From f5525f7e1a6affdfce76853d84b556e3e849fc62 Mon Sep 17 00:00:00 2001 From: Artem Sidorenko Date: Wed, 17 Jul 2019 10:06:20 +0200 Subject: [PATCH 1/2] Support of custom match configuration blocks They are sometimes useful when you need to have user/group rectrictions or want to override some global configuration options Signed-off-by: Artem Sidorenko --- README.md | 19 +++++++++++++++++++ attributes/default.rb | 3 +++ spec/recipes/server_spec.rb | 29 +++++++++++++++++++++++++++++ templates/default/opensshd.conf.erb | 8 ++++++++ 4 files changed, 59 insertions(+) diff --git a/README.md b/README.md index f08a5b2..8802458 100644 --- a/README.md +++ b/README.md @@ -79,6 +79,7 @@ override['ssh-hardening']['ssh']['server']['listen_to'] = node['ipaddress'] * `['ssh-hardening']['ssh']['server']['sftp']['password_authentication']` - `false`. Set to `true` if password authentication should be enabled * `['ssh-hardening']['ssh']['server']['authorized_keys_path']` - `nil`. If not nil, full path to an authorized keys folder is expected * `['ssh-hardening']['ssh']['server']['extras']` - `{}`. Add extra configuration options, see [below](#extra-configuration-options) for details +* `['ssh-hardening']['ssh']['server']['match_blocks']` - `{}`. Match configuration block, see [below](#match-configuration-options-for-sshd) for details ## Usage 
@@ -145,6 +146,24 @@ default['ssh-hardening']['ssh']['client']['extras'].tap do |extra| end ``` +## Match Configuration Options for sshd +Match blocks have to be placed by the end of sshd_config. This can be achieved by using the `match_blocks` attribute tree: + +``` +default['ssh-hardening']['ssh']['server']['match_blocks'].tap do |match| + match['User root'] = <<~ROOT + AuthorizedKeysFile .ssh/authorized_keys + ROOT + match['User git'] = <<~GIT + Banner none + AuthorizedKeysCommand /bin/false + AuthorizedKeysFile .ssh/authorized_keys + GSSAPIAuthentication no + PasswordAuthentication no + GIT +end +``` + ## Local Testing Please install [chef-dk](https://downloads.chef.io/chefdk), [VirtualBox](https://www.virtualbox.org/) or VMware Workstation and [Vagrant](https://www.vagrantup.com/). diff --git a/attributes/default.rb b/attributes/default.rb index 07161f6..7853b9b 100644 --- a/attributes/default.rb +++ b/attributes/default.rb @@ -113,6 +113,9 @@ # extra server configuration options server['extras'] = {} + # server match configuration block + server['match_blocks'] = {} + # sshd sftp options server['sftp']['enable'] = false server['sftp']['log_level'] = 'VERBOSE' diff --git a/spec/recipes/server_spec.rb b/spec/recipes/server_spec.rb index 0480245..d3a5cbd 100644 --- a/spec/recipes/server_spec.rb +++ b/spec/recipes/server_spec.rb 
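Review bot: The comment `# server match configuration block` above the new `server['match_blocks'] = {}` default does not describe the shape the template consumes: each key is the criteria part of a `Match` line and each value is the directive text for that block, inserted verbatim at the end of sshd_config. Suggest `# sshd Match blocks: key = Match criteria (e.g. 'User git'), value = that block's directives as a multi-line string; rendered verbatim at the end of sshd_config`. Since both keys and values reach the config unchanged, the comment is also the place to say that the attribute is trusted operator input and, as far as this diff shows, is not validated by the cookbook.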
@@ -501,6 +501,35 @@ end end + describe 'match configuration blocks' do + context 'without custom extra config value' do + cached(:chef_run) do + ChefSpec::SoloRunner.new.converge(described_recipe) + end + + it 'does not have any match config blocks' do + expect(chef_run).to render_file('/etc/ssh/sshd_config') + expect(chef_run).not_to render_file('/etc/ssh/sshd_config'). + with_content(/^# Match Configuration Blocks/) + end + end + + context 'with custom match config block value' do + cached(:chef_run) do + ChefSpec::SoloRunner.new do |node| + node.normal['ssh-hardening']['ssh']['server']['match_blocks']['User root'] = <<~ROOT + AuthorizedKeysFile .ssh/authorized_keys + ROOT + end.converge(described_recipe) + end + + it 'uses the match config blocks' do + expect(chef_run).to render_file('/etc/ssh/sshd_config').with_content(/^# Match Configuration Blocks/) + expect(chef_run).to render_file('/etc/ssh/sshd_config').with_content(/^Match User root/) + end + end + end + it 'disables the challenge response authentication' do expect(chef_run).to render_file('/etc/ssh/sshd_config'). with_content(/ChallengeResponseAuthentication no/) diff --git a/templates/default/opensshd.conf.erb b/templates/default/opensshd.conf.erb index c6dbfa1..40ecd95 100644 --- a/templates/default/opensshd.conf.erb +++ b/templates/default/opensshd.conf.erb @@ -245,3 +245,11 @@ X11Forwarding no #PermitRootLogin no #X11Forwarding no <% end %> + +<%- unless @node['ssh-hardening']['ssh']['server']['match_blocks'].empty? %> +# Match Configuration Blocks + <%- @node['ssh-hardening']['ssh']['server']['match_blocks'].each do |key, value| %> +Match <%= key %> + <%= value.split("\n").join("\n ") %> + <% end -%> +<% end -%> From e289780c10695f781e18deb6410e5bf5ac43996a Mon Sep 17 00:00:00 2001 From: Artem Sidorenko Date: Wed, 17 Jul 2019 10:30:07 +0200 Subject: [PATCH 2/2] Switch rubocop to one of the modern ruby versions 
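Review bot: The positive case in the new 'with custom match config block value' context asserts only `/^Match User root/` and never checks that the heredoc body is rendered beneath it, so a regression in the template's `split`/`join` line would pass this spec unnoticed. Asserting the following line as well pins the indentation the template produces: `expect(chef_run).to render_file('/etc/ssh/sshd_config').with_content(/^Match User root\n\s+AuthorizedKeysFile \.ssh\/authorized_keys$/)`. The first context's label 'without custom extra config value' looks copied from the extras specs and should read 'without custom match config block value'. The enclosing describe block starts before the hunk.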
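Review bot: The `Match <%= key %>` line and the `value.split("\n").join(...)` line render the attribute text verbatim, with no check that a key or value line does not itself begin a new `Match` block, so a value containing one silently ends the current block and re-scopes every directive below it; the block order is also whatever the merged attribute hash iterates in, which this template does not control. Both deserve a comment in the template, since sshd applies each directive below a `Match` line only until the next `Match` line or end of file and nothing here says so: `# Match blocks must stay at the end of the file: every directive below a Match line is scoped to it until the next Match line; keys and values are inserted verbatim and must not contain a Match line themselves`. If the recipe does not already validate the rendered file with `sshd -t` before notifying the service, a mistyped criteria string in a key would only surface as sshd refusing to reload; I cannot tell from this diff whether it does.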
Signed-off-by: Artem Sidorenko --- .rubocop.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.rubocop.yml b/.rubocop.yml index f7be2d4..619397c 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -4,7 +4,7 @@ AllCops: Exclude: - vendor/**/* - test/**/* - TargetRubyVersion: 2.1 # we need this because of chef 12.5.1 support + TargetRubyVersion: 2.4 Metrics/AbcSize: Max: 29 Metrics/CyclomaticComplexity: @@ -35,4 +35,4 @@ Metrics/BlockLength: Exclude: - 'spec/**/*' Style/FrozenStringLiteralComment: - Enabled: false \ No newline at end of file + Enabled: false
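Review bot: The replaced `TargetRubyVersion` line drops the only explanation the file had for the pinned Ruby version, and the new value `2.4` carries no reason either, so the next reader cannot tell whether chef 12.5.1 support was deliberately given up. The squiggly heredocs (`<<~ROOT`) introduced in the spec of PATCH 1/2 need Ruby 2.3 or newer, which appears to be the driver; a short comment keeps that visible: `TargetRubyVersion: 2.4 # <<~ heredocs in the specs need Ruby >= 2.3`, and whether the chef 12.5.1 pin is dropped should be stated by the author. The second hunk only adds the missing trailing newline.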