ValidateCommand checks if a command is allowed for the given target type
(targetType TargetType, command string)
| 28 | |
| 29 | // ValidateCommand checks if a command is allowed for the given target type |
| 30 | func (v *Validator) ValidateCommand(targetType TargetType, command string) error { |
| 31 | var allowedCommands []string |
| 32 | |
| 33 | switch targetType { |
| 34 | case TargetHost: |
| 35 | allowedCommands = v.config.AllowedCommands.Host |
| 36 | case TargetContainer: |
| 37 | allowedCommands = v.config.AllowedCommands.Container |
| 38 | case TargetVM: |
| 39 | allowedCommands = v.config.AllowedCommands.VM |
| 40 | default: |
| 41 | return fmt.Errorf("invalid target type: %s", targetType) |
| 42 | } |
| 43 | |
| 44 | // Check if command matches any allowed pattern |
| 45 | for _, allowed := range allowedCommands { |
| 46 | if v.matchesPattern(command, allowed) { |
| 47 | return nil |
| 48 | } |
| 49 | } |
| 50 | |
| 51 | return fmt.Errorf("command not in whitelist: %s", command) |
| 52 | } |
| 53 | |
| 54 | // matchesPattern checks if a command matches an allowed pattern |
| 55 | // Supports exact matches and template patterns like "systemctl status {service}" |