(command.CommandList
  children: [
    (command.ShAssignment
      pairs: [
        (assign_pair
          lhs: (sh_lhs_expr.Name name:tid)
          op: assign_op.Equal
          rhs: {(DQ <'AllowUsers/DenyUsers'>)}
          spids: [7]
        )
      ]
    )
    (command.ShAssignment
      pairs: [
        (assign_pair
          lhs: (sh_lhs_expr.Name name:me)
          op: assign_op.Equal
          rhs: {(DQ ($ Id.VSub_DollarName '$LOGNAME'))}
          spids: [13]
        )
      ]
    )
    (command.If
      arms: [
        (if_arm
          cond: 
            (condition.Shell
              commands: [
                (command.Sentence
                  child: 
                    (C {<Id.Lit_LBracket '['>} {(DQ <x> ($ Id.VSub_DollarName '$me'))} 
                      {<Id.Lit_Equals '='>} {(DQ <x>)} {<Id.Lit_RBracket ']'>}
                    )
                  terminator: <Id.Op_Semi _>
                )
              ]
            )
          action: [
            (command.ShAssignment
              pairs: [
                (assign_pair
                  lhs: (sh_lhs_expr.Name name:me)
                  op: assign_op.Equal
                  rhs: {(command_sub left_token:<Id.Left_Backtick '`'> child:(C {<whoami>}))}
                  spids: [39]
                )
              ]
            )
          ]
          spids: [18 36]
        )
      ]
    )
    (command.ShAssignment
      pairs: [
        (assign_pair
          lhs: (sh_lhs_expr.Name name:other)
          op: assign_op.Equal
          rhs: {(DQ <nobody>)}
          spids: [48]
        )
      ]
    )
    (command.ShFunction
      name: test_auth
      body: 
        (BraceGroup
          children: [
            (command.ShAssignment
              pairs: [
                (assign_pair
                  lhs: (sh_lhs_expr.Name name:deny)
                  op: assign_op.Equal
                  rhs: {(DQ ($ Id.VSub_Number '$1'))}
                  spids: [61]
                )
              ]
            )
            (command.ShAssignment
              pairs: [
                (assign_pair
                  lhs: (sh_lhs_expr.Name name:allow)
                  op: assign_op.Equal
                  rhs: {(DQ ($ Id.VSub_Number '$2'))}
                  spids: [67]
                )
              ]
            )
            (command.ShAssignment
              pairs: [
                (assign_pair
                  lhs: (sh_lhs_expr.Name name:should_succeed)
                  op: assign_op.Equal
                  rhs: {(DQ ($ Id.VSub_Number '$3'))}
                  spids: [73]
                )
              ]
            )
            (command.ShAssignment
              pairs: [
                (assign_pair
                  lhs: (sh_lhs_expr.Name name:failmsg)
                  op: assign_op.Equal
                  rhs: {(DQ ($ Id.VSub_Number '$4'))}
                  spids: [79]
                )
              ]
            )
            (C {<start_sshd>} {<-oDenyUsers> <Id.Lit_Equals '='> (DQ ($ Id.VSub_DollarName '$deny'))} 
              {<-oAllowUsers> <Id.Lit_Equals '='> (DQ ($ Id.VSub_DollarName '$allow'))}
            )
            (C {(${ Id.VSub_Name SSH)} {<-F>} {($ Id.VSub_DollarName '$OBJ') <'/ssh_config'>} 
              {(DQ ($ Id.VSub_DollarName '$me') <'@somehost'>)} {<true>}
            )
            (command.ShAssignment
              pairs: [
                (assign_pair
                  lhs: (sh_lhs_expr.Name name:status)
                  op: assign_op.Equal
                  rhs: {($ Id.VSub_QMark '$?')}
                  spids: [119]
                )
              ]
            )
            (command.If
              arms: [
                (if_arm
                  cond: 
                    (condition.Shell
                      commands: [
                        (command.Sentence
                          child: 
                            (command.AndOr
                              ops: [Id.Op_DPipe]
                              children: [
                                (command.Subshell
                                  child: 
                                    (command.AndOr
                                      ops: [Id.Op_DAmp]
                                      children: [
                                        (C {<test>} {($ Id.VSub_DollarName '$status')} {<-eq>} {<0>})
                                        (command.Pipeline
                                          children: [(C {($ Id.VSub_DollarName '$should_succeed')})]
                                          negated: T
                                        )
                                      ]
                                    )
                                )
                                (command.Subshell
                                  child: 
                                    (command.AndOr
                                      ops: [Id.Op_DAmp]
                                      children: [
                                        (C {<test>} {($ Id.VSub_DollarName '$status')} {<-ne>} {<0>})
                                        (C {($ Id.VSub_DollarName '$should_succeed')})
                                      ]
                                    )
                                )
                              ]
                            )
                          terminator: <Id.Op_Semi _>
                        )
                      ]
                    )
                  action: [(C {<fail>} {(DQ ($ Id.VSub_DollarName '$failmsg'))})]
                  spids: [124 161]
                )
              ]
            )
            (C {<stop_sshd>})
          ]
        )
    )
    (C {<test_auth>} {(DQ )} {(DQ )} {<true>} {(DQ <'user in neither DenyUsers nor AllowUsers denied'>)})
    (C {<test_auth>} {(DQ ($ Id.VSub_DollarName '$other') <' '> ($ Id.VSub_DollarName '$me'))} {(DQ )} 
      {<false>} {(DQ <'user in DenyUsers allowed'>)}
    )
    (C {<test_auth>} {(DQ ($ Id.VSub_DollarName '$me') <' '> ($ Id.VSub_DollarName '$other'))} {(DQ )} 
      {<false>} {(DQ <'user in DenyUsers allowed'>)}
    )
    (C {<test_auth>} {(DQ )} {(DQ ($ Id.VSub_DollarName '$other'))} {<false>} 
      {(DQ <'user not in AllowUsers allowed'>)}
    )
    (C {<test_auth>} {(DQ )} {(DQ ($ Id.VSub_DollarName '$other') <' '> ($ Id.VSub_DollarName '$me'))} 
      {<true>} {(DQ <'user in AllowUsers denied'>)}
    )
    (C {<test_auth>} {(DQ )} {(DQ ($ Id.VSub_DollarName '$me') <' '> ($ Id.VSub_DollarName '$other'))} 
      {<true>} {(DQ <'user in AllowUsers denied'>)}
    )
    (C {<test_auth>} {(DQ ($ Id.VSub_DollarName '$me') <' '> ($ Id.VSub_DollarName '$other'))} 
      {(DQ ($ Id.VSub_DollarName '$me') <' '> ($ Id.VSub_DollarName '$other'))} {<false>} {(DQ <'user in both DenyUsers and AllowUsers allowed'>)}
    )
    (C {<test_auth>} {(DQ ($ Id.VSub_DollarName '$other') <' '> ($ Id.VSub_DollarName '$me'))} 
      {(DQ ($ Id.VSub_DollarName '$other') <' '> ($ Id.VSub_DollarName '$me'))} {<false>} {(DQ <'user in both DenyUsers and AllowUsers allowed'>)}
    )
  ]
)