feat: separate access validation logic for gitops commands into a separate file
parent
fd0c07e954
commit
3e361cd03c
@ -127,69 +127,8 @@ remove_containers() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# ─────────────────────────────────────────────
|
# ─────────────────────────────────────────────
|
||||||
# validate_command <cmd> [<tok1> <tok2> …]
|
# validate_command <workspace> <cmd> [<tok1> <tok2> …]
|
||||||
validate_command() {
|
source "$HOME"/.local/bin/validate_command_access.sh
|
||||||
local cmd="$1"
|
|
||||||
shift
|
|
||||||
local tokens=("$@")
|
|
||||||
local yaml="$HOME/access.yml"
|
|
||||||
|
|
||||||
# 1) Is command allowed at all?
|
|
||||||
if [[ "$(yq e ".\"$PERSON\".commands | has(\"$cmd\")" "$yaml")" != "true" ]]; then
|
|
||||||
log ERROR "Unauthorized command: '$cmd'"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
# 2) Load allowed args for this cmd (may be empty array)
|
|
||||||
mapfile -t allowed < <(yq e ".\"$PERSON\".commands.${cmd}[]" "$yaml")
|
|
||||||
|
|
||||||
if [[ "${#allowed[@]}" -eq 0 ]]; then
|
|
||||||
log ERROR "No allowed arguments for command '$cmd' in $yaml"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
# 3) Extract just the non-flag tokens
|
|
||||||
local args=()
|
|
||||||
for tok in "${tokens[@]}"; do
|
|
||||||
[[ "$tok" == -* ]] && continue
|
|
||||||
args+=("$tok")
|
|
||||||
done
|
|
||||||
|
|
||||||
if [[ "$cmd" == "remove" ]]; then
|
|
||||||
# ─ remove: must have at least one arg
|
|
||||||
if ((${#args[@]} == 0)); then
|
|
||||||
log ERROR "Command '$cmd' requires at least one argument: ${allowed[*]}"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
# Validate each against allowed[]
|
|
||||||
for a in "${args[@]}"; do
|
|
||||||
local ok=false
|
|
||||||
for want in "${allowed[@]}"; do
|
|
||||||
[[ "$a" == "$want" ]] && ok=true && break
|
|
||||||
done
|
|
||||||
if ! $ok; then
|
|
||||||
log ERROR "Invalid argument '$a' for '$cmd'; allowed: ${allowed[*]}"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
else
|
|
||||||
# ─ all other cmds: must have exactly one arg
|
|
||||||
if ((${#args[@]} != 1)); then
|
|
||||||
log ERROR "Command '$cmd' requires exactly one argument: ${allowed[*]}"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
# And that single arg must be allowed
|
|
||||||
local a="${args[0]}"
|
|
||||||
local ok=false
|
|
||||||
for want in "${allowed[@]}"; do
|
|
||||||
[[ "$a" == "$want" ]] && ok=true && break
|
|
||||||
done
|
|
||||||
if ! $ok; then
|
|
||||||
log ERROR "Invalid argument '$a' for '$cmd'; allowed: ${allowed[*]}"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
# ─────────────────────────────────────────────
|
# ─────────────────────────────────────────────
|
||||||
# Entry & command parsing
|
# Entry & command parsing
|
||||||
@ -203,7 +142,7 @@ read -ra parts <<<"$SSH_ORIGINAL_COMMAND"
|
|||||||
cmd="${parts[0]}"
|
cmd="${parts[0]}"
|
||||||
args=("${parts[@]:1}")
|
args=("${parts[@]:1}")
|
||||||
|
|
||||||
validate_command "$cmd" "${args[@]}"
|
validate_command "$PERSON" "$cmd" "${args[@]}"
|
||||||
|
|
||||||
# ─────────────────────────────────────────────
|
# ─────────────────────────────────────────────
|
||||||
# Dispatch
|
# Dispatch
|
||||||
|
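Review bot: The new `source "$HOME"/.local/bin/validate_command_access.sh` line is unchecked, so the authorization gate can fail open: if that file is missing or unreadable and the script is not running under `set -e` (not visible in these hunks), `validate_command` is simply an undefined command and execution continues into the Dispatch section with no access check on the contents of `$SSH_ORIGINAL_COMMAND`. Both steps should fail closed, for example `source "$HOME/.local/bin/validate_command_access.sh" || { log ERROR "access validation helper missing"; exit 1; }` and `validate_command "$PERSON" "$cmd" "${args[@]}" || exit 1`. The header comment now documents the first argument as `<workspace>` while the call site passes `$PERSON`; one of the two should be renamed so the contract of the sourced function is unambiguous. Because the helper lives under `$HOME`, it is also worth confirming that none of the permitted commands can write to that path, since whoever can modify the file controls the allow-list check.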