[GOVCMSD9-160] Add required modules and default configurations (#121)

mingsong-hu · Mingsong Hu · Mingsong Hu · web-flow · commit 2f3a5508faf1 · 2021-03-09T11:49:53.000+11:00
* [GOVCMSD9-160] Add required modules and default configurations

* [GOVCMSD9-37] Automatically enable TFA

* [GOVCMSD9-160] Move TFA configuration to test folder and import them for Tugboat testing

* [GOVCMSD9-160] Correct Drush import command for Tugboat

* [GOVCMSD9-160] Remove duplicated drush import command

* [GOVCMSD9-160] Copy test configurations to install folder instead of partial importing

* [GOVCMSD9-160] Correct the option of cp command

* Copy the test configs before linking it to the web folder

Co-authored-by: Mingsong Hu &lt;mingsonghu@Mingsongs-MBP.gateway&gt;
Co-authored-by: Mingsong Hu &lt;mingsonghu@Mingsongs-MBP-2.home&gt;
diff --git a/.tugboat/config.yml b/.tugboat/config.yml
@@ -44,6 +44,9 @@ services:
         # Create the Drupal private and public files directories.
         - mkdir -p "${TUGBOAT_ROOT}/files-private" "${DOCROOT}/sites/default/files"
 
+        # Copy test configurations to install folder.
+        - cp -af "${TUGBOAT_ROOT}/config/test/." "${TUGBOAT_ROOT}/config/install/"
+
         # Link the config and private files paths.
         - ln -snf "${TUGBOAT_ROOT}/config" "${DOCROOT}/../config"
         - ln -snf "${TUGBOAT_ROOT}/files-private" "${DOCROOT}/../files-private"
@@ -71,6 +74,7 @@ services:
       build:
         - COMPOSER_MEMORY_LIMIT=-1 composer update
         - drush cache:rebuild
-        - drush config:import --partial -y
+        # Partial importing is still having some issues with Druah 10 and Drupal 9.
+        #- drush config-import --partial --source="${TUGBOAT_ROOT}/config/test" -y
         - drush updatedb -y
         - drush cache:rebuild
diff --git a/config/install/encrypt.settings.yml b/config/install/encrypt.settings.yml
@@ -0,0 +1,2 @@
+check_profile_status: true
+allow_deprecated_plugins: false
diff --git a/config/test/encrypt.profile.tfa_encryption.yml b/config/test/encrypt.profile.tfa_encryption.yml
@@ -0,0 +1,12 @@
+langcode: en
+status: true
+dependencies:
+  config:
+    - key.key.tfa_key
+  module:
+    - real_aes
+id: tfa_encryption
+label: 'TFA Encryption'
+encryption_method: real_aes
+encryption_key: tfa_key
+encryption_method_configuration: {  }
diff --git a/config/test/key.key.tfa_key.yml b/config/test/key.key.tfa_key.yml
@@ -0,0 +1,16 @@
+langcode: en
+status: true
+dependencies: {  }
+id: tfa_key
+label: 'TFA Key'
+description: ''
+key_type: encryption
+key_type_settings:
+  key_size: 256
+key_provider: config
+key_provider_settings:
+  base64_encoded: false
+  key_value: 'UGN~?-#RfgR+wJg4Yh/Sp2~Z^wb{C^2X'
+key_input: text_field
+key_input_settings:
+  base64_encoded: false
diff --git a/config/test/tfa.settings.yml b/config/test/tfa.settings.yml
@@ -0,0 +1,44 @@
+enabled: 1
+required_roles:
+  authenticated: authenticated
+  govcms_content_author: '0'
+  govcms_content_approver: '0'
+  govcms_site_administrator: '0'
+send_plugins: {  }
+login_plugins: {  }
+default_validation_plugin: tfa_email_code
+validation_plugin_settings:
+  ga_login_hotp:
+    counter_window: 10
+    site_name_prefix: 1
+    name_prefix: TFA
+    issuer: GovCMS
+  ga_login_totp:
+    time_skew: 2
+    site_name_prefix: 1
+    name_prefix: TFA
+    issuer: GovCMS
+  tfa_email_code:
+    code_validity_period: 60
+    email_setting:
+      subject: '[site:name] Authentication code'
+      body: "[user:display-name],\r\n\r\nThis code is valid for [length] minutes. Your code is: [code]\r\n\r\nThis code will be expired after login."
+  tfa_recovery_code:
+    recovery_codes_amount: 10
+allowed_validation_plugins:
+  tfa_email_code: tfa_email_code
+help_text: 'Contact support to reset your access'
+validation_skip: 3
+encryption: tfa_encryption
+trust_cookie_expiration: 2592000
+cookie_name: TFA
+tfa_flood_uid_only: 1
+tfa_flood_window: 300
+tfa_flood_threshold: 6
+mail:
+  tfa_enabled_configuration:
+    subject: 'Your [site:name] account now has two-factor authentication'
+    body: "[user:display-name],\r\n\r\nThanks for configuring two-factor authentication on your [site:name] account!\r\n\r\nThis additional level of security will help to ensure that only you are able to log in to your account.\r\n\r\nIf you ever lose the device you configured, you should act quickly to delete its association with this account.\r\n\r\n--\r\n[site:name] team"
+  tfa_disabled_configuration:
+    subject: 'Your [site:name] account no longer has two-factor authentication'
+    body: "[user:display-name],\r\n\r\nTwo-factor authentication has been disabled on your [site:name] account.\r\n\r\nIf you did not take this action, please contact a site administrator immediately.\r\n\r\n--\r\n[site:name] team"
diff --git a/modules/custom/core/govcms_security/govcms_security.info.yml b/modules/custom/core/govcms_security/govcms_security.info.yml
@@ -4,14 +4,19 @@ description: Enhance security of GovCMS websites.
 package: GovCMS
 core_version_requirement: ^8 || ^9
 dependencies:
+  - encrypt
+  - ga_login
   - honeypot:honeypot
+  - key
   - login_security:login_security
   - password_policy:password_policy
   - password_policy:password_policy_characters
   - password_policy:password_policy_character_types
   - password_policy:password_policy_history
   - password_policy:password_policy_length
   - password_policy:password_policy_username
+  - real_aes
   - seckit:seckit
+  - tfa
   - update_notifications_disable:update_notifications_disable
   - username_enumeration_prevention:username_enumeration_prevention

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+check_profile_status: true`
	`2`	`+allow_deprecated_plugins: false`