On Wed, Dec 11, 2019 at 7:54 AM Pablo Escobar Lopez < [email protected]> wrote:
> Hi,
>
> In our team we are doing some tests to interact with the rest api in
> guacamole. Inspecting the traffic with the browser dev tools we found out
> how to create connections and users in guacamole using the api. Our tests
> are accessible here
> https://github.com/pescobar/ansible-playbook-guacamole-api
>
> After our initial testing we have two doubts:
>
> 1) Does anyone have any docs for the api? Anything that could save us some
> time inspecting the http traffic or the source code would be very helpful
> and appreciated. e.g. I still couldn't find how to get a list of existing
> connections.
>

The current best references are the JavaScript services that use the REST API. To get the connection hierarchy, you would make a GET request to .../api/session/data/DATASOURCE/connectionGroups/IDENTIFIER/tree, where DATASOURCE is the identifier of the authentication provider that you're retrieving the connections from ("mysql", "postgresql", "ldap", etc.) and IDENTIFIER is the identifier of the connection group at the base of the hierarchy being retrieved:

https://github.com/apache/guacamole-client/blob/d1e928bea79ca81c827e9b6adedabc98eefdf701/guacamole/src/main/webapp/app/rest/services/connectionGroupService.js#L36-L79

The identifier "ROOT" can always be used to refer to the root connection group, regardless of whether the underlying authentication provider calls it "ROOT".

https://github.com/apache/guacamole-client/blob/7d822df5a3b040bf61d1055fe7bffaf1996c0983/guacamole/src/main/webapp/app/rest/types/ConnectionGroup.js#L111-L117

There is an open pull request adding documentation for the REST API which is awaiting a response to feedback from initial code review:

https://github.com/apache/guacamole-manual/pull/123

That said, I expect there is a better approach than adding manually-written docs to the manual, given that the REST services are already documented at both the Java and JavaScript levels. There should be some tool out there which can generate JavaDoc-esque documentation from that, perhaps with minor changes, annotations, etc. to the existing comments.

> 2) We did a test with a guacamole instance using OpenID auth
> (https://guacamole.apache.org/doc/gug/openid-auth.html) and 2FA and we
> could authenticate with the api using a local guacamole admin account. I
> mean, if I access guacamole with a browser I have to use EduID+2FA but our
> ansible code can "bypass" it and authenticate with the api using the local
> guacamole account. For us it's convenient because we can use the api even
> with EduID+2FA enabled but I am not sure if this is a bug or a feature. Is
> it the expected behavior?

Yes, definitely not a bug. This is intentional.

Guacamole will always attempt to authenticate the user using all installed extensions, in order. Once one extension authenticates the user, other extensions are then allowed to provide data for that user, trusting the authentication result of the other extension. If you have both OpenID and a database extension installed, then users will be able to authenticate using OpenID or (if they have a password set in the database) the database.

There are 2FA extensions which are part of guacamole-client (the Duo and TOTP support) which will veto the authentication result of other extensions and enforce multi-factor. That won't happen if the multifactor auth is happening on the OpenID side, outside of Guacamole's view.

- Mike
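
Added example, not part of the original message or of the Guacamole project's code: building the connection-tree URL described in the reply and flattening the response into a list of connections. The base URL and the sample tree are constructed, and the field names (`childConnections`, `childConnectionGroups`, `name`, `identifier`, `protocol`) are assumed to match the client's ConnectionGroup/Connection types; sending the request and handling the auth token are left out.

```python
from urllib.parse import quote


def tree_url(base, data_source, identifier="ROOT"):
    """Build .../api/session/data/DATASOURCE/connectionGroups/IDENTIFIER/tree."""
    return "{}/api/session/data/{}/connectionGroups/{}/tree".format(
        base.rstrip("/"),
        quote(data_source, safe=""),   # e.g. "mysql", "postgresql", "ldap"
        quote(identifier, safe=""),    # "ROOT" always names the root group
    )


def list_connections(group, parent=""):
    """Walk a tree response; return (path, identifier, protocol) tuples."""
    path = parent + group.get("name", "?")
    found = []
    # Groups without children may omit these keys or set them to null.
    for conn in group.get("childConnections") or []:
        found.append((path + "/" + conn["name"],
                      conn["identifier"], conn.get("protocol")))
    for child in group.get("childConnectionGroups") or []:
        found.extend(list_connections(child, path + "/"))
    return found


# Constructed sample shaped like a tree response (not real data).
SAMPLE_TREE = {
    "name": "ROOT", "identifier": "ROOT", "type": "ORGANIZATIONAL",
    "childConnections": [
        {"name": "jump-host", "identifier": "1", "protocol": "ssh"},
    ],
    "childConnectionGroups": [
        {"name": "lab", "identifier": "2", "type": "ORGANIZATIONAL",
         "childConnections": [
             {"name": "win-desktop", "identifier": "3", "protocol": "rdp"},
         ]},
        {"name": "empty", "identifier": "4", "type": "ORGANIZATIONAL",
         "childConnections": None},
    ],
}

if __name__ == "__main__":
    # guac.example.org is a placeholder base URL.
    print(tree_url("https://guac.example.org/guacamole", "mysql"))
    for row in list_connections(SAMPLE_TREE):
        print(row)
```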
