ncm-metaconfig: ssh: add more structure to Match

ncm-metaconfig/src/main/metaconfig/ssh/client.tt

@@ -2,7 +2,7 @@
 [% INCLUDE metaconfig/ssh/client_attrs.tt data=main -%]
 
 [% FOREACH mt IN Match -%]
-Match [% mt.matches.join(' ') %]
+[%  INCLUDE metaconfig/ssh/match.tt %]
 [% INCLUDE metaconfig/ssh/client_attrs.tt data=mt FILTER indent %]
 [% END -%]
 

ncm-metaconfig/src/main/metaconfig/ssh/match.tt

@@ -0,0 +1,8 @@
+Match[% -%]
+[% FOREACH pair IN mt.criteria.pairs -%]
+[% IF pair.value.is_boolean -%]
+ [% pair.key -%]
+[% ELSE -%]
+ [% pair.key %] [% CCM.is_list(pair.value) ? pair.value.join(',') : pair.value -%]
+[% END -%]
+[% END -%]

ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan

@@ -135,13 +135,27 @@ type ssh_config_opts = {
 type ssh_config_host = {
  "hostnames" : string[]
  include ssh_config_opts
+};
 
+type ssh_config_match_criteria = {
+ "all" ? boolean with SELF
+ "canonical" ? boolean with SELF
+ "final" ? boolean with SELF
+ "user" ? string[]
+ "localuser" ? string[]
+ "host" ? string[]
+ "originalhost" ? string[]
+ "exec" ? string
+} with {
+ if (exists(SELF['all']) && length(SELF) > 1) {
+ error('You can only set all, no other options allowed');
+ };
+ true;
 };
 
 type ssh_config_match = {
- "matches" : string[]
+ "criteria" : ssh_config_match_criteria with length(SELF) > 0
  include ssh_config_opts
-
 };
 
 type ssh_config_file = {
@@ -207,8 +221,24 @@ type sshd_config_match_opts = {
  'X11UseLocalHost' ? boolean
 };
 
+type sshd_config_match_criteria = {
+ "All" ? boolean with SELF
+ "User" ? string[]
+ "Group" ? string[]
+ "Host" ? string[]
+ "LocalAddress" ? string[]
+ "LocalPort" ? string[]
+ "RDomain" ? string[]
+ "Address" ? string[]
+} with {
+ if (exists(SELF['All']) && length(SELF) > 1) {
+ error('You can only set All, no other options allowed');
+ };
+ true;
+};
+
 type sshd_config_match = {
- "matches" : string[]
+ "criteria" : sshd_config_match_criteria with length(SELF) > 0
  include sshd_config_match_opts
 };
 

ncm-metaconfig/src/main/metaconfig/ssh/server.tt

@@ -2,6 +2,6 @@
 [% INCLUDE metaconfig/ssh/server_attrs.tt data=main -%]
 
 [% FOREACH mt IN Match -%]
-Match [% mt.matches.join(' ') %]
+[%  INCLUDE metaconfig/ssh/match.tt %]
 [% INCLUDE metaconfig/ssh/server_attrs.tt data=mt FILTER indent %]
 [% END -%]

ncm-metaconfig/src/main/metaconfig/ssh/server_attrs.tt

@@ -4,7 +4,7 @@
  -%]
 [%- FOREACH pair IN data.pairs -%]
 [% SWITCH pair.key -%]
-[% CASE 'matches' %][% # do nothing -%]
+[% CASE 'criteria' %][% # do nothing -%]
 [% CASE commalist -%]
 [% pair.key %] [% pair.value.join(',') %]
 [% CASE multilinelist -%]

ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/client_config.pan

@@ -8,14 +8,17 @@ prefix "/software/components/metaconfig/services/{/etc/ssh/ssh_config}/contents"
 "main/IdentityFile" = list("~/.ssh/identity", "~/.ssh/id_rsa", "~/.ssh/id_dsa");
 "main/Ciphers" = list("aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour256", "arcfour128", "aes128-cbc", "3des-cbc");
 
-'Match' = append(
- dict(
- "matches", list("user testuser2", "originalhost hostname4"),
- "ForwardX11", false,
- "BatchMode", true,
- "NumberOfPasswordPrompts", 1,
- )
- );
+'Match/0' = dict(
+ "ForwardX11", false,
+ "BatchMode", true,
+ "NumberOfPasswordPrompts", 1,
+);
+'Match/0/criteria' = dict(
+ "user", list("testuser2"),
+ "originalhost", list("hostname4"),
+ "exec", "/a/b/c",
+ "canonical", true,
+);
 
 'Host' = append(
  dict(
@@ -41,7 +44,8 @@ prefix "/software/components/metaconfig/services/{/etc/ssh/ssh_config}/contents"
  "hostnames", list("*"),
  "GSSAPIAuthentication", true,
  "ForwardX11Trusted", true,
- "SendEnv", list("LANG", "LC_CTYPE", "LC_NUMERIC", "LC_TIME", "LC_ALL", "LC_MESSAGES", "LANGUAGE", "XMODIFIERS"),
+ "SendEnv", list("LANG", "LC_CTYPE", "LC_NUMERIC", "LC_TIME", "LC_ALL",
+ "LC_MESSAGES", "LANGUAGE", "XMODIFIERS"),
  )
  );
 

ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/server_config.pan

@@ -9,9 +9,13 @@ prefix "/software/components/metaconfig/services/{/etc/ssh/sshd_config}/contents
 "main/PasswordAuthentication" = false;
 "main/Subsystem" = dict("sftp", "internal-sftp");
 
-'Match' = append(
- dict(
- "matches", list("User testuser2", "Address 192.168.0.0/16"),
- "PasswordAuthentication", true,
- )
- );
+"Match/0/criteria" = dict(
+ "User", list("testuser2"),
+ "Address", list("192.168.0.0/16", "!192.168.10.0/24"),
+ );
+"Match/0/PasswordAuthentication" = true;
+
+"Match/1/criteria" = dict(
+ "All", true,
+ );
+"Match/1/PasswordAuthentication" = false;

ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/client_config/base

@@ -8,7 +8,7 @@ Base test for ssh client config
 ^IdentityFile\s~/.ssh/id_rsa$
 ^IdentityFile\s~/.ssh/id_dsa$
 ^$
-^Match\suser\stestuser2\soriginalhost\shostname4$
+^Match\scanonical\sexec\s/a/b/c\soriginalhost\shostname4\suser\stestuser2$
 ^\s{4}BatchMode\syes$
 ^\s{4}ForwardX11\sno$
 ^\s{4}NumberOfPasswordPrompts\s1$

ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_config/base

@@ -5,5 +5,7 @@ Base test for ssh server config
 ^AddressFamily\sany$
 ^Ciphers\saes128-ctr,aes192-ctr,aes256-ctr$
 ^PasswordAuthentication\sno$
-^Match\sUser\stestuser2\sAddress\s192.168.0.0/16$
+^Match\sAddress\s192.168.0.0/16,!192.168.10.0/24\sUser\stestuser2$
 ^\s{4}PasswordAuthentication\syes$
+^Match\sAll$
+^\s{4}PasswordAuthentication\sno$