feat(server): add AUTHKEY command handling

author: Paul Buetow <paul@buetow.org> 2026-03-03 10:10:19 +0200
committer: Paul Buetow <paul@buetow.org> 2026-03-03 10:10:19 +0200
commit: 7d3685a5ed4bfac85673793f8ae6d9c5a6cff962 (patch)
tree: 27bc845ef5758aa43662d0ce238436461d1893e7 /internal/server
parent: f4898f746d03ff5dcf57d3967c594d98a9da7fe0 (diff)
2 files changed, 159 insertions, 5 deletions
diff --git a/internal/server/handlers/authkeycommand_test.go b/internal/server/handlers/authkeycommand_test.go
new file mode 100644
index 0000000..bb9488b
--- /dev/null
+++ b/internal/server/handlers/authkeycommand_test.go
@@ -0,0 +1,117 @@
+package handlers
+
+import (
+	"context"
+	"crypto/ed25519"
+	"encoding/base64"
+	"testing"
+	"time"
+
+	"github.com/mimecast/dtail/internal"
+	"github.com/mimecast/dtail/internal/config"
+	"github.com/mimecast/dtail/internal/lcontext"
+	sshserver "github.com/mimecast/dtail/internal/ssh/server"
+	userserver "github.com/mimecast/dtail/internal/user/server"
+
+	gossh "golang.org/x/crypto/ssh"
+)
+
+func TestHandleAuthKeyCommandSuccess(t *testing.T) {
+	handler := newAuthKeyTestHandler("authkey-success-user", true)
+	key := handlerTestPublicKey(t, 31)
+	keyArg := base64.StdEncoding.EncodeToString(key.Marshal())
+
+	commandFinished := false
+	handler.handleAuthKeyCommand(context.Background(), lcontext.LContext{}, 2,
+		[]string{"AUTHKEY", keyArg}, func() {
+			commandFinished = true
+		})
+
+	if !commandFinished {
+		t.Fatalf("Expected commandFinished callback to be called")
+	}
+	if message := readServerMessage(t, handler.serverMessages); message != "AUTHKEY OK\n" {
+		t.Fatalf("Unexpected response: %q", message)
+	}
+	if !sshserver.ServerAuthKeyStore().Has(handler.user.Name, key) {
+		t.Fatalf("Expected key to be stored for user")
+	}
+
+	sshserver.ServerAuthKeyStore().Remove(handler.user.Name, key)
+}
+
+func TestHandleAuthKeyCommandFeatureDisabled(t *testing.T) {
+	handler := newAuthKeyTestHandler("authkey-disabled-user", false)
+	key := handlerTestPublicKey(t, 32)
+	keyArg := base64.StdEncoding.EncodeToString(key.Marshal())
+
+	handler.handleAuthKeyCommand(context.Background(), lcontext.LContext{}, 2,
+		[]string{"AUTHKEY", keyArg}, func() {})
+
+	if message := readServerMessage(t, handler.serverMessages); message != "AUTHKEY ERR feature disabled\n" {
+		t.Fatalf("Unexpected response: %q", message)
+	}
+	if sshserver.ServerAuthKeyStore().Has(handler.user.Name, key) {
+		t.Fatalf("Expected no key to be stored while feature is disabled")
+	}
+}
+
+func TestHandleAuthKeyCommandInvalidPayload(t *testing.T) {
+	handler := newAuthKeyTestHandler("authkey-invalid-user", true)
+
+	handler.handleAuthKeyCommand(context.Background(), lcontext.LContext{}, 2,
+		[]string{"AUTHKEY", "not-base64"}, func() {})
+
+	if message := readServerMessage(t, handler.serverMessages); message != "AUTHKEY ERR invalid base64\n" {
+		t.Fatalf("Unexpected response for invalid base64: %q", message)
+	}
+
+	validButNonSSH := base64.StdEncoding.EncodeToString([]byte("not-an-ssh-key"))
+	handler.handleAuthKeyCommand(context.Background(), lcontext.LContext{}, 2,
+		[]string{"AUTHKEY", validButNonSSH}, func() {})
+	if message := readServerMessage(t, handler.serverMessages); message != "AUTHKEY ERR invalid public key\n" {
+		t.Fatalf("Unexpected response for invalid key bytes: %q", message)
+	}
+}
+
+func newAuthKeyTestHandler(userName string, authKeyEnabled bool) *ServerHandler {
+	return &ServerHandler{
+		baseHandler: baseHandler{
+			done:           internal.NewDone(),
+			serverMessages: make(chan string, 4),
+			user:           &userserver.User{Name: userName},
+		},
+		serverCfg: &config.ServerConfig{
+			AuthKeyEnabled: authKeyEnabled,
+		},
+	}
+}
+
+func handlerTestPublicKey(t *testing.T, seedByte byte) gossh.PublicKey {
+	t.Helper()
+
+	seed := make([]byte, ed25519.SeedSize)
+	for i := range seed {
+		seed[i] = seedByte
+	}
+
+	privateKey := ed25519.NewKeyFromSeed(seed)
+	publicKey, err := gossh.NewPublicKey(privateKey.Public())
+	if err != nil {
+		t.Fatalf("Unable to build ssh public key: %s", err.Error())
+	}
+
+	return publicKey
+}
+
+func readServerMessage(t *testing.T, messages <-chan string) string {
+	t.Helper()
+
+	select {
+	case message := <-messages:
+		return message
+	case <-time.After(time.Second):
+		t.Fatalf("Timed out waiting for server message")
+		return ""
+	}
+}
diff --git a/internal/server/handlers/serverhandler.go b/internal/server/handlers/serverhandler.go
index f9aa499..53ab4e3 100644
--- a/internal/server/handlers/serverhandler.go
+++ b/internal/server/handlers/serverhandler.go
@@ -2,6 +2,7 @@ package handlers
 
