-
Notifications
You must be signed in to change notification settings - Fork 5
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #787 from City-of-Helsinki/UHF-9514
UHF-9514: TFA
- Loading branch information
Showing
8 changed files
with
211 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,42 @@ | ||
# Hel.fi: TFA | ||
|
||
Provides default configuration for TFA module. | ||
|
||
## Installation | ||
|
||
1. Generate a random 256-bit key: `dd if=/dev/urandom bs=32 count=1 | base64 -i -` | ||
2. Add a new secret called `TFA-ENCRYPTION-KEY` to Azure KeyVault and copy the key as value | ||
3. Enable `helfi_tfa` module | ||
|
||
## Reset TFA settings for other users | ||
|
||
At the moment, users logging-in using Tunnistamo cannot reset/disable TFA for other users due to password requirements. | ||
|
||
You can use Drush to reset TFA settings until this is fixed: | ||
|
||
```bash | ||
drush tfa:reset-user --uid xyz | ||
``` | ||
|
||
## Exclude roles | ||
|
||
Go to Configuration -> TFA Settings (`/admin/config/people/tfa`) and uncheck the role from `Roles required to set up TFA` and save the form. | ||
|
||
Alternatively, you can override the roles setting in `all.settings.php`: | ||
```php | ||
$config['tfa.settings']['required_roles'] = [ | ||
'content_producer' => 'content_producer', | ||
'admin' => 'admin', | ||
'read_only' => '0', | ||
]; | ||
``` | ||
Setting the value to `0` means the role does not require TFA. | ||
|
||
## Testing on local | ||
|
||
Modify `local.settings.php` file and add: | ||
|
||
```php | ||
$config['key.key.tfa']['key_provider_settings']['key_value'] = 'your-base64-encoded-random-256-bit-key'; | ||
$config['key.key.tfa']['key_provider_settings']['base64_encoded'] = TRUE; | ||
``` |
13 changes: 13 additions & 0 deletions
13
modules/helfi_tfa/config/install/encrypt.profile.real_aes.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
uuid: 90d7b880-aa02-4cff-aeb9-69e03db7a21b | ||
langcode: en | ||
status: true | ||
dependencies: | ||
config: | ||
- key.key.tfa | ||
module: | ||
- real_aes | ||
id: real_aes | ||
label: 'Real AES' | ||
encryption_method: real_aes | ||
encryption_method_configuration: { } | ||
encryption_key: tfa |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
uuid: 05f354f6-4d19-4cb0-9d95-0d16a1573e58 | ||
langcode: en | ||
status: true | ||
dependencies: { } | ||
id: tfa | ||
label: TFA | ||
description: '' | ||
key_type: encryption | ||
key_type_settings: | ||
key_size: 256 | ||
key_provider: config | ||
key_provider_settings: | ||
key_value: thisvaluewillbeoverridden1234567 | ||
base64_encoded: true | ||
key_input: text_field | ||
key_input_settings: | ||
base64_encoded: false |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
langcode: en | ||
enabled: true | ||
send_plugins: { } | ||
login_plugins: { } | ||
login_plugin_settings: | ||
tfa_trusted_browser: | ||
cookie_allow_subdomains: true | ||
cookie_expiration: 30 | ||
cookie_name: tfa-trusted-browser | ||
allowed_validation_plugins: | ||
tfa_totp: tfa_totp | ||
default_validation_plugin: tfa_totp | ||
validation_plugin_settings: | ||
tfa_recovery_code: | ||
recovery_codes_amount: 10 | ||
tfa_hotp: | ||
counter_window: 10 | ||
site_name_prefix: 1 | ||
name_prefix: TFA | ||
issuer: Drupal | ||
tfa_totp: | ||
time_skew: 2 | ||
site_name_prefix: 1 | ||
name_prefix: TFA | ||
issuer: Hel.fi | ||
validation_skip: 3 | ||
users_without_tfa_redirect: false | ||
reset_pass_skip_enabled: true | ||
encryption: real_aes | ||
tfa_flood_uid_only: 1 | ||
