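# Test policy: maintains per-user and per-group "Match" blocks in an
# sshd_config-style file, using two edit_line bundles and two select_region
# bodies defined below. The value() and always() bodies are not defined in this
# file; presumably they come from cfengine_stdlib.cf.

body common control
{
      bundlesequence => { "main", };
      inputs => { "cfengine_stdlib.cf", };
}

bundle agent main
{
  methods:
      "any" usebundle => test;
}

# Exercises both edit_line bundles against a scratch copy of sshd_config.
bundle agent test
{
  vars:
      # Settings are keyed by sshd_config keyword; the array name is passed to
      # the edit_line bundles as "test.<array>".
      #
      # ChrootDirectory: sshd refuses the session unless every component of the
      # chroot path is owned by root and not writable by group or others. This
      # policy neither creates nor verifies /sftp-jail.
      "restricted_user_ssh[ChrootDirectory]" string => "/sftp-jail/%u";

      # Was "sftp", which names the external client program. A forced external
      # command needs a shell and support files inside the jail; internal-sftp
      # is the in-process SFTP server and needs none. It now matches the
      # group block below.
      "restricted_user_ssh[ForceCommand]" string => "internal-sftp";

      "sftponly_group_ssh[ChrootDirectory]" string => "/sftp-jail/%u";
      "sftponly_group_ssh[ForceCommand]" string => "internal-sftp";

  files:
      # Scratch target for the test.
      # NOTE(review): a fixed file name under /tmp is predictable; if the agent
      # runs privileged, prefer a directory only it can write to. A real
      # deployment would target the live sshd_config and check the result with
      # "sshd -t" before reloading the daemon.
      "/tmp/sshd_config"
        create => "true",
        edit_line => set_config_values_sshd_match_user("restricteduser", "test.restricted_user_ssh");

      "/tmp/sshd_config"
        create => "true",
        edit_line => set_config_values_sshd_match_group("sftponly", "test.sftponly_group_ssh");
}

# Ensure a "Match User <user>" block exists and carries the given settings.
#
#   user     - account name, written literally into the Match line.
#   settings - qualified name of an array (e.g. "test.restricted_user_ssh")
#              whose indices are sshd_config keywords and whose values are the
#              arguments to set.
#
# This bundle only manages settings that it is given; it does not remove
# extraneous settings in the section.
#
# NOTE(review): keyword matching below is case-sensitive, while sshd treats
# keywords case-insensitively and uses the first value it obtains for a
# keyword. A differently-cased line left earlier in the block would therefore
# take precedence over the managed one. Confirm the file uses canonical case.
bundle edit_line set_config_values_sshd_match_user(user, settings)
{
  vars:
      "settings_index" slist => getindices("$(settings)");
      "line" string => "Match User $(user)";
      "cline" string => canonify("$(line)");

      # The name is interpolated into regular expressions below. Escape it so
      # that a metacharacter in it (e.g. the dot in "john.doe") is matched
      # literally and cannot select a different account's block.
      "user_re" string => escape("$(user)");

  replace_patterns:
      # Rewrite a header for this user that is not already in canonical form
      # (the negative lookahead skips the canonical spelling).
      "^(?!Match User $(user_re))Match\s*User\s*$(user_re)$"
        replace_with => value("Match User $(user)"),
        comment => "Make sure there is consistency in form",
        classes => always("replace_done_$(cline)");

  insert_lines:
      # Guarded by the class raised by the replace_patterns promise above,
      # presumably so that normalisation is attempted before a new header is
      # added. No location body is given, so placement is the agent's default.
      "$(line)"
        ifvarclass => "replace_done_$(cline)";

  delete_lines:
      # Drop existing lines for each managed keyword inside the block. The
      # keyword must be followed by a delimiter (whitespace or "="), so that
      # managing e.g. AuthorizedKeysCommand does not also delete
      # AuthorizedKeysCommandUser.
      "\s*$(settings_index)[\s=].*"
        select_region => sshd_config_match_user("$(user_re)");

  insert_lines:
      # Write "<keyword> <value>" for every index of the settings array.
      " $(settings_index) $($(this.settings)[$(this.settings_index)])"
        select_region => sshd_config_match_user("$(user_re)");
}

# Ensure a "Match Group <group>" block exists and carries the given settings.
#
#   group    - group name, written literally into the Match line.
#   settings - qualified name of an array (e.g. "test.sftponly_group_ssh")
#              whose indices are sshd_config keywords and whose values are the
#              arguments to set.
#
# This bundle only manages settings that it is given; it does not remove
# extraneous settings in the section. The case-sensitivity caveat described for
# the user bundle applies here as well.
bundle edit_line set_config_values_sshd_match_group(group, settings)
{
  vars:
      "settings_index" slist => getindices("$(settings)");
      "line" string => "Match Group $(group)";
      "cline" string => canonify("$(line)");

      # Escaped copy of the name for use inside regular expressions.
      "group_re" string => escape("$(group)");

  replace_patterns:
      # Rewrite a header for this group that is not already in canonical form.
      "^(?!Match Group $(group_re))Match\s*Group\s*$(group_re)$"
        replace_with => value("Match Group $(group)"),
        comment => "Make sure there is consistency in form",
        classes => always("replace_done_$(cline)");

  insert_lines:
      # Guarded by the class raised by the replace_patterns promise above.
      "$(line)"
        ifvarclass => "replace_done_$(cline)";

  delete_lines:
      # Keyword must be followed by whitespace or "=" so that a keyword which
      # is a prefix of a longer keyword does not delete the longer one.
      "\s*$(settings_index)[\s=].*"
        select_region => sshd_config_match_group("$(group_re)");

  insert_lines:
      # Write "<keyword> <value>" for every index of the settings array.
      " $(settings_index) $($(this.settings)[$(this.settings_index)])"
        select_region => sshd_config_match_group("$(group_re)");
}

# Region covering one "Match User <x>" block: from its header line (included)
# up to, but not including, the next line that starts another Match block.
#
#   x - regular expression for the user name; callers pass an escaped name.
#
# The start pattern carries an explicit end anchor so that a name which is a
# prefix of another (bob / bobby) cannot select the wrong block, whatever
# anchoring the agent applies to select_start.
#
# NOTE(review): when the block is the last one in the file, select_end never
# matches. Confirm how the agent version in use treats an unterminated region
# (newer releases offer select_end_match_eof).
body select_region sshd_config_match_user (x)
{
      select_start => "^Match\s*User\s*$(x)\s*$";
      select_end => "^Match\s.*";
      include_start_delimiter => "true";
      include_end_delimiter => "false";
}

# Region covering one "Match Group <x>" block: from its header line (included)
# up to, but not including, the next line that starts another Match block.
#
#   x - regular expression for the group name; callers pass an escaped name.
#
# The explicit end anchor and the end-of-file caveat described for
# sshd_config_match_user apply here too.
body select_region sshd_config_match_group (x)
{
      select_start => "^Match\s*Group\s*$(x)\s*$";
      select_end => "^Match\s.*";
      include_start_delimiter => "true";
      include_end_delimiter => "false";
}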