#!/bin/sh
set -eu

echo "=========================================="
echo "  docker-bastion starting"
echo "=========================================="

# Trust every git repo regardless of UID — the bastion is a single-tenant
# isolated container, and ownership-mismatch on a bind-mounted repo
# (host uid != bastion uid) is the normal case here, not an attack vector.
# Without this, git refuses with "fatal: detected dubious ownership".
git config --system --add safe.directory '*' 2>/dev/null || true
echo "Date:        $(date)"
echo "Hostname:    $(hostname)"
echo "OpenSSH:     $(/usr/sbin/sshd -V 2>&1 | head -1 || echo n/a)"
echo "Docker CLI:  $(docker --version 2>/dev/null || echo n/a)"
echo "=========================================="

SSH_USER="agent"
SSH_PORT="${SSH_PORT:-22}"
HTTP_PORT="${HTTP_PORT:-8080}"
FORCE_COMMAND_VALUE="${FORCE_COMMAND:-}"
AUTHORIZED_KEYS_HOST="${AUTHORIZED_KEYS_HOST:-/etc/bastion/authorized_keys.host}"
AUTHORIZED_KEYS_REPO="${AUTHORIZED_KEYS_REPO:-/etc/bastion/authorized_keys.repo}"

# ---------------------------------------------------------------------------
# 1) Validate config
# ---------------------------------------------------------------------------
if [ -z "$FORCE_COMMAND_VALUE" ]; then
    echo "FATAL: FORCE_COMMAND must be set."
    echo "       e.g. FORCE_COMMAND='docker exec -it app bash'"
    echo "       or   FORCE_COMMAND='cd /workspace && ./deploy.sh'"
    exit 1
fi

# ---------------------------------------------------------------------------
# 2) Host keys — generate on first boot, persist via /etc/ssh/keys volume
# ---------------------------------------------------------------------------
echo "[1/5] Host keys..."
mkdir -p /etc/ssh/keys
chmod 700 /etc/ssh/keys
for keytype in ed25519 rsa; do
    keyfile="/etc/ssh/keys/ssh_host_${keytype}_key"
    if [ ! -f "$keyfile" ]; then
        echo "  Generating new $keytype host key"
        ssh-keygen -t "$keytype" -f "$keyfile" -N "" -q
    else
        echo "  Reusing existing $keytype host key"
    fi
    chmod 600 "$keyfile"
    [ -f "${keyfile}.pub" ] && chmod 644 "${keyfile}.pub"
done

# ---------------------------------------------------------------------------
# 3) Merge authorized_keys sources
# ---------------------------------------------------------------------------
echo "[2/5] Authorized keys..."
AUTH_FILE="/home/${SSH_USER}/.ssh/authorized_keys"
mkdir -p "$(dirname "$AUTH_FILE")"
: > "$AUTH_FILE"

added=0
for src in "$AUTHORIZED_KEYS_HOST" "$AUTHORIZED_KEYS_REPO"; do
    if [ -f "$src" ]; then
        echo "  + Merging $src"
        cat "$src" >> "$AUTH_FILE"
        # Force newline between sources (final file may not end with one).
        printf '\n' >> "$AUTH_FILE"
        added=$((added + 1))
    fi
done

# awk emits matching lines (non-blank, non-comment), wc -l counts them.
# Both exit 0 even on empty input — important under `set -e`, which
# `grep -c` would have triggered (exits 1 when nothing matches).
file_keys=$(awk 'NF && $0 !~ /^[[:space:]]*#/' "$AUTH_FILE" 2>/dev/null | wc -l)
file_keys=$(echo "$file_keys" | tr -d ' ')   # wc on busybox pads with spaces
echo "  Boot-merged: $file_keys key(s) from $added file source(s)"

