[
https://issues.apache.org/jira/browse/GUACAMOLE-2140?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18021385#comment-18021385
]
Tom P commented on GUACAMOLE-2140:
----------------------------------
[~vnick], thanks. Happy to clarify:
h2. Not globally enabled
*Not globally enabled*: the TOTP extension is not loaded at all. The guacamole
container is started with the env var {{TOTP_ENABLED=false}}.
h2. Automated user creation
Yes, I am using the scripted, API-based creation of user accounts. I want to
avoid making direct database modifications for security, safety, and
maintainability.
When guacamole is running without the TOTP extension loaded, it appears that
TOTP attributes are ignored by the API:
1. Create user {{bob-totp-disabled}} (with TOTP disabled attribute)
{code:python}
api_attributes = {"guac-totp-disabled": "true"}
client.create_user("bob-totp-disabled", "password", api_attributes)
{code}
2. Get user attributes
*Issue*: {{guac-totp-disabled}} attribute is *NOT SET*
{{client.get_user_attributes("bob-totp-disabled")}} ->
{code:json}
{
"guac-email-address": null,
"guac-organizational-role": null,
"guac-full-name": null,
"expired": null,
"timezone": null,
"access-window-start": null,
"guac-organization": null,
"access-window-end": null,
"valid-until": null,
"valid-from": null
}
{code}
This means that after enabling the TOTP extension by updating the docker
compose file with {{TOTP_ENABLED=false}} and deploying, user
{{bob-totp-disabled}} still gets the enrol prompt on first login unless I
modify the database.
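An added example (not code from this issue or from the Guacamole project) of the check that would have surfaced the behaviour described above at deployment time rather than at first login: provision the user with {{guac-totp-disabled=true}} over the REST API, then read the attributes back and fail the run if the flag did not persist. It assumes the Guacamole 1.x endpoints {{/api/tokens}} and {{/api/session/data/{dataSource}/users}}; the base URL, credentials and the {{InMemoryGuacamole}} stand-in are constructed for the example.

```python
"""Added example: create a Guacamole user with guac-totp-disabled=true and
verify the attribute was really stored. Endpoints are the Guacamole 1.x REST
API; base URL, credentials and InMemoryGuacamole are constructed."""
import json
import urllib.parse
import urllib.request


class GuacClient:
    """Minimal REST client; `transport` lets the HTTP layer be swapped for a fake."""

    def __init__(self, base_url, transport=None):
        self.base_url = base_url.rstrip("/")
        self.token = None
        self.data_source = None
        self._transport = transport or self._http

    @staticmethod
    def _http(method, url, body, headers):
        # Real HTTP via urllib; returns the decoded JSON body, or None if empty.
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None

    def _call(self, method, path, payload=None, form=None):
        url = self.base_url + path
        if self.token:  # auth token passed as the `token` query parameter
            url += "?token=" + urllib.parse.quote(self.token)
        headers, body = {}, None
        if form is not None:  # /api/tokens expects form-encoded credentials
            body = urllib.parse.urlencode(form).encode()
            headers["Content-Type"] = "application/x-www-form-urlencoded"
        elif payload is not None:
            body = json.dumps(payload).encode()
            headers["Content-Type"] = "application/json"
        return self._transport(method, url, body, headers)

    def login(self, username, password):
        resp = self._call("POST", "/api/tokens",
                          form={"username": username, "password": password})
        self.token, self.data_source = resp["authToken"], resp["dataSource"]
        return self.data_source

    def create_user(self, username, password, attributes):
        return self._call("POST", f"/api/session/data/{self.data_source}/users",
                          payload={"username": username, "password": password,
                                   "attributes": attributes})

    def get_user_attributes(self, username):
        user = self._call("GET", f"/api/session/data/{self.data_source}/users/"
                          + urllib.parse.quote(username))
        return user.get("attributes") or {}


def totp_disabled_persisted(client, username):
    """True only if the server actually stored guac-totp-disabled=true."""
    attrs = client.get_user_attributes(username)
    return str(attrs.get("guac-totp-disabled")).lower() == "true"


def provision_and_verify(base_url, admin, admin_pass, user, user_pass, transport=None):
    """Create `user` with TOTP disabled and report whether the flag survived."""
    client = GuacClient(base_url, transport)
    client.login(admin, admin_pass)
    client.create_user(user, user_pass, {"guac-totp-disabled": "true"})
    return totp_disabled_persisted(client, user)


class InMemoryGuacamole:
    """Constructed stand-in for a server so the check runs offline.
    totp_loaded=False mimics the reported behaviour: guac-totp-* attributes
    sent to the API are ignored when the TOTP extension is not loaded."""

    def __init__(self, totp_loaded):
        self.totp_loaded = totp_loaded
        self.users = {}

    def __call__(self, method, url, body, headers):
        path = urllib.parse.urlparse(url).path
        if method == "POST" and path == "/api/tokens":
            return {"authToken": "constructed-token", "dataSource": "mysql"}
        if method == "POST" and path.endswith("/users"):
            user = json.loads(body)
            attrs = dict(user["attributes"])
            if not self.totp_loaded:
                attrs = {k: v for k, v in attrs.items() if not k.startswith("guac-totp-")}
            self.users[user["username"]] = attrs
            return None
        if method == "GET":
            name = urllib.parse.unquote(path.rsplit("/", 1)[1])
            return {"username": name, "attributes": self.users[name]}
        raise ValueError(f"unexpected request: {method} {path}")


if __name__ == "__main__":
    for loaded in (True, False):
        ok = provision_and_verify("http://guac.example", "admin", "secret",
                                  "bob-totp-disabled", "password",
                                  InMemoryGuacamole(totp_loaded=loaded))
        print(f"TOTP extension loaded={loaded}: disable flag persisted={ok}")
```

Against a real deployment, pass no {{transport}} and point {{base_url}} at the Guacamole container; running the check after each phase makes a dropped attribute a failed pipeline step instead of an enrolment prompt for the automation account.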
> API support for persisting TOTP disable attributes when TOTP is globally
> enabled
> --------------------------------------------------------------------------------
>
> Key: GUACAMOLE-2140
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-2140
> Project: Guacamole
> Issue Type: Improvement
> Components: guacamole, guacamole-auth-jdbc, guacamole-auth-totp
> Environment: Guacamole Version: 1.6.0
> Deployment: Docker containers with two-phase deployment
> Authentication: Database with TOTP extension
> Reporter: Tom P
> Priority: Minor
>
> h2. Summary
> Requesting API support for persisting TOTP disable attributes when TOTP is
> globally enabled, avoiding database workarounds during automated deployment.
> h2. Use Case: Automated Deployment
> Our deployment scenario requires:
> * {*}Global TOTP{*}: Enabled for all new users by default
> * {*}API automation user{*}: TOTP disabled for programmatic access
> * {*}Custom admin user{*}: TOTP enabled for interactive use
> This configuration enables automation workflows that cannot handle
> interactive TOTP challenges.
> h2. Current Problem
> Automated install is done in 2 phases
> # Automated user creation with TOTP disabled attribute
> # Enabling TOTP
> When TOTP is *not globally enabled* ('Phase 1'), the REST API correctly
> processes TOTP disable attributes:
> {code:python}
> # This approach WORKS during Phase 1 (TOTP not globally enabled)
> api_attributes = {"guac-totp-disabled": "true"}
> client.create_user(api_user, api_pass, api_attributes)
> client.update_user_attributes(api_user, {"guac-totp-disabled": "true"})
> {code}
> However, when TOTP is *globally enabled* ('Phase 2'), the TOTP module
> *overwrites/removes* the disable attribute:
> {code:sql}
> -- Before Phase 2 (TOTP globally enabled):
> username | attribute_name | attribute_value
> eiguacadmin-api | guac-totp-disabled | true
> -- After Phase 2 (TOTP globally enabled):
> username | attribute_name | attribute_value
> eiguacadmin-api | guac-totp-key-confirmed | true
> eiguacadmin-api | guac-totp-key-secret | ABC46UT52UQHC4P3LW5FZYQ4IN7JXYZ
> -- guac-totp-disabled attribute was REMOVED
> {code}
> h3. Root Cause
> The TOTP module does not respect existing {{guac-totp-disabled}} attributes
> when TOTP is enabled globally - it forces enrolment and removes disable flags.
> h2. Current Workaround
> Database manipulation is required to restore the disable attribute:
> {code:sql}
> -- Restore the disable attribute
> -- (@user_id holds the target user's guacamole_user.user_id, looked up first)
> INSERT INTO guacamole_user_attribute (user_id, attribute_name,
> attribute_value)
> VALUES (@user_id, 'guac-totp-disabled', 'true')
> ON DUPLICATE KEY UPDATE attribute_value='true';
> -- Clear forced enrolment for this user only
> -- (a bare "user_id = user_id" would match every row in the table)
> DELETE FROM guacamole_user_attribute
> WHERE user_id = @user_id
> AND attribute_name IN ('guac-totp-key-secret', 'guac-totp-key-confirmed');
> {code}
> h2. Proposed Improvement
> Modify the TOTP module to respect existing {{guac-totp-disabled}} attributes
> when global TOTP is enabled
> h2. Benefits
> * Eliminates need for database workarounds
--
This message was sent by Atlassian Jira
(v8.20.10#820010)