[sec_scan][24] extract AuthorizedKey's comment and type (#44643)

This PR adds ability to extract the comment and key type from AuthorizedKeys files.

Signed-off-by: Tiago Silva <[email protected]>

api/proto/teleport/access_graph/v1/authorized_key.proto

@@ -43,4 +43,10 @@ message AuthorizedKeySpec {
   string key_fingerprint = 2;
   // host_user is the user who can be accessed using the fingerprint above.
   string host_user = 3;
+  // key_comment is the authorized key's comment.
+  // Authorized keys consist of the following space-separated fields:
+  // options, keytype, base64-encoded key, comment.  The options field is optional.
+  string key_comment = 4;
+  // key_type is the ssh's key type.
+  string key_type = 5;
 }

api/types/accessgraph/authorized_key.go

@@ -76,6 +76,10 @@ func ValidateAuthorizedKey(k *accessgraphv1pb.AuthorizedKey) error {
 		return trace.BadParameter("KeyFingerprint is unset")
 	}
 
+	if k.Spec.KeyType == "" {
+		return trace.BadParameter("KeyType is unset")
+	}
+
 	if k.Metadata.Name == "" {
 		return trace.BadParameter("Name is unset")
 	}

api/types/accessgraph/authorized_key_test.go

@@ -39,6 +39,7 @@ func TestAuthorizedKey(t *testing.T) {
 				HostId:         uuid.New().String(),
 				KeyFingerprint: "fingerprint",
 				HostUser:       "user",
+				KeyType:        "ssh-rsa",
 			},
 			errValidation: require.NoError,
 		},
@@ -48,6 +49,7 @@ func TestAuthorizedKey(t *testing.T) {
 				HostId:         uuid.New().String(),
 				KeyFingerprint: "",
 				HostUser:       "user",
+				KeyType:        "ssh-rsa",
 			},
 			errValidation: func(t require.TestingT, err error, i ...any) {
 				require.ErrorContains(t, err, "KeyFingerprint is unset")
@@ -59,6 +61,7 @@ func TestAuthorizedKey(t *testing.T) {
 				HostId:         uuid.New().String(),
 				KeyFingerprint: "fingerprint",
 				HostUser:       "",
+				KeyType:        "ssh-rsa",
 			},
 			errValidation: func(t require.TestingT, err error, i ...any) {
 				require.ErrorContains(t, err, "HostUser is unset")
@@ -69,11 +72,23 @@ func TestAuthorizedKey(t *testing.T) {
 			spec: &accessgraphv1pb.AuthorizedKeySpec{
 				KeyFingerprint: "fingerprint",
 				HostUser:       "user",
+				KeyType:        "ssh-rsa",
 			},
 			errValidation: func(t require.TestingT, err error, i ...any) {
 				require.ErrorContains(t, err, "HostId is unset")
 			},
 		},
+		{
+			name: "missing HostID",
+			spec: &accessgraphv1pb.AuthorizedKeySpec{
+				KeyFingerprint: "fingerprint",
+				HostUser:       "user",
+				HostId:         uuid.New().String(),
+			},
+			errValidation: func(t require.TestingT, err error, i ...any) {
+				require.ErrorContains(t, err, "KeyType is unset")
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

lib/secretsscanner/authorizedkeys/authorized_keys.go

@@ -354,7 +354,7 @@ func (w *Watcher) parseAuthorizedKeysFile(ctx context.Context, u user.User, auth
 		if len(payload) == 0 || payload[0] == '#' {
 			continue
 		}
-		parsedKey, _, _, _, err := ssh.ParseAuthorizedKey(payload)
+		parsedKey, comment, _, _, err := ssh.ParseAuthorizedKey(payload)
 		if err != nil {
 			w.logger.WarnContext(ctx, "Failed to parse authorized key", "error", err)
 			continue
@@ -367,6 +367,8 @@ func (w *Watcher) parseAuthorizedKeysFile(ctx context.Context, u user.User, auth
 				HostId:         w.hostID,
 				HostUser:       u.Username,
 				KeyFingerprint: ssh.FingerprintSHA256(parsedKey),
+				KeyComment:     comment,
+				KeyType:        parsedKey.Type(),
 			},
 		)
 		if err != nil {

lib/secretsscanner/authorizedkeys/authorized_keys_test.go

@@ -202,15 +202,26 @@ func (f *fakeClient) getReqReceived() []*accessgraphsecretsv1pb.ReportAuthorized
 
 func createKeysForUsers(t *testing.T, hostID string) []*accessgraphsecretsv1pb.AuthorizedKey {
 	var keys []*accessgraphsecretsv1pb.AuthorizedKey
-	for _, fingerprint := range []string{
-		"SHA256:GbJlTLeQgZhvGoklWGXHo0AinGgGEcldllgYExoSy+s", /* ssh-rsa */
-		"SHA256:ewwMB/nCAYurNrYFXYZuxLZv7T7vgpPd7QuIo0d5n+U", /* ssh-ed25519 */
+	for _, k := range []struct {
+		fingerprint string
+		keyType     string
+	}{
+		{
+			fingerprint: "SHA256:GbJlTLeQgZhvGoklWGXHo0AinGgGEcldllgYExoSy+s",
+			keyType:     "ssh-ed25519",
+		},
+		{
+			fingerprint: "SHA256:ewwMB/nCAYurNrYFXYZuxLZv7T7vgpPd7QuIo0d5n+U",
+			keyType:     "ssh-rsa",
+		},
 	} {
 		for _, user := range []string{"root", "user"} {
 			at, err := accessgraph.NewAuthorizedKey(&accessgraphsecretsv1pb.AuthorizedKeySpec{
 				HostId:         hostID,
 				HostUser:       user,
-				KeyFingerprint: fingerprint,
+				KeyFingerprint: k.fingerprint,
+				KeyComment:     "friel@test",
+				KeyType:        k.keyType,
 			})
 			require.NoError(t, err)
 			keys = append(keys, at)

lib/services/local/access_graph_test.go

@@ -55,21 +55,25 @@ func TestAccessGraphAuthorizedKeys(t *testing.T) {
 			HostId:         "host1",
 			HostUser:       "user1",
 			KeyFingerprint: "AAAAB3NzaC1yc2EAAAADAQABAAABAQC...",
+			KeyType:        "ssh-rsa",
 		},
 		{
 			HostId:         "host1",
 			HostUser:       "user2",
 			KeyFingerprint: "AAAAB3NzaC1yc2EAAAADAQABAAABAQC...",
+			KeyType:        "ssh-rsa",
 		},
 		{
 			HostId:         "host2",
 			HostUser:       "user1",
 			KeyFingerprint: "AAAAB3NzaC1yc2EAAAADAQABAAABAQC...",
+			KeyType:        "ssh-rsa",
 		},
 		{
 			HostId:         "host2",
 			HostUser:       "user2",
 			KeyFingerprint: "AAAAB3NzaC1yc2EAAAADAQABAAABAQC...",
+			KeyType:        "ssh-rsa",
 		},
 	}
 	var authKeys []*accessgraphsecretspb.AuthorizedKey