fork ssh private keys

gravitational · Jul 19, 2024 · 5a8c74f · 5a8c74f
1 parent c61f841
commit 5a8c74f
Show file tree

Hide file tree

Showing 3 changed files with 351 additions and 16 deletions.
diff --git a/lib/secretsscanner/scaner/scan_test.go b/lib/secretsscanner/scaner/scan_test.go
@@ -29,11 +29,11 @@ import (
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/crypto/ssh"
-	cryptosshtestdata "golang.org/x/crypto/ssh/testdata"
 	"google.golang.org/protobuf/testing/protocmp"
 
 	accessgraphsecretsv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/accessgraph/v1"
 	"github.com/gravitational/teleport/api/types/accessgraph"
+	scantestdata "github.com/gravitational/teleport/lib/secretsscanner/scaner/testdata"
 )
 
 var (
@@ -97,7 +97,7 @@ func writeEncryptedKeys(t *testing.T, dir string) []*accessgraphsecretsv1pb.Priv
 	t.Helper()
 	var expectedKeys []*accessgraphsecretsv1pb.PrivateKey
 	// Write encrypted keys to the directory.
-	for _, key := range cryptosshtestdata.PEMEncryptedKeys {
+	for _, key := range scantestdata.PEMEncryptedKeys {
 		err := os.Mkdir(filepath.Join(dir, key.Name), 0o777)
 		require.NoError(t, err)
 
@@ -141,7 +141,7 @@ func writeUnEncryptedKeys(t *testing.T, dir string) []*accessgraphsecretsv1pb.Pr
 	t.Helper()
 	var expectedKeys []*accessgraphsecretsv1pb.PrivateKey
 
-	for name, key := range cryptosshtestdata.PEMBytes {
+	for name, key := range scantestdata.PEMBytes {
 		err := os.Mkdir(filepath.Join(dir, name), 0o777)
 		require.NoError(t, err)
 
@@ -174,7 +174,7 @@ func writeEncryptedKeyWithoutPubFile(t *testing.T, dir string) []*accessgraphsec
 	t.Helper()
 
 	// Write encrypted keys to the directory.
-	rawKey := cryptosshtestdata.PEMEncryptedKeys[0]
+	rawKey := scantestdata.PEMEncryptedKeys[0]
 	err := os.Mkdir(filepath.Join(dir, rawKey.Name), 0o777)
 	require.NoError(t, err)
 
@@ -199,19 +199,14 @@ func writeInvalidKeys(t *testing.T, dir string) []*accessgraphsecretsv1pb.Privat
 	t.Helper()
 
 	// Write invalid keys to the directory.
-	err := os.WriteFile(filepath.Join(dir, "file-with-short-size"), []byte("invalid-key"), 0o644)
-	require.NoError(t, err)
-
-	err = os.WriteFile(filepath.Join(dir, "invalid-key-valid-headers"), []byte(
-		`-----BEGIN OPENSSH PRIVATE KEY-----\n
-trash\n
------END OPENSSH PRIVATE KEY-----\n`), 0o644)
-	require.NoError(t, err)
+	for path, keyBytes := range scantestdata.InvalidKeysBytes {
+		err := os.Mkdir(filepath.Join(dir, path), 0o777)
+		require.NoError(t, err)
 
-	err = os.WriteFile(filepath.Join(dir, "invalid-key-invalid-header"), []byte(
-		`abcefg-----BEGIN OPENSSH PRIVATE KEY-----\n
------END OPENSSH PRIVATE KEY-----\n`), 0o644)
-	require.NoError(t, err)
+		filePath := filepath.Join(dir, path, path)
+		err = os.WriteFile(filePath, keyBytes, 0o666)
+		require.NoError(t, err)
+	}
 
 	return nil
 }
diff --git a/lib/secretsscanner/scaner/testdata/invalid_keys.go b/lib/secretsscanner/scaner/testdata/invalid_keys.go
@@ -0,0 +1,50 @@
+/*
+ * Teleport
+ * Copyright (C) 2024  Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package testdata
+
+// InvalidKeysBytes is a map of invalid keys to their byte representation.
+var InvalidKeysBytes = map[string][]byte{
+	"short-file": []byte("short file"),
+
+	"empty-file": []byte(""),
+
+	"invalid-key": []byte(`-----BEGIN PRIVATE
+KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDQ7z7z7z7z7z7z
+-----END OPENSSH PRIVATE KEY-----
+`),
+
+	"invalid-key-valid-headers": []byte(
+		`-----BEGIN OPENSSH PRIVATE KEY-----
+trash
+-----END OPENSSH PRIVATE KEY-----
+`),
+
+	"invalid-key-invalid-header": []byte(
+		`abcefg-----BEGIN OPENSSH PRIVATE KEY-----
+-----END OPENSSH PRIVATE KEY-----
+`),
+
+	"valid-key-not-supported-header": []byte(`-----BEGIN RANDOM PRIVATE KEY-----
+MHcCAQEEINGWx0zo6fhJ/0EAfrPzVFyFC9s18lBt3cRoEDhS3ARooAoGCCqGSM49
+AwEHoUQDQgAEi9Hdw6KvZcWxfg2IDhA7UkpDtzzt6ZqJXSsFdLd+Kx4S3Sx4cVO+
+6/ZOXRnPmNAlLUqjShUsUBBngG0u2fqEqA==
+-----END EC PRIVATE KEY-----
+`),
+}