Better error messaging when writing invalid sudoer entries

[eriktate]

Related to #34515

Adds an expanded error message and WARN level log when writing sudoers fails due to invalid entries in a role's host_sudoers or a static host user's sudoers.

[espadolini]

Use structured logging whenever possible:

Suggested change

	log.Warnf("encountered invalid sudoers entry in: %s", sudoersOut.String())
	log.WithFields(logrus.Fields{
	"host_username": name,
	"sudoers_entry": sudoersOut.String(),
	}).Warn("Encountered invalid sudoers entry.")

Should we truncate the string? Do we have concerns about it being potentially sensitive?

[eriktate]

Should we truncate the string? Do we have concerns about it being potentially sensitive?

I wondered about this, but I couldn't think of a good reason not to off the top of my head 🤔 An alternative, that actually might be more useful to end-users, would be to validate the entries while resolving matching rules. That way we could inform them which role has the broken entry instead of falling back to logging the entire sudoers file and leaving it up to them to figure out which role needs attention.

[rosstimothy]

Hrm yeah I agree that dumping the entire sudoers file into a log message might not be ideal. What if we reworded the message to indicate that writing the sudoers file failed due an invalid host_sudoers entry in one of the users roles?

[eriktate]

I rebased this on the slog changes and adjusted the message we're logging a bit. The log and the error are a bit redundant in cases where the returned error also ends up getting logged (e.g. in regular/sshserver.go), but I think that's probably okay since this shouldn't happen unless there's an incorrectly configured resource. And I think it's better in this case to ensure we're always surfacing something actionable when this happens

[espadolini]

Maybe a BadParameterError?

Suggested change

	return trace.Errorf("invalid sudoers entry for login %q, inspect role's host_sudoers field or static host user's sudoers field for invalid syntax", name)
	return trace.BadParameter("invalid sudoers entry for login %q, inspect role's host_sudoers field or static host user's sudoers field for invalid syntax", name)

[eriktate]

Done!

[rosstimothy]

With is a small optimization that formats arguments a single time, which is beneficial if they are to be included in multiple log messages. For one off arguments to a single message prefer passing them in directly to the logging function.

Also don't forget to use the context variant for logging.

Suggested change

	u.log.With("error", err, "host_username", name).Warn("Invalid sudoers entry. If using a login managed by a static host user resource, inspect its configured sudoers field for invalid entries. Otherwise, inspect the host_sudoers field for roles targeting this host.")
	u.log.WarnContext(<some_context_here>, "Invalid sudoers entry. If using a login managed by a static host user resource, inspect its configured sudoers field for invalid entries. Otherwise, inspect the host_sudoers field for roles targeting this host.", "error", err, "host_username", name)

[eriktate]

This might be the final nudge I need to get the linter integrated properly into my editor 😅

[rosstimothy]

You really only need to use teleport.Component if you have multiple components for the key. For single values you can pass the string in directly.

Suggested change

	log: slog.With(teleport.ComponentKey, teleport.Component(teleport.ComponentHostUsers)),
	log: slog.With(teleport.ComponentKey, teleport.ComponentHostUsers),

[public-teleport-github-review-bot]

@eriktate See the table below for backport results.

Branch	Result
branch/v15	Create PR
branch/v16	Create PR