
Apache Cloudstack Cloudmonkey
Apache License 2.0

Add support for 2FA in cmk #145

Open rohityadavcloud opened 6 months ago

rohityadavcloud commented 6 months ago

Add support for 2FA in cmk -> automate login and inputs.

rohityadavcloud commented 6 months ago

@harikrishna-patnala could you advise how we can detect if 2FA is enabled or an API needs some kind of inputs -> any way to implement that in a better UX way for cmk?

rohityadavcloud commented 5 months ago

I checked with help from @harikrishna-patnala and found that:

  1. APIs called using apikey/secretkey bypass the 2FA checks; for most ACS/cmk users cmk will not prompt for 2FA code.

  2. For APIs called using username/password on 2FA-enabled systems, it suggests to users what to run, for example:

    (mbx-419-rohit) 🐵 > list volumes
    🙈 Error: (HTTP 511, error code <nil>) Unable to process the API request due to :Two factor authentication 2FA is enabled but not verified, please verify 2FA using validateUserTwoFactorAuthenticationCode API before calling other APIs. Existing session is invalidated.
    (mbx-419-rohit) 🐵 > validate usertwofactorauthenticationcode -h
    validateUserTwoFactorAuthenticationCode: Checks the 2FA code for the user.
    Required params: codefor2fa,
    API Params               Type     Description
    ==========               ====     ===========
    codefor2fa               string   two factor authentication code
    (mbx-419-rohit) 🐵 > validate usertwofactorauthenticationcode codefor2fa=105826
    {
    "success": true
    }

This means 2FA support in cmk isn't a blocker for cmk / 2FA users. They can still call this manually as the CLI/prompt suggests.

rohityadavcloud commented 5 months ago

Ideally the improvement in cmk would be to do the following:

  1. This applies only when username and password are provided; upon login the response contains whether 2FA is enabled or not:

    {
      "loginresponse": {
        "username": "rohit",
        "userid": "9e9ba412-d3ca-4bf4-aead-768c0b09531f",
        "domainid": "d3806260-e766-11ee-b2c1-525400b612b4",
        "timeout": 1800,
        "account": "rohit",
        "firstname": "Rohit",
        "lastname": "Yadav",
        "type": "0",
        "timezone": "UTC",
        "timezoneoffset": "0.0",
        "registered": "false",
        "sessionkey": "9Gyo6QrVnC4UNd_S9Em64rjlBwE",
        "is2faenabled": "true",
        "is2faverified": "false",
        "providerfor2fa": "totp",
        "issuerfor2fa": "CloudStack"
      }
    }

  2. Next, the validate API should be called after taking user input of the 2FA code such as:

URL: http://172.20.0.86:8080/client/api/?codefor2fa=217258&command=validateUserTwoFactorAuthenticationCode&response=json

Query String Parameters must pass:

    codefor2fa: 217258
    command: validateUserTwoFactorAuthenticationCode

  3. Upon a successful code, the following is returned; otherwise cmk may prompt for additional input:

    {
      "validateusertwofactorauthenticationcoderesponse": {
        "success": true
      }
    }
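The login/validate flow described in the comment above, as an added Go example that is not part of cmk or the CloudStack project: it decodes a `loginresponse`, decides from `is2faenabled`/`is2faverified` whether a second factor is still outstanding, builds the `validateUserTwoFactorAuthenticationCode` request with `codefor2fa`, and reads the `success` flag back. The `NewFakeServer` stand-in, the sample login body and the accepted code `105826` are constructed so the flow runs offline; passing `sessionkey` on the validate call is assumed from CloudStack's usual session handling and is not shown in the issue's URL.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// LoginResponse holds the fields of CloudStack's loginresponse that the
// 2FA flow needs (field names as they appear in the issue).
type LoginResponse struct {
	Username       string `json:"username"`
	SessionKey     string `json:"sessionkey"`
	Is2FAEnabled   string `json:"is2faenabled"`
	Is2FAVerified  string `json:"is2faverified"`
	ProviderFor2FA string `json:"providerfor2fa"`
}

// Needs2FA reports whether the password login succeeded but the second
// factor is still outstanding: is2faenabled=true and is2faverified!=true.
func Needs2FA(r LoginResponse) bool {
	return r.Is2FAEnabled == "true" && r.Is2FAVerified != "true"
}

// ParseLogin decodes the {"loginresponse": {...}} envelope.
func ParseLogin(body []byte) (LoginResponse, error) {
	var env struct {
		LoginResponse LoginResponse `json:"loginresponse"`
	}
	if err := json.Unmarshal(body, &env); err != nil {
		return LoginResponse{}, err
	}
	return env.LoginResponse, nil
}

// BuildValidateURL builds the validateUserTwoFactorAuthenticationCode request
// from the issue. The sessionkey parameter is an assumption (standard
// CloudStack session handling); the issue's example URL does not show it.
func BuildValidateURL(base, sessionKey, code string) string {
	q := url.Values{}
	q.Set("command", "validateUserTwoFactorAuthenticationCode")
	q.Set("codefor2fa", code)
	q.Set("sessionkey", sessionKey)
	q.Set("response", "json")
	return base + "?" + q.Encode()
}

// ParseValidate decodes the validate response and returns its success flag.
func ParseValidate(body []byte) (bool, error) {
	var env struct {
		Resp struct {
			Success bool `json:"success"`
		} `json:"validateusertwofactorauthenticationcoderesponse"`
	}
	if err := json.Unmarshal(body, &env); err != nil {
		return false, err
	}
	return env.Resp.Success, nil
}

// Verify2FA submits the user-supplied code over the existing session (the
// client's cookie jar would carry JSESSIONID) and reports acceptance.
func Verify2FA(client *http.Client, base, sessionKey, code string) (bool, error) {
	resp, err := client.Get(BuildValidateURL(base, sessionKey, code))
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return false, err
	}
	return ParseValidate(body)
}

// NewFakeServer is a constructed stand-in for a CloudStack endpoint: it
// accepts only the constructed code "105826" so the flow can run offline.
func NewFakeServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		ok := q.Get("command") == "validateUserTwoFactorAuthenticationCode" &&
			q.Get("codefor2fa") == "105826"
		fmt.Fprintf(w, `{"validateusertwofactorauthenticationcoderesponse":{"success":%t}}`, ok)
	}))
}

// sampleLogin is a constructed login body, trimmed from the issue's example.
const sampleLogin = `{"loginresponse":{"username":"rohit","sessionkey":"9Gyo6QrVnC4UNd_S9Em64rjlBwE","is2faenabled":"true","is2faverified":"false","providerfor2fa":"totp"}}`

func main() {
	srv := NewFakeServer()
	defer srv.Close()
	login, _ := ParseLogin([]byte(sampleLogin))
	if Needs2FA(login) { // this is where cmk would prompt the user for the TOTP code
		ok, err := Verify2FA(srv.Client(), srv.URL+"/client/api", login.SessionKey, "105826")
		fmt.Println("2FA verified:", ok, err)
	}
}
```

In cmk itself the prompt would replace the hard-coded code, and a `false` result (or an HTTP 511 error as in the earlier comment) would loop back to the prompt instead of proceeding to other API calls.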