From e31592899c8a5b2e86b33754ca01da43807828b5 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 8 Oct 2020 18:06:45 +0200
Subject: [PATCH 1/2] Allow listing match blocks in more nature manner

---
 templates/sshd_config.j2 | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2
index 049d5e8..6f61832 100644
--- a/templates/sshd_config.j2
+++ b/templates/sshd_config.j2
@@ -91,6 +91,15 @@ Match {{ match["Condition"] }}
 {%     endfor %}
 {%   endif %}
 {% endmacro %}
+{% macro match_iterate_block(match_list) %}
+{%   if match_list | type_debug == "list" %}
+{%     for match in match_list %}
+{{       match_block(match) -}}
+{%     endfor %}
+{%   else %}
+{{     match_block(match_list) -}}
+{%   endif %}
+{% endmacro %}
 {{ body_option("Port",sshd_Port) -}}
 {{ body_option("AddressFamily",sshd_AddressFamily) -}}
 {{ body_option("ListenAddress",sshd_ListenAddress) -}}
@@ -199,10 +208,10 @@ Match {{ match["Condition"] }}
 {{ body_option("X11UseLocalhost",sshd_X11UseLocalhost) -}}
 {{ body_option("XAuthLocation",sshd_XAuthLocation) -}}
 {% if sshd['Match'] is defined %}
-{{ match_block(sshd['Match']) -}}
+{{   match_iterate_block(sshd['Match']) -}}
 {% endif %}
 {% if sshd_match is defined %}
-{{ match_block(sshd_match) -}}
+{{   match_iterate_block(sshd_match) -}}
 {% endif %}
 {% if sshd_match_1 is defined %}
 {{ match_block(sshd_match_1) -}}

From 6ed5341f32db8c28f65e8470dc266d06a23add5d Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 8 Oct 2020 18:10:05 +0200
Subject: [PATCH 2/2] Test match blocks generators

---
 .travis.yml                  | 12 ++++++
 tests/test_match.yml         | 73 ++++++++++++++++++++++++++++++++++++
 tests/test_match_iterate.yml | 71 +++++++++++++++++++++++++++++++++++
 3 files changed, 156 insertions(+)
 create mode 100644 tests/test_match.yml
 create mode 100644 tests/test_match_iterate.yml

