[Drupal 7] Two-Factor Authentication, configured with Features

Enacted Two-Factor Authentication for select user roles using TFA contrib modules, a custom rule, and configured completely by code with a custom feature.

Completion Date
TFA Example
Platform(s)/Language(s)
Code Snippet
diff --git a/sites/all/modules/features/feat_tfa/feat_tfa.features.inc b/sites/all/modules/features/feat_tfa/feat_tfa.features.inc
new file mode 100644
index 0000000..7a04579
--- /dev/null
+++ b/sites/all/modules/features/feat_tfa/feat_tfa.features.inc
@@ -0,0 +1,25 @@
+<?php
+/**
+ * @file
+ * feat_tfa.features.inc
+ */
+
+/**
+ * Implements hook_ctools_plugin_api().
+ */
+function feat_tfa_ctools_plugin_api($module = NULL, $api = NULL) {
+  if ($module == "strongarm" && $api == "strongarm") {
+    return array("version" => "1");
+  }
+}
+
+/**
+ * Implements hook_default_rules_configuration_alter().
+ */
+function feat_tfa_default_rules_configuration_alter(&$configs) {
+  // Disable default tfa user login rule because we are using our own custom
+  // notification email rule.
+  if (isset($configs['rules_tfa_user_login_redirect_setup'])) {
+    $configs['rules_tfa_user_login_redirect_setup']->active = FALSE;
+  }
+}
diff --git a/sites/all/modules/features/feat_tfa/feat_tfa.info b/sites/all/modules/features/feat_tfa/feat_tfa.info
new file mode 100644
index 0000000..cf4e0ba
--- /dev/null
+++ b/sites/all/modules/features/feat_tfa/feat_tfa.info
@@ -0,0 +1,21 @@
+name = TFA
+description = Two-Factor Authentication
+core = 7.x
+package = Custom Features
+version = 7.x-1.0
+dependencies[] = ctools
+dependencies[] = entity
+dependencies[] = rules
+dependencies[] = strongarm
+dependencies[] = tfa
+dependencies[] = tfa_basic
+dependencies[] = tfa_rules
+features[ctools][] = strongarm:strongarm:1
+features[features_api][] = api:2
+features[rules_config][] = tfa_rules_admin_redirect_to_tfa_setup_on_login
+features[variable][] = tfa_basic_help_text
+features[variable][] = tfa_basic_roles_require
+features[variable][] = tfa_enabled
+features[variable][] = tfa_fallback_plugins
+features[variable][] = tfa_login_plugins
+features[variable][] = tfa_validate_plugin
diff --git a/sites/all/modules/features/feat_tfa/feat_tfa.module b/sites/all/modules/features/feat_tfa/feat_tfa.module
new file mode 100644
index 0000000..b610afa
--- /dev/null
+++ b/sites/all/modules/features/feat_tfa/feat_tfa.module
@@ -0,0 +1,7 @@
+<?php
+/**
+ * @file
+ * Code for the TFA feature.
+ */
+
+include_once 'feat_tfa.features.inc';
diff --git a/sites/all/modules/features/feat_tfa/feat_tfa.rules_defaults.inc b/sites/all/modules/features/feat_tfa/feat_tfa.rules_defaults.inc
new file mode 100644
index 0000000..b7bf814
--- /dev/null
+++ b/sites/all/modules/features/feat_tfa/feat_tfa.rules_defaults.inc
@@ -0,0 +1,40 @@
+<?php
+/**
+ * @file
+ * feat_tfa.rules_defaults.inc
+ */
+
+/**
+ * Implements hook_default_rules_configuration().
