feat(ssh-server): check auth key cache in public key callback

1 files changed, 20 insertions, 3 deletions

diff --git a/internal/ssh/server/publickeycallback.go b/internal/ssh/server/publickeycallback.go
index bcc9004..ae6ee60 100644
--- a/internal/ssh/server/publickeycallback.go
+++ b/internal/ssh/server/publickeycallback.go
@@ -23,6 +23,11 @@ func PublicKeyCallback(c gossh.ConnMetadata,
 	}
 	dlog.Server.Info(user, "Incoming authorization")
 
+	if permissions := authKeyStorePermissions(user.Name, offeredPubKey); permissions != nil {
+		dlog.Server.Info(user, "Authorized by in-memory auth key store")
+		return permissions, nil
+	}
+
 	authorizedKeysFile, err := authorizedKeysFile(user)
 	if err != nil {
 		return nil, err
@@ -56,14 +61,26 @@ func verifyAuthorizedKeys(user *user.User, authorizedKeysBytes []byte,
 
 	dlog.Server.Debug(user, "Offered public key fingerprint", gossh.FingerprintSHA256(offeredPubKey))
 	if authorizedKeysMap[string(offeredPubKey.Marshal())] {
-		return &gossh.Permissions{
-			Extensions: map[string]string{"pubkey-fp": gossh.FingerprintSHA256(offeredPubKey)},
-		}, nil
+		return permissionsFromPublicKey(offeredPubKey), nil
 	}
 
 	return nil, fmt.Errorf("%s|public key of user not authorized", user)
 }
 
+func authKeyStorePermissions(userName string, offeredPubKey gossh.PublicKey) *gossh.Permissions {
+	if !authKeyStore.Has(userName, offeredPubKey) {
+		return nil
+	}
+
+	return permissionsFromPublicKey(offeredPubKey)
+}
+
+func permissionsFromPublicKey(offeredPubKey gossh.PublicKey) *gossh.Permissions {
+	return &gossh.Permissions{
+		Extensions: map[string]string{"pubkey-fp": gossh.FingerprintSHA256(offeredPubKey)},
+	}
+}
+
 func authorizedKeysFile(user *user.User) (string, error) {
 	if config.Env("DTAIL_INTEGRATION_TEST_RUN_MODE") {
 		// In this case, we expect a pub key in the current directory.