feat: add audit logging for account key hash updates

ToeiRei · ToeiRei · commit c8eca65d90cb · 2026-01-16T15:59:41.000+01:00
diff --git a/cmd/keymaster/main.go b/cmd/keymaster/main.go
@@ -12,9 +12,11 @@ package main
 import (
 	"bufio"
 	"context"
+	"database/sql"
 	"encoding/json"
 	"errors"
 	"fmt"
+	"io"
 	"os"
 	"strings"
 	"time"
@@ -342,6 +344,7 @@ Running without a subcommand will launch the interactive TUI.`,
 		deployCmd,
 		rotateKeyCmd,
 		auditCmd,
+		auditCompareCmd,
 		importCmd,
 		transferCmd,
 		trustHostCmd,
@@ -512,6 +515,73 @@ Use --mode=serial to only verify the Keymaster header serial number on the remot
 	},
 }
 
+// auditCompareCmd compares a local or fetched authorized_keys file against
+// the stored `accounts.key_hash` for a single account.
+var auditCompareCmd = &cobra.Command{
+	Use:     "audit-compare <account-identifier> [file]",
+	Short:   "Compare an authorized_keys file to account key_hash",
+	Long:    "Provide an account identifier and a local file (or omit the file to fetch from the host).",
+	Args:    cobra.RangeArgs(1, 2),
+	PreRunE: setupDefaultServices,
+	Run: func(cmd *cobra.Command, args []string) {
+		identifier := args[0]
+		var fileArg string
+		if len(args) > 1 {
+			fileArg = args[1]
+		}
+
+		st := &cliStoreAdapter{}
+		accounts, err := st.GetAllAccounts()
+		if err != nil {
+			log.Fatalf("error fetching accounts: %v", err)
+		}
+		accPtr, err := core.FindAccountByIdentifier(identifier, accounts)
+		if err != nil {
+			log.Fatalf("%v", err)
+		}
+		account := *accPtr
+
+		var content []byte
+		if fileArg != "" {
+			if fileArg == "-" {
+				content, err = io.ReadAll(os.Stdin)
+				if err != nil {
+					log.Fatalf("read stdin: %v", err)
+				}
+			} else {
+				content, err = os.ReadFile(fileArg)
+				if err != nil {
+					log.Fatalf("open file: %v", err)
+				}
+			}
+		} else {
+			dm := &cliDeployerManager{}
+			content, err = dm.FetchAuthorizedKeys(account)
+			if err != nil {
+				log.Fatalf("fetch remote authorized_keys: %v", err)
+			}
+		}
+
+		gotHash := db.HashAuthorizedKeysContent(content)
+
+		// Read stored hash from DB
+		var stored sql.NullString
+		if err := db.QueryRawInto(context.Background(), db.BunDB(), &stored, "SELECT key_hash FROM accounts WHERE id = ?", account.ID); err != nil {
+			log.Fatalf("query key_hash: %v", err)
+		}
+		if !stored.Valid || stored.String == "" {
+			fmt.Printf("Account %s (id=%d) has no stored key_hash; computed=%s\n", account.String(), account.ID, gotHash)
+			return
+		}
+
+		if stored.String == gotHash {
+			fmt.Printf("MATCH: account=%s id=%d key_hash=%s\n", account.String(), account.ID, gotHash)
+		} else {
+			fmt.Printf("MISMATCH: account=%s id=%d\n  stored=%s\n  computed=%s\n", account.String(), account.ID, stored.String, gotHash)
+		}
+	},
+}
+
 // importCmd represents the 'import' command.
 // It parses a standard authorized_keys file and adds the public keys
 // found within it to the Keymaster database.
diff --git a/internal/db/keyhash_bun.go b/internal/db/keyhash_bun.go
@@ -10,10 +10,11 @@ import (
 	"database/sql"
 	"fmt"
 
-	"github.com/toeirei/keymaster/internal/model"
 	"sort"
 	"strings"
 	"time"
+
+	"github.com/toeirei/keymaster/internal/model"
 )
 
 // computeAccountKeyHashTx computes a deterministic fingerprint of the authorized_keys
@@ -136,6 +137,30 @@ func MaybeMarkAccountDirtyTx(ctx context.Context, q execRawProvider, accountID i
 		if _, err := ExecRaw(ctx, q, "UPDATE accounts SET key_hash = ?, is_dirty = ? WHERE id = ?", newHash, true, accountID); err != nil {
 			return MapDBError(err)
 		}
+		// Record audit entry with the new fingerprint instead of storing/printing full authorized_keys
+		details := fmt.Sprintf("account:%d key_hash:%s", accountID, newHash)
+		if _, err := ExecRaw(ctx, q, "INSERT INTO audit_log (username, action, details) VALUES (?, ?, ?)", "system", "ACCOUNT_KEY_HASH_UPDATED", details); err != nil {
+			return MapDBError(err)
+		}
 	}
 	return nil
 }
+
+// HashAuthorizedKeysContent normalizes a raw authorized_keys payload and
+// returns the SHA256 hex fingerprint using the same basic normalization
+// rules we expect on-disk: normalize CRLF to LF and trim trailing whitespace
+// on each line so hashes computed from files transferred between platforms
+// remain stable.
+func HashAuthorizedKeysContent(raw []byte) string {
+	s := string(raw)
+	// Normalize CRLF -> LF
+	s = strings.ReplaceAll(s, "\r\n", "\n")
+	// Trim trailing spaces/tabs per-line
+	lines := strings.Split(s, "\n")
+	for i := range lines {
+		lines[i] = strings.TrimRight(lines[i], " \t")
+	}
+	norm := strings.Join(lines, "\n")
+	sum := sha256.Sum256([]byte(norm))
+	return fmt.Sprintf("%x", sum[:])
+}
