From 9fd0d5e2c7caa6fc94ccd5aeff69a6a39874abfd Mon Sep 17 00:00:00 2001
From: James Adams
Date: Thu, 28 Nov 2024 14:22:34 +0000
Subject: [PATCH 1/6] ncm-ssh: Fix wrapping and indentation in pan
---
 ncm-ssh/src/main/pan/components/ssh/schema-5.3.pan | 4 ++--
 ncm-ssh/src/main/pan/components/ssh/schema.pan | 3 ++-
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/ncm-ssh/src/main/pan/components/ssh/schema-5.3.pan b/ncm-ssh/src/main/pan/components/ssh/schema-5.3.pan
index fc4f6e24e4..f16658a4d9 100644
--- a/ncm-ssh/src/main/pan/components/ssh/schema-5.3.pan
+++ b/ncm-ssh/src/main/pan/components/ssh/schema-5.3.pan
@@ -7,6 +7,6 @@ declaration template components/ssh/schema-5.3;
 type ssh_authkeyscommand_options_type = {
- "AuthorizedKeysCommand" ? string
- "AuthorizedKeysCommandRunAs" ? string
+ "AuthorizedKeysCommand" ? string
+ "AuthorizedKeysCommandRunAs" ? string
 };
diff --git a/ncm-ssh/src/main/pan/components/ssh/schema.pan b/ncm-ssh/src/main/pan/components/ssh/schema.pan
index 69fd6d3d2a..a990932fd9 100644
--- a/ncm-ssh/src/main/pan/components/ssh/schema.pan
+++ b/ncm-ssh/src/main/pan/components/ssh/schema.pan
@@ -168,7 +168,8 @@ type ssh_daemon_options_type = {
 "StrictModes" ? legacy_binary_affirmation_string
 "Subsystem" ? string
 "SyslogFacility" ? string with match (SELF,
- '^(AUTH(PRIV)?|DAEMON|USER|KERN|UUCP|NEWS|MAIL|SYSLOG|LPR|FTP|CRON|LOCAL[0-7])$')
+ '^(AUTH(PRIV)?|DAEMON|USER|KERN|UUCP|NEWS|MAIL|SYSLOG|LPR|FTP|CRON|LOCAL[0-7])$'
+ )
 "TcpRcvBuf" ? long
 "TcpRcvBufPoll" ? legacy_binary_affirmation_string
 "UseDNS" ? legacy_binary_affirmation_string
From 87b907dd09267af1674323a121206d8a63a6ec5b Mon Sep 17 00:00:00 2001
From: James Adams
Date: Fri, 29 Nov 2024 11:54:14 +0000
Subject: [PATCH 2/6] ncm-ssh: Add missing spaces after commas in tests (Fix lint warnings)
---
 ncm-ssh/src/test/resources/ssh_simple.pan | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ncm-ssh/src/test/resources/ssh_simple.pan b/ncm-ssh/src/test/resources/ssh_simple.pan
index 1484e92c95..c7b7873090 100644
--- a/ncm-ssh/src/test/resources/ssh_simple.pan
+++ b/ncm-ssh/src/test/resources/ssh_simple.pan
@@ -16,5 +16,5 @@ prefix "/software/components/ssh/daemon/comment_options";
 "Banner" = "Foobar";
 prefix "/software/components/ssh/client/options";
-"PreferredAuthentications" = list('gssapi-with-mic','hostbased','publickey');
+"PreferredAuthentications" = list('gssapi-with-mic', 'hostbased', 'publickey');
 "Port" = 22222;
From 196f8517f7bbdcb9381496735afbe337a97eeb21 Mon Sep 17 00:00:00 2001
From: James Adams
Date: Fri, 29 Nov 2024 14:16:23 +0000
Subject: [PATCH 3/6] ncm-ssh: Remove two unused types
---
 ncm-ssh/src/main/pan/components/ssh/schema.pan | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/ncm-ssh/src/main/pan/components/ssh/schema.pan b/ncm-ssh/src/main/pan/components/ssh/schema.pan
index a990932fd9..7743a2db50 100644
--- a/ncm-ssh/src/main/pan/components/ssh/schema.pan
+++ b/ncm-ssh/src/main/pan/components/ssh/schema.pan
@@ -17,10 +17,6 @@ type ssh_preferred_authentication = string with match(SELF, '^(gssapi-with-mic|h
 type ssh_ciphers = string with is_valid_ssh_cipher(SELF);
-type ssh_hostkeyalgorithms = string with match(SELF, "^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)" +
- "(ssh-rsa-cert-v01|ssh-dss-cert-v01|ecdsa-sha2-nistp256-cert-v01|ecdsa-sha2-nistp384-cert-v01|" +
- "|ecdsa-sha2-nistp521-cert-v01|ssh-rsa-cert-v00|ssh-dss-cert-v00|ssh-ed25519-cert-v01)@openssh.com)$");
-type ssh_kbdinteractivedevices = string with match (SELF, "^(bsdauth|pam|skey)$");
 type ssh_kexalgorithms = string with match (SELF, "^(diffie-hellman-group-exchange-sha256|" +
 "ecdh-sha2-nistp(256|384|521)|curve25519-sha256@libssh.org)$");
 type ssh_MACs = string with is_valid_ssh_MAC(SELF);
From 1a1e823d44272ce0552aef7a5bb193a64d8ca539 Mon Sep 17 00:00:00 2001
From: James Adams
Date: Fri, 29 Nov 2024 14:51:04 +0000
Subject: [PATCH 4/6] ncm-ssh: Remove unused validation function
---
 ncm-ssh/src/main/pan/components/ssh/schema.pan | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/ncm-ssh/src/main/pan/components/ssh/schema.pan b/ncm-ssh/src/main/pan/components/ssh/schema.pan
index 7743a2db50..512eb297ae 100644
--- a/ncm-ssh/src/main/pan/components/ssh/schema.pan
+++ b/ncm-ssh/src/main/pan/components/ssh/schema.pan
@@ -38,10 +38,6 @@ function is_valid_ssh_MAC = {
 function is_valid_ssh_cipher = {
 match (ARGV[0], "^((aes128|aes192|aes256)-ctr|(aes128-gcm|aes256-gcm|chacha20-poly1305)@openssh.com)$");
 };
-
-function is_valid_ssh_kexalgorithm = {
- match (ARGV[0], "^(diffie-hellman-group-exchange-sha256|ecdh-sha2-nistp(256|384|521)|" +
- "curve25519-sha256@libssh.org)$");
 };
 type legacy_ssh_MACs = string with {
From 0ed5adde7cc9bdb58d0442178998fcbf9e9ca0c0 Mon Sep 17 00:00:00 2001
From: James Adams
Date: Fri, 29 Nov 2024 14:17:38 +0000
Subject: [PATCH 5/6] ncm-ssh: Use choice type where possible
---
 .../src/main/pan/components/ssh/schema.pan | 30 +++++++++++++------
 1 file changed, 21 insertions(+), 9 deletions(-)
diff --git a/ncm-ssh/src/main/pan/components/ssh/schema.pan b/ncm-ssh/src/main/pan/components/ssh/schema.pan
index 512eb297ae..533734f37e 100644
--- a/ncm-ssh/src/main/pan/components/ssh/schema.pan
+++ b/ncm-ssh/src/main/pan/components/ssh/schema.pan
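Review bot: The hunk removes the blank line, the `function is_valid_ssh_kexalgorithm = {` header and its two `match` lines, but leaves that function's closing `};` as an unchanged context line, so after this commit `is_valid_ssh_cipher` is followed by a second, unmatched `};` and the template should no longer parse at this point in the series. Patch 6/6 happens to delete that line when it rewrites `is_valid_ssh_cipher`, so the series as a whole ends up consistent, but this commit on its own breaks bisecting. Mark the brace as removed here too: `-};` in place of ` };`, and the later patch will then need one fewer deletion.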
@@ -12,14 +12,26 @@ variable SSH_SCHEMA_VERSION ?= '5.3';
 include 'components/ssh/schema-' + SSH_SCHEMA_VERSION;
-type ssh_preferred_authentication = string with match(SELF, '^(gssapi-with-mic|hostbased|publickey' +
- '|keyboard-interactive|password)$');
-
+type ssh_preferred_authentication = choice(
+ 'gssapi-with-mic',
+ 'hostbased',
+ 'keyboard-interactive',
+ 'password',
+ 'publickey'
+);
 type ssh_ciphers = string with is_valid_ssh_cipher(SELF);
-type ssh_kexalgorithms = string with match (SELF, "^(diffie-hellman-group-exchange-sha256|" +
- "ecdh-sha2-nistp(256|384|521)|curve25519-sha256@libssh.org)$");
+
+type ssh_kexalgorithms = choice(
+ 'diffie-hellman-group-exchange-sha256',
+ 'ecdh-sha2-nistp256',
+ 'ecdh-sha2-nistp384',
+ 'ecdh-sha2-nistp521',
+ 'curve25519-sha256@libssh.org'
+);
+
 type ssh_MACs = string with is_valid_ssh_MAC(SELF);
+
 type ssh_gssapikexalgorithms = choice(
 'gss-gex-sha1-',
 'gss-group1-sha1-',
@@ -68,17 +80,17 @@ type legacy_ssh_kexalgorithm = string with {
 };
 type ssh_core_options_type = {
- "AddressFamily" ? string with match (SELF, '^(any|inet6?)$')
+ "AddressFamily" ? choice('any', 'inet', 'inet6')
 "ChallengeResponseAuthentication" ? legacy_binary_affirmation_string
 "Ciphers" ? legacy_ssh_ciphers
- "Compression" ? string with match (SELF, '^(yes|delayed|no)$')
+ "Compression" ? choice('yes', 'delayed', 'no')
 "GSSAPIAuthentication" ? legacy_binary_affirmation_string
 "GSSAPICleanupCredentials" ? legacy_binary_affirmation_string
 "GSSAPIKexAlgorithms" ? ssh_gssapikexalgorithms[1..]
 "GSSAPIKeyExchange" ? legacy_binary_affirmation_string
 "GatewayPorts" ? legacy_binary_affirmation_string
 "HostbasedAuthentication" ? legacy_binary_affirmation_string
- "LogLevel" ? string with match (SELF, '^(QUIET|FATAL|ERROR|INFO|VERBOSE|DEBUG[123]?)$')
+ "LogLevel" ? choice('QUIET', 'FATAL', 'ERROR', 'INFO', 'VERBOSE', 'DEBUG1', 'DEBUG2', 'DEBUG3')
 "MACs" ? legacy_ssh_MACs
 "PasswordAuthentication" ? legacy_binary_affirmation_string
 "Protocol" ? string
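Review bot: The new `ssh_kexalgorithms` choice is an explicit allowlist, which is the right shape for a cryptographic setting, but it is now the only place this policy lives and it carries no explanation: it accepts `curve25519-sha256@libssh.org` while rejecting the standardised name `curve25519-sha256` (the same method under its IANA-registered name, RFC 8731 as far as I recall), and `diffie-hellman-group-exchange-sha256` is the only non-ECDH entry. That is exactly the set the old regex accepted, so it is not a regression of this commit, but a reader converting a profile from a stock sshd_config will not know whether the omission is deliberate. Add a one-line comment above the type, e.g. `# Allow-list of KEX methods a profile may select; intentionally restrictive, extend only with names the deployed OpenSSH supports`. The same applies to `ssh_preferred_authentication`, which also reproduces the old set exactly.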
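Review bot: The `LogLevel` conversion drops a value the old regex accepted: `DEBUG[123]?` matched plain `DEBUG` as well as `DEBUG1`–`DEBUG3`, and sshd_config treats `DEBUG` as a valid level (equivalent to `DEBUG1`), so any profile setting `LogLevel` to `DEBUG` will now fail schema validation. Unless dropping it is intended, restore it: `"LogLevel" ? choice('QUIET', 'FATAL', 'ERROR', 'INFO', 'VERBOSE', 'DEBUG', 'DEBUG1', 'DEBUG2', 'DEBUG3')`. The other conversions in this hunk (`AddressFamily`, `Compression`) preserve their regex sets. `ssh_core_options_type` continues past the end of the hunk.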
@@ -142,7 +154,7 @@ type ssh_daemon_options_type = {
 };
 true;
 }
- "PermitTunnel" ? string with match (SELF, '^(yes|point-to-point|ethernet|no)$')
+ "PermitTunnel" ? choice('yes', 'point-to-point', 'ethernet', 'no')
 "PermitUserEnvironment" ? legacy_binary_affirmation_string
 "PidFile" ? string
 "Port" ? long
From 4001143db09c1f399c9c8b7294af046fc9f89841 Mon Sep 17 00:00:00 2001
From: James Adams
Date: Fri, 29 Nov 2024 14:18:08 +0000
Subject: [PATCH 6/6] ncm-ssh: Rewrite two validation functions
The regexps were clever, but hard to understand and maintain.
---
 .../src/main/pan/components/ssh/schema.pan | 27 ++++++++++++++++---
 1 file changed, 23 insertions(+), 4 deletions(-)
diff --git a/ncm-ssh/src/main/pan/components/ssh/schema.pan b/ncm-ssh/src/main/pan/components/ssh/schema.pan
index 533734f37e..ea4191466c 100644
--- a/ncm-ssh/src/main/pan/components/ssh/schema.pan
+++ b/ncm-ssh/src/main/pan/components/ssh/schema.pan
@@ -43,13 +43,32 @@ type ssh_gssapikexalgorithms = choice(
 );
 function is_valid_ssh_MAC = {
- match(ARGV[0], "^(hmac-(sha2-256|sha2-512|ripemd160)|(hmac-ripemd160|umac-64|umac-128|hmac-sha2-256-etm" +
- "|hmac-sha2-512-etm|hmac-ripemd160-etm|umac-64-etm|umac-128-etm)@openssh.com)$");
+ valid_options = list(
+ 'hmac-ripemd160',
+ 'hmac-ripemd160@openssh.com',
+ 'hmac-ripemd160-etm@openssh.com',
+ 'hmac-sha2-256',
+ 'hmac-sha2-256-etm@openssh.com',
+ 'hmac-sha2-512',
+ 'hmac-sha2-512-etm@openssh.com',
+ 'umac-64@openssh.com',
+ 'umac-64-etm@openssh.com',
+ 'umac-128@openssh.com',
+ 'umac-128-etm@openssh.com',
+ );
+ index(ARGV[0], valid_options) >= 0;
 };
 function is_valid_ssh_cipher = {
- match (ARGV[0], "^((aes128|aes192|aes256)-ctr|(aes128-gcm|aes256-gcm|chacha20-poly1305)@openssh.com)$");
-};
+ valid_options = list(
+ 'aes128-ctr',
+ 'aes192-ctr',
+ 'aes256-ctr',
+ 'aes128-gcm@openssh.com',
+ 'aes256-gcm@openssh.com',
+ 'chacha20-poly1305@openssh.com',
+ );
+ index(ARGV[0], valid_options) >= 0;
 };
 type legacy_ssh_MACs = string with {
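Review bot: Now that the MAC allowlist in `is_valid_ssh_MAC` is plain data, its policy deserves a comment, because it still admits `umac-64@openssh.com`/`umac-64-etm@openssh.com` (64-bit tags) and the three `hmac-ripemd160*` entries, which I believe OpenSSH removed around 7.6, so a profile can select a MAC that a current sshd will reject at start-up; something like `# Allowed MACs; umac-64 and hmac-ripemd160 entries are legacy and should be pruned once old hosts are gone` above the list, or pruning them in a follow-up. The rewrite itself reproduces the eleven MACs and six ciphers of the old regexes exactly, and `index(ARGV[0], valid_options) >= 0` is an exact-match membership test like the anchored regex it replaces, so validation strictness is unchanged. The trailing comma after the last element of both `list(...)` calls is inconsistent with the `choice(...)` calls introduced in 5/6; if the panc version in use does not accept a trailing comma in a call, drop it.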