diff --git a/.travis.yml b/.travis.yml
index 43ebef9..317e2f2 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -47,3 +47,15 @@ script:
     ANSIBLE_FORCE_COLOR=1 ansible-playbook -i tests/inventory tests/test_alternative_file.yml --connection=local --become -v
     && (echo 'Alternative configuration file test: pass' && exit 0)
     || (echo 'Alternative configuration file test: fail' && exit 1)
+
+  # Test 6: Test match blocks generators
+  - >
+    ANSIBLE_FORCE_COLOR=1 ansible-playbook -i tests/inventory tests/test_match.yml --connection=local --become -v
+    && (echo 'Match blocks test: pass' && exit 0)
+    || (echo 'Match blocks test: fail' && exit 1)
+
+  # Test 7: Test match blocks generators with iteration
+  - >
+    ANSIBLE_FORCE_COLOR=1 ansible-playbook -i tests/inventory tests/test_match_iterate.yml --connection=local --become -v
+    && (echo 'Match blocks with iteration test: pass' && exit 0)
+    || (echo 'Match blocks with iteration test: fail' && exit 1)
diff --git a/tests/test_match.yml b/tests/test_match.yml
new file mode 100644
index 0000000..1e5e5ab
--- /dev/null
+++ b/tests/test_match.yml
@@ -0,0 +1,73 @@
+---
+- hosts: all
+  become: true
+  tasks:
+  - name: Configure sshd
+    include_role:
+      name: ansible-sshd
+    vars:
+      sshd:
+        Match:
+        - Condition: "User xusers"
+          X11Forwarding: yes
+          Banner: /tmp/xusers-banner
+      sshd_match:
+        - Condition: "User bot"
+          AllowTcpForwarding: no
+          Banner: /tmp/bot-banner
+      sshd_match_1:
+        - Condition: "User sftponly"
+          ForceCommand: "internal-sftp"
+          ChrootDirectory: "/var/uploads/"
+      sshd_match_2:
+        - Condition: "User root"
+          PasswordAuthentication: no
+          PermitTunnel: yes
+
+
+  - name: Verify the options are correctly set
+    block:
+      - meta: flush_handlers
+
+      - name: List effective configuration using sshd -T for xusers
+        command: sshd -T -C user=xusers
+        register: xusers_effective
+
+      - name: List effective configuration using sshd -T for bot
+        command: sshd -T -C user=bot
+        register: bot_effective
+
+      - name: List effective configuration using sshd -T for sftponly
+        command: sshd -T -C user=sftponly
+        register: sftponly_effective
+
+      - name: List effective configuration using sshd -T for root
+        command: sshd -T -C user=root
+        register: root_effective
+
+      - name: Print current configuration file
+        command: cat /etc/ssh/sshd_config
+        register: config
+
+      - name: Check the options are effective
+        # note, the options are in lower-case here
+        assert:
+          that:
+            - "'x11forwarding yes' in xusers_effective.stdout"
+            - "'banner /tmp/xusers-banner' in xusers_effective.stdout"
+            - "'allowtcpforwarding no' in bot_effective.stdout"
+            - "'banner /tmp/bot-banner' in bot_effective.stdout"
+            - "'forcecommand internal-sftp' in sftponly_effective.stdout"
+            - "'chrootdirectory /var/uploads/' in sftponly_effective.stdout"
+            - "'passwordauthentication no' in root_effective.stdout"
+            - "'permittunnel yes' in root_effective.stdout"
+
+      - name: Check the options are in configuration file
+        assert:
+          that:
+            - "'Match User xusers' in config.stdout"
+            - "'Match User bot' in config.stdout"
+            - "'Match User sftponly' in config.stdout"
+            - "'Match User root' in config.stdout"
+    tags: tests::verify
+
diff --git a/tests/test_match_iterate.yml b/tests/test_match_iterate.yml
new file mode 100644
index 0000000..a1cedb7
--- /dev/null
+++ b/tests/test_match_iterate.yml
@@ -0,0 +1,71 @@
+---
+- hosts: all
+  become: true
+  tasks:
+  - name: Configure sshd
+    include_role:
+      name: ansible-sshd
+    vars:
+      sshd:
+        Match:
+        - Condition: "User xusers"
+          X11Forwarding: yes
+          Banner: /tmp/xusers-banner
+        - Condition: "User bot"
+          AllowTcpForwarding: no
+          Banner: /tmp/bot-banner
+      sshd_match:
+        - Condition: "User sftponly"
+          ForceCommand: "internal-sftp"
+          ChrootDirectory: "/var/uploads/"
+        - Condition: "User root"
+          PasswordAuthentication: no
+          PermitTunnel: yes
+
+
+  - name: Verify the options are correctly set
+    block:
+      - meta: flush_handlers
+
+      - name: List effective configuration using sshd -T for xusers
+        command: sshd -T -C user=xusers
+        register: xusers_effective
+
+      - name: List effective configuration using sshd -T for bot
+        command: sshd -T -C user=bot
+        register: bot_effective
+
+      - name: List effective configuration using sshd -T for sftponly
+        command: sshd -T -C user=sftponly
+        register: sftponly_effective
+
+      - name: List effective configuration using sshd -T for root
+        command: sshd -T -C user=root
+        register: root_effective
+
+      - name: Print current configuration file
+        command: cat /etc/ssh/sshd_config
+        register: config
+
+      - name: Check the options are effective
+        # note, the options are in lower-case here
+        assert:
+          that:
+            - "'x11forwarding yes' in xusers_effective.stdout"
+            - "'banner /tmp/xusers-banner' in xusers_effective.stdout"
+            - "'allowtcpforwarding no' in bot_effective.stdout"
+            - "'banner /tmp/bot-banner' in bot_effective.stdout"
+            - "'forcecommand internal-sftp' in sftponly_effective.stdout"
+            - "'chrootdirectory /var/uploads/' in sftponly_effective.stdout"
+            - "'passwordauthentication no' in root_effective.stdout"
+            - "'permittunnel yes' in root_effective.stdout"
+
+      - name: Check the options are in configuration file
+        assert:
+          that:
+            - "'Match User xusers' in config.stdout"
+            - "'Match User bot' in config.stdout"
+            - "'Match User sftponly' in config.stdout"
+            - "'Match User root' in config.stdout"
+    tags: tests::verify
+