Nested Cmd Blocks for Arguments in tac_plus-ng Config


strikerx22

Feb 19, 2024, 3:41:43 PM
to Event-Driven Servers
For tac_plus-ng, can we still build out nested cmd blocks like in the tac_plus configuration structure? I have a heavily customized configuration that was easy to maintain in the tac_plus.cfg, but am not certain what the ideal method is to accomplish this in the new script format used for tac_plus-ng.

For example, here's a heavily truncated config showing how these blocks were written in tac_plus.cfg:

    group = -SUPPORT {
        default service = deny
        service = shell {
            default command = deny
            default attribute = permit
            set priv-lvl = 15
            cmd = show {
                # Permitted show commands
                permit .*
            }
            cmd = configure {
                # Permit configure terminal
                permit terminal
                # ExtremeOS Switch Commands - SYSTEM ADMINS
                permit vlan.*
                deny "ports all"
                permit ports.*
                permit inline-power.*
            }
            cmd = no {
                deny "switchport trunk.*"
                permit shutdown
                permit switchport.*
                permit description
                permit "ip dhcp"
                permit "service dhcp"
                permit "spanning-tree portfast"
                permit "spanning-tree guard"
                permit "spanning-tree bpduguard"
                permit "spanning-tree link-type"
                permit untagged.*
                permit tagged.*
                permit boot.*
                permit port-security.*
                permit power-over-ethernet
                permit deploy
                permit "inline power"
                permit inline.*
                permit vstack.*
                deny vlan.*
            }
        }
    }



While transposing to scripts, it's starting to look like this, which I feel like is going to fail due to the lack of regex syntax on my end.

    profile support {
        script {
            if (service == shell) {
                # Default settings for shell startup
                if (cmd == "") {
                    set priv-lvl = 15
                    permit
                }

                # Simplified one-liners for non-granular control
                if (cmd == "show") permit
                if (cmd == "exit") permit
                if (cmd == "end") permit

                # Expanded command blocks for granular control
                if (cmd == "configure") {
                    permit terminal
                    permit "vlan.*"
                    permit "ports.*"
                    permit "inline-power.*"
                    deny "ports all"
                }

                if (cmd == "no") {
                    permit shutdown
                    permit "switchport.*"
                    permit description
                    permit "ip dhcp"
                    permit "service dhcp"
                    permit "spanning-tree portfast"
                    permit "spanning-tree guard"
                    permit "spanning-tree bpduguard"
                    permit "spanning-tree link-type"
                    permit "untagged.*"
                    permit "tagged.*"
                    permit boot.*
                    permit "port-security.*"
                    permit "power-over-ethernet"
                    permit "inline power"
                    permit inline.*
                    permit "vstack.*"
                    deny "switchport trunk.*"
                    deny "vlan.*"
                }
            }
        }
    }




Am I correct in assuming the same block format (cmd-arg inside the root cmd block) is not supported in tac_plus-ng? If so, what is the best way to accomplish the same type of granularity/legibility using the new script configuration format?

Since I am not the only person who will be maintaining this once migrated to tac_plus-ng, I want to make sure the configuration is super legible and easy to follow, which is why I love the block formatting. Worst case scenario, I can translate them all to one-liners but I wanted to check here first. 

Kindest Regards,
Ryan N. Davis

Marc Huber

Feb 20, 2024, 11:38:37 AM
to event-driv...@googlegroups.com
Hi Ryan,
I'd translate that to

    profile support {
        if (service == shell) {
            if (cmd == "") { # shell startup
                set priv-lvl = 15
                permit
            }
            if (cmd =~ /^show/) permit
            if (cmd =~ /^configure terminal/) permit
            if (cmd =~ /^configure vlan/) permit
            if (cmd =~ /^configure ports all/) deny
            if (cmd =~ /^configure ports/) permit
            if (cmd =~ /^configure inline-power/) permit
            if (cmd =~ /^no switchport trunk/) deny
            if (cmd =~ /^no shutdown/) permit
            ...
            if (cmd =~ /^no vstack/) permit
            if (cmd =~ /^no vlan/) deny
            deny # all other commands
        }
        deny # all other services
    }

These Perl regular expressions are only anchored on the left side (^); it might be advisable to add some right-side anchoring, too, or at least add some white-space. Examples:

if (cmd =~ /^show /) permit
if (cmd =~ /^no switchport trunk <cr>$/) deny

This largely depends on the command attributes your device is actually sending.

Cheers,

Marc
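To see what the ordering and anchoring in Marc's translation actually do before committing it to a profile, here is an added example (not tac_plus-ng's own code, nor anything from this thread) that models the top-to-bottom, first-verdict-wins evaluation his ordered `if (cmd =~ /.../) permit|deny` lines rely on, runs both the left-anchored list and the tightened one over constructed sample commands, and lints a rule list for earlier `^literal` rules that shadow later ones. Python's `re` stands in for the Perl regexes tac_plus-ng evaluates with `=~`; for these anchored patterns they agree. Assumptions: the device sends commands in the `cmd args <cr>` form that Marc's `<cr>$` example implies, the `^no switchport` permit stands in for the original `permit switchport.*` under `cmd = no` that the reply elides, and the sample commands (including the deliberately bogus `showrun`) are constructed, not captured.

```python
import re

# Added example, not tac_plus-ng code: a model of the top-to-bottom,
# first-verdict-wins evaluation that an ordered list of
# "if (cmd =~ /.../) permit|deny" lines relies on. Python's re stands in for
# the Perl regexes tac_plus-ng evaluates with =~; for ^-anchored patterns
# like these the two agree.

# Marc's left-anchored translation. The "^no switchport" permit stands in for
# the original "permit switchport.*" under cmd = no that the reply elides.
LEFT_ANCHORED = [
    (r"^show", "permit"),
    (r"^configure terminal", "permit"),
    (r"^configure vlan", "permit"),
    (r"^configure ports all", "deny"),
    (r"^configure ports", "permit"),
    (r"^configure inline-power", "permit"),
    (r"^no switchport trunk", "deny"),
    (r"^no switchport", "permit"),
    (r"^no shutdown", "permit"),
    (r"^no vstack", "permit"),
    (r"^no vlan", "deny"),
]

# The same list with the right-side anchoring Marc suggests for two rules.
_TIGHTER = {r"^show": r"^show ",
            r"^no switchport trunk": r"^no switchport trunk <cr>$"}
TIGHTENED = [(_TIGHTER.get(p, p), v) for p, v in LEFT_ANCHORED]

# Constructed sample commands in the "cmd args <cr>" form that the "<cr>$"
# example implies the device sends (assumption: verify against your logs).
SAMPLE_COMMANDS = [
    "show running-config <cr>",
    "showrun <cr>",                              # constructed, not a real command
    "configure ports all auto off <cr>",
    "configure ports 1:1 auto off <cr>",
    "no switchport trunk <cr>",
    "no switchport trunk allowed vlan 10 <cr>",
    "no vlan 10 <cr>",
    "reload <cr>",
]


def evaluate(cmd, rules, default="deny"):
    """Verdict of the first rule whose pattern matches cmd, else default
    (the trailing unconditional "deny # all other commands")."""
    for pattern, verdict in rules:
        if re.search(pattern, cmd):
            return verdict
    return default


_META = set(".*+?[](){}|\\$")


def literal_prefix(pattern):
    """Literal text of a '^literal' pattern, or None when the pattern uses
    regex metacharacters this lint does not model."""
    if not pattern.startswith("^") or _META & set(pattern[1:]):
        return None
    return pattern[1:]


def shadowed_rules(rules):
    """(later, earlier) pairs where an earlier ^literal rule matches every
    command the later one could match, so the later rule can never fire.
    This catches the ordering mistake of listing ^configure ports before
    ^configure ports all."""
    found = []
    for j, (later, _) in enumerate(rules):
        lit_later = literal_prefix(later)
        if lit_later is None:
            continue
        for earlier, _ in rules[:j]:
            lit_earlier = literal_prefix(earlier)
            if lit_earlier is not None and lit_later.startswith(lit_earlier):
                found.append((later, earlier))
                break
    return found


if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(f"{cmd:44} left-anchored={evaluate(cmd, LEFT_ANCHORED):6} "
              f"tightened={evaluate(cmd, TIGHTENED)}")
    print("shadowed rules:", shadowed_rules(LEFT_ANCHORED))
```

The two lists differ exactly where the anchoring differs: `^show` permits the bogus `showrun`, `^show ` does not; `^no switchport trunk` denies every `no switchport trunk ...` variant, while `^no switchport trunk <cr>$` denies only the bare command and lets the later `^no switchport` permit the rest. Which of those is the right policy is a decision for the profile author; the point is that the model makes the difference visible before the device does. Running `shadowed_rules` on a list with the two `configure ports` rules swapped reports the dead rule.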

strikerx22

Mar 21, 2024, 11:27:24 AM
to Event-Driven Servers
Thanks, Marc! This is helpful and is how I will re-write my old configs. 

Kindest Regards,
Ryan N. Davis

strikerx22

Mar 21, 2024, 11:29:35 AM
to Event-Driven Servers
Quick side question: I noticed you removed the "script" lines in your reply. Is that intentional, or just an oversight? My impression from the config docs is that all of these command blocks need to be in script blocks.