Merge pull request #1327 from tgauth/add-sshdconfig-match-to-export

Add sshdconfig match to export

Author: SteveL-MSFT

dsc/tests/dsc_sshdconfig.tests.ps1

@@ -5,12 +5,16 @@ BeforeDiscovery {
         $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
         $principal = [System.Security.Principal.WindowsPrincipal]::new($identity)
         $isElevated = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
-        $sshdExists = ($null -ne (Get-Command sshd -CommandType Application -ErrorAction Ignore))
-        $skipTest = !$isElevated -or !$sshdExists
     }
+    else {
+        $isElevated = (id -u) -eq 0
+    }
+
+    $sshdExists = ($null -ne (Get-Command sshd -CommandType Application -ErrorAction Ignore))
+    $skipTest = !$isElevated -or !$sshdExists
 }
 
-Describe 'SSHDConfig resource tests' -Skip:(!$IsWindows -or $skipTest) {
+Describe 'SSHDConfig resource tests' -Skip:($skipTest) {
     BeforeAll {
         # set a non-default value in a temporary sshd_config file
         "LogLevel Debug3`nPasswordAuthentication no" | Set-Content -Path $TestDrive/test_sshd_config

grammars/tree-sitter-ssh-server-config/grammar.js

@@ -11,27 +11,26 @@ const PREC = {
 export default grammar({
   name: 'ssh_server_config',
 
-  extras: $ => [' ', '\t', '\r'],
+  extras: $ => [' ', '\t', '\r', $.comment],
 
   rules: {
-    server_config: $ => seq(repeat(choice($._empty_line, $.comment, $.keyword)), repeat($.match)),
+    server_config: $ => seq(repeat(choice($._new_line, $.keyword)), repeat($.match)),
 
-    // check for an empty line that is just a /n character
-    _empty_line: $ => '\n',
-    comment: $ => /#.*\n/,
+    _new_line: $ => '\n',
+    comment: $ => /#.*/,
 
     keyword: $ => seq(
       field('keyword', $.alphanumeric),
       choice(seq(/[ \t]/, optional('=')), '='),
       optional(field('operator', $.operator)),
       field('arguments', $.arguments),
-      "\n"
+      $._new_line
     ),
 
     match: $ => seq(
       token(prec(PREC.MATCH, /match/i)),
-      seq(repeat1($.criteria), $._empty_line),
-      repeat1(choice($.comment, $.keyword)),
+      seq(repeat1($.criteria), $._new_line),
+      repeat1(choice($._new_line, $.keyword))
     ),
 
     criteria: $ => seq(
@@ -48,7 +47,7 @@ export default grammar({
     boolean: $ => choice('yes', 'no'),
     number: $ => /\d+/,
     operator: $ => token(prec(PREC.OPERATOR, /[-+\^]/)),
-    string: $ => /[^\r\n,"'\s]+/, /* cannot contain spaces */
+    string: $ => /[^\n\r\s,"'#]+/, /* cannot contain spaces */
 
     _quotedString: $ => /[^\r\n,"']+/, /* can contain spaces */
     _doublequotedString: $ => seq('"', alias($._quotedString, $.string), repeat(seq(',', alias($._quotedString, $.string))), '"'),

