diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/client.tt b/ncm-metaconfig/src/main/metaconfig/ssh/client.tt
index a84b09c55b..6184e62512 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/client.tt
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/client.tt
@@ -2,7 +2,7 @@
 [% INCLUDE metaconfig/ssh/client_attrs.tt data=main -%]
 [% FOREACH mt IN Match -%]
-Match [% mt.matches.join(' ') %]
+[% INCLUDE metaconfig/ssh/match.tt %]
 [% INCLUDE metaconfig/ssh/client_attrs.tt data=mt FILTER indent %]
 [% END -%]
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/match.tt b/ncm-metaconfig/src/main/metaconfig/ssh/match.tt
new file mode 100644
index 0000000000..4544e0509b
--- /dev/null
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/match.tt
@@ -0,0 +1,8 @@
+Match[% -%]
+[% FOREACH pair IN mt.criteria.pairs -%]
+[% IF pair.value.is_boolean -%]
+ [% pair.key -%]
+[% ELSE -%]
+ [% pair.key %] [% CCM.is_list(pair.value) ? pair.value.join(',') : pair.value -%]
+[% END -%]
+[% END -%]
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan b/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan
index 3525594ff1..31d7b38267 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/pan/schema.pan
@@ -135,13 +135,27 @@ type ssh_config_opts = {
 type ssh_config_host = {
 "hostnames" : string[]
 include ssh_config_opts
+};
+type ssh_config_match_criteria = {
+ "all" ? boolean with SELF
+ "canonical" ? boolean with SELF
+ "final" ? boolean with SELF
+ "user" ? string[]
+ "localuser" ? string[]
+ "host" ? string[]
+ "originalhost" ? string[]
+ "exec" ? string
+} with {
+ if (exists(SELF['all']) && length(SELF) > 1) {
+ error('You can only set all, no other options allowed');
+ };
+ true;
 };
 type ssh_config_match = {
- "matches" : string[]
+ "criteria" : ssh_config_match_criteria with length(SELF) > 0
 include ssh_config_opts
-
 };
 type ssh_config_file = {
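Review bot: client_attrs.tt, which client.tt still includes with `data=mt` on the line after the changed one, is not touched by this commit; if it skips the old `matches` key by name the way server_attrs.tt does in its hunk below, the renamed `criteria` hash will now fall through to the generic option rendering and show up inside the Match block as a bogus option line. The regexp tests only assert that expected lines are present, so an extra line would not be caught; this needs checking in client_attrs.tt, where the fix would be the same one-line `CASE 'criteria'` rename that server_attrs.tt gets.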
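Review bot: The `exec` criterion is emitted bare by the `ELSE` branch (`[% pair.key %] [% ... pair.value -%]`), while ssh_config(5) states that exec commands containing whitespace must be quoted, so any command with arguments would be read by ssh as further Match tokens instead of one command; the test value `/a/b/c` does not exercise this. A dedicated branch, `[% ELSIF pair.key == 'exec' -%]` followed by ` [% pair.key %] "[% pair.value %]"`, renders it as a single argument (the client regexp would then need the quotes as well). The template also relies on `mt` being set by the including template's FOREACH and on `.pairs` yielding keys in sorted order, which is why the updated regexps expect alphabetical criteria; a header comment such as `[% # Renders one Match line for mt (set by the includer); criteria are emitted in sorted key order -%]` would make both dependencies visible.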
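Review bot: The `string[]` values in ssh_config_match_criteria are written to the Match line unquoted by match.tt, so a list element containing whitespace would be parsed by ssh as additional criteria tokens rather than as one pattern; the schema is the place to rule that out, e.g. `type ssh_match_pattern = string with match(SELF, '^\S+$');` used as `"user" ? ssh_match_pattern[]` for each list-valued key. The same applies to sshd_config_match_criteria in the next hunk. The three `boolean with SELF` fields only accept true, which is deliberate but not obvious; a comment like `# only true is meaningful: the keyword is either on the Match line or absent` would help. ssh_config(5) also describes `all` as permitted immediately after `canonical` or `final`, so the `length(SELF) > 1` error rejects that pairing; if it is meant to be expressible, exempt those two keys from the check.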
@@ -207,8 +221,24 @@ type sshd_config_match_opts = {
 'X11UseLocalHost' ? boolean
 };
+type sshd_config_match_criteria = {
+ "All" ? boolean with SELF
+ "User" ? string[]
+ "Group" ? string[]
+ "Host" ? string[]
+ "LocalAddress" ? string[]
+ "LocalPort" ? string[]
+ "RDomain" ? string[]
+ "Address" ? string[]
+} with {
+ if (exists(SELF['All']) && length(SELF) > 1) {
+ error('You can only set All, no other options allowed');
+ };
+ true;
+};
+
 type sshd_config_match = {
- "matches" : string[]
+ "criteria" : sshd_config_match_criteria with length(SELF) > 0
 include sshd_config_match_opts
 };
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/server.tt b/ncm-metaconfig/src/main/metaconfig/ssh/server.tt
index b5b6de5124..c33d9f7c39 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/server.tt
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/server.tt
@@ -2,6 +2,6 @@
 [% INCLUDE metaconfig/ssh/server_attrs.tt data=main -%]
 [% FOREACH mt IN Match -%]
-Match [% mt.matches.join(' ') %]
+[% INCLUDE metaconfig/ssh/match.tt %]
 [% INCLUDE metaconfig/ssh/server_attrs.tt data=mt FILTER indent %]
 [% END -%]
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/server_attrs.tt b/ncm-metaconfig/src/main/metaconfig/ssh/server_attrs.tt
index 55e06d34d1..e362e817f7 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/server_attrs.tt
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/server_attrs.tt
@@ -4,7 +4,7 @@
 -%]
 [%- FOREACH pair IN data.pairs -%]
 [% SWITCH pair.key -%]
-[% CASE 'matches' %][% # do nothing -%]
+[% CASE 'criteria' %][% # do nothing -%]
 [% CASE commalist -%]
 [% pair.key %] [% pair.value.join(',') %]
 [% CASE multilinelist -%]
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/client_config.pan b/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/client_config.pan
index d71286553a..b059d85bf1 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/client_config.pan
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/client_config.pan
@@ -8,14 +8,17 @@ prefix "/software/components/metaconfig/services/{/etc/ssh/ssh_config}/contents"
 "main/IdentityFile" = list("~/.ssh/identity", "~/.ssh/id_rsa", "~/.ssh/id_dsa");
 "main/Ciphers" = list("aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour256", "arcfour128", "aes128-cbc", "3des-cbc");
-'Match' = append(
- dict(
- "matches", list("user testuser2", "originalhost hostname4"),
- "ForwardX11", false,
- "BatchMode", true,
- "NumberOfPasswordPrompts", 1,
- )
- );
+'Match/0' = dict(
+ "ForwardX11", false,
+ "BatchMode", true,
+ "NumberOfPasswordPrompts", 1,
+);
+'Match/0/criteria' = dict(
+ "user", list("testuser2"),
+ "originalhost", list("hostname4"),
+ "exec", "/a/b/c",
+ "canonical", true,
+);
 'Host' = append(
 dict(
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/server_config.pan b/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/server_config.pan
index 5bf466885f..59e94d3b52 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/server_config.pan
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/tests/profiles/server_config.pan
@@ -9,9 +9,13 @@ prefix "/software/components/metaconfig/services/{/etc/ssh/sshd_config}/contents
 "main/PasswordAuthentication" = false;
 "main/Subsystem" = dict("sftp", "internal-sftp");
-'Match' = append(
- dict(
- "matches", list("User testuser2", "Address 192.168.0.0/16"),
- "PasswordAuthentication", true,
- )
- );
+"Match/0/criteria" = dict(
+ "User", list("testuser2"),
+ "Address", list("192.168.0.0/16", "!192.168.10.0/24"),
+ );
+"Match/0/PasswordAuthentication" = true;
+
+"Match/1/criteria" = dict(
+ "All", true,
+ );
+"Match/1/PasswordAuthentication" = false;
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/client_config/base b/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/client_config/base
index 2e23afae62..2eea216f04 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/client_config/base
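Review bot: Every list in `'Match/0/criteria'` has a single element and the `exec` value contains no spaces, so this profile never exercises the `join(',')` path of match.tt on the client side, unlike the server profile's two-element `Address` list in the next hunk. Adding a second user, `"user", list("testuser2", "testuser3"),`, with the client regexp updated to end in `user\stestuser2,testuser3$`, would cover it.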
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/client_config/base
@@ -8,7 +8,7 @@ Base test for ssh client config
 ^IdentityFile\s~/.ssh/id_rsa$
 ^IdentityFile\s~/.ssh/id_dsa$
 ^$
-^Match\suser\stestuser2\soriginalhost\shostname4$
+^Match\scanonical\sexec\s/a/b/c\soriginalhost\shostname4\suser\stestuser2$
 ^\s{4}BatchMode\syes$
 ^\s{4}ForwardX11\sno$
 ^\s{4}NumberOfPasswordPrompts\s1$
diff --git a/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_config/base b/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_config/base
index e52e2ac921..1e6466e7f8 100644
--- a/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_config/base
+++ b/ncm-metaconfig/src/main/metaconfig/ssh/tests/regexps/server_config/base
@@ -5,5 +5,7 @@ Base test for ssh server config
 ^AddressFamily\sany$
 ^Ciphers\saes128-ctr,aes192-ctr,aes256-ctr$
 ^PasswordAuthentication\sno$
-^Match\sUser\stestuser2\sAddress\s192.168.0.0/16$
+^Match\sAddress\s192.168.0.0/16,!192.168.10.0/24\sUser\stestuser2$
 ^\s{4}PasswordAuthentication\syes$
+^Match\sAll$
+^\s{4}PasswordAuthentication\sno$