[
https://issues.apache.org/jira/browse/GUACAMOLE-2140?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Tom P updated GUACAMOLE-2140:
-----------------------------
Description:
h2. Summary
Requesting API support for persisting TOTP disable attributes when TOTP is
globally enabled, avoiding database workarounds during automated deployment.
_Edit: clarified API behaviour after further testing._
h2. Use Case: Automated Deployment
Our deployment scenario requires:
* *Global TOTP*: Enabled for all new users by default
* *API automation user*: TOTP disabled for programmatic access
* *Custom admin user*: TOTP enabled for interactive use
This configuration enables automation workflows that cannot handle interactive
TOTP challenges.
h2. Current Problem
Automated installation is done in 2 phases:
# Automated user creation with TOTP disabled attribute
# Enabling TOTP
When TOTP is *not globally enabled* ('Phase 1'), the REST API does not store
TOTP disable attributes:
{code:python}
# This call works during Phase 1 (TOTP not globally enabled);
# `client` is the deployment's own REST API wrapper
api_attributes = {"guac-totp-disabled": "true"}
client.create_user(api_user, api_pass, api_attributes)
client.update_user_attributes(api_user, {"guac-totp-disabled": "true"})
{code}
However, when TOTP is *globally enabled* ('Phase 2'), TOTP is still enabled for
all users because the attribute was never saved.
h3. Root Cause
The API does not save TOTP user attributes when the TOTP extension is not enabled.
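One check a Phase 1 pipeline can run before Phase 2 is to read the user back through the REST API and confirm that {{guac-totp-disabled}} actually persisted, so the dropped attribute is caught before global TOTP forces enrolment. This is an added example, not code from the ticket or the Guacamole project; the users endpoint shape, the {{mysql}} data source name and a token obtained from {{POST /api/tokens}} are assumptions.

```python
# Added example (not from the ticket or the Guacamole project): read a user
# back after Phase 1 and verify `guac-totp-disabled` really persisted.
# Assumed, not stated in the ticket: the /api/session/data/{dataSource}/users
# endpoint shape, the `mysql` data source name, a token from POST /api/tokens.
import json
import urllib.parse
import urllib.request

TOTP_DISABLED = "guac-totp-disabled"
TOTP_ENROLMENT_ATTRS = ("guac-totp-key-secret", "guac-totp-key-confirmed")

def build_user_payload(username, password):
    """JSON body for POST (create) or PUT (update) on the users endpoint."""
    return {"username": username, "password": password,
            "attributes": {TOTP_DISABLED: "true"}}

def totp_state(user_obj):
    """Classify a user object returned by the API:
    'disabled' - flag persisted;
    'enrolled' - TOTP module already wrote a secret (forced enrolment);
    'missing'  - flag was dropped (the Phase 1 behaviour reported above)."""
    attrs = user_obj.get("attributes") or {}
    if attrs.get(TOTP_DISABLED) == "true":
        return "disabled"
    if any(attrs.get(name) for name in TOTP_ENROLMENT_ATTRS):
        return "enrolled"
    return "missing"

def fetch_user(base_url, token, username, data_source="mysql"):
    """GET the user record, including its attributes (assumed endpoint)."""
    url = (f"{base_url}/api/session/data/{data_source}/users/"
           f"{urllib.parse.quote(username)}?token={urllib.parse.quote(token)}")
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)

def assert_totp_disabled(base_url, token, username):
    """Last step of Phase 1: raise if the flag did not survive the round-trip."""
    state = totp_state(fetch_user(base_url, token, username))
    if state != "disabled":
        raise RuntimeError(f"{username}: TOTP state {state!r}, expected 'disabled'")
    return state

# Constructed sample mirroring the ticket's "after Phase 2" rows; the secret
# value is a placeholder, not a real key.
SAMPLE_AFTER_PHASE2 = {"username": "eiguacadmin-api",
                       "attributes": {"guac-totp-key-confirmed": "true",
                                      "guac-totp-key-secret": "PLACEHOLDER"}}
```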
h2. Current Workaround
Database manipulation is required to restore the disable attribute:
{code:sql}
-- MySQL/MariaDB. Set @user_id to the numeric guacamole_user.user_id of the
-- automation account first; a bare "WHERE user_id = user_id" is always true
-- and would wipe the TOTP secrets of every user.
SET @user_id = 0;  -- placeholder, replace with the real id
-- Restore the disable attribute
INSERT INTO guacamole_user_attribute (user_id, attribute_name, attribute_value)
VALUES (@user_id, 'guac-totp-disabled', 'true')
ON DUPLICATE KEY UPDATE attribute_value='true';
-- Clear forced enrolment
DELETE FROM guacamole_user_attribute
WHERE user_id = @user_id
AND attribute_name IN ('guac-totp-key-secret', 'guac-totp-key-confirmed');
{code}
h2. Proposed Improvement
Modify the API module to save {{guac-totp-disabled}} attributes for new and
updated users, even when global TOTP is disabled.
h2. Benefits
* Eliminates need for database workarounds
* Simplifies automated deploys
was:
h2. Summary
Requesting API support for persisting TOTP disable attributes when TOTP is
globally enabled, avoiding database workarounds during automated deployment.
h2. Use Case: Automated Deployment
Our deployment scenario requires:
* *Global TOTP*: Enabled for all new users by default
* *API automation user*: TOTP disabled for programmatic access
* *Custom admin user*: TOTP enabled for interactive use
This configuration enables automation workflows that cannot handle interactive
TOTP challenges.
h2. Current Problem
Automated installation is done in 2 phases:
# Automated user creation with TOTP disabled attribute
# Enabling TOTP
When TOTP is *not globally enabled* ('Phase 1'), the REST API correctly
processes TOTP disable attributes:
{code:python}
# This approach WORKS during Phase 1 (TOTP not globally enabled)
api_attributes = {"guac-totp-disabled": "true"}
client.create_user(api_user, api_pass, api_attributes)
client.update_user_attributes(api_user, {"guac-totp-disabled": "true"})
{code}
However, when TOTP is *globally enabled* ('Phase 2'), the TOTP module
*overwrites/removes* the disable attribute:
{code:sql}
-- Before Phase 2 (TOTP globally enabled):
username | attribute_name | attribute_value
eiguacadmin-api | guac-totp-disabled | true
-- After Phase 2 (TOTP globally enabled):
username | attribute_name | attribute_value
eiguacadmin-api | guac-totp-key-confirmed | true
eiguacadmin-api | guac-totp-key-secret | ABC46UT52UQHC4P3LW5FZYQ4IN7JXYZ
-- guac-totp-disabled attribute was REMOVED
{code}
h3. Root Cause
The TOTP module does not respect existing {{guac-totp-disabled}} attributes
when TOTP is enabled globally - it forces enrolment and removes disable flags.
h2. Current Workaround
Database manipulation is required to restore the disable attribute:
{code:sql}
-- MySQL/MariaDB. Set @user_id to the numeric guacamole_user.user_id of the
-- automation account first; a bare "WHERE user_id = user_id" is always true
-- and would wipe the TOTP secrets of every user.
SET @user_id = 0;  -- placeholder, replace with the real id
-- Restore the disable attribute
INSERT INTO guacamole_user_attribute (user_id, attribute_name, attribute_value)
VALUES (@user_id, 'guac-totp-disabled', 'true')
ON DUPLICATE KEY UPDATE attribute_value='true';
-- Clear forced enrolment
DELETE FROM guacamole_user_attribute
WHERE user_id = @user_id
AND attribute_name IN ('guac-totp-key-secret', 'guac-totp-key-confirmed');
{code}
h2. Proposed Improvement
Modify the TOTP module to respect existing {{guac-totp-disabled}} attributes
when global TOTP is enabled.
h2. Benefits
* Eliminates need for database workarounds
> API support for persisting TOTP disable attributes when TOTP is globally
> enabled
> --------------------------------------------------------------------------------
>
> Key: GUACAMOLE-2140
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-2140
> Project: Guacamole
> Issue Type: Improvement
> Components: guacamole, guacamole-auth-jdbc, guacamole-auth-totp
> Environment: Guacamole Version: 1.6.0
> Deployment: Docker containers with two-phase deployment
> Authentication: Database with TOTP extension
> Reporter: Tom P
> Priority: Minor
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)