grammars/tree-sitter-ssh-server-config/test/corpus/valid_expressions.txt

@@ -429,3 +429,199 @@ passwordauthentication no
       (alphanumeric)
         (arguments
           (boolean)))))
+====
+parse comments between keywords
+====
+port 2222 # use non-default port
+
+---
+(server_config
+  (keyword
+    (alphanumeric)
+    (arguments
+      (number))
+    (comment)))
+====
+parse comments in match blocks
+====
+port 2222
+passwordauthentication no
+
+match User testuser # comment about criteria
+    PasswordAuthentication yes
+    AllowTcpForwarding no
+# comment between match blocks
+match Address 192.168.1.0/24
+    X11Forwarding yes
+    MaxAuthTries 3
+
+---
+(server_config
+  (keyword
+    (alphanumeric)
+      (arguments
+        (number)))
+  (keyword
+    (alphanumeric)
+      (arguments
+        (boolean)))
+  (match
+    (criteria
+      (alpha)
+      (argument
+        (string)))
+      (comment)
+    (keyword
+      (alphanumeric)
+        (arguments
+          (boolean)))
+    (keyword
+      (alphanumeric)
+        (arguments
+          (boolean)))
+    (comment))
+  (match
+    (criteria
+      (alpha)
+      (argument
+        (string)))
+    (keyword
+      (alphanumeric)
+      (arguments
+        (boolean)))
+    (keyword
+      (alphanumeric)
+      (arguments
+        (number)))))
+====
+parse newlines between match blocks
+====
+port 2222
+passwordauthentication no
+
+match User testuser
+    PasswordAuthentication yes
+    AllowTcpForwarding no
+
+match Address 192.168.1.0/24
+    X11Forwarding yes
+    MaxAuthTries 3
+
+---
+(server_config
+  (keyword
+    (alphanumeric)
+      (arguments
+        (number)))
+  (keyword
+    (alphanumeric)
+      (arguments
+        (boolean)))
+  (match
+    (criteria
+      (alpha)
+      (argument
+        (string)))
+    (keyword
+      (alphanumeric)
+        (arguments
+          (boolean)))
+    (keyword
+      (alphanumeric)
+        (arguments
+          (boolean))))
+  (match
+    (criteria
+      (alpha)
+      (argument
+        (string)))
+    (keyword
+      (alphanumeric)
+      (arguments
+        (boolean)))
+    (keyword
+      (alphanumeric)
+      (arguments
+        (number)))))
+====
+parse comment within match block
+====
+match user developer
+    # Enable password authentication for developers - comment ignored
+    passwordauthentication yes
+
+---
+(server_config
+  (match
+    (criteria
+      (alpha)
+      (argument
+        (string)))
+    (comment)
+    (keyword
+      (alphanumeric)
+      (arguments
+        (boolean)))))
+====
+parse newlines between match blocks
+====
+match User testuser
+    PasswordAuthentication yes
+    AllowTcpForwarding no
+    # comment line 1
+    # comment line 2
+
+
+match Address 192.168.1.0/24
+    X11Forwarding yes
+    MaxAuthTries 3
+
+---
+(server_config
+  (match
+    (criteria
+      (alpha)
+      (argument
+        (string)))
+    (keyword
+      (alphanumeric)
+      (arguments
+        (boolean)))
+    (keyword
+      (alphanumeric)
+      (arguments
+        (boolean)))
+    (comment)
+    (comment))
+  (match
+    (criteria
+      (alpha)
+      (argument
+        (string)))
+    (keyword
+      (alphanumeric)
+      (arguments
+        (boolean)))
+    (keyword
+      (alphanumeric)
+      (arguments
+        (number)))))
+====
+parse multiple comments and multiple lines
+====
+# comment line 1
+# comment line 2
+# comment line 3
+
+
+passwordauthentication yes
+
+---
+(server_config
+  (comment)
+  (comment)
+  (comment)
+  (keyword
+    (alphanumeric)
+      (arguments
+        (boolean))))

resources/sshdconfig/locales/en-us.toml

@@ -25,6 +25,7 @@ defaultShellCmdOptionMustBeString = "cmdOption must be a string"
 defaultShellEscapeArgsMustBe0Or1 = "'%{input}' must be a 0 or 1"
 defaultShellEscapeArgsMustBeDWord = "escapeArguments must be a DWord"
 defaultShellMustBeString = "shell must be a string"
+includeWarning = "Include directive found in sshd_config. This resource uses 'sshd -T' to process the overall configuration state, which merges all included files but does not return the Include directive itself"
 traceInput = "Get input:"
 windowsOnly = "Microsoft.OpenSSH.SSHD/Windows is only applicable to Windows"
 

resources/sshdconfig/src/get.rs

@@ -10,7 +10,7 @@ use {
 
 use rust_i18n::t;
 use serde_json::{Map, Value};
-use tracing::{debug, trace};
+use tracing::{debug, trace, warn};
 
 use crate::args::Setting;
 use crate::error::SshdConfigError;
@@ -121,10 +121,15 @@ pub fn get_sshd_settings(cmd_info: &CommandInfo, is_get: bool) -> Result<Map<Str
     let mut defaults = extract_sshd_defaults()?;
 
     // remove any explicit keys from default settings list
-    for key in explicit_settings.keys() {
+    for (key, value) in &explicit_settings {
         if defaults.contains_key(key) {
             defaults.remove(key);
         }
+        if key == "include" {
+            warn!("{}", t!("get.includeWarning").to_string());
+        } else if key == "match" {
+            result.insert(key.clone(), value.clone());
+        }
     }
 
     if cmd_info.include_defaults {

resources/sshdconfig/src/util.rs

@@ -280,6 +280,7 @@ pub fn build_command_info(input: Option<&String>, is_get: bool) -> Result<Comman
         });
         if is_get && !sshd_config.is_empty() {
             warn!("{}", t!("util.getIgnoresInputFilters"));
+            sshd_config.clear();
         }
         return Ok(CommandInfo {
             clobber,