Skip to content

Commit

Permalink
[sec_scan][24] extract AuthorizedKey's comment and type (#44643)
Browse files Browse the repository at this point in the history
This PR adds ability to extract the comment and key type from AuthorizedKeys files.

Signed-off-by: Tiago Silva <[email protected]>
  • Loading branch information
tigrato authored Jul 29, 2024
1 parent d38e2c3 commit ca06895
Show file tree
Hide file tree
Showing 7 changed files with 85 additions and 19 deletions.
52 changes: 38 additions & 14 deletions api/gen/proto/go/teleport/accessgraph/v1/authorized_key.pb.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 6 additions & 0 deletions api/proto/teleport/access_graph/v1/authorized_key.proto
Original file line number Diff line number Diff line change
Expand Up @@ -43,4 +43,10 @@ message AuthorizedKeySpec {
string key_fingerprint = 2;
// host_user is the user who can be accessed using the fingerprint above.
string host_user = 3;
// key_comment is the authorized key's comment.
// Authorized keys consist of the following space-separated fields:
// options, keytype, base64-encoded key, comment. The options field is optional.
string key_comment = 4;
// key_type is the ssh's key type.
string key_type = 5;
}
4 changes: 4 additions & 0 deletions api/types/accessgraph/authorized_key.go
Original file line number Diff line number Diff line change
Expand Up @@ -76,6 +76,10 @@ func ValidateAuthorizedKey(k *accessgraphv1pb.AuthorizedKey) error {
return trace.BadParameter("KeyFingerprint is unset")
}

if k.Spec.KeyType == "" {
return trace.BadParameter("KeyType is unset")
}

if k.Metadata.Name == "" {
return trace.BadParameter("Name is unset")
}
Expand Down
15 changes: 15 additions & 0 deletions api/types/accessgraph/authorized_key_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,7 @@ func TestAuthorizedKey(t *testing.T) {
HostId: uuid.New().String(),
KeyFingerprint: "fingerprint",
HostUser: "user",
KeyType: "ssh-rsa",
},
errValidation: require.NoError,
},
Expand All @@ -48,6 +49,7 @@ func TestAuthorizedKey(t *testing.T) {
HostId: uuid.New().String(),
KeyFingerprint: "",
HostUser: "user",
KeyType: "ssh-rsa",
},
errValidation: func(t require.TestingT, err error, i ...any) {
require.ErrorContains(t, err, "KeyFingerprint is unset")
Expand All @@ -59,6 +61,7 @@ func TestAuthorizedKey(t *testing.T) {
HostId: uuid.New().String(),
KeyFingerprint: "fingerprint",
HostUser: "",
KeyType: "ssh-rsa",
},
errValidation: func(t require.TestingT, err error, i ...any) {
require.ErrorContains(t, err, "HostUser is unset")
Expand All @@ -69,11 +72,23 @@ func TestAuthorizedKey(t *testing.T) {
spec: &accessgraphv1pb.AuthorizedKeySpec{
KeyFingerprint: "fingerprint",
HostUser: "user",
KeyType: "ssh-rsa",
},
errValidation: func(t require.TestingT, err error, i ...any) {
require.ErrorContains(t, err, "HostId is unset")
},
},
{
name: "missing HostID",
spec: &accessgraphv1pb.AuthorizedKeySpec{
KeyFingerprint: "fingerprint",
HostUser: "user",
HostId: uuid.New().String(),
},
errValidation: func(t require.TestingT, err error, i ...any) {
require.ErrorContains(t, err, "KeyType is unset")
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
Expand Down
4 changes: 3 additions & 1 deletion lib/secretsscanner/authorizedkeys/authorized_keys.go
Original file line number Diff line number Diff line change
Expand Up @@ -354,7 +354,7 @@ func (w *Watcher) parseAuthorizedKeysFile(ctx context.Context, u user.User, auth
if len(payload) == 0 || payload[0] == '#' {
continue
}
parsedKey, _, _, _, err := ssh.ParseAuthorizedKey(payload)
parsedKey, comment, _, _, err := ssh.ParseAuthorizedKey(payload)
if err != nil {
w.logger.WarnContext(ctx, "Failed to parse authorized key", "error", err)
continue
Expand All @@ -367,6 +367,8 @@ func (w *Watcher) parseAuthorizedKeysFile(ctx context.Context, u user.User, auth
HostId: w.hostID,
HostUser: u.Username,
KeyFingerprint: ssh.FingerprintSHA256(parsedKey),
KeyComment: comment,
KeyType: parsedKey.Type(),
},
)
if err != nil {
Expand Down
19 changes: 15 additions & 4 deletions lib/secretsscanner/authorizedkeys/authorized_keys_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -202,15 +202,26 @@ func (f *fakeClient) getReqReceived() []*accessgraphsecretsv1pb.ReportAuthorized

func createKeysForUsers(t *testing.T, hostID string) []*accessgraphsecretsv1pb.AuthorizedKey {
var keys []*accessgraphsecretsv1pb.AuthorizedKey
for _, fingerprint := range []string{
"SHA256:GbJlTLeQgZhvGoklWGXHo0AinGgGEcldllgYExoSy+s", /* ssh-rsa */
"SHA256:ewwMB/nCAYurNrYFXYZuxLZv7T7vgpPd7QuIo0d5n+U", /* ssh-ed25519 */
for _, k := range []struct {
fingerprint string
keyType string
}{
{
fingerprint: "SHA256:GbJlTLeQgZhvGoklWGXHo0AinGgGEcldllgYExoSy+s",
keyType: "ssh-ed25519",
},
{
fingerprint: "SHA256:ewwMB/nCAYurNrYFXYZuxLZv7T7vgpPd7QuIo0d5n+U",
keyType: "ssh-rsa",
},
} {
for _, user := range []string{"root", "user"} {
at, err := accessgraph.NewAuthorizedKey(&accessgraphsecretsv1pb.AuthorizedKeySpec{
HostId: hostID,
HostUser: user,
KeyFingerprint: fingerprint,
KeyFingerprint: k.fingerprint,
KeyComment: "friel@test",
KeyType: k.keyType,
})
require.NoError(t, err)
keys = append(keys, at)
Expand Down
4 changes: 4 additions & 0 deletions lib/services/local/access_graph_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -55,21 +55,25 @@ func TestAccessGraphAuthorizedKeys(t *testing.T) {
HostId: "host1",
HostUser: "user1",
KeyFingerprint: "AAAAB3NzaC1yc2EAAAADAQABAAABAQC...",
KeyType: "ssh-rsa",
},
{
HostId: "host1",
HostUser: "user2",
KeyFingerprint: "AAAAB3NzaC1yc2EAAAADAQABAAABAQC...",
KeyType: "ssh-rsa",
},
{
HostId: "host2",
HostUser: "user1",
KeyFingerprint: "AAAAB3NzaC1yc2EAAAADAQABAAABAQC...",
KeyType: "ssh-rsa",
},
{
HostId: "host2",
HostUser: "user2",
KeyFingerprint: "AAAAB3NzaC1yc2EAAAADAQABAAABAQC...",
KeyType: "ssh-rsa",
},
}
var authKeys []*accessgraphsecretspb.AuthorizedKey
Expand Down

0 comments on commit ca06895

Please sign in to comment.