Authorized Keys.sublime-syntax

%YAML 1.2
---
# https://www.sublimetext.com/docs/syntax.html
# https://man7.org/linux/man-pages/man8/sshd.8.html#AUTHORIZED_KEYS_FILE_FORMAT
# https://man.openbsd.org/sshd.8#AUTHORIZED_KEYS_FILE_FORMAT
name: Authorized Keys
scope: text.authorized_keys
version: 2
extends: SSH Crypto.sublime-syntax

file_extensions:
  - authorized_keys
  - pub

hidden_file_extensions:
  - authorized_keys2

contexts:
  main:
    - include: comments-number-sign
    - match: ^
      push:
        - meta_scope: meta.line.authorized-key.authorized_keys
        - include: pop-before-nl
        - include: pop-nl
        - include: ssh-key-types
        - include: ssh-fingerprint-with-label
        - include: flag-options
        - include: value-options
        - include: strings
        - match: =
          scope: keyword.operator.assignment.authorized_keys
        - include: punctuation-comma-sequence

  flag-options:
    - match: (?:no-)?(?:pty|user-rc|(?:agent|port|X11)-forwarding)
      scope: keyword.other.authorized_keys
    - match: (?:no-touch-required|verify-required|cert-authority|restrict)
      scope: keyword.other.authorized_keys

  value-options:
    - match: (principals)(=)
      captures:
        1: keyword.other.authorized_keys
        2: keyword.operator.assignment.authorized_keys
      with_prototype:
        - include: punctuation-comma-sequence
      push: value-option-body

    - match: (tunnel)(=)
      captures:
        1: keyword.other.authorized_keys
        2: keyword.operator.assignment.authorized_keys
      with_prototype:
        - match: \d{1,3}
          scope: meta.number.integer.decimal.authorized_keys
                 constant.numeric.value.authorized_keys
      push: value-option-body

    - match: (?:(expiry-time)|(valid-before))(=)
      captures:
        1: keyword.other.authorized_keys
        2: invalid.deprecated.authorized_keys
        3: keyword.operator.assignment.authorized_keys
      with_prototype:
        - match: |-
            (?x:
              \d{4}               # Year
              (?:0\d|1[12])       # Month
              (?:[0-2]\d|3[01])   # Day
              (?:                 # Optionally:
                (?:[01]\d|2[0-3])   # HH
                (?:[0-5]\d){1,2}    # MM and maybe SS
              )?
              Z?        # Optional UTC
            )
          scope: meta.constant.date.authorized_keys
                 constant.numeric.integer.date.authorized_keys
      push: value-option-body

    # Technically, permitopen requires a host, but let's be lenient
    - match: (permitlisten|permitopen)(=)
      captures:
        1: keyword.other.authorized_keys
        2: keyword.operator.assignment.authorized_keys
      with_prototype:
        - include: ipv4
        - include: ipv6-square-bracket
        - match: (?:([^"]*)(:))?(?:({{zero_to_65535}})|(\*))
          captures:
            1: meta.string.host.authorized_keys
            2: punctuation.separator.sequence.authorized_keys
            3: meta.number.integer.decimal.authorized_keys
               constant.numeric.port-number.authorized_keys
            4: constant.other.wildcard.asterisk.authorized_keys
      push: value-option-body

    - match: (from)(=)
      captures:
        1: keyword.other.authorized_keys
        2: keyword.operator.assignment.authorized_keys
      with_prototype:
        - include: operator-exclamation
        - include: punctuation-comma-sequence
        - include: punctuation-dot-sequence
        - include: wildcards
      push: value-option-body

    - match: (environment)(=)
      captures:
        1: keyword.other.authorized_keys
        2: keyword.operator.assignment.authorized_keys
      with_prototype:
        - match: (\w+)(=)
          captures:
            1: variable.other.readwrite.authorized_keys
            2: keyword.operator.assignment.authorized_keys
      push: value-option-body

    - match: (command)(=)(")
      captures:
        1: keyword.other.authorized_keys
        2: keyword.operator.assignment.authorized_keys
        3: string.quoted.double.authorized_keys
           punctuation.definition.string.begin.authorized_keys
      # TODO: Allow escaped double-quote
      embed: scope:source.shell.bash
      embed_scope: source.shell.embedded
      escape: '"|(?=$)'
      escape_captures:
        0: string.quoted.double.authorized_keys
           punctuation.definition.string.end.authorized_keys

  value-option-body:
    - include: strings
    - match: (?=,|\s)
      pop: 1
    - match: .
      scope: invalid.illegal.authorized_keys
      pop: 1

  strings:
    - match: '"'
      scope: punctuation.definition.string.begin.authorized_keys
      push:
        - meta_scope: string.quoted.double.authorized_keys
        - match: \\"
          scope: constant.character.escape.authorized_keys
        - match: '"'
          scope: punctuation.definition.string.end.authorized_keys
          pop: 1