feat(pam): add command blocking and session log masking via account policies (#174)

Consume policyRules from the session credentials API to enforce two rule types:

- command-blocking (SSH only): intercept Enter keypress, check accumulated
  command against regex patterns, suppress and show [BLOCKED] if matched.
  Also blocks matching exec requests. Session continues normally after block.

- session-log-masking (all resource types): apply regex replacements on
  data fields before JSON marshaling in each Log method. Output events are
  buffered until newline so patterns can match across character-by-character
  echo. Masked content replaced with [MASKED].

Handles ANSI escape sequences (cursor position reports from web terminal)
by tracking a 3-state parser in bufferInput so they don't pollute the
command buffer.

Co-authored-by: saif <11242541+saifsmailbox98@users.noreply.github.com>

Author: saifsmailbox98

packages/api/model.go

@@ -845,8 +845,18 @@ type PAMAccessApprovalRequestResponse struct {
 	} `json:"request"`
 }
 
+type PAMPolicyRuleConfig struct {
+	Patterns []string `json:"patterns"`
+}
+
+type PAMPolicyRules struct {
+	CommandBlocking   *PAMPolicyRuleConfig `json:"command-blocking,omitempty"`
+	SessionLogMasking *PAMPolicyRuleConfig `json:"session-log-masking,omitempty"`
+}
+
 type PAMSessionCredentialsResponse struct {
 	Credentials PAMSessionCredentials `json:"credentials"`
+	PolicyRules *PAMPolicyRules       `json:"policyRules,omitempty"`
 }
 
 type PAMSessionCredentials struct {

packages/pam/compile_patterns_test.go

@@ -0,0 +1,54 @@
+package pam
+
+import (
+	"testing"
+
+	"github.com/Infisical/infisical-merge/packages/api"
+)
+
+func TestCompilePolicyPatterns(t *testing.T) {
+	t.Run("nil config returns nil", func(t *testing.T) {
+		result := compilePolicyPatterns(nil, "sess-1", "test")
+		if result != nil {
+			t.Errorf("expected nil, got %v", result)
+		}
+	})
+
+	t.Run("empty patterns returns nil", func(t *testing.T) {
+		config := &api.PAMPolicyRuleConfig{Patterns: []string{}}
+		result := compilePolicyPatterns(config, "sess-1", "test")
+		if result != nil {
+			t.Errorf("expected nil, got %v", result)
+		}
+	})
+
+	t.Run("valid patterns all compile", func(t *testing.T) {
+		config := &api.PAMPolicyRuleConfig{
+			Patterns: []string{`rm\s+-rf`, `shutdown`, `password\s*=\s*\S+`},
+		}
+		result := compilePolicyPatterns(config, "sess-1", "test")
+		if len(result) != 3 {
+			t.Errorf("expected 3 compiled patterns, got %d", len(result))
+		}
+	})
+
+	t.Run("invalid pattern is skipped", func(t *testing.T) {
+		config := &api.PAMPolicyRuleConfig{
+			Patterns: []string{`rm\s+-rf`, `[invalid`, `shutdown`},
+		}
+		result := compilePolicyPatterns(config, "sess-1", "test")
+		if len(result) != 2 {
+			t.Errorf("expected 2 compiled patterns (1 skipped), got %d", len(result))
+		}
+	})
+
+	t.Run("all invalid patterns returns empty slice", func(t *testing.T) {
+		config := &api.PAMPolicyRuleConfig{
+			Patterns: []string{`[bad`, `(unclosed`},
+		}
+		result := compilePolicyPatterns(config, "sess-1", "test")
+		if len(result) != 0 {
+			t.Errorf("expected 0 compiled patterns, got %d", len(result))
+		}
+	})
+}

packages/pam/handlers/ssh/command_blocking_test.go

@@ -0,0 +1,54 @@
+package ssh
+
+import (
+	"regexp"
+	"testing"
+)
+
+func TestMatchBlockedCommand(t *testing.T) {
+	proxy := &SSHProxy{
+		config: SSHProxyConfig{
+			BlockedCommandPatterns: []*regexp.Regexp{
+				regexp.MustCompile(`rm\s+-rf`),
+				regexp.MustCompile(`shutdown`),
+				regexp.MustCompile(`reboot`),
+			},
+		},
+	}
+
+	tests := []struct {
+		name    string
+		command string
+		blocked bool
+	}{
+		{"blocks rm -rf", "rm -rf /", true},
+		{"blocks rm  -rf with extra space", "rm  -rf /home", true},
+		{"blocks sudo rm -rf", "sudo rm -rf /", true},
+		{"blocks shutdown", "shutdown -h now", true},
+		{"blocks reboot", "reboot", true},
+		{"allows ls", "ls -la", false},
+		{"allows rm without -rf", "rm file.txt", false},
+		{"allows empty command", "", false},
+		{"allows whitespace only", "   ", false},
+		{"allows normal commands", "cat /etc/hosts", false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := proxy.matchBlockedCommand(tt.command)
+			if result != tt.blocked {
+				t.Errorf("matchBlockedCommand(%q) = %v, want %v", tt.command, result, tt.blocked)
+			}
+		})
+	}
+}
+
+func TestMatchBlockedCommandNoPatterns(t *testing.T) {
+	proxy := &SSHProxy{
+		config: SSHProxyConfig{},
+	}
+
+	if proxy.matchBlockedCommand("rm -rf /") {
+		t.Error("with no patterns, should never block")
+	}
+}