Adding session recording plugin for age

api/types/sessionrecording.go

@@ -17,6 +17,7 @@ limitations under the License.
 package types
 
 import (
+	"iter"
 	"slices"
 	"strings"
 	"time"
@@ -43,6 +44,16 @@ type SessionRecordingConfig interface {
 	// SetProxyChecksHostKeys sets if the proxy will check host keys.
 	SetProxyChecksHostKeys(bool)
 
+	// GetEncrypted gets if session recordings should be encrypted or not.
+	GetEncrypted() bool
+
+	// GetEncryptionKeys gets the encryption keys for the session recording config.
+	GetEncryptionKeys() []*AgeEncryptionKey
+
+	// SetEncryptionKeys sets the encryption keys for the session recording config.
+	// It returns true if there was a change applied and false otherwise.
+	SetEncryptionKeys(iter.Seq[*AgeEncryptionKey]) bool
+
 	// Clone returns a copy of the resource.
 	Clone() SessionRecordingConfig
 }
@@ -163,6 +174,62 @@ func (c *SessionRecordingConfigV2) SetProxyChecksHostKeys(t bool) {
 	c.Spec.ProxyChecksHostKeys = NewBoolOption(t)
 }
 
+// GetEncrypted gets if session recordings should be encrypted or not.
+func (c *SessionRecordingConfigV2) GetEncrypted() bool {
+	encryption := c.Spec.Encryption
+	if encryption == nil {
+		return false
+	}
+
+	return encryption.Enabled
+}
+
+// GetEncryptionKeys gets the encryption keys for the session recording config.
+func (c *SessionRecordingConfigV2) GetEncryptionKeys() []*AgeEncryptionKey {
+	if c.Status != nil {
+		return c.Status.EncryptionKeys
+	}
+
+	return nil
+}
+
+// SetEncryptionKeys sets the encryption keys for the session recording config.
+// It returns true if there was a change applied and false otherwise.
+func (c *SessionRecordingConfigV2) SetEncryptionKeys(keys iter.Seq[*AgeEncryptionKey]) bool {
+	existingKeys := make(map[string]struct{})
+	for _, key := range c.GetEncryptionKeys() {
+		existingKeys[string(key.PublicKey)] = struct{}{}
+	}
+
+	var keysChanged bool
+	var newKeys []*AgeEncryptionKey
+	addedKeys := make(map[string]struct{})
+	for key := range keys {
+		if !keysChanged {
+			if _, exists := existingKeys[string(key.PublicKey)]; !exists {
+				keysChanged = true
+			}
+		}
+
+		if _, added := addedKeys[string(key.PublicKey)]; !added {
+			addedKeys[string(key.PublicKey)] = struct{}{}
+			newKeys = append(newKeys, key)
+		}
+
+	}
+
+	if !keysChanged || len(newKeys) == 0 || len(existingKeys) == len(addedKeys) {
+		return false
+	}
+
+	if c.Status == nil {
+		c.Status = &SessionRecordingConfigStatus{}
+	}
+	c.Status.EncryptionKeys = newKeys
+
+	return true
+}
+
 // Clone returns a copy of the resource.
 func (c *SessionRecordingConfigV2) Clone() SessionRecordingConfig {
 	return utils.CloneProtoMsg(c)

go.mod

@@ -15,6 +15,7 @@ require (
 	cloud.google.com/go/storage v1.53.0
 	code.dny.dev/ssrf v0.2.0
 	connectrpc.com/connect v1.18.1
+	filippo.io/age v1.2.1
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2 v2.2.0

