<?xml version="1.0"?>
<interfaceDefinition>
  <node name="system">
    <children>
      <node name="login" owner="${vyos_conf_scripts_dir}/system_login.py">
        <properties>
          <help>System User Login Configuration</help>
          <priority>400</priority>
        </properties>
        <children>
          <tagNode name="user">
            <properties>
              <help>Local user account information</help>
              <constraint>
                #include <include/constraint/login-username.xml.i>
              </constraint>
              <constraintErrorMessage>Username contains illegal characters or\nexceeds 100 character limitation.</constraintErrorMessage>
            </properties>
            <children>
              <node name="authentication">
                <properties>
                  <help>Authentication settings</help>
                </properties>
                <children>
                  <leafNode name="encrypted-password">
                    <properties>
                      <help>Encrypted password</help>
                      <constraint>
                        <regex>(\*|\!)</regex>
                        <regex>[a-zA-Z0-9\.\/]{13}</regex>
                        <regex>\$1\$[a-zA-Z0-9\./]*\$[a-zA-Z0-9\./]{22}</regex>
                        <regex>\$5\$(rounds=[0-9]+\$)?[a-zA-Z0-9\./]*\$[a-zA-Z0-9\./]{43}</regex>
                        <regex>\$6\$(rounds=[0-9]+\$)?[a-zA-Z0-9\./]*\$[a-zA-Z0-9\./]{86}</regex>
                      </constraint>
                      <constraintErrorMessage>Invalid encrypted password for $VAR(../../@).</constraintErrorMessage>
                    </properties>
                    <defaultValue>!</defaultValue>
                  </leafNode>
                  <node name="otp">
                    <properties>
                      <help>One-Time-Pad (two-factor) authentication parameters</help>
                    </properties>
                    <children>
                      <leafNode name="rate-limit">
                        <properties>
                          <help>Limit number of logins (rate-limit) per rate-time</help>
                          <valueHelp>
                            <format>u32:1-10</format>
                            <description>Number of attempts</description>
                          </valueHelp>
                          <constraint>
                            <validator name="numeric" argument="--range 1-10"/>
                          </constraint>
                          <constraintErrorMessage>Number of login attempts must me between 1 and 10</constraintErrorMessage>
                        </properties>
                        <defaultValue>3</defaultValue>
                      </leafNode>
                      <leafNode name="rate-time">
                        <properties>
                          <help>Limit number of logins (rate-limit) per rate-time</help>
                          <valueHelp>
                            <format>u32:15-600</format>
                            <description>Time interval</description>
                          </valueHelp>
                          <constraint>
                            <validator name="numeric" argument="--range 15-600"/>
                          </constraint>
                          <constraintErrorMessage>Rate limit time interval must be between 15 and 600 seconds</constraintErrorMessage>
                        </properties>
                        <defaultValue>30</defaultValue>
                      </leafNode>
                      <leafNode name="window-size">
                        <properties>
                          <help>Set window of concurrently valid codes</help>
                          <valueHelp>
                            <format>u32:1-21</format>
                            <description>Window size</description>
                          </valueHelp>
                          <constraint>
                            <validator name="numeric" argument="--range 1-21"/>
                          </constraint>
                          <constraintErrorMessage>Window of concurrently valid codes must be between 1 and 21</constraintErrorMessage>
                        </properties>
                        <defaultValue>3</defaultValue>
                      </leafNode>
                      <leafNode name="key">
                        <properties>
                          <help>Key/secret the token algorithm (see RFC4226)</help>
                          <valueHelp>
                            <format>txt</format>
                            <description>Base32 encoded key/token</description>
                          </valueHelp>
                          <constraint>
                            <regex>[a-zA-Z2-7]{26,10000}</regex>
                          </constraint>
                          <constraintErrorMessage>Key must only include base32 characters and be at least 26 characters long</constraintErrorMessage>
                        </properties>
                      </leafNode>
                    </children>
                  </node>
                  <leafNode name="plaintext-password">
                    <properties>
                      <help>Plaintext password used for encryption</help>
                    </properties>
                  </leafNode>
                  <tagNode name="public-keys">
                    <properties>
                      <help>Remote access public keys</help>
                      <valueHelp>
                        <format>txt</format>
                        <description>Key identifier used by ssh-keygen (usually of form user@host)</description>
                      </valueHelp>
                    </properties>
                    <children>
                      <leafNode name="key">
                        <properties>
                          <help>Public key value (Base64 encoded)</help>
                          <constraint>
                            <validator name="base64"/>
                          </constraint>
                        </properties>
                      </leafNode>
                      <leafNode name="options">
                        <properties>
                          <help>Optional public key options</help>
                        </properties>
                      </leafNode>
                      <leafNode name="type">
                        <properties>
                          <help>SSH public key type</help>
                          <completionHelp>
                            <list>ssh-dss ssh-rsa ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-ed25519 sk-ecdsa-sha2-nistp256@openssh.com sk-ssh-ed25519@openssh.com</list>
                          </completionHelp>
                          <valueHelp>
                            <format>ssh-dss</format>
                            <description>Digital Signature Algorithm (DSA) key support</description>
                          </valueHelp>
