UHF-9514: TFA settings

conf/cmi/core.extension.yml

@@ -26,6 +26,7 @@ module:
   editor: 0
   editoria11y: 0
   elasticsearch_connector: 0
+  encrypt: 0
   entity: 0
   entity_reference_revisions: 0
   entity_usage: 0
@@ -84,6 +85,7 @@ module:
   helfi_platform_config_base: 0
   helfi_proxy: 0
   helfi_react_search: 0
+  helfi_tfa: 0
   helfi_toc: 0
   helfi_tpr: 0
   helfi_tpr_config: 0
@@ -97,6 +99,7 @@ module:
   inline_form_errors: 0
   jquery_ui: 0
   jquery_ui_draggable: 0
+  key: 0
   language: 0
   link: 0
   linkit: 0
@@ -134,6 +137,7 @@ module:
   raven: 0
   rdf: 0
   readonly_field_widget: 0
+  real_aes: 0
   redirect: 0
   redis: 0
   responsive_image: 0
@@ -153,6 +157,7 @@ module:
   taxonomy: 0
   telephone: 0
   text: 0
+  tfa: 0
   token: 0
   toolbar: 0
   translatable_menu_link_uri: 0

conf/cmi/encrypt.profile.real_aes.yml

@@ -0,0 +1,15 @@
+uuid: 90d7b880-aa02-4cff-aeb9-69e03db7a21b
+langcode: en
+status: true
+dependencies:
+  config:
+    - key.key.tfa
+  module:
+    - real_aes
+_core:
+  default_config_hash: lDV_LbRGbNBnnVa6X72NK7xH7A1T9tasNNgP2hOhHKs
+id: real_aes
+label: 'Real AES'
+encryption_method: real_aes
+encryption_key: tfa
+encryption_method_configuration: {  }

conf/cmi/encrypt.settings.yml

@@ -0,0 +1,4 @@
+_core:
+  default_config_hash: CMyccvAuba2yH-HYmcEL0pq1Seyxzq9VHhKbQKwAWY4
+check_profile_status: true
+allow_deprecated_plugins: false

conf/cmi/key.key.tfa.yml

@@ -0,0 +1,19 @@
+uuid: 05f354f6-4d19-4cb0-9d95-0d16a1573e58
+langcode: en
+status: true
+dependencies: {  }
+_core:
+  default_config_hash: ARfRhKTJUSFXqKkDFwUncBUg8-5v7z_we3DETbYMYB0
+id: tfa
+label: TFA
+description: ''
+key_type: encryption
+key_type_settings:
+  key_size: 256
+key_provider: config
+key_provider_settings:
+  key_value: thisvaluewillbeoverridden1234567
+  base64_encoded: true
+key_input: text_field
+key_input_settings:
+  base64_encoded: false

conf/cmi/tfa.settings.yml

@@ -0,0 +1,48 @@
+_core:
+  default_config_hash: JyIkFj38h-aTLsrCfejAfP277qBJ61tlaLEBH44IHhg
+langcode: en
+enabled: true
+required_roles:
+  content_producer: content_producer
+  editor: editor
+  admin: admin
+  super_administrator: super_administrator
+  survey_editor: survey_editor
+send_plugins: {  }
+login_plugins: {  }
+login_plugin_settings:
+  tfa_trusted_browser:
+    cookie_allow_subdomains: true
+    cookie_expiration: 30
+    cookie_name: tfa-trusted-browser
+allowed_validation_plugins:
+  tfa_totp: tfa_totp
+default_validation_plugin: tfa_totp
+validation_plugin_settings:
+  tfa_recovery_code:
+    recovery_codes_amount: 10
+  tfa_hotp:
+    counter_window: 10
+    site_name_prefix: 1
+    name_prefix: TFA
+    issuer: Drupal
+  tfa_totp:
+    time_skew: 2
+    site_name_prefix: 1
+    name_prefix: TFA
+    issuer: Hel.fi
+validation_skip: 3
+users_without_tfa_redirect: false
+reset_pass_skip_enabled: true
+encryption: real_aes
+tfa_flood_uid_only: 1
+tfa_flood_window: 300
+tfa_flood_threshold: 6
+help_text: 'Contact support to reset your access'
+mail:
+  tfa_enabled_configuration:
+    subject: 'Your [site:name] account now has two-factor authentication'
+    body: "[user:display-name],\r\n\r\nThanks for configuring two-factor authentication on your [site:name] account!\r\n\r\nThis additional level of security will help to ensure that only you are able to log in to your account.\r\n\r\nIf you ever lose the device you configured, you should act quickly to delete its association with this account.\r\n\r\n--\r\n[site:name] team"
+  tfa_disabled_configuration:
+    subject: 'Your [site:name] account no longer has two-factor authentication'
+    body: "[user:display-name],\r\n\r\nTwo-factor authentication has been disabled on your [site:name] account.\r\n\r\nIf you did not take this action, please contact a site administrator immediately.\r\n\r\n--\r\n[site:name] team"

