fixing fallback to proto stream V1 for plaintext recordings and a few issues pointed out in PR feedback

Author: eriktate

lib/auth/auth.go

@@ -221,7 +221,7 @@ func NewServer(cfg *InitConfig, opts ...ServerOption) (*Server, error) {
 		if err != nil {
 			return nil, trace.Wrap(err)
 		}
-		cfg.ClusterConfiguration = recordingencryption.NewClusterConfigService(clusterConfig, cfg.RecordingEncryption)
+		cfg.ClusterConfiguration = clusterConfig
 	}
 	if cfg.KeyStore == nil {
 		keystoreOpts := &keystore.Options{
@@ -255,16 +255,16 @@ func NewServer(cfg *InitConfig, opts ...ServerOption) (*Server, error) {
 		}
 
 		recordingEncryptionManager, err := recordingencryption.NewManager(recordingencryption.ManagerConfig{
-			Backend:  localRecordingEncryption,
-			KeyStore: cfg.KeyStore,
-			Logger:   cfg.Logger,
+			Backend:       localRecordingEncryption,
+			ClusterConfig: cfg.ClusterConfiguration,
+			KeyStore:      cfg.KeyStore,
+			Logger:        cfg.Logger,
 		})
 		if err != nil {
 			return nil, trace.Wrap(err)
 		}
 
 		cfg.RecordingEncryption = recordingEncryptionManager
-		cfg.ClusterConfiguration = recordingencryption.NewClusterConfigService(cfg.ClusterConfiguration, recordingEncryptionManager)
 	}
 	if cfg.AutoUpdateService == nil {
 		cfg.AutoUpdateService, err = local.NewAutoUpdateService(cfg.Backend)

lib/auth/helpers.go

@@ -323,7 +323,7 @@ func NewTestAuthServer(cfg TestAuthServerConfig) (*TestAuthServer, error) {
 		}
 	}
 
-	keyStore, err := keystore.NewManager(context.Background(), &cfg.KeystoreConfig, keystoreOpts)
+	keyStore, err := keystore.NewManager(ctx, &cfg.KeystoreConfig, keystoreOpts)
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}

lib/auth/init.go

@@ -45,6 +45,7 @@ import (
 	autoupdatev1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/autoupdate/v1"
 	clusterconfigpb "github.com/gravitational/teleport/api/gen/proto/go/teleport/clusterconfig/v1"
 	machineidv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/machineid/v1"
+	recordingencryptionv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/recordingencryption/v1"
 	"github.com/gravitational/teleport/api/types"
 	"github.com/gravitational/teleport/api/types/clusterconfig"
 	apievents "github.com/gravitational/teleport/api/types/events"
@@ -90,8 +91,8 @@ type VersionStorage interface {
 // operations.
 type RecordingEncryptionManager interface {
 	services.RecordingEncryption
-	recordingencryption.Resolver
 	recordingencryption.DecryptionKeyFinder
+	ResolveRecordingEncryption(ctx context.Context) (*recordingencryptionv1pb.RecordingEncryption, error)
 }
 
 // InitConfig is auth server init config

lib/auth/recordingencryption/clusterconfig.go

@@ -68,12 +68,12 @@ func (e *EncryptedIO) WithEncryption(ctx context.Context, writer io.WriteCloser)
 // WithDecryption wraps the given io.Reader with decryption using the recordingencryption.RecordingIdentity. This
 // will dynamically search for an accessible decryption key using the provided recordingencryption.DecryptionKeyFinder
 // in order to perform decryption
-func (e *EncryptedIO) WithDecryption(reader io.Reader) (io.Reader, error) {
+func (e *EncryptedIO) WithDecryption(ctx context.Context, reader io.Reader) (io.Reader, error) {
 	if e.keyFinder == nil {
 		return reader, nil
 	}
 
-	ident := NewRecordingIdentity(e.keyFinder)
+	ident := NewRecordingIdentity(ctx, e.keyFinder)
 	r, err := age.Decrypt(reader, ident)
 	if err != nil {
 		return nil, trace.Wrap(err)
@@ -112,10 +112,35 @@ func (s *EncryptionWrapper) WithEncryption(ctx context.Context, writer io.WriteC
 		recipients = append(recipients, recipient)
 	}
 
