City-of-Helsinki · hyrsky · Nov 1, 2024 · Oct 30, 2024 · Oct 30, 2024 · Oct 30, 2024
diff --git a/conf/cmi/block.block.userlogin.yml b/conf/cmi/block.block.userlogin.yml
@@ -12,7 +12,7 @@ theme: infofinland
 region: footer_bottom
 weight: -4
 provider: null
-plugin: user_login_block
+plugin: tfa_user_login_block
 settings:
   id: user_login_block
   label: Kirjaudu

diff --git a/conf/cmi/core.extension.yml b/conf/cmi/core.extension.yml
@@ -25,6 +25,7 @@ module:
   dynamic_page_cache: 0
   editor: 0
   elasticsearch_connector: 0
+  encrypt: 0
   entity: 0
   entity_browser: 0
   entity_browser_entity_form: 0
@@ -45,6 +46,7 @@ module:
   helfi_azure_fs: 0
   helfi_ckeditor: 0
   helfi_platform_config: 0
+  helfi_tfa: 0
   helfi_user_roles: 0
   helfi_users: 0
   help: 0
@@ -60,6 +62,7 @@ module:
   jsonapi_extras: 0
   jsonapi_menu_items: 0
   jsonapi_resources: 0
+  key: 0
   language: 0
   legal: 0
   link: 0
@@ -97,6 +100,7 @@ module:
   queue_ui: 0
   raven: 0
   readonly_field_widget: 0
+  real_aes: 0
   redirect: 0
   redirect_404: 0
   redirect_domain: 0
@@ -118,6 +122,7 @@ module:
   system: 0
   taxonomy: 0
   text: 0
+  tfa: 0
   token: 0
   toolbar: 0
   twig_tweak: 0

diff --git a/conf/cmi/encrypt.profile.real_aes.yml b/conf/cmi/encrypt.profile.real_aes.yml
@@ -0,0 +1,15 @@
+uuid: 90d7b880-aa02-4cff-aeb9-69e03db7a21b
+langcode: en
+status: true
+dependencies:
+  config:
+    - key.key.tfa
+  module:
+    - real_aes
+_core:
+  default_config_hash: lDV_LbRGbNBnnVa6X72NK7xH7A1T9tasNNgP2hOhHKs
+id: real_aes
+label: 'Real AES'
+encryption_method: real_aes
+encryption_key: tfa
+encryption_method_configuration: {  }
diff --git a/conf/cmi/encrypt.settings.yml b/conf/cmi/encrypt.settings.yml
@@ -0,0 +1,4 @@
+_core:
+  default_config_hash: CMyccvAuba2yH-HYmcEL0pq1Seyxzq9VHhKbQKwAWY4
+check_profile_status: true
+allow_deprecated_plugins: false
diff --git a/conf/cmi/key.key.tfa.yml b/conf/cmi/key.key.tfa.yml
@@ -0,0 +1,19 @@
+uuid: 05f354f6-4d19-4cb0-9d95-0d16a1573e58
+langcode: en
+status: true
+dependencies: {  }
+_core:
+  default_config_hash: ARfRhKTJUSFXqKkDFwUncBUg8-5v7z_we3DETbYMYB0
+id: tfa
+label: TFA
+description: ''
+key_type: encryption
+key_type_settings:
+  key_size: 256
+key_provider: config
+key_provider_settings:
+  key_value: thisvaluewillbeoverridden1234567
+  base64_encoded: true
+key_input: text_field
+key_input_settings:
+  base64_encoded: false
diff --git a/conf/cmi/purge.logger_channels.yml b/conf/cmi/purge.logger_channels.yml
@@ -11,3 +11,7 @@ channels:
       - 0
       - 2
       - 3
+  -
+    id: diagnostics
+    grants:
+      - 3
diff --git a/conf/cmi/tfa.settings.yml b/conf/cmi/tfa.settings.yml
@@ -0,0 +1,53 @@
+_core:
+  default_config_hash: JyIkFj38h-aTLsrCfejAfP277qBJ61tlaLEBH44IHhg
+langcode: en
+enabled: true
+required_roles:
+  admin: admin
+  infofinland_user: infofinland_user
+  content_producer: content_producer
+  editor: editor
+  municipal_editor: municipal_editor
+  infofinland_admin: infofinland_admin
+  super_administrator: super_administrator
+  authenticated: '0'
+  read_only: '0'
+  nextjs: '0'
+send_plugins: {  }
+login_plugins: {  }
+login_plugin_settings:
+  tfa_trusted_browser:
+    cookie_allow_subdomains: true
+    cookie_expiration: 30
+    cookie_name: tfa-trusted-browser
+allowed_validation_plugins:
+  tfa_totp: tfa_totp
+default_validation_plugin: tfa_totp
+validation_plugin_settings:
+  tfa_hotp:
+    counter_window: 10
+    site_name_prefix: 1
+    name_prefix: TFA
+    issuer: Drupal
+  tfa_recovery_code:
+    recovery_codes_amount: 10
+  tfa_totp:
+    time_skew: 2
+    site_name_prefix: 1
+    name_prefix: TFA
+    issuer: Hel.fi
+validation_skip: 3
+users_without_tfa_redirect: false
+reset_pass_skip_enabled: true
+encryption: real_aes
+tfa_flood_uid_only: 1
+tfa_flood_window: 300
+tfa_flood_threshold: 6
+help_text: 'Contact support to reset your access'
+mail:
+  tfa_enabled_configuration:
+    subject: 'Your [site:name] account now has two-factor authentication'
+    body: "[user:display-name],\r\n\r\nThanks for configuring two-factor authentication on your [site:name] account!\r\n\r\nThis additional level of security will help to ensure that only you are able to log in to your account.\r\n\r\nIf you ever lose the device you configured, you should act quickly to delete its association with this account.\r\n\r\n--\r\n[site:name] team"
+  tfa_disabled_configuration:
+    subject: 'Your [site:name] account no longer has two-factor authentication'
+    body: "[user:display-name],\r\n\r\nTwo-factor authentication has been disabled on your [site:name] account.\r\n\r\nIf you did not take this action, please contact a site administrator immediately.\r\n\r\n--\r\n[site:name] team"
diff --git a/conf/cmi/ultimate_cron.job.simple_oauth_cron.yml b/conf/cmi/ultimate_cron.job.simple_oauth_cron.yml
@@ -13,7 +13,7 @@ scheduler:
   id: simple
   configuration:
     rules:
-      - '0+@ */6 * * *'
+      - '*/5+@ * * * *'
 launcher:
   id: serial
   configuration:

