---
 conf/cmi/language/fi/tfa.settings.yml | 6 ------
 conf/cmi/language/sv/tfa.settings.yml | 8 --------
 2 files changed, 14 deletions(-)
 delete mode 100644 conf/cmi/language/fi/tfa.settings.yml
 delete mode 100644 conf/cmi/language/sv/tfa.settings.yml
diff --git a/conf/cmi/language/fi/tfa.settings.yml b/conf/cmi/language/fi/tfa.settings.yml
deleted file mode 100644
index 01a1f48f9..000000000
--- a/conf/cmi/language/fi/tfa.settings.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-help_text: 'Contact support to reset your access'
-mail:
- tfa_enabled_configuration:
- body: "[user:display-name],\r\n\r\nThanks for configuring two-factor authentication on your [site:name] account!\r\n\r\nThis additional level of security will help to ensure that only you are able to log in to your account.\r\n\r\nIf you ever lose the device you configured, you should act quickly to delete its association with this account.\r\n\r\n--\r\n[site:name] team"
- tfa_disabled_configuration:
- body: "[user:display-name],\r\n\r\nTwo-factor authentication has been disabled on your [site:name] account.\r\n\r\nIf you did not take this action, please contact a site administrator immediately.\r\n\r\n--\r\n[site:name] team"
diff --git a/conf/cmi/language/sv/tfa.settings.yml b/conf/cmi/language/sv/tfa.settings.yml
deleted file mode 100644
index 67899d557..000000000
--- a/conf/cmi/language/sv/tfa.settings.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-help_text: 'Contact support to reset your access'
-mail:
- tfa_enabled_configuration:
- subject: 'Your [site:name] account now has two-factor authentication'
- body: "[user:display-name],\r\n\r\nThanks for configuring two-factor authentication on your [site:name] account!\r\n\r\nThis additional level of security will help to ensure that only you are able to log in to your account.\r\n\r\nIf you ever lose the device you configured, you should act quickly to delete its association with this account.\r\n\r\n--\r\n[site:name] team"
- tfa_disabled_configuration:
- subject: 'Your [site:name] account no longer has two-factor authentication'
- body: "[user:display-name],\r\n\r\nTwo-factor authentication has been disabled on your [site:name] account.\r\n\r\nIf you did not take this action, please contact a site administrator immediately.\r\n\r\n--\r\n[site:name] team"