[
https://issues.apache.org/jira/browse/GUACAMOLE-2140?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18021408#comment-18021408
]
Nick Couchman commented on GUACAMOLE-2140:
------------------------------------------
Thanks for the additional detail, [~oerunf] - I'll see if I can reproduce and
have a look at the code. Based on what you're saying, I'm actually surprised
the disabling part works at all, but it sounds like we're skipping a check for
the guac-totp-disabled attribute prior to putting the guac-totp-key* flags into
the databases, and then wiping it all out.
If you have a chance, could you perform one more test - when you do the initial
creation of a user without the TOTP extension enabled, could you also insert the
guac-totp-key-secret (the value should not matter) and guac-totp-key-confirmed
(set to "true") and see if that results in TOTP being disabled for that user?
I'm not suggesting that as a permanent fix, just a test and a possible
work-around until we get a fix introduced.
> API support for persisting TOTP disable attributes when TOTP is globally
> enabled
> --------------------------------------------------------------------------------
>
> Key: GUACAMOLE-2140
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-2140
> Project: Guacamole
> Issue Type: Improvement
> Components: guacamole, guacamole-auth-jdbc, guacamole-auth-totp
> Environment: Guacamole Version: 1.6.0
> Deployment: Docker containers with two-phase deployment
> Authentication: Database with TOTP extension
> Reporter: Tom P
> Priority: Minor
>
> h2. Summary
> Requesting API support for persisting TOTP disable attributes when TOTP is
> globally enabled, avoiding database workarounds during automated deployment.
> _Edit: clarified API behaviour after further testing._
> h2. Use Case: Automated Deployment
> Our deployment scenario requires:
> * *Global TOTP*: Enabled for all new users by default
> * *API automation user*: TOTP disabled for programmatic access
> * *Custom admin user*: TOTP enabled for interactive use
> This configuration enables automation workflows that cannot handle
> interactive TOTP challenges.
> h2. Current Problem
> Automated install is done in 2 phases:
> # Automated user creation with TOTP disabled attribute
> # Enabling TOTP
> When TOTP is *not globally enabled* ('Phase 1'), the REST API does not store
> TOTP disable attributes:
> {code:python}
> # This call works during Phase 1 (TOTP not globally enabled)
> api_attributes = {"guac-totp-disabled": "true"}
> client.create_user(api_user, api_pass, api_attributes)
> client.update_user_attributes(api_user, {"guac-totp-disabled": "true"})
> {code}
> However, when TOTP is *globally enabled* ('Phase 2'), TOTP is still enabled
> for all users, as the attribute was not saved.
> h3. Root Cause
> The API does not save TOTP user attributes when the TOTP extension is not enabled.
> h2. Current Workaround
> Database manipulation is required to restore the disable attribute:
> {code:sql}
> -- Resolve the automation user's id once ('api_user' is a placeholder name),
> -- so the statements below touch only that user's rows
> SET @user_id = (SELECT u.user_id
>                 FROM guacamole_user u
>                 JOIN guacamole_entity e ON e.entity_id = u.entity_id
>                 WHERE e.name = 'api_user' AND e.type = 'USER');
> -- Restore the disable attribute
> INSERT INTO guacamole_user_attribute (user_id, attribute_name, attribute_value)
> VALUES (@user_id, 'guac-totp-disabled', 'true')
> ON DUPLICATE KEY UPDATE attribute_value = 'true';
> -- Clear forced enrolment for this user only
> DELETE FROM guacamole_user_attribute
> WHERE user_id = @user_id
>   AND attribute_name IN ('guac-totp-key-secret', 'guac-totp-key-confirmed');
> {code}
> h2. Proposed Improvement
> Modify the API module to save {{guac-totp-disabled}} attributes for new and
> updated users, even when global TOTP is disabled.
> h2. Benefits
> * Eliminates need for database workarounds
> * Simplifies automated deploys
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
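Added example, not code from the issue or from the Guacamole project: the post-deployment check an automation pipeline would run after Phase 2 to find out whether the automation user's TOTP opt-out actually took effect. It logs in as the automation user itself (so the TOTP-enabled admin account is never involved) and treats a TOTP challenge on login as a failed opt-out; if login succeeds it reads the user's own object and reports whether guac-totp-disabled is stored as "true" and whether any guac-totp-key-* attribute was written. The endpoint shapes are assumptions taken from Guacamole 1.x as I know it, not from the issue: POST /api/tokens, GET /api/session/data/{dataSource}/self, the Guacamole-Token header, and a 403 whose JSON body has type INSUFFICIENT_CREDENTIALS and an "expected" field named guac-totp. Host and user names are placeholders.

```python
"""Post-deployment check for the GUACAMOLE-2140 symptom: is the automation
user really exempt from TOTP after Phase 2?  Added example; the endpoint
shapes named below are assumptions, host and user names are placeholders."""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

TOTP_DISABLED = "guac-totp-disabled"
TOTP_KEY_ATTRS = ("guac-totp-key-secret", "guac-totp-key-confirmed")


def user_payload(username, password, totp_disabled=True):
    """Body for the Phase 1 POST .../users call: the opt-out rides along as a
    user attribute (assumed request shape)."""
    return {"username": username, "password": password,
            "attributes": {TOTP_DISABLED: "true" if totp_disabled else "false"}}


def login_totp_challenge(error_body):
    """True when a failed POST /api/tokens is the TOTP extension asking for a
    code: type INSUFFICIENT_CREDENTIALS, expected field guac-totp (assumed)."""
    try:
        body = json.loads(error_body)
    except (TypeError, ValueError):
        return False
    if not isinstance(body, dict) or body.get("type") != "INSUFFICIENT_CREDENTIALS":
        return False
    return any(isinstance(f, dict) and f.get("name") == "guac-totp"
               for f in body.get("expected") or [])


def totp_opt_out_findings(user):
    """Inspect a user object (GET .../self or .../users/{name}) and list what
    would break non-interactive use; an empty list means the opt-out is stored
    and no guac-totp-key-* attribute was written for this user."""
    attrs = (user or {}).get("attributes") or {}
    findings = []
    if attrs.get(TOTP_DISABLED) != "true":
        findings.append('%s is %r, not "true": the opt-out was not persisted'
                        % (TOTP_DISABLED, attrs.get(TOTP_DISABLED)))
    for name in TOTP_KEY_ATTRS:
        if attrs.get(name):
            findings.append("%s is set: a TOTP key record exists for this user" % name)
    return findings


class GuacClient:
    """Minimal urllib client; `opener` is injectable so the flow can be driven
    by a fake in tests."""

    def __init__(self, base_url, opener=urllib.request.urlopen):
        self.base, self._open = base_url.rstrip("/"), opener
        self.token = self.data_source = None

    def login(self, username, password):
        """Return 'ok', 'totp-challenge' or 'rejected'."""
        data = urllib.parse.urlencode({"username": username, "password": password}).encode()
        req = urllib.request.Request(self.base + "/api/tokens", data=data, method="POST")
        try:
            resp = json.loads(self._open(req).read())
        except urllib.error.HTTPError as err:
            return "totp-challenge" if login_totp_challenge(err.read()) else "rejected"
        self.token, self.data_source = resp["authToken"], resp["dataSource"]
        return "ok"

    def get_self(self):
        """GET /api/session/data/{dataSource}/self: the logged-in user's own object."""
        url = "%s/api/session/data/%s/self" % (
            self.base, urllib.parse.quote(self.data_source, safe=""))
        req = urllib.request.Request(url, headers={"Guacamole-Token": self.token})
        return json.loads(self._open(req).read())


def check_automation_user(client, username, password):
    """Run the whole check; returns (status, findings) where status is
    'totp-challenge' (opt-out ineffective), 'rejected' (bad credentials)
    or 'ok' (login succeeded; findings may still be non-empty)."""
    status = client.login(username, password)
    if status != "ok":
        return status, []
    return status, totp_opt_out_findings(client.get_self())


if __name__ == "__main__":
    # usage: check_totp_optout.py https://guac.example.invalid/guacamole api_user <password>
    base, user, password = sys.argv[1:4]
    status, findings = check_automation_user(GuacClient(base), user, password)
    print("login:", status)
    for line in findings:
        print("  -", line)
    sys.exit(0 if status == "ok" and not findings else 1)
```

The login result is the authoritative signal: a 403 TOTP challenge means the automation user will be blocked regardless of what the attribute view shows, while a clean login with a non-empty findings list points at the state the SQL workaround above cleans up. Run it with the automation user's own credentials after Phase 2, and again after applying any workaround, so the pipeline fails fast instead of hanging on an interactive TOTP prompt.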