diff --git a/conf/cmi/user.role.authenticated.yml b/conf/cmi/user.role.authenticated.yml
@@ -13,6 +13,7 @@ dependencies:
     - media
     - paragraphs_type_permissions
     - system
+    - tfa
 _core:
   default_config_hash: 83Nuup-6oYkkdAsvg3nrR2pBOgtTXEV1JrzpCCLkYLM
 id: authenticated
@@ -22,6 +23,8 @@ is_admin: false
 permissions:
   - 'access content'
   - 'delete own files'
+  - 'disable own tfa'
+  - 'setup own tfa'
   - 'use text format full_html'
   - 'use text format simple_html'
   - 'use text format webform_default'

diff --git a/conf/cmi/user.role.content_producer.yml b/conf/cmi/user.role.content_producer.yml
@@ -7,6 +7,7 @@ dependencies:
   module:
     - file
     - filter
+    - tfa
 _core:
   default_config_hash: EVzxFtbOrGVTXWw2GTh1fEzzqruPEqSo84k10-BF6eA
 id: content_producer
@@ -15,4 +16,6 @@ weight: 3
 is_admin: null
 permissions:
   - 'delete own files'
+  - 'disable own tfa'
+  - 'setup own tfa'
   - 'use text format simple_html'
diff --git a/conf/cmi/user.role.editor.yml b/conf/cmi/user.role.editor.yml
@@ -1,7 +1,9 @@
 uuid: c6a73a1b-05c1-4edc-95b4-ad2b33467af7
 langcode: en
 status: true
-dependencies: {  }
+dependencies:
+  module:
+    - tfa
 _core:
   default_config_hash: NCarMlsKnDtHl8NrvTJRPEF3KAztLAHBHDo-H2Om7So
 id: editor
@@ -12,3 +14,5 @@ permissions:
   - 'access user profiles'
   - 'cancel account'
   - 'change own username'
+  - 'disable own tfa'
+  - 'setup own tfa'
diff --git a/conf/cmi/user.role.infofinland_admin.yml b/conf/cmi/user.role.infofinland_admin.yml
@@ -49,6 +49,7 @@ dependencies:
     - scheduler
     - system
     - taxonomy
+    - tfa
     - toolbar
     - webform
 id: infofinland_admin
@@ -168,6 +169,7 @@ permissions:
   - 'delete terms in language'
   - 'delete terms in municipalitys'
   - 'delete terms in organisaatiot'
+  - 'disable own tfa'
   - 'edit any file media'
   - 'edit any image media'
   - 'edit any landing_page content'
@@ -200,6 +202,7 @@ permissions:
   - 'revert office_contact_info revisions'
   - 'revert page revisions'
   - 'schedule publishing of nodes'
+  - 'setup own tfa'
   - 'translate any entity'
   - 'translate file media'
   - 'translate image media'

