Merge pull request #349 from humanmade/220-documentation-linting-issues
Reformat docs files after linting
mikelittle authored Jul 15, 2024
2 parents 631ee3e + 338a367 commit f0031ec
Showing 9 changed files with 334 additions and 274 deletions.
2 changes: 1 addition & 1 deletion .travis.yml
@@ -1,7 +1,7 @@
# Import Travis configuration from dev-tools repo
version: ~> 1.0
import:
- source: humanmade/altis-dev-tools:travis/module.yml@4accc74
- source: humanmade/altis-dev-tools:travis/module.yml@0bfa112a
mode: deep_merge_append

# Add your custom config below, which will merge with the default module config from the section above.
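Review bot: The `source:` line moves the imported Travis configuration from `@4accc74` to `@0bfa112a`, and the commit message ("Reformat docs files after linting") does not mention it. Because `mode: deep_merge_append` merges that external file into this repository's CI configuration, the bump deserves its own line in the commit message (or its own commit) saying what the new ref brings in. Pinning to the full commit hash instead of an abbreviated one would also remove any ambiguity about which revision is imported.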
54 changes: 30 additions & 24 deletions docs/2-factor-authentication.md
@@ -1,45 +1,51 @@
# Two Factor Authentication

For increased security of user authentication, Altis supports the use of a second factor to authorize the login request. The Two Factor Authentication feature is enabled by default, and only required for network administrators and site administrators by default.
For increased security of user authentication, Altis supports the use of a second factor to authorize the login request. The Two
Factor Authentication feature is enabled by default, and only required for network administrators and site administrators by
default.

To disable Two Factor Authentication, set the `modules.security.2-factor-authentication` setting to `false`.

Second factor authentication options are Email, Time-based one-time passwords and FIDO Universal 2nd Factor (U2F).

Two Factor methods can be configured by each user in their Edit Profile page in the CMS.

**Note:** Two Factor Authentication is not required on local environments for convenience, in order to require it, use local environment specific configuration.
**Note:** Two Factor Authentication is not required on local environments for convenience, in order to require it, use local
environment specific configuration.

## Requiring Two Factor Authentication

The site can be configured to require all users enable two factor authentication, or set requirement options on a per-role basis. To require all users of the site enable two factor authentication set the `modules.security.2-factor-authentication.required` setting to `true`:
The site can be configured to require all users enable two factor authentication, or set requirement options on a per-role basis. To
require all users of the site enable two factor authentication set the `modules.security.2-factor-authentication.required` setting
to `true`:

```
```json
"altis": {
"modules": {
"security": {
"2-factor-authentication": {
"required": true
}
}
}
"modules": {
"security": {
"2-factor-authentication": {
"required": true
}
}
}
}
```

Alternatively, to require two factor authentication only for specific user roles, define the roles in the `modules.security.2-factor-authentication.required` array:
Alternatively, to require two factor authentication only for specific user roles, define the roles in
the `modules.security.2-factor-authentication.required` array:

```
```json
"altis": {
"modules": {
"security": {
"2-factor-authentication": {
"required": [
"super-admin",
"administrator",
"editor"
]
}
}
}
"modules": {
"security": {
"2-factor-authentication": {
"required": [
"super-admin",
"administrator",
"editor"
]
}
}
}
}
```
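Review bot: Both fences are now tagged `json`, but each snippet starts at `"altis": {` with no enclosing object, so neither is valid JSON on its own and a JSON-aware linter or highlighter may flag them. Wrapping them as `{ "extra": { "altis": { ... } } }`, the way the examples in docs/basic-auth.md are written, would make them parse and show readers where the block sits. The rewrapped Note also still carries a comma splice at "for convenience, in order to require it".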
5 changes: 3 additions & 2 deletions docs/README.md
@@ -1,5 +1,6 @@
# Security

![](./assets/banner-security.png)
![Security banner](./assets/banner-security.png)

The security module provides high-level security focused features to the Altis. This module is concerned with security features such as Multi Factor Authentication, Password Strength Rules, Audit Logging etc.
The security module provides high-level security focused features to the Altis. This module is concerned with security features such
as Multi-Factor Authentication, Password Strength Rules, Audit Logging etc.
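Review bot: The reflowed first sentence still reads "features to the Altis"; drop the article ("to Altis") while the line is being touched. This hunk also hyphenates "Multi-Factor Authentication", while docs/2-factor-authentication.md in the same commit keeps "Two Factor Authentication" unhyphenated, so one style should be chosen across the docs.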
16 changes: 12 additions & 4 deletions docs/audit-log.md
@@ -1,10 +1,13 @@
# Audit Log

All change activity made in the CMS is tracked in the Audit Log. This provides a historical account of who changed what, when. The Audit Log is "always on" and tracks changes across all sites.
All change activity made in the CMS is tracked in the Audit Log. This provides a historical account of who changed what, when. The
Audit Log is "always on" and tracks changes across all sites.

Audit logging base functionality is provided by the [Stream](https://github.com/xwp/stream/) plugin.

The Audit Log is tamper resistant. Once entries have been added to the Audit Log, they can not be removed. This is to preserve knowledge of historical changes for auditing and compliance purposes. The Cloud infrastructure application layer has no permissions to delete or modify records, therefore it's also resilient to modification from rogue custom code.
The Audit Log is tamper resistant. Once entries have been added to the Audit Log, they can not be removed. This is to preserve
knowledge of historical changes for auditing and compliance purposes. The Cloud infrastructure application layer has no permissions
to delete or modify records, therefore it's also resilient to modification from rogue custom code.

The Audit Log will also be persistent across site restores, overrides and imports.
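Review bot: In the tamper-resistance paragraph the first claim is only that entries "can not be removed", while the sentence about the application layer says it has no permissions to "delete or modify records". State both properties up front (removed or modified) so the guarantee reads consistently, and change "can not" to "cannot" while the paragraph is being rewrapped.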

@@ -33,8 +36,13 @@ The Audit Log records create, update and delete actions for the following conten

## Custom Action Recording

Any custom functionality or data types that are built on CMS primitives such as Custom Post Types, Custom Taxonomies, Post Meta or similar will already be tracked by default in the Audit Log. There are situations where you may want to insert your own custom records for reporting / compliance purposes. For example, you have built a feature with a custom database table, and want to track changes made to those entities.
Any custom functionality or data types that are built on CMS primitives such as Custom Post Types, Custom Taxonomies, Post Meta or
similar will already be tracked by default in the Audit Log. There are situations where you may want to insert your own custom
records for reporting / compliance purposes. For example, you have built a feature with a custom database table, and want to track
changes made to those entities.

In this scenario, you are responsible for also triggering the necessary API calls to the Audit Log in the application code. See the detailed documentation on [creating custom Connectors](https://github.com/xwp/stream/wiki/Creating-a-Custom-Connector) via the Stream plugin documentation.
In this scenario, you are responsible for also triggering the necessary API calls to the Audit Log in the application code. See the
detailed documentation on [creating custom Connectors](https://github.com/xwp/stream/wiki/Creating-a-Custom-Connector) via the
Stream plugin documentation.

Once registered, your custom Stream Connector's records will be part of the Audit Log with the same data integrity guarantees.
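Review bot: The rewrapped sentence "you are responsible for also triggering the necessary API calls" has "also" in the wrong place; "you are also responsible for triggering" reads correctly. The next sentence repeats itself ("See the detailed documentation on ... via the Stream plugin documentation") and could be shortened to a single reference to the Stream wiki page, and "reporting / compliance" would read better as "reporting or compliance".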
150 changes: 80 additions & 70 deletions docs/basic-auth.md
@@ -1,111 +1,121 @@
# Basic Authentication

In many instances, the [Require Login](./require-login.md) functionality of Altis is sufficient to block access to websites. However, sometimes, it's desirable to be able to test elements (particularly on development environments) as a logged-out user.
In many instances, the [Require Login](./require-login.md) functionality of Altis is sufficient to block access to websites.
However, sometimes, it's desirable to be able to test elements (particularly on development environments) as a logged-out user.

Altis provides support for Basic Authentication access control, which uses [standard HTTP Basic authentication](https://en.wikipedia.org/wiki/Basic_access_authentication) to limit access instead of WordPress users.

**Note:** Require Login only applies to URLs served from your [application servers](docs://cloud/architecture.md), and will not apply to `/uploads/` or `/tachyon/` URLs.
Altis provides support for Basic Authentication access control, which
uses [standard HTTP Basic authentication](https://en.wikipedia.org/wiki/Basic_access_authentication) to limit access instead of
WordPress users.

**Note:** Require Login only applies to URLs served from your [application servers](docs://cloud/architecture.md), and will not
apply to `/uploads/` or `/tachyon/` URLs.

**Note:** Enabling PHP Basic Auth for an environment will prevent it from being indexed with search engines.

## Configuration

By default, Basic authentication is disabled. To enable it, a value must be passed to `security.php-basic-auth`; either `true` or an array that includes a username and password.
By default, Basic authentication is disabled. To enable it, a value must be passed to `security.php-basic-auth`; either `true` or an
array that includes a username and password.

The recommended setup is to define everything in your `composer.json` file, including the username and passwords. The same configuration in the manual setup example below could be handled in the Composer file like this:
The recommended setup is to define everything in your `composer.json` file, including the username and passwords. The same
configuration in the manual setup example below could be handled in the Composer file like this:

```json
{
"extra": {
"altis": {
"modules": {
"security": {
"php-basic-auth": {
"username": "altisusername",
"password": "altispassword"
}
}
}
}
}
"extra": {
"altis": {
"modules": {
"security": {
"php-basic-auth": {
"username": "altisusername",
"password": "altispassword"
}
}
}
}
}
}
```

**Note:** The authentication username and password _must_ be defined or basic authentication will not be active.

**Note:** You _must_ specify the username and password in this configuration, even if you are reusing the same username and password in different environments.

You may also want to [disable Require Login](./require-login.md) in this configuration to ensure only one form of authentication is used.
**Note:** You _must_ specify the username and password in this configuration, even if you are reusing the same username and password
in different environments.

You may also want to [disable Require Login](./require-login.md) in this configuration to ensure only one form of authentication is
used.

### Manual Configuration

Manual setup involves a simpler configuration in your `composer.json` but an additional step in your configuration. Your Composer file would look like this:
Manual setup involves a simpler configuration in your `composer.json` but an additional step in your configuration. Your Composer
file would look like this:

```json
{
"extra": {
"altis": {
"modules": {
"security": {
"php-basic-auth": true
}
}
}
}
"extra": {
"altis": {
"modules": {
"security": {
"php-basic-auth": true
}
}
}
}
}
```

This _turns on_ the Basic Auth component, but does not define the username and password. Without the username and password, basic authentication will not be required. To specify the username and password in this configuration, you must add them as PHP constants to a file in the `.config/` directory (e.g. `.config/load.php` or a file required by `.config/load.php`). The following example is recommended:
This _turns on_ the Basic Auth component, but does not define the username and password. Without the username and password, basic
authentication will not be required. To specify the username and password in this configuration, you must add them as PHP constants
to a file in the `.config/` directory (e.g. `.config/load.php` or a file required by `.config/load.php`). The following example is
recommended:

```php
if ( in_array( \Altis\get_environment_type(), [ 'staging', 'development' ], true ) ) {
define( 'HM_BASIC_AUTH_USER', 'altisusername' );
define( 'HM_BASIC_AUTH_PW', 'altispassword' );
define( 'HM_BASIC_AUTH_USER', 'altisusername' );
define( 'HM_BASIC_AUTH_PW', 'altispassword' );
}
```


## Overrides

By default, Basic Auth will work on development and staging environments but not local or production environments. These defaults can be overridden in the `composer.json` file as well, or environment-specific username/password combinations could be defined:
By default, Basic Auth will work on development and staging environments but not local or production environments. These defaults
can be overridden in the `composer.json` file as well, or environment-specific username/password combinations could be defined:

```json
{
"extra": {
"altis": {
"modules": {
"security": {
"php-basic-auth": {
"username": "devuser",
"password": "devpass"
}
}
},
"environments": {
"local": {
"modules": {
"security": {
"php-basic-auth": {
"username": "altis",
"password": "altis"
}
}
}
},
"production": {
"modules": {
"security": {
"php-basic-auth": {
"username": "produser",
"password": "prodpass"
}
}
}
}
}
}
}
"extra": {
"altis": {
"modules": {
"security": {
"php-basic-auth": {
"username": "devuser",
"password": "devpass"
}
}
},
"environments": {
"local": {
"modules": {
"security": {
"php-basic-auth": {
"username": "altis",
"password": "altis"
}
}
}
},
"production": {
"modules": {
"security": {
"php-basic-auth": {
"username": "produser",
"password": "prodpass"
}
}
}
}
}
}
}
}
```
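Review bot: The Configuration paragraph names the setting `security.php-basic-auth`, but every JSON example in this file nests it under `modules`, and docs/2-factor-authentication.md writes its path as `modules.security.2-factor-authentication`; the text should say `modules.security.php-basic-auth`. The first Note in this Basic Authentication page talks about "Require Login" not applying to `/uploads/` or `/tachyon/` URLs, so it is worth confirming whether Basic Auth was meant there. The statement that basic authentication "will not be required" when the username and password are missing describes a silent fail-open state and would be easier to spot as a single prominent note than spread across two Notes and a paragraph. "username and passwords" in the recommended-setup sentence should be "username and password".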