
Add allowed_targets whitelist support#404

Open

dadbravo wants to merge 3 commits into prometheus-pve:main from dadbravo:main

Conversation


@dadbravo dadbravo commented Feb 2, 2026

This PR adds allowed_targets support to restrict which ?target= values can be used when querying Proxmox metrics.

This adds an optional layer of security directly in the exporter logic. If allowed_targets is not set, only localhost is accepted. Subnets, hostnames, and IPs with optional ports are supported.

See README section Whitelist: allowed_targets for full details and configuration examples.

This security measure ensures that even if the exporter port is exposed, an attacker cannot use it to connect to arbitrary Proxmox hosts and steal API credentials. Only explicitly allowed targets will be contacted by the exporter.

Member

znerol commented Feb 11, 2026

Thank you for filing this PR.

From a user perspective, I do think this could be an interesting feature. With my maintainer hat on, I don't think I'd like to have this in the code base.

This is the kind of stuff which absolutely needs unit tests and many eyes to carefully review all the implications. Otherwise this will backfire on users relying on it - and consequently on the project as well.

I'm tempted to close this PR as a won't fix.

Member

znerol commented Feb 11, 2026

That said, I might be accepting a PR which implements this feature using simple pattern matching (without attempting to deal with IP (v4/v6) addresses explicitly). E.g., something based on fnmatch

@dadbravo
Author

I will redo it as you advise.
The problem does indeed exist. For ethical reasons, I could not show the full vector. It is very simple and dangerous, so I want to help solve this problem as much as possible. I can tell you personally, and you will understand that this is very necessary right now.

I will do it later and send you a review. I will also do the synthetic test.

Member

znerol commented Feb 11, 2026

I do fully understand the attack vector. I'm sorry that there is no big warning at the top of the README to never expose the port to the internet. It's obvious for people used to working with Prometheus, but it seems it isn't for everybody else.

Author

dadbravo commented Feb 19, 2026

@znerol
Hi, I did as you said. Thank you for your advice - it worked out better than I expected.

I checked everything, and it works as it should. I created many connections, everything holds up. I don’t see any issues that could have affected production.

Here is my config and a couple of requests.
The logs show the operation and efficiency.

```yaml
# cat pve.yml
default:
  user: prome@pve
  password: password
  verify_ssl: false
  allowed_targets:
    - '192.168.1.10'
    - 'pve.local'
    - '192.168.2.20:8090'
    - 'test.com'
```

```
curl http://localhost:9221/pve?target=pve2.local
[WARNING] Target 'pve2.local' rejected for module 'default'. Reason: Target not in whitelist. Allowed patterns: ['192.168.1.10', 'pve.local', '192.168.2.20:8090', 'test.com']

curl http://localhost:9221/pve?target=192.168.5.20
[WARNING] Target '192.168.5.20' rejected for module 'default'. Reason: Target not in whitelist. Allowed patterns: ['192.168.1.10', 'pve.local', '192.168.2.20:8090', 'test.com']

curl http://localhost:9221/pve?target=test.com
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='test.com', port=8006): Max retries exceeded with url: /api2/json/access/ticket (Caused by NameResolutionError("<urllib3.connection.HTTPSConnection object at 0x75e527795400>: Failed to resolve 'test.com' ([Errno -5] No address associated with hostname)"))

curl http://localhost:9221/pve?target=192.168.2.20
[WARNING] Target '192.168.2.20' rejected for module 'default'. Reason: Target not in whitelist. Allowed patterns: ['192.168.1.10', 'pve.local', '192.168.2.20:8090', 'test.com']

curl http://localhost:9221/pve?target=192.168.2.20:8099
[WARNING] Target '192.168.2.20:8099' rejected for module 'default'. Reason: Target not in whitelist. Allowed patterns: ['192.168.1.10', 'pve.local', '192.168.2.20:8090', 'test.com']

curl http://localhost:9221/pve?target=192.168.2.20:8090
requests.exceptions.ConnectTimeout: HTTPSConnectionPool(host='192.168.2.20', port=8090): Max retries exceeded with url: /api2/json/access/ticket (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x75e52c1a2850>, 'Connection to 192.168.2.20 timed out. (connect timeout=5)'))
```
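The whitelist behaviour visible in the log above (whole-string matching, so a target with a port only matches a pattern carrying that same port, and localhost-only when `allowed_targets` is absent) can be reproduced with the `fnmatch`-based approach the maintainer suggested. The following is an added, stand-alone example written for this discussion; it is not code from the PR or from the prometheus-pve-exporter project. The module config dictionary mirrors the `pve.yml` shown above, while the function names (`target_allowed`, `check_target`), the `nolist` module and the `DEFAULT_ALLOWED` list are assumptions made for illustration.

```python
import fnmatch
from typing import Iterable, Optional, Tuple

# Constructed module config, mirroring the pve.yml posted in the PR.
# The "nolist" module is constructed to show the no-allowed_targets default.
MODULE_CONFIG = {
    "default": {
        "user": "prome@pve",
        "password": "password",
        "verify_ssl": False,
        "allowed_targets": [
            "192.168.1.10",
            "pve.local",
            "192.168.2.20:8090",
            "test.com",
        ],
    },
    "nolist": {"user": "prome@pve", "password": "password"},
}

# Assumption: "only localhost is accepted" means exactly these two spellings.
DEFAULT_ALLOWED = ["localhost", "127.0.0.1"]


def target_allowed(target: str, patterns: Optional[Iterable[str]]) -> bool:
    """True if the whole ?target= string matches one fnmatch-style pattern.

    The host plus any ':port' suffix is matched as a single string, so
    '192.168.2.20' does not satisfy '192.168.2.20:8090' and vice versa,
    which is exactly the behaviour the rejected requests in the PR log show.
    """
    patterns = list(patterns) if patterns else DEFAULT_ALLOWED
    # fnmatchcase avoids platform-dependent case folding widening the match.
    return any(fnmatch.fnmatchcase(target, p) for p in patterns)


def check_target(module: str, target: str, config=MODULE_CONFIG) -> Tuple[bool, str]:
    """Validate a target for a module; returns (accepted, log message).

    Rejections are logged with the patterns that were consulted, in the same
    shape as the WARNING lines in the PR, so an operator can see why a scrape
    was refused without the exporter ever contacting the requested host.
    """
    mod = config.get(module)
    if mod is None:
        return False, f"[WARNING] Unknown module '{module}'"
    patterns = mod.get("allowed_targets")
    if target_allowed(target, patterns):
        return True, f"Target '{target}' accepted for module '{module}'"
    shown = list(patterns) if patterns else DEFAULT_ALLOWED
    return False, (
        f"[WARNING] Target '{target}' rejected for module '{module}'. "
        f"Reason: Target not in whitelist. Allowed patterns: {shown}"
    )


if __name__ == "__main__":
    # Replays the requests from the PR plus the localhost-only default.
    for module, target in [
        ("default", "pve2.local"),
        ("default", "192.168.5.20"),
        ("default", "test.com"),
        ("default", "192.168.2.20"),
        ("default", "192.168.2.20:8099"),
        ("default", "192.168.2.20:8090"),
        ("nolist", "localhost"),
        ("nolist", "pve.local"),
    ]:
        print(check_target(module, target)[1])
```

Because `fnmatch` treats `*` and `?` as wildcards and everything else (including `.`) literally, a pattern such as `*.pve.local` admits any subdomain of `pve.local` but nothing with a different suffix; an operator reviewing a wildcard entry should read it as "any string ending in `.pve.local`" and keep the list as narrow as the scrape configuration actually needs. The check runs before any connection is attempted, so a rejected target produces only the warning line, never the `ConnectTimeout` or `NameResolutionError` seen for the accepted ones.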
