Grub: support a password stanza inside a boot/title section

The biggest change in this commit is changing the structure of lns: it now
says that boot sections have to come after the general menu_setting and
debian sections. Since 'password' is legal in both a top-level menu_setting
and in a boot section, that is necessary to keep the lens unambiguous.

Fixes hercules-team#229

lenses/grub.aug

@@ -84,7 +84,7 @@ module Grub =
     let kw_menu_arg (kw:regexp) = kw_arg kw "" " "
 
     (* View: password_arg *)
-    let password_arg = [ key "password" .
+    let password_arg = [ command "password" "" .
       (spc . [ switch "md5" ])? .
       (spc . [ switch "encrypted" ])? .
       spc . store (/[^ \t\n]+/ - /--[^ \t\n]+/) .
@@ -220,6 +220,7 @@ module Grub =
         | map_line
         | kw_pres "lock"
         | kw_pres "makeactive"
+        | password_arg
 
     (* View: boot *)
     let boot =
@@ -281,7 +282,8 @@ module Grub =
  *************************************************************************)
 
     (* View: lns *)
-    let lns = (comment | empty | menu_setting | boot | debian)*
+    let lns = (comment | empty | menu_setting | debian)*
+      . (boot . (comment | empty | boot)*)?
 
     (* View: filter *)
     let filter = incl "/boot/grub/grub.conf"

lenses/tests/test_grub.aug

@@ -240,3 +240,20 @@ password --encrypted ^9^32kwzzX./3WISQ0C /boot/grub/custom.lst
       { "splash" = "silent" }
       { "showopts" } }
     { "initrd" = "(hd0,0)/initrd" } }
+
+  (* Password protected kernel, issue #229 *)
+  test Grub.lns get "title Password Protected Kernel
+        root (hd0,0)
+        kernel /vmlinuz ro root=/dev/mapper/root
+        initrd /initramfs
+        password --md5 secret\n" =
+  { "title" = "Password Protected Kernel"
+    { "root" = "(hd0,0)" }
+    { "kernel" = "/vmlinuz"
+      { "ro" }
+      { "root" = "/dev/mapper/root" }
+    }
+    { "initrd" = "/initramfs" }
+    { "password" = "secret"
+      { "md5" }
+    } }