conf/cmi/user.role.admin.yml

@@ -43,13 +43,13 @@ dependencies:
     - pathauto
     - publication_date
     - redirect
-    - rest
     - role_delegation
     - scheduler
     - simple_sitemap
     - siteimprove
     - system
     - taxonomy
+    - tfa
     - toolbar
     - view_unpublished
     - views_bulk_edit
@@ -145,6 +145,7 @@ permissions:
   - 'delete project revisions'
   - 'delete remote entities'
   - 'delete terms in keywords'
+  - 'disable own tfa'
   - 'edit any announcement content'
   - 'edit any district content'
   - 'edit any file media'
@@ -185,6 +186,7 @@ permissions:
   - 'set announcement published on date'
   - 'set landing_page published on date'
   - 'set page published on date'
+  - 'setup own tfa'
   - 'translate announcement node'
   - 'translate any entity'
   - 'translate configuration'

conf/cmi/user.role.authenticated.yml

@@ -14,6 +14,7 @@ dependencies:
     - paragraphs
     - rest
     - system
+    - tfa
     - toolbar
 _core:
   default_config_hash: 83Nuup-6oYkkdAsvg3nrR2pBOgtTXEV1JrzpCCLkYLM
@@ -25,8 +26,10 @@ permissions:
   - 'access content'
   - 'access toolbar'
   - 'delete own files'
+  - 'disable own tfa'
   - 'display eu cookie compliance popup'
   - 'restful get helfi_global_mobile_menu'
+  - 'setup own tfa'
   - 'view helfi_announcements external entity'
   - 'view helfi_news external entity'
   - 'view helfi_news_groups external entity'

conf/cmi/user.role.content_producer.yml

@@ -35,6 +35,7 @@ dependencies:
     - siteimprove
     - system
     - taxonomy
+    - tfa
     - toolbar
     - view_unpublished
 _core:
@@ -84,6 +85,7 @@ permissions:
   - 'delete own page content'
   - 'delete own project content'
   - 'delete own remote_video media'
+  - 'disable own tfa'
   - 'edit any announcement content'
   - 'edit any district content'
   - 'edit any file media'
@@ -116,6 +118,7 @@ permissions:
   - 'set announcement published on date'
   - 'set landing_page published on date'
   - 'set page published on date'
+  - 'setup own tfa'
   - 'translate editable entities'
   - 'translate file media'
   - 'translate image media'

conf/cmi/user.role.editor.yml

@@ -38,6 +38,7 @@ dependencies:
     - siteimprove
     - system
     - taxonomy
+    - tfa
     - toolbar
     - view_unpublished
 id: editor
@@ -110,6 +111,7 @@ permissions:
   - 'delete project revisions'
   - 'delete remote entities'
   - 'delete terms in keywords'
+  - 'disable own tfa'
   - 'edit any announcement content'
   - 'edit any district content'
   - 'edit any file media'
@@ -145,6 +147,7 @@ permissions:
   - 'set announcement published on date'
   - 'set landing_page published on date'
   - 'set page published on date'
+  - 'setup own tfa'
   - 'translate announcement node'
   - 'translate any entity'
   - 'translate editable entities'

conf/cmi/user.role.read_only.yml

@@ -11,6 +11,7 @@ dependencies:
     - helfi_tpr
     - node
     - paragraphs
+    - tfa
     - toolbar
     - view_unpublished
 id: read_only
@@ -20,6 +21,8 @@ is_admin: null
 permissions:
   - 'access toolbar'
   - 'delete own files'
+  - 'disable own tfa'
+  - 'setup own tfa'
   - 'view any unpublished announcement content'
   - 'view any unpublished landing_page content'
   - 'view any unpublished page content'

conf/cmi/user.role.survey_editor.yml

@@ -8,6 +8,7 @@ dependencies:
     - content_translation
     - node
     - publication_date
+    - tfa
 _core:
   default_config_hash: CliaTgzCQcvNF9ot3u_EbHnydymXh8bvNgNFlSffj9s
 id: survey_editor
@@ -19,9 +20,11 @@ permissions:
   - 'delete any survey content'
   - 'delete own survey content'
   - 'delete survey revisions'
+  - 'disable own tfa'
   - 'edit any survey content'
   - 'edit own survey content'
   - 'revert survey revisions'
   - 'set survey published on date'
+  - 'setup own tfa'
   - 'translate survey node'
   - 'view survey revisions'