feat(sshd_config): Add Matcbh block for completions

2025-06-18 23:15:26 +02:00 · 2024-09-13 21:45:44 +02:00 · 2024-09-13 21:45:44 +02:00 · f25c11b966
commit f25c11b966
parent b9f6ed8758
3 changed files with 37 additions and 5 deletions
--- a/handlers/sshd_config/ast/parser_test.go
+++ b/handlers/sshd_config/ast/parser_test.go
@ -167,6 +167,11 @@ Match 192.168.0.2
 	if !(emptyOption == nil && matchBlock.MatchEntry.Value == "Match 192.168.0.1") {
 		t.Errorf("Expected empty option and match block to be 'Match 192.168.0.1', but got: %v, %v", emptyOption, matchBlock)
 	}
+
+	matchOption, matchBlock := p.FindOption(uint32(2))
+	if !(matchOption.Value == "Match 192.168.0.1" && matchBlock.MatchEntry.Value == "Match 192.168.0.1") {
+		t.Errorf("Expected match option to be 'Match 192.160.0.1' and match block to be 'Match 192.168.0.1', but got: %v, %v", matchOption, matchBlock)
+	}
 }

 func TestSimpleExampleWithComments(
--- a/handlers/sshd_config/ast/sshd_config.go
+++ b/handlers/sshd_config/ast/sshd_config.go
@ -93,6 +93,10 @@ func (c SSHConfig) FindOption(line uint32) (*SSHOption, *SSHMatchBlock) {
 	matchBlock := c.FindMatchBlock(line)

 	if matchBlock != nil {
+		if line == matchBlock.MatchEntry.Start.Line {
+			return matchBlock.MatchEntry, matchBlock
+		}
+
 		rawEntry, found := matchBlock.Options.Get(line)

 		if found {
--- a/handlers/sshd_config/fields/fields.go
+++ b/handlers/sshd_config/fields/fields.go
@ -559,11 +559,34 @@ See PATTERNS in ssh_config(5) for more information on patterns. This keyword may
 		}),
 	},

