Thank you very much for your help Mike. Your advice has been really helpful.
regards,
Pablo.

On Wed, Dec 11, 2019 at 10:50 PM Mike Jumper <[email protected]> wrote:

> On Wed, Dec 11, 2019 at 7:54 AM Pablo Escobar Lopez <[email protected]> wrote:
>
> > Hi,
> >
> > In our team we are doing some tests to interact with the rest api in guacamole. Inspecting the traffic with the browser dev tools we found out how to create connections and users in guacamole using the api. Our tests are accessible here
> > https://github.com/pescobar/ansible-playbook-guacamole-api
> >
> > After our initial testing we have two doubts:
> >
> > 1) Does anyone have any docs for the api? Anything that could save us some time inspecting the http traffic or the source code would be very helpful and appreciated. e.g. I still couldn't find how to get a list of existing connections.
>
> The current best references are the JavaScript services that use the REST API. To get the connection hierarchy, you would make a GET request to .../api/session/data/DATASOURCE/connectionGroups/IDENTIFIER/tree, where DATASOURCE is the identifier of the authentication provider that you're retrieving the connections from ("mysql", "postgresql", "ldap", etc.) and IDENTIFIER is the identifier of the connection group at the base of the hierarchy being retrieved:
>
> https://github.com/apache/guacamole-client/blob/d1e928bea79ca81c827e9b6adedabc98eefdf701/guacamole/src/main/webapp/app/rest/services/connectionGroupService.js#L36-L79
>
> The identifier "ROOT" can always be used to refer to the root connection group, regardless of whether the underlying authentication provider calls it "ROOT".
>
> https://github.com/apache/guacamole-client/blob/7d822df5a3b040bf61d1055fe7bffaf1996c0983/guacamole/src/main/webapp/app/rest/types/ConnectionGroup.js#L111-L117
>
> There is an open pull request adding documentation for the REST API which is awaiting a response to feedback from initial code review:
>
> https://github.com/apache/guacamole-manual/pull/123
>
> That said, I expect there is a better approach than adding manually-written docs to the manual, given that the REST services are already documented at both the Java and JavaScript levels. There should be some tool out there which can generate JavaDoc-esque documentation from that, perhaps with minor changes, annotations, etc. to the existing comments.
>
> > 2) We did a test with a guacamole instance using OpenID auth (https://guacamole.apache.org/doc/gug/openid-auth.html) and 2FA and we could authenticate with the api using a local guacamole admin account. I mean, if I access guacamole with a browser I have to use EduID+2FA but our ansible code can "bypass" it and authenticate with the api using the local guacamole account. For us it's convenient because we can use the api even with EduID+2FA enabled but I am not sure if this is a bug or a feature. Is it the expected behavior?
>
> Yes, definitely not a bug. This is intentional. Guacamole will always attempt to authenticate the user using all installed extensions, in order. Once one extension authenticates the user, other extensions are then allowed to provide data for that user, trusting the authentication result of the other extension. If you have both OpenID and a database extension installed, then users will be able to authenticate using OpenID or (if they have a password set in the database) the database.
>
> There are 2FA extensions which are part of guacamole-client (the Duo and TOTP support) which will veto the authentication result of other extensions and enforce multi-factor. That won't happen if the multifactor auth is happening on the OpenID side, outside of Guacamole's view.
>
> - Mike

--
Pablo Escobar López
Linux/HPC systems engineer
sciCORE, University of Basel
SIB Swiss Institute of Bioinformatics
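
An added example, not part of the original thread or the Guacamole code base: building the connection-tree URL described in the reply above and flattening the returned hierarchy into a list of existing connections. The response field names (`name`, `identifier`, `protocol`, `childConnections`, `childConnectionGroups`), the host name and the sample tree are assumptions constructed for illustration; authentication is left out.

```python
from urllib.parse import quote

def tree_url(base, data_source, identifier="ROOT"):
    """Build .../api/session/data/DATASOURCE/connectionGroups/IDENTIFIER/tree."""
    # Percent-encode each path segment so a data source or group identifier
    # containing "/" or "?" cannot change which endpoint is requested.
    return "{}/api/session/data/{}/connectionGroups/{}/tree".format(
        base.rstrip("/"), quote(data_source, safe=""), quote(identifier, safe=""))

def flatten(group, parents=()):
    """Walk a connection group tree; return (path, identifier, protocol) rows."""
    here = parents + (group.get("name") or group.get("identifier", "?"),)
    rows = [("/".join(here + (c["name"],)), c["identifier"], c.get("protocol"))
            for c in group.get("childConnections") or []]
    # Recurse into nested groups (assumed key name, see lead-in).
    for sub in group.get("childConnectionGroups") or []:
        rows.extend(flatten(sub, here))
    return rows

# Constructed sample of what the tree endpoint might return (not captured data).
SAMPLE_TREE = {
    "name": "ROOT", "identifier": "ROOT",
    "childConnections": [
        {"name": "bastion", "identifier": "1", "protocol": "ssh"}],
    "childConnectionGroups": [{
        "name": "lab", "identifier": "2",
        "childConnections": [
            {"name": "win10", "identifier": "3", "protocol": "rdp"},
            {"name": "node01", "identifier": "4", "protocol": "vnc"}],
    }],
}

if __name__ == "__main__":
    # Constructed host name; "mysql" is one of the data sources named above.
    print(tree_url("https://guac.example.org/guacamole/", "mysql"))
    for path, ident, proto in flatten(SAMPLE_TREE):
        print(f"{ident:>3}  {proto:<4} {path}")
```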