 import (
 	"context"
+	"encoding/base64"
 	"strings"
 	"sync/atomic"
 
@@ -11,7 +12,10 @@ import (
 	"github.com/mimecast/dtail/internal/io/line"
 	"github.com/mimecast/dtail/internal/lcontext"
 	"github.com/mimecast/dtail/internal/omode"
+	sshserver "github.com/mimecast/dtail/internal/ssh/server"
 	user "github.com/mimecast/dtail/internal/user/server"
+
+	gossh "golang.org/x/crypto/ssh"
 )
 
 // ServerHandler implements the Reader and Writer interfaces to handle
@@ -100,11 +104,13 @@ func (h *ServerHandler) handleUserCommand(ctx context.Context, ltx lcontext.LCon
 
 func (h *ServerHandler) newCommandRegistry() map[string]commandHandler {
 	return map[string]commandHandler{
-		"grep": h.makeReadCommandHandler(omode.GrepClient, 1),
-		"cat":  h.makeReadCommandHandler(omode.CatClient, 1),
-		"tail": h.makeReadCommandHandler(omode.TailClient, 10),
-		"map":  h.handleMapCommand,
-		".ack": h.handleAckUserCommand,
+		"grep":    h.makeReadCommandHandler(omode.GrepClient, 1),
+		"cat":     h.makeReadCommandHandler(omode.CatClient, 1),
+		"tail":    h.makeReadCommandHandler(omode.TailClient, 10),
+		"map":     h.handleMapCommand,
+		".ack":    h.handleAckUserCommand,
+		"AUTHKEY": h.handleAuthKeyCommand,
+		"authkey": h.handleAuthKeyCommand,
 	}
 }
 
@@ -139,3 +145,34 @@ func (h *ServerHandler) handleAckUserCommand(_ context.Context, _ lcontext.LCont
 	h.handleAckCommand(argc, args)
 	commandFinished()
 }
+
+func (h *ServerHandler) handleAuthKeyCommand(_ context.Context, _ lcontext.LContext,
+	argc int, args []string, commandFinished func()) {
+
+	defer commandFinished()
+
+	if !h.serverCfg.AuthKeyEnabled {
+		h.sendln(h.serverMessages, "AUTHKEY ERR feature disabled")
+		return
+	}
+
+	if argc < 2 || strings.TrimSpace(args[1]) == "" {
+		h.sendln(h.serverMessages, "AUTHKEY ERR missing public key")
+		return
+	}
+
+	decodedPubKey, err := base64.StdEncoding.DecodeString(args[1])
+	if err != nil {
+		h.sendln(h.serverMessages, "AUTHKEY ERR invalid base64")
+		return
+	}
+
+	pubKey, err := gossh.ParsePublicKey(decodedPubKey)
+	if err != nil {
+		h.sendln(h.serverMessages, "AUTHKEY ERR invalid public key")
+		return
+	}
+
+	sshserver.ServerAuthKeyStore().Add(h.user.Name, pubKey)
+	h.sendln(h.serverMessages, "AUTHKEY OK")
+}
author	Paul Buetow <paul@buetow.org>	2026-03-03 10:10:19 +0200
committer	Paul Buetow <paul@buetow.org>	2026-03-03 10:10:19 +0200
commit	7d3685a5ed4bfac85673793f8ae6d9c5a6cff962 (patch)
tree	27bc845ef5758aa43662d0ce238436461d1893e7 /internal/server
parent	f4898f746d03ff5dcf57d3967c594d98a9da7fe0 (diff)