Tom P created GUACAMOLE-2140:
--------------------------------
Summary: API support for persisting TOTP disable attributes when TOTP is globally enabled
Key: GUACAMOLE-2140
URL: https://issues.apache.org/jira/browse/GUACAMOLE-2140
Project: Guacamole
Issue Type: Improvement
Components: guacamole, guacamole-auth-jdbc, guacamole-auth-totp
Affects Versions: 1.6.0
Environment: Guacamole Version: 1.6.0
Deployment: Docker containers with two-phase deployment
Authentication: Database with TOTP extension
Reporter: Tom P
h2. Summary
Requesting API support for persisting TOTP disable attributes when TOTP is
globally enabled, avoiding database workarounds during automated deployment.
h2. Use Case: Automated Deployment
Our deployment scenario requires:
* *Global TOTP*: Enabled for all new users by default
* *API automation user*: TOTP disabled for programmatic access
* *Custom admin user*: TOTP enabled for interactive use
This configuration enables automation workflows that cannot handle interactive
TOTP challenges.
h2. Current Problem
Automated installation is done in 2 phases:
# Automated user creation with TOTP disabled attribute
# Enabling TOTP
When TOTP is *not globally enabled* ('Phase 1'), the REST API correctly
processes TOTP disable attributes:
{code:python}
# This approach WORKS during Phase 1 (TOTP not globally enabled)
api_attributes = {"guac-totp-disabled": "true"}
client.create_user(api_user, api_pass, api_attributes)
client.update_user_attributes(api_user, {"guac-totp-disabled": "true"})
{code}
However, when TOTP is *globally enabled* ('Phase 2'), the TOTP module
*overwrites/removes* the disable attribute:
{code:sql}
-- Before Phase 2 (TOTP globally enabled):
username | attribute_name | attribute_value
eiguacadmin-api | guac-totp-disabled | true
-- After Phase 2 (TOTP globally enabled):
username | attribute_name | attribute_value
eiguacadmin-api | guac-totp-key-confirmed | true
eiguacadmin-api | guac-totp-key-secret | ABC46UT52UQHC4P3LW5FZYQ4IN7JXYZ
-- guac-totp-disabled attribute was REMOVED
{code}
h3. Root Cause
The TOTP module does not respect existing {{guac-totp-disabled}} attributes
when TOTP is enabled globally - it forces enrolment and removes disable flags.
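A post-deployment check for the Phase 2 regression described above, added here as an example (not code from the issue or from the Guacamole project): it classifies a user's TOTP state from its attribute map and reports when an automation user has lost its disable flag or gained a forced enrolment. The REST endpoint path and the {{token}} query parameter in {{fetch_user_attributes}} are assumptions; the sample attribute maps are constructed from the tables above.

```python
import json
import urllib.parse
import urllib.request

# Attribute names used by guacamole-auth-totp, as shown in the issue's tables.
TOTP_DISABLED = "guac-totp-disabled"
TOTP_SECRET = "guac-totp-key-secret"
TOTP_CONFIRMED = "guac-totp-key-confirmed"


def totp_state(attrs):
    """Classify a user's TOTP enrolment from its attribute map."""
    if attrs.get(TOTP_DISABLED) == "true":
        return "disabled"
    if attrs.get(TOTP_SECRET):
        return "enrolled" if attrs.get(TOTP_CONFIRMED) == "true" else "pending-enrolment"
    return "not-enrolled"


def audit_automation_user(attrs):
    """Return the problems that would make an automation user fail non-interactive
    logins: a missing/false disable flag, or enrolment attributes that overwrote it."""
    problems = []
    if attrs.get(TOTP_DISABLED) != "true":
        problems.append(f"{TOTP_DISABLED} is missing or not 'true'")
    for name in (TOTP_SECRET, TOTP_CONFIRMED):
        if name in attrs:
            problems.append(f"unexpected {name} present (forced enrolment)")
    return problems


def fetch_user_attributes(base_url, token, data_source, username):
    """Fetch the user's attribute map from the Guacamole REST API.
    Assumption: GET /api/session/data/{dataSource}/users/{username}?token=... returns
    a JSON object with an "attributes" member."""
    url = (f"{base_url}/api/session/data/{urllib.parse.quote(data_source)}"
           f"/users/{urllib.parse.quote(username)}?token={urllib.parse.quote(token)}")
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp).get("attributes", {})


# Constructed sample attribute maps mirroring the before/after tables in the issue.
BEFORE_PHASE_2 = {TOTP_DISABLED: "true"}
AFTER_PHASE_2 = {TOTP_CONFIRMED: "true", TOTP_SECRET: "CONSTRUCTED-SECRET-PLACEHOLDER"}

if __name__ == "__main__":
    for label, attrs in (("before", BEFORE_PHASE_2), ("after", AFTER_PHASE_2)):
        print(label, totp_state(attrs), audit_automation_user(attrs) or "OK")
```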
h2. Current Workaround
Database manipulation is required to restore the disable attribute:
{code:sql}
-- Look up the automation user's user_id by username (MySQL; username from the example above)
SET @uid = (SELECT u.user_id
            FROM guacamole_user u
            JOIN guacamole_entity e ON e.entity_id = u.entity_id
            WHERE e.name = 'eiguacadmin-api' AND e.type = 'USER');
-- Restore the disable attribute
INSERT INTO guacamole_user_attribute (user_id, attribute_name, attribute_value)
VALUES (@uid, 'guac-totp-disabled', 'true')
ON DUPLICATE KEY UPDATE attribute_value='true';
-- Clear forced enrolment for that user only
-- (an unbound "WHERE user_id = user_id" would match every user's rows)
DELETE FROM guacamole_user_attribute
WHERE user_id = @uid
AND attribute_name IN ('guac-totp-key-secret', 'guac-totp-key-confirmed');
{code}
h2. Proposed Improvement
Modify the TOTP module to respect existing {{guac-totp-disabled}} attributes
when global TOTP is enabled.
h2. Benefits
* Eliminates need for database workarounds