diff --git a/conf/cmi/user.role.infofinland_user.yml b/conf/cmi/user.role.infofinland_user.yml
@@ -3,6 +3,7 @@ langcode: en
 status: true
 dependencies:
   config:
+    - entity_browser.browser.media_entity_browser_modal
     - environment_indicator.switcher.development
     - environment_indicator.switcher.stage
     - environment_indicator.switcher.test
@@ -45,6 +46,7 @@ dependencies:
     - simple_sitemap
     - system
     - taxonomy
+    - tfa
     - toolbar
     - webform
 id: infofinland_user
@@ -156,6 +158,7 @@ permissions:
   - 'delete terms in language'
   - 'delete terms in municipalitys'
   - 'delete terms in organisaatiot'
+  - 'disable own tfa'
   - 'edit any file media'
   - 'edit any image media'
   - 'edit any landing_page content'
@@ -188,6 +191,7 @@ permissions:
   - 'revert office_contact_info revisions'
   - 'revert page revisions'
   - 'schedule publishing of nodes'
+  - 'setup own tfa'
   - 'translate any entity'
   - 'translate file media'
   - 'translate image media'

diff --git a/conf/cmi/user.role.municipal_editor.yml b/conf/cmi/user.role.municipal_editor.yml
@@ -3,6 +3,7 @@ langcode: en
 status: true
 dependencies:
   config:
+    - entity_browser.browser.media_entity_browser_modal
     - filter.format.simple_html
     - media.type.image
     - media.type.remote_video
@@ -20,6 +21,7 @@ dependencies:
     - node
     - paragraphs_type_permissions
     - system
+    - tfa
     - toolbar
 id: municipal_editor
 label: Kuntapäivittäjä
@@ -64,12 +66,14 @@ permissions:
   - 'delete paragraph content list_of_links'
   - 'delete paragraph content remote_video'
   - 'delete paragraph content text'
+  - 'disable own tfa'
   - 'edit any image media'
   - 'edit own image media'
   - 'edit own link content'
   - 'edit own office_contact_info content'
   - 'edit own page content'
   - 'edit own remote_video media'
+  - 'setup own tfa'
   - 'translate editable entities'
   - 'translate image media'
   - 'translate link node'

diff --git a/conf/cmi/user.role.nextjs.yml b/conf/cmi/user.role.nextjs.yml
@@ -6,6 +6,7 @@ dependencies:
     - file
     - node
     - subrequests
+    - tfa
 id: nextjs
 label: Nextjs
 weight: 4
@@ -14,4 +15,6 @@ permissions:
   - 'access user profiles'
   - 'bypass node access'
   - 'delete own files'
+  - 'disable own tfa'
   - 'issue subrequests'
+  - 'setup own tfa'
diff --git a/conf/cmi/user.role.read_only.yml b/conf/cmi/user.role.read_only.yml
@@ -1,11 +1,15 @@
 uuid: 372a4da0-8ce4-4835-9487-df069ffb6bd6
 langcode: en
 status: true
-dependencies: {  }
+dependencies:
+  module:
+    - tfa
 _core:
   default_config_hash: deQJrlqgsebK2qYi7RWmSwYprA60SnU9obIWHY77pjI
 id: read_only
 label: 'Read only'
 weight: 2
 is_admin: null
-permissions: {  }
+permissions:
+  - 'disable own tfa'
+  - 'setup own tfa'
diff --git a/public/modules/custom/infofinland_common/infofinland_common.links.task.yml b/public/modules/custom/infofinland_common/infofinland_common.links.task.yml
diff --git a/public/modules/custom/infofinland_common/infofinland_common.module b/public/modules/custom/infofinland_common/infofinland_common.module
@@ -503,23 +503,23 @@ function infofinland_common_media_presave(Media $entity) {
 /**
  * Implements hook_form_FORM_ID_alter().
  */
-function infofinland_common_form_user_login_form_alter(&$form, FormStateInterface $form_state) {
-  $form['#submit'][] = 'infofinland_common_user_login_submit';
+function infofinland_common_form_user_login_form_alter(&$form, FormStateInterface $form_state): void {
+  array_unshift($form['#submit'], 'infofinland_common_user_login_submit');
 }
 
 /**
  * Form submission handler for user_login_form().
  *
  * Redirects the user to the content page after logging in.
  */
-function infofinland_common_user_login_submit(&$form, FormStateInterface $form_state) {
+function infofinland_common_user_login_submit(&$form, FormStateInterface $form_state): void {
   $url = Url::fromRoute('view.content.page_1');
 
   // Check if a destination was set, probably on an exception controller.
   // @see \Drupal\user\Form\UserLoginForm::submitForm()
   $request = \Drupal::service('request_stack')->getCurrentRequest();
   if (!$request->request->has('destination')) {
-    $form_state->setRedirectUrl($url);
+    $request->query->set('destination', $url->toString());
   }
   else {
     $request->query->set('destination', $request->request->get('destination'));

diff --git a/public/sites/default/local.services.yml b/public/sites/default/local.services.yml
-Original file line number
+Diff line change
@@ Expand Up / @@ -11,3 +11,7 @@ channels: @@
           - 0
           - 2
           - 3
+      -
+        id: diagnostics
+        grants:
+          - 3