go.sum

@@ -1,3 +1,5 @@
+c2sp.org/CCTV/age v0.0.0-20240306222714-3ec4d716e805 h1:u2qwJeEvnypw+OCPUHmoZE3IqwfuN5kgDfo5MLzpNM0=
+c2sp.org/CCTV/age v0.0.0-20240306222714-3ec4d716e805/go.mod h1:FomMrUJ2Lxt5jCLmZkG3FHa72zUprnhd3v/Z18Snm4w=
 cel.dev/expr v0.23.1 h1:K4KOtPCJQjVggkARsjG9RWXP6O4R73aHeJMa/dmCQQg=
 cel.dev/expr v0.23.1/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw=
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
@@ -641,6 +643,8 @@ cuelang.org/go v0.12.1/go.mod h1:B4+kjvGGQnbkz+GuAv1dq/R308gTkp0sO28FdMrJ2Kw=
 dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
 dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
+filippo.io/age v1.2.1 h1:X0TZjehAZylOIj4DubWYU1vWQxv9bJpo+Uu2/LGhi1o=
+filippo.io/age v1.2.1/go.mod h1:JL9ew2lTN+Pyft4RiNGguFfOpewKwSHm5ayKD/A4004=
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 gioui.org v0.0.0-20210308172011-57750fc8a0a6/go.mod h1:RSH6KIUZ0p2xy5zHDxgAM4zumjgTw83q2ge/PI+yyw8=

lib/auth/recordingencryption/age.go

@@ -0,0 +1,119 @@
+// Teleport
+// Copyright (C) 2025 Gravitational, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package recordingencryption
+
+import (
+	"context"
+
+	"filippo.io/age"
+	"github.com/gravitational/trace"
+
+	"github.com/gravitational/teleport/api/types"
+)
+
+// X25519Stanza is the default stanza type used by age.
+const X25519Stanza = "X25519"
+
+// RecordingStanza is the type used for the identifying stanza added by RecordingRecipient.
+const RecordingStanza = "Recording-X25519"
+
+// DecryptionKeyFinder returns an EncryptionKeyPair related to at least one of the given public keys to be used
+// for file key unwrapping.
+type DecryptionKeyFinder interface {
+	FindDecryptionKey(ctx context.Context, publicKeys ...[]byte) (*types.EncryptionKeyPair, error)
+}
+
+// RecordingIdentity removes public keys from stanzas and passes the unwrap call to the default
+// age.X25519Identity.
+type RecordingIdentity struct {
+	ctx       context.Context
+	keyFinder DecryptionKeyFinder
+}
+
+// NewRecordingIdentity returns a RecordingIdentity that will use the given DecryptionKeyFinder in order to facilitate
+// file key unwrapping.
+func NewRecordingIdentity(ctx context.Context, keyFinder DecryptionKeyFinder) *RecordingIdentity {
+	return &RecordingIdentity{
+		ctx:       ctx,
+		keyFinder: keyFinder,
+	}
+}
+
+// Unwrap uses the additional stanzas added by RecordingRecipient.Wrap in order to find a matching X25519 identity.
+func (i *RecordingIdentity) Unwrap(stanzas []*age.Stanza) ([]byte, error) {
+	var publicKeys [][]byte
+	for _, stanza := range stanzas {
+		if stanza.Type != RecordingStanza {
+			continue
+		}
+
+		if len(stanza.Args) != 1 {
+			continue
+		}
+
+		publicKeys = append(publicKeys, []byte(stanza.Args[0]))
+	}
+
+	pair, err := i.keyFinder.FindDecryptionKey(i.ctx, publicKeys...)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	identity, err := age.ParseX25519Identity(string(pair.PrivateKey))
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	return identity.Unwrap(stanzas)
+}
+
+// RecordingRecipient adds the public key to the stanzas generated by the default age.X25519Recipient
+type RecordingRecipient struct {
+	*age.X25519Recipient
+}
+
+// ParseRecordingRecipient parses an Bech32 encoded age X25519 public key into a RecordingRecipient.
+func ParseRecordingRecipient(s string) (*RecordingRecipient, error) {
+	recipient, err := age.ParseX25519Recipient(s)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	return &RecordingRecipient{X25519Recipient: recipient}, nil
+}
+
+// Wrap a fileKey using the wrapped X2519Recipient. An additional stanza containing the bech32 encoded X25519
+// public key will be created to enable lookups during Unwrap.
+func (r *RecordingRecipient) Wrap(fileKey []byte) ([]*age.Stanza, error) {
+	stanzas, err := r.X25519Recipient.Wrap(fileKey)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	// a new stanza has to be added because modifying the original stanza and returning it to "normal" during
+	// Unwrap fails due to MAC errors
+	for _, stanza := range stanzas {
+		if stanza.Type == X25519Stanza {
+			stanzas = append(stanzas, &age.Stanza{
+				Type: RecordingStanza,
+				Args: []string{r.String()},
+			})
+		}
+	}
+
+	return stanzas, nil
+}

