[
https://issues.apache.org/jira/browse/GUACAMOLE-2140?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Tom P updated GUACAMOLE-2140:
-----------------------------
Summary: API support for persisting TOTP disable attributes when TOTP is
globally enabled (was: PI support for persisting TOTP disable attributes when
TOTP is globally enabled)
> API support for persisting TOTP disable attributes when TOTP is globally
> enabled
> --------------------------------------------------------------------------------
>
> Key: GUACAMOLE-2140
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-2140
> Project: Guacamole
> Issue Type: Improvement
> Components: guacamole, guacamole-auth-jdbc, guacamole-auth-totp
> Affects Versions: 1.6.0
> Environment: Guacamole Version: 1.6.0
> Deployment: Docker containers with two-phase deployment
> Authentication: Database with TOTP extension
> Reporter: Tom P
> Priority: Minor
>
> h2. Summary
> Requesting API support for persisting TOTP disable attributes when TOTP is
> globally enabled, avoiding database workarounds during automated deployment.
> h2. Use Case: Automated Deployment
> Our deployment scenario requires:
> * *Global TOTP*: Enabled for all new users by default
> * *API automation user*: TOTP disabled for programmatic access
> * *Custom admin user*: TOTP enabled for interactive use
> This configuration enables automation workflows that cannot handle
> interactive TOTP challenges.
> h2. Current Problem
> Automated installation is done in 2 phases:
> # Automated user creation with TOTP disabled attribute
> # Enabling TOTP
> When TOTP is *not globally enabled* ('Phase 1'), the REST API correctly
> processes TOTP disable attributes:
> {code:python}
> # This approach WORKS during Phase 1 (TOTP not globally enabled)
> api_attributes = {"guac-totp-disabled": "true"}
> client.create_user(api_user, api_pass, api_attributes)
> client.update_user_attributes(api_user, {"guac-totp-disabled": "true"})
> {code}
> However, when TOTP is *globally enabled* ('Phase 2'), the TOTP module
> *overwrites/removes* the disable attribute:
> {code:sql}
> -- Before Phase 2 (TOTP globally enabled):
> username | attribute_name | attribute_value
> eiguacadmin-api | guac-totp-disabled | true
> -- After Phase 2 (TOTP globally enabled):
> username | attribute_name | attribute_value
> eiguacadmin-api | guac-totp-key-confirmed | true
> eiguacadmin-api | guac-totp-key-secret | ABC46UT52UQHC4P3LW5FZYQ4IN7JXYZ
> -- guac-totp-disabled attribute was REMOVED
> {code}
> h3. Root Cause
> The TOTP module does not respect existing {{guac-totp-disabled}} attributes
> when TOTP is enabled globally - it forces enrolment and removes disable flags.
> h2. Current Workaround
> Database manipulation is required to restore the disable attribute:
> {code:sql}
> -- Look up the API user's numeric id (standard 1.x JDBC schema: guacamole_user
> -- joins guacamole_entity, which holds the username)
> SET @uid = (SELECT u.user_id
>             FROM guacamole_user u
>             JOIN guacamole_entity e ON e.entity_id = u.entity_id
>             WHERE e.name = 'eiguacadmin-api' AND e.type = 'USER');
> -- Restore the disable attribute
> INSERT INTO guacamole_user_attribute (user_id, attribute_name, attribute_value)
> VALUES (@uid, 'guac-totp-disabled', 'true')
> ON DUPLICATE KEY UPDATE attribute_value = 'true';
> -- Clear forced enrolment for this user only (a bare "WHERE user_id = user_id"
> -- is always true and would wipe every user's TOTP secret)
> DELETE FROM guacamole_user_attribute
> WHERE user_id = @uid
> AND attribute_name IN ('guac-totp-key-secret', 'guac-totp-key-confirmed');
> {code}
> h2. Proposed Improvement
> Modify the TOTP module to respect existing {{guac-totp-disabled}} attributes
> when global TOTP is enabled.
> h2. Benefits
> * Eliminates need for database workarounds
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
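The two-phase check described in the issue, as an added example that is neither the reporter's script nor Guacamole project code: it creates the automation user with {{guac-totp-disabled}} over the REST API in phase 1, and after TOTP is enabled compares the stored attributes against the expected state, flagging exactly the two symptoms reported (disable flag dropped, key material forced in). The base URL, admin credentials, the API user's password and the use of the {{Guacamole-Token}} header are assumptions; the endpoints are the standard Guacamole {{/api/tokens}} and {{/api/session/data/{dataSource}/users}} routes, and the {{guac-totp}} form field is how the TOTP extension accepts a code at login.

```python
"""Added example (not the reporter's code nor the Guacamole project's own):
verify that guac-totp-disabled survives enabling the TOTP extension.
BASE_URL, credentials and usernames are assumptions for illustration."""
import json
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "http://localhost:8080/guacamole"  # assumption
ADMIN_USER, ADMIN_PASS = "guacadmin", "guacadmin"  # assumption: interactive admin
API_USER, API_PASS = "eiguacadmin-api", "s3cret-example"  # password is an assumption

TOTP_DISABLED = "guac-totp-disabled"
TOTP_SECRET = "guac-totp-key-secret"
TOTP_CONFIRMED = "guac-totp-key-confirmed"


def totp_state(attributes):
    """Classify a user's attribute map as the TOTP extension would see it:
    'disabled' (flag set, no key), 'enrolled' (key present, no flag),
    'conflict' (both), or 'pending' (nothing set; enrolment will be forced)."""
    disabled = str(attributes.get(TOTP_DISABLED, "")).lower() == "true"
    has_key = bool(attributes.get(TOTP_SECRET)) or \
        str(attributes.get(TOTP_CONFIRMED, "")).lower() == "true"
    if disabled and has_key:
        return "conflict"
    if disabled:
        return "disabled"
    if has_key:
        return "enrolled"
    return "pending"


def check_persisted(before, after):
    """Return the problems from the issue: the disable flag being removed
    after phase 2, and/or key attributes being written (forced enrolment)."""
    problems = []
    if totp_state(before) == "disabled" and \
            str(after.get(TOTP_DISABLED, "")).lower() != "true":
        problems.append(f"{TOTP_DISABLED} was removed")
    if TOTP_SECRET in after or TOTP_CONFIRMED in after:
        problems.append("forced enrolment: key attributes present")
    return problems


def _request(method, url, token=None, body=None, form=None):
    headers, data = {}, None
    if form is not None:  # /api/tokens takes form-encoded credentials
        data = urllib.parse.urlencode(form).encode()
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    elif body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    if token:
        # Header keeps the token out of access logs; the older ?token= query
        # parameter also works on every 1.x release.
        headers["Guacamole-Token"] = token
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def login(base, username, password, totp_code=None):
    form = {"username": username, "password": password}
    if totp_code:
        form["guac-totp"] = totp_code  # field the TOTP extension reads
    tok = _request("POST", f"{base}/api/tokens", form=form)
    return tok["authToken"], tok["dataSource"]


def login_needs_second_factor(base, username, password):
    """True if a password-only login is rejected with 403 (TOTP challenge)."""
    try:
        login(base, username, password)
        return False
    except urllib.error.HTTPError as e:
        return e.code == 403


def create_user(base, token, ds, username, password, attributes):
    return _request("POST", f"{base}/api/session/data/{ds}/users", token,
                    body={"username": username, "password": password,
                          "attributes": attributes})


def get_user_attributes(base, token, ds, username):
    url = f"{base}/api/session/data/{ds}/users/{urllib.parse.quote(username)}"
    return _request("GET", url, token).get("attributes", {})


if __name__ == "__main__":
    # Phase 1: TOTP extension not yet enabled; the flag is stored by JDBC.
    token, ds = login(BASE_URL, ADMIN_USER, ADMIN_PASS)
    create_user(BASE_URL, token, ds, API_USER, API_PASS, {TOTP_DISABLED: "true"})
    before = get_user_attributes(BASE_URL, token, ds, API_USER)
    code = input("Enable the TOTP extension, restart, enter admin TOTP code: ")
    # Phase 2: the admin now needs a code; the API user must not.
    token, ds = login(BASE_URL, ADMIN_USER, ADMIN_PASS, code)
    after = get_user_attributes(BASE_URL, token, ds, API_USER)
    for line in check_persisted(before, after) or ["OK: disable flag persisted"]:
        print(line)
    print("API user challenged for TOTP:",
          login_needs_second_factor(BASE_URL, API_USER, API_PASS))
```

The attribute comparison reproduces the table in the issue directly; the final password-only login of the API user is the behavioural check that matters for automation, since a 403 there means the disable flag did not take effect regardless of what the database shows.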