-	// Match Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. If a keyword appears in multiple Match blocks that are satisfied, only the first instance of the keyword is applied.
-	// The arguments to Match are one or more criteria-pattern pairs or the single token All which matches all criteria. The available criteria are User, Group, Host, LocalAddress, LocalPort, RDomain, and Address (with RDomain representing the rdomain(4) on which the connection was received).
-	// The match patterns may consist of single entries or comma-separated lists and may use the wildcard and negation operators described in the “PATTERNS” section of ssh_config(5).
-	// The patterns in an Address criteria may additionally contain addresses to match in CIDR address/masklen format, such as 192.0.2.0/24 or 2001:db8::/32. Note that the mask length provided must be consistent with the address - it is an error to specify a mask length that is too long for the address or one with bits set in this host portion of the address. For example, 192.0.2.0/33 and 192.0.2.0/8, respectively.
-	// Only a subset of keywords may be used on the lines following a Match keyword. Available keywords are AcceptEnv, AllowAgentForwarding, AllowGroups, AllowStreamLocalForwarding, AllowTcpForwarding, AllowUsers, AuthenticationMethods, AuthorizedKeysCommand, AuthorizedKeysCommandUser, AuthorizedKeysFile, AuthorizedPrincipalsCommand, AuthorizedPrincipalsCommandUser, AuthorizedPrincipalsFile, Banner, CASignatureAlgorithms, ChannelTimeout, ChrootDirectory, ClientAliveCountMax, ClientAliveInterval, DenyGroups, DenyUsers, DisableForwarding, ExposeAuthInfo, ForceCommand, GatewayPorts, GSSAPIAuthentication, HostbasedAcceptedAlgorithms, HostbasedAuthentication, HostbasedUsesNameFromPacketOnly, IgnoreRhosts, Include, IPQoS, KbdInteractiveAuthentication, KerberosAuthentication, LogLevel, MaxAuthTries, MaxSessions, PasswordAuthentication, PermitEmptyPasswords, PermitListen, PermitOpen, PermitRootLogin, PermitTTY, PermitTunnel, PermitUserRC, PubkeyAcceptedAlgorithms, PubkeyAuthentication, PubkeyAuthOptions, RekeyLimit, RevokedKeys, RDomain, SetEnv, StreamLocalBindMask, StreamLocalBindUnlink, TrustedUserCAKeys, UnusedConnectionTimeout, X11DisplayOffset, X11Forwarding and X11UseLocalhost.`,
+	"Match": docvalues.DocumentationValue{
+		Documentation: `Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. If a keyword appears in multiple Match blocks that are satisfied, only the first instance of the keyword is applied.
+The arguments to Match are one or more criteria-pattern pairs or the single token All which matches all criteria. The available criteria are User, Group, Host, LocalAddress, LocalPort, RDomain, and Address (with RDomain representing the rdomain(4) on which the connection was received).
+The match patterns may consist of single entries or comma-separated lists and may use the wildcard and negation operators described in the “PATTERNS” section of ssh_config(5).
+The patterns in an Address criteria may additionally contain addresses to match in CIDR address/masklen format, such as 192.0.2.0/24 or 2001:db8::/32. Note that the mask length provided must be consistent with the address - it is an error to specify a mask length that is too long for the address or one with bits set in this host portion of the address. For example, 192.0.2.0/33 and 192.0.2.0/8, respectively.
+Only a subset of keywords may be used on the lines following a Match keyword. Available keywords are AcceptEnv, AllowAgentForwarding, AllowGroups, AllowStreamLocalForwarding, AllowTcpForwarding, AllowUsers, AuthenticationMethods, AuthorizedKeysCommand, AuthorizedKeysCommandUser, AuthorizedKeysFile, AuthorizedPrincipalsCommand, AuthorizedPrincipalsCommandUser, AuthorizedPrincipalsFile, Banner, CASignatureAlgorithms, ChannelTimeout, ChrootDirectory, ClientAliveCountMax, ClientAliveInterval, DenyGroups, DenyUsers, DisableForwarding, ExposeAuthInfo, ForceCommand, GatewayPorts, GSSAPIAuthentication, HostbasedAcceptedAlgorithms, HostbasedAuthentication, HostbasedUsesNameFromPacketOnly, IgnoreRhosts, Include, IPQoS, KbdInteractiveAuthentication, KerberosAuthentication, LogLevel, MaxAuthTries, MaxSessions, PasswordAuthentication, PermitEmptyPasswords, PermitListen, PermitOpen, PermitRootLogin, PermitTTY, PermitTunnel, PermitUserRC, PubkeyAcceptedAlgorithms, PubkeyAuthentication, PubkeyAuthOptions, RekeyLimit, RevokedKeys, RDomain, SetEnv, StreamLocalBindMask, StreamLocalBindUnlink, TrustedUserCAKeys, UnusedConnectionTimeout, X11DisplayOffset, X11Forwarding and X11UseLocalhost.`,
+		Value: docvalues.OrValue{
+			Values: []docvalues.Value{
+				docvalues.SingleEnumValue("All"),
+				docvalues.ArrayValue{
+					Separator:           ",",
+					DuplicatesExtractor: &docvalues.SimpleDuplicatesExtractor,
+					SubValue: docvalues.KeyEnumAssignmentValue{
+						Separator: " ",
+						Values: map[docvalues.EnumString]docvalues.Value{
+							docvalues.CreateEnumString("User"):         docvalues.UserValue("", true),
+							docvalues.CreateEnumString("Group"):        docvalues.GroupValue("", true),
+							docvalues.CreateEnumString("Host"):         docvalues.StringValue{},
+							docvalues.CreateEnumString("LocalAddress"): docvalues.StringValue{},
+							docvalues.CreateEnumString("LocalPort"):    docvalues.NumberValue{Min: &ZERO, Max: &MAX_PORT},
+							docvalues.CreateEnumString("RDomain"):      docvalues.StringValue{},
+							docvalues.CreateEnumString("Address"):      docvalues.StringValue{},
+						},
+					},
+				},
+			},
+		},
+	},
 	"MaxAuthTries": docvalues.DocumentationValue{
 		Documentation: `Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. The default is 6.`,
 		Value:         docvalues.NumberValue{Min: &ZERO},