tfa_flood_window: 300 | ||
tfa_flood_threshold: 6 | ||
help_text: 'Contact support to reset your access' | ||
mail: | ||
tfa_enabled_configuration: | ||
subject: 'Your [site:name] account now has two-factor authentication' | ||
body: "[user:display-name],\r\n\r\nThanks for configuring two-factor authentication on your [site:name] account!\r\n\r\nThis additional level of security will help to ensure that only you are able to log in to your account.\r\n\r\nIf you ever lose the device you configured, you should act quickly to delete its association with this account.\r\n\r\n--\r\n[site:name] team" | ||
tfa_disabled_configuration: | ||
subject: 'Your [site:name] account no longer has two-factor authentication' | ||
body: "[user:display-name],\r\n\r\nTwo-factor authentication has been disabled on your [site:name] account.\r\n\r\nIf you did not take this action, please contact a site administrator immediately.\r\n\r\n--\r\n[site:name] team" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
name: Hel.fi TFA | ||
type: module | ||
description: 'Integrates Hel.fi user roles module with TFA' | ||
package: Custom | ||
core_version_requirement: ^10 || ^11 | ||
dependencies: | ||
- helfi_user_roles:helfi_user_roles | ||
- real_aes:real_aes | ||
- tfa:tfa |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,85 @@ | ||
<?php | ||
|
||
/** | ||
* @file | ||
* Contains installation logic for Hel.fi TFA module. | ||
*/ | ||
|
||
declare(strict_types=1); | ||
|
||
use Drupal\Core\Session\AccountInterface; | ||
use Drupal\user\Entity\Role; | ||
|
||
/** | ||
* Implements hook_requirements(). | ||
*/ | ||
function helfi_tfa_requirements($phase) : array { | ||
if ($phase !== 'runtime') { | ||
return []; | ||
} | ||
|
||
$requirements = []; | ||
|
||
$key = \Drupal::config('key.key.tfa')->get('key_provider_settings'); | ||
|
||
if (empty($key['key_value']) || $key['key_value'] === 'thisvaluewillbeoverridden1234567') { | ||
$requirements['helfi_tfa'] = [ | ||
'title' => t('Hel.fi: TFA'), | ||
'severity' => REQUIREMENT_ERROR, | ||
'value' => t('The TFA key is not set or is using the default value.'), | ||
]; | ||
} | ||
return $requirements; | ||
} | ||
|
||
/** | ||
* Grants required permissions. | ||
*/ | ||
function helfi_tfa_grant_permissions() : void { | ||
$roles = Role::loadMultiple(); | ||
$permissions = []; | ||
|
||
// Require all roles to setup TFA. | ||
foreach ($roles as $role) { | ||
if ($role->id() === AccountInterface::ANONYMOUS_ROLE) { | ||
continue; | ||
} | ||
$permissions[$role->id()] = [ | ||
'setup own tfa', | ||
'disable own tfa', | ||
]; | ||
} | ||
|
||
helfi_platform_config_grant_permissions($permissions); | ||
} | ||
|
||
/** | ||
* Implements hook_install(). | ||
*/ | ||
function helfi_tfa_install($is_syncing) : void { | ||
// Do not perform following steps if the module is being installed as part | ||
// of a configuration import. | ||
if ($is_syncing) { | ||
return; | ||
} | ||
$roles = Role::loadMultiple(); | ||
$requiredRoles = []; | ||
|
||
$bypassRoles = [ | ||
AccountInterface::ANONYMOUS_ROLE, | ||
AccountInterface::AUTHENTICATED_ROLE, | ||
'read_only', | ||
]; | ||
// Require all roles except 'read_only' to setup TFA. | ||
foreach ($roles as $role) { | ||
if (in_array($role->id(), $bypassRoles)) { | ||
continue; | ||
} | ||
$requiredRoles[$role->id()] = $role->id(); | ||
} | ||
$config = \Drupal::configFactory()->getEditable('tfa.settings'); | ||
$config->set('required_roles', $requiredRoles) | ||
->save(); | ||
|
||
helfi_tfa_grant_permissions(); | ||
} |