                          <valueHelp>
                            <format>ssh-rsa</format>
                            <description>Key pair based on RSA algorithm</description>
                          </valueHelp>
                          <valueHelp>
                            <format>ecdsa-sha2-nistp256</format>
                            <description>Elliptic Curve DSA with NIST P-256 curve</description>
                          </valueHelp>
                          <valueHelp>
                            <format>ecdsa-sha2-nistp384</format>
                            <description>Elliptic Curve DSA with NIST P-384 curve</description>
                          </valueHelp>
                          <valueHelp>
                            <format>ecdsa-sha2-nistp521</format>
                            <description>Elliptic Curve DSA with NIST P-521 curve</description>
                          </valueHelp>
                          <valueHelp>
                            <format>ssh-ed25519</format>
                            <description>Edwards-curve DSA with elliptic curve 25519</description>
                          </valueHelp>
                          <valueHelp>
                            <format>sk-ecdsa-sha2-nistp256@openssh.com</format>
                            <description>Elliptic Curve DSA security key</description>
                          </valueHelp>
                          <valueHelp>
                            <format>sk-ssh-ed25519@openssh.com</format>
                            <description>Elliptic curve 25519 security key</description>
                          </valueHelp>
                          <constraint>
                            <regex>(ssh-dss|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|ssh-ed25519|sk-ecdsa-sha2-nistp256@openssh.com|sk-ssh-ed25519@openssh.com)</regex>
                          </constraint>
                        </properties>
                      </leafNode>
                    </children>
                  </tagNode>
                </children>
              </node>
              #include <include/generic-disable-node.xml.i>
              <leafNode name="full-name">
                <properties>
                  <help>Full name of the user (use quotes for names with spaces)</help>
                  <constraint>
                    <regex>[^:]*</regex>
                  </constraint>
                  <constraintErrorMessage>Cannot use ':' in full name</constraintErrorMessage>
                </properties>
              </leafNode>
              <leafNode name="home-directory">
                <properties>
                  <help>Home directory</help>
                  <valueHelp>
                    <format>txt</format>
                    <description>Path to home directory</description>
                  </valueHelp>
                  <constraint>
                    <regex>\/$|(\/[a-zA-Z_0-9-.]+)+</regex>
                  </constraint>
                </properties>
              </leafNode>
            </children>
          </tagNode>
          #include <include/radius-server-ipv4-ipv6.xml.i>
          <node name="radius">
            <children>
              <tagNode name="server">
                <children>
                  #include <include/radius-timeout.xml.i>
                  #include <include/radius-priority.xml.i>
                  <leafNode name="priority">
                    <defaultValue>255</defaultValue>
                  </leafNode>
                </children>
              </tagNode>
              #include <include/interface/vrf.xml.i>
            </children>
          </node>
          <node name="tacacs">
            <properties>
              <help>TACACS+ based user authentication</help>
            </properties>
            <children>
              <tagNode name="server">
                <properties>
                  <help>TACACS+ server configuration</help>
                  <valueHelp>
                    <format>ipv4</format>
                    <description>TACACS+ server IPv4 address</description>
                  </valueHelp>
                  <constraint>
                    <validator name="ipv4-address"/>
                  </constraint>
                </properties>
                <children>
                  #include <include/generic-disable-node.xml.i>
                  #include <include/radius-server-key.xml.i>
                  #include <include/port-number.xml.i>
                  <leafNode name="port">
                    <defaultValue>49</defaultValue>
                  </leafNode>
                </children>
              </tagNode>
              #include <include/source-address-ipv4.xml.i>
              <leafNode name="security-mode">
                <properties>
                  <help>Security mode for TACACS+ authentication</help>
                  <completionHelp>
                    <list>mandatory optional</list>
                  </completionHelp>
                  <valueHelp>
                    <format>mandatory</format>
                    <description>Deny access immediately if TACACS+ answers with REJECT</description>
                  </valueHelp>
                  <valueHelp>
                    <format>optional</format>
                    <description>Pass to the next authentication method if TACACS+ answers with REJECT</description>
                  </valueHelp>
                  <constraint>
                    <regex>(mandatory|optional)</regex>
                  </constraint>
                </properties>
                <defaultValue>optional</defaultValue>
              </leafNode>
              #include <include/radius-timeout.xml.i>
              #include <include/interface/vrf.xml.i>
            </children>
          </node>
          <leafNode name="max-login-session">
            <properties>
              <help>Maximum number of all login sessions</help>
              <valueHelp>
                <format>u32:1-65536</format>
                <description>Maximum number of all login sessions</description>
              </valueHelp>
              <constraint>
                <validator name="numeric" argument="--range 1-65536"/>
              </constraint>
              <constraintErrorMessage>Maximum logins must be between 1 and 65536</constraintErrorMessage>
            </properties>
          </leafNode>
          <leafNode name="timeout">
            <properties>
              <help>Session timeout</help>
              <valueHelp>
                <format>u32:5-604800</format>
                <description>Session timeout in seconds</description>
              </valueHelp>
              <constraint>
                <validator name="numeric" argument="--range 5-604800"/>
              </constraint>
              <constraintErrorMessage>Timeout must be between 5 and 604800 seconds</constraintErrorMessage>
            </properties>
          </leafNode>
        </children>
      </node>
    </children>
  </node>
</interfaceDefinition>