+ */
+function feat_tfa_default_rules_configuration() {
+  $items = array();
+  $items['tfa_rules_admin_redirect_to_tfa_setup_on_login'] = entity_import('rules_config', '{ "tfa_rules_admin_redirect_to_tfa_setup_on_login" : {
+      "LABEL" : "Admin user redirect to TFA setup on login",
+      "PLUGIN" : "reaction rule",
+      "OWNER" : "rules",
+      "TAGS" : [ "TFA" ],
+      "REQUIRES" : [ "tfa_rules", "rules" ],
+      "ON" : { "user_login" : [] },
+      "IF" : [
+        { "NOT tfa_rules_user_has_tfa" : { "account" : [ "account" ] } },
+        { "user_has_role" : {
+            "account" : [ "account" ],
+            "roles" : { "value" : { "3" : "3" } },
+            "operation" : "OR"
+          }
+        }
+      ],
+      "DO" : [
+        { "drupal_message" : {
+            "message" : "Two-factor authentication (TFA) is strongly recommended; please configure your account security.",
+            "type" : "warning",
+            "repeat" : "0"
+          }
+        },
+        { "redirect" : { "url" : "\\/user\\/[account:uid]\\/security\\/tfa" } }
+      ]
+    }
+  }');
+  return $items;
+}
diff --git a/sites/all/modules/features/feat_tfa/feat_tfa.strongarm.inc b/sites/all/modules/features/feat_tfa/feat_tfa.strongarm.inc
new file mode 100644
index 0000000..debd637
--- /dev/null
+++ b/sites/all/modules/features/feat_tfa/feat_tfa.strongarm.inc
@@ -0,0 +1,91 @@
+<?php
+/**
+ * @file
+ * feat_tfa.strongarm.inc
+ */
+
+/**
+ * Implements hook_strongarm().
+ */
+function feat_tfa_strongarm() {
+  $export = array();
+
+  $strongarm = new stdClass();
+  $strongarm->disabled = FALSE; /* Edit this to true to make a default strongarm disabled initially */
+  $strongarm->api_version = 1;
+  $strongarm->name = 'tfa_basic_help_text';
+  $strongarm->value = 'Contact support to reset your access';
+  $export['tfa_basic_help_text'] = $strongarm;
+
+  $strongarm = new stdClass();
+  $strongarm->disabled = FALSE; /* Edit this to true to make a default strongarm disabled initially */
+  $strongarm->api_version = 1;
+  $strongarm->name = 'tfa_basic_roles_require';
+  $strongarm->value = array(
+    2 => 0,
+    11 => 0,
+    246 => 0,
+    7 => 0,
+    5 => 0,
+    9 => 0,
+    237 => 0,
+    8 => 0,
+    242 => 0,
+    243 => 0,
+    244 => 0,
+    245 => 0,
+    249 => 0,
+    10 => 0,
+    4 => 0,
+    241 => 0,
+    240 => 0,
+    234 => 0,
+    6 => 0,
+    233 => 0,
+    248 => 0,
+    3 => 0,
+    222 => 0,
+    12 => 0,
+    13 => 0,
+    14 => 0,
+    15 => 0,
+    247 => 0,
+  );
+  $export['tfa_basic_roles_require'] = $strongarm;
+
+  $strongarm = new stdClass();
+  $strongarm->disabled = FALSE; /* Edit this to true to make a default strongarm disabled initially */
+  $strongarm->api_version = 1;
+  $strongarm->name = 'tfa_enabled';
+  $strongarm->value = 1;
+  $export['tfa_enabled'] = $strongarm;
+
+  $strongarm = new stdClass();
+  $strongarm->disabled = FALSE; /* Edit this to true to make a default strongarm disabled initially */
+  $strongarm->api_version = 1;
+  $strongarm->name = 'tfa_fallback_plugins';
+  $strongarm->value = array(
+    -999 => 'tfa_basic_totp',
+    0 => 'tfa_basic_recovery_code',
+    10 => 'tfa_basic_help',
+  );
+  $export['tfa_fallback_plugins'] = $strongarm;
+
+  $strongarm = new stdClass();
+  $strongarm->disabled = FALSE; /* Edit this to true to make a default strongarm disabled initially */
+  $strongarm->api_version = 1;
+  $strongarm->name = 'tfa_login_plugins';
+  $strongarm->value = array(
+    0 => 'tfa_basic_trusted_browser',
+  );
+  $export['tfa_login_plugins'] = $strongarm;
+
+  $strongarm = new stdClass();
+  $strongarm->disabled = FALSE; /* Edit this to true to make a default strongarm disabled initially */
+  $strongarm->api_version = 1;
+  $strongarm->name = 'tfa_validate_plugin';
+  $strongarm->value = 'tfa_basic_totp';
+  $export['tfa_validate_plugin'] = $strongarm;
+
+  return $export;
+}
Attachment Size
feat_tfa.patch 6.4 KB