lib/auth/recordingencryption/age_test.go

@@ -0,0 +1,111 @@
+// Teleport
+// Copyright (C) 2025 Gravitational, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package recordingencryption_test
+
+import (
+	"bytes"
+	"context"
+	"errors"
+	"io"
+	"testing"
+
+	"filippo.io/age"
+	"github.com/stretchr/testify/require"
+
+	"github.com/gravitational/teleport/api/types"
+	"github.com/gravitational/teleport/lib/auth/recordingencryption"
+)
+
+func TestRecordingAgePlugin(t *testing.T) {
+	ctx := t.Context()
+	keyFinder := newFakeKeyFinder()
+	recordingIdentity := recordingencryption.NewRecordingIdentity(ctx, keyFinder)
+
+	ident, err := keyFinder.generateIdentity()
+	require.NoError(t, err)
+
+	recipient, err := recordingencryption.ParseRecordingRecipient(ident.Recipient().String())
+	require.NoError(t, err)
+
+	out := bytes.NewBuffer(nil)
+	writer, err := age.Encrypt(out, recipient)
+	require.NoError(t, err)
+
+	msg := []byte("testing age plugin for session recordings")
+	_, err = writer.Write(msg)
+	require.NoError(t, err)
+
+	// writer must be closed to ensure data is flushed
+	err = writer.Close()
+	require.NoError(t, err)
+
+	reader, err := age.Decrypt(out, recordingIdentity)
+	require.NoError(t, err)
+	plaintext, err := io.ReadAll(reader)
+	require.NoError(t, err)
+
+	require.Equal(t, msg, plaintext)
+
+	// running the same test with the raw recipient should fail because the
+	// the extra stanza added by RecordingRecipient won't be present and
+	// the private key won't be found
+	out.Reset()
+	writer, err = age.Encrypt(out, ident.Recipient())
+	require.NoError(t, err)
+	_, err = writer.Write(msg)
+	require.NoError(t, err)
+	err = writer.Close()
+	require.NoError(t, err)
+	_, err = age.Decrypt(out, recordingIdentity)
+	require.Error(t, err)
+}
+
+type fakeKeyFinder struct {
+	keys map[string]string
+}
+
+func newFakeKeyFinder() *fakeKeyFinder {
+	return &fakeKeyFinder{
+		keys: make(map[string]string),
+	}
+}
+
+func (f *fakeKeyFinder) FindDecryptionKey(ctx context.Context, publicKeys ...[]byte) (*types.EncryptionKeyPair, error) {
+	for _, pubKey := range publicKeys {
+		key, ok := f.keys[string(pubKey)]
+		if !ok {
+			continue
+		}
+
+		return &types.EncryptionKeyPair{
+			PrivateKey: []byte(key),
+			PublicKey:  pubKey,
+		}, nil
+	}
+
+	return nil, errors.New("no accessible decryption key found")
+}
+
+func (f *fakeKeyFinder) generateIdentity() (*age.X25519Identity, error) {
+	ident, err := age.GenerateX25519Identity()
+	if err != nil {
+		return nil, err
+	}
+
+	f.keys[ident.Recipient().String()] = ident.String()
+	return ident, nil
+}