Add support for 2FA in cmk

[rohityadavcloud]

Add support for 2FA in cmk -> automate login and inputs.

[rohityadavcloud]

@harikrishna-patnala could you advise how we can detect if 2FA is enabled or an API needs some kind of inputs -> any way to implement that in a better UX way for cmk ?

[rohityadavcloud]

I checked with help from @harikrishna-patnala and found that:

1. APIs called using apikey/secretkey bypass the 2FA checks; for most ACS/cmk users cmk will not prompt for 2FA code.

2. For APIs called using username/password for 2FA enabled systems, it suggests users what to run, for example:

(mbx-419-rohit) 🐵 > list volumes
🙈 Error: (HTTP 511, error code <nil>) Unable to process the API request due to :Two factor authentication 2FA is enabled but not verified, please verify 2FA using validateUserTwoFactorAuthenticationCode API before calling other APIs. Existing session is invalidated.
(mbx-419-rohit) 🐵 > validate usertwofactorauthenticationcode -h
validateUserTwoFactorAuthenticationCode: Checks the 2FA code for the user.
Required params: codefor2fa,
API Params               Type     Description
==========               ====     ===========
codefor2fa               string   two factor authentication code
(mbx-419-rohit) 🐵 > validate usertwofactorauthenticationcode codefor2fa=105826
{
  "success": true
}

This means 2FA support in cmk isn't a blocker for cmk / 2FA users. They can still call this manually as the CLI/prompt suggests.

[rohityadavcloud]

Ideally the improvement in cmk would be to do the following:

1. This applies only when username and password is provided, upon login the response contains whether 2FA is enabled or not:
   {
   "loginresponse": {
   "username": "rohit",
   "userid": "9e9ba412-d3ca-4bf4-aead-768c0b09531f",
   "domainid": "d3806260-e766-11ee-b2c1-525400b612b4",
   "timeout": 1800,
   "account": "rohit",
   "firstname": "Rohit",
   "lastname": "Yadav",
   "type": "0",
   "timezone": "UTC",
   "timezoneoffset": "0.0",
   "registered": "false",
   "sessionkey": "9Gyo6QrVnC4UNd_S9Em64rjlBwE",
   "is2faenabled": "true",
   "is2faverified": "false",
   "providerfor2fa": "totp",
   "issuerfor2fa": "CloudStack"
   }
   }

2. Next, the validate API should be called after taking user input of the 2FA code such as:

URL: http://172.20.0.86:8080/client/api/?codefor2fa=217258&command=validateUserTwoFactorAuthenticationCode&response=json

Query String Parameters must pass:
codefor2fa: 217258
command: validateUserTwoFactorAuthenticationCode

3. Upon successful code the following is returned, otherwise cmk may prompt additional input:
   {
   "validateusertwofactorauthenticationcoderesponse": {
   "success": true
   }
   }

[Jayd603]

I have both api/secretkey configured and working.

When trying to use createAccount I am getting 2fa failure despite issuing a successful 'login' and 2fa code and receiving a success message.

(admin) 🐱 > login username=admin password='password'

(admin) 🐱 > validateUserTwoFactorAuthenticationCode codefor2fa=643762
{
"success": true
}

(admin) 🐱 > createAccount username=testuser email=info@test.net firstname=Test lastname=User password=testpassword roleid=ce5a99c7-3f9a-4ba1-b52e-f0a1155f2cdf
🙈 Error: (HTTP 511, error code ) Unable to process the API request due to :Two factor authentication 2FA is enabled but not verified, please verify 2FA using validateUserTwoFactorAuthenticationCode API before calling other APIs. Existing session is invalidated.

so this is not implemented or am I doing something else wrong.

EDIT: oh my bad this IS a feature request so I assume not implemented. sorry

[rohityadavcloud]

Hi @Jayd603 you should either just use apikey-secretkey which doesn’t need 2FA or set username and password and use the validate code api. You’re doing both.

If you want to use 2FA, then remove the apikey-secretkey by running the set command with value as blank, next set username and password. Try again.

[Jayd603]

Hi @Jayd603 you should either just use apikey-secretkey which doesn’t need 2FA or set username and password and use the validate code api. You’re doing both.

If you want to use 2FA, then remove the apikey-secretkey by running the set command with value as blank, next set username and password. Try again.

Ahh I see. api/secretkey do not work with 2fa enabled. Using user/pass with 2fa it worked just fine. Thank you very much.