[sec_scan][24] extract AuthorizedKey's comment and type

This PR adds ability to extract the comment and key type from AuthorizedKeys files.

Signed-off-by: Tiago Silva <[email protected]>

api/proto/teleport/access_graph/v1/authorized_key.proto

@@ -43,4 +43,10 @@ message AuthorizedKeySpec {
   string key_fingerprint = 2;
   // host_user is the user who can be accessed using the fingerprint above.
   string host_user = 3;
+  // key_comment is the authorized key's comment.
+  // Authorized keys consist of the following space-separated fields:
+  // options, keytype, base64-encoded key, comment.  The options field is optional.
+  string key_comment = 4;
+  // key_type is the ssh's key type.
+  string key_type = 5;
 }

api/types/accessgraph/authorized_key.go

@@ -76,6 +76,10 @@ func ValidateAuthorizedKey(k *accessgraphv1pb.AuthorizedKey) error {
 		return trace.BadParameter("KeyFingerprint is unset")
 	}
 
+	if k.Spec.KeyType == "" {
+		return trace.BadParameter("KeyType is unset")
+	}
+
 	if k.Metadata.Name == "" {
 		return trace.BadParameter("Name is unset")
 	}

lib/secretsscanner/authorizedkeys/authorized_keys.go

@@ -354,7 +354,7 @@ func (w *Watcher) parseAuthorizedKeysFile(ctx context.Context, u user.User, auth
 		if len(payload) == 0 || payload[0] == '#' {
 			continue
 		}
-		parsedKey, _, _, _, err := ssh.ParseAuthorizedKey(payload)
+		parsedKey, comment, _, _, err := ssh.ParseAuthorizedKey(payload)
 		if err != nil {
 			w.logger.WarnContext(ctx, "Failed to parse authorized key", "error", err)
 			continue
@@ -367,6 +367,8 @@ func (w *Watcher) parseAuthorizedKeysFile(ctx context.Context, u user.User, auth
 				HostId:         w.hostID,
 				HostUser:       u.Username,
 				KeyFingerprint: ssh.FingerprintSHA256(parsedKey),
+				KeyComment:     comment,
+				KeyType:        parsedKey.Type(),
 			},
 		)
 		if err != nil {

lib/secretsscanner/authorizedkeys/authorized_keys_test.go

@@ -202,15 +202,26 @@ func (f *fakeClient) getReqReceived() []*accessgraphsecretsv1pb.ReportAuthorized
 
 func createKeysForUsers(t *testing.T, hostID string) []*accessgraphsecretsv1pb.AuthorizedKey {
 	var keys []*accessgraphsecretsv1pb.AuthorizedKey
-	for _, fingerprint := range []string{
-		"SHA256:GbJlTLeQgZhvGoklWGXHo0AinGgGEcldllgYExoSy+s", /* ssh-rsa */
-		"SHA256:ewwMB/nCAYurNrYFXYZuxLZv7T7vgpPd7QuIo0d5n+U", /* ssh-ed25519 */
+	for _, k := range []struct {
+		fingerprint string
+		keyType     string
+	}{
+		{
+			fingerprint: "SHA256:GbJlTLeQgZhvGoklWGXHo0AinGgGEcldllgYExoSy+s",
+			keyType:     "ssh-ed25519",
+		},
+		{
+			fingerprint: "SHA256:ewwMB/nCAYurNrYFXYZuxLZv7T7vgpPd7QuIo0d5n+U",
+			keyType:     "ssh-rsa",
+		},
 	} {
 		for _, user := range []string{"root", "user"} {
 			at, err := accessgraph.NewAuthorizedKey(&accessgraphsecretsv1pb.AuthorizedKeySpec{
 				HostId:         hostID,
 				HostUser:       user,
-				KeyFingerprint: fingerprint,
+				KeyFingerprint: k.fingerprint,
+				KeyComment:     "friel@test",
+				KeyType:        k.keyType,
 			})
 			require.NoError(t, err)
 			keys = append(keys, at)

lib/services/local/access_graph_test.go

@@ -55,21 +55,25 @@ func TestAccessGraphAuthorizedKeys(t *testing.T) {
 			HostId:         "host1",
 			HostUser:       "user1",
 			KeyFingerprint: "AAAAB3NzaC1yc2EAAAADAQABAAABAQC...",
+			KeyType:        "ssh-rsa",
 		},
 		{
 			HostId:         "host1",
 			HostUser:       "user2",
 			KeyFingerprint: "AAAAB3NzaC1yc2EAAAADAQABAAABAQC...",
+			KeyType:        "ssh-rsa",
 		},
 		{
 			HostId:         "host2",
 			HostUser:       "user1",
 			KeyFingerprint: "AAAAB3NzaC1yc2EAAAADAQABAAABAQC...",
+			KeyType:        "ssh-rsa",
 		},
 		{
 			HostId:         "host2",
 			HostUser:       "user2",
 			KeyFingerprint: "AAAAB3NzaC1yc2EAAAADAQABAAABAQC...",
+			KeyType:        "ssh-rsa",
 		},
 	}
 	var authKeys []*accessgraphsecretspb.AuthorizedKey