-	w, err := age.Encrypt(writer, recipients...)
-	if err != nil {
-		return nil, trace.Wrap(err)
+	return &ageWriter{
+		w:          writer,
+		recipients: recipients,
+	}, nil
+}
+
+// ageWriter defers initializing the age encrypter to the first write so we can
+// prevent age from immediately writing the header
+type ageWriter struct {
+	w           io.WriteCloser
+	recipients  []age.Recipient
+	initialized bool
+}
+
+// Write data using age encryption, initializing the encrypter if needed
+func (a *ageWriter) Write(data []byte) (int, error) {
+	if !a.initialized {
+		w, err := age.Encrypt(a.w, a.recipients...)
+		if err != nil {
+			return 0, trace.Wrap(err)
+		}
+		a.w = w
+		a.initialized = true
 	}
 
-	return w, nil
+	return a.w.Write(data)
+}
+
+// Close flushes any buffered encrypted data and closes the underlying io.WriteCloser
+func (a *ageWriter) Close() error {
+	return a.w.Close()
 }

lib/auth/recordingencryption/encryptedio.go

@@ -56,7 +56,7 @@ func TestEncryptedIO(t *testing.T) {
 	err = writer.Close()
 	require.NoError(t, err)
 
-	reader, err := encryptedIO.WithDecryption(out)
+	reader, err := encryptedIO.WithDecryption(ctx, out)
 	require.NoError(t, err)
 
 	plaintext, err := io.ReadAll(reader)

lib/auth/recordingencryption/encryptedio_test.go

@@ -300,12 +300,8 @@ func (m *Manager) searchActiveKeys(ctx context.Context, activeKeys []*recordinge
 			continue
 		}
 
-		// TODO (eriktate): this is a bit of a hack to allow encryption to work while the public key isn't retrievable
-		// from the age header
-		if publicKey != nil {
-			if !slices.Equal(key.RecordingEncryptionPair.PublicKey, publicKey) {
-				continue
-			}
+		if !slices.Equal(key.RecordingEncryptionPair.PublicKey, publicKey) {
+			continue
 		}
 
 		decrypter, err := m.keyStore.GetDecrypter(ctx, key.KeyEncryptionPair)
@@ -329,8 +325,7 @@ func (m *Manager) searchActiveKeys(ctx context.Context, activeKeys []*recordinge
 }
 
 // FindDecryptionKey returns the first accessible decryption key that matches one of the given public keys.
-func (m *Manager) FindDecryptionKey(publicKeys ...[]byte) (*types.EncryptionKeyPair, error) {
-	ctx := context.Background()
+func (m *Manager) FindDecryptionKey(ctx context.Context, publicKeys ...[]byte) (*types.EncryptionKeyPair, error) {
 	encryption, err := m.GetRecordingEncryption(ctx)
 	if err != nil {
 		return nil, trace.Wrap(err)

lib/auth/recordingencryption/manager.go

@@ -305,21 +305,21 @@ func TestFindDecryptionKeyFromActiveKeys(t *testing.T) {
 	pubKey := activeKeys[0].RecordingEncryptionPair.PublicKey
 
 	// fail to find private key for manager B because it is waiting for key fulfillment
-	_, err = managerB.FindDecryptionKey(pubKey)
+	_, err = managerB.FindDecryptionKey(ctx, pubKey)
 	require.Error(t, err)
 
 	_, err = managerA.ResolveRecordingEncryption(ctx)
 	require.NoError(t, err)
 
 	// find private key for manager A because it provisioned the key
-	decryptionPair, err := managerA.FindDecryptionKey(pubKey)
+	decryptionPair, err := managerA.FindDecryptionKey(ctx, pubKey)
 	require.NoError(t, err)
 	ident, err := age.ParseX25519Identity(string(decryptionPair.PrivateKey))
 	require.NoError(t, err)
 	require.Equal(t, ident.Recipient().String(), string(pubKey))
 
 	// find private key for manager B after fulfillment
-	decryptionPair, err = managerB.FindDecryptionKey(pubKey)
+	decryptionPair, err = managerB.FindDecryptionKey(ctx, pubKey)
 	require.NoError(t, err)
 	ident, err = age.ParseX25519Identity(string(decryptionPair.PrivateKey))
 	require.NoError(t, err)