# Live-read directory — sshd reads this via AuthorizedKeysCommand on every
# auth attempt. We just report the current count for visibility; new files
# dropped in later take effect immediately, no restart needed.
dir_keys=0
if [ -d "${AUTHORIZED_KEYS_DIR:-/etc/bastion/users.d}" ]; then
    dir_keys=$(find "${AUTHORIZED_KEYS_DIR}" -maxdepth 1 -name '*.pub' -type f 2>/dev/null | wc -l)
fi
echo "  Live drop-in: $dir_keys key file(s) in $AUTHORIZED_KEYS_DIR"

if [ "$file_keys" -eq 0 ] && [ "$dir_keys" -eq 0 ]; then
    echo "  WARN: zero authorized keys configured."
    echo "        Drop *.pub files into $AUTHORIZED_KEYS_DIR on the host"
    echo "        (or mount AUTHORIZED_KEYS_HOST / AUTHORIZED_KEYS_REPO);"
    echo "        until then every SSH attempt will fail with 'publickey denied'."
fi

# chown -R is best-effort: if the caller bind-mounts read-only files into
# /home/agent/.ssh/ (e.g. an id_rsa for git push from FORCE_COMMAND), chown
# on those will fail with "Read-only file system" — which under `set -e`
# previously killed the boot script. The dir itself + the file we just
# wrote are what matter; everything else is the caller's business.
chown -R "${SSH_USER}:${SSH_USER}" "$(dirname "$AUTH_FILE")" 2>/dev/null || true
chmod 700 "$(dirname "$AUTH_FILE")"
chmod 600 "$AUTH_FILE"

# ---------------------------------------------------------------------------
# 4) ForceCommand wrapper
#
# Write the configured command to a plain file, then a small wrapper that
# exec's `sh -c "$(cat ...)"`. This way:
#   - Shell metacharacters in $FORCE_COMMAND work (&&, |, redirects, cd).
#   - The wrapper itself stays static (no escaping of user input into a
#     heredoc), and the command file is read at session start so changes
#     to $FORCE_COMMAND only need a container restart, not a rebuild.
# ---------------------------------------------------------------------------
echo "[3/5] ForceCommand..."
mkdir -p /etc/bastion
printf '%s\n' "$FORCE_COMMAND_VALUE" > /etc/bastion/force-command.cmd
chmod 0644 /etc/bastion/force-command.cmd

cat > /etc/bastion/force-command <<'WRAPPER'
#!/bin/sh
# Auto-generated by docker-bastion start-container.
# sshd invokes this script for every authenticated session; the HTTP CGI
# exec's it after auth.
# SSH_ORIGINAL_COMMAND is intentionally ignored — clients cannot override.
#
# Force HOME for the agent user so git / ssh / xdg lookups land in the
# right place. sshd sets this already; busybox httpd's CGI doesn't, so
# without this fix `git push` complains about /root/.config/git/* perms.
export HOME=/home/agent

# If a deploy SSH key is mounted at the conventional location, point git
# at it explicitly. Setting HOME alone isn't enough when the CGI runs as
# root (HTTP_AS_ROOT=1) — ssh ignores HOME-based ~/.ssh/ lookup in that
# path and silently uses /root/.ssh/, which is empty.
if [ -f /home/agent/.ssh/id_rsa ]; then
    export GIT_SSH_COMMAND="ssh -o IdentityFile=/home/agent/.ssh/id_rsa -o UserKnownHostsFile=/home/agent/.ssh/known_hosts -o StrictHostKeyChecking=accept-new"
fi

exec sh -c "$(cat /etc/bastion/force-command.cmd)"
WRAPPER
chmod 0755 /etc/bastion/force-command
echo "  $FORCE_COMMAND_VALUE"

# ---------------------------------------------------------------------------
# 5) Docker socket — if mounted, align group membership so the agent user
#    can talk to dockerd without --privileged.
# ---------------------------------------------------------------------------
echo "[4/5] Docker socket..."
if [ -S /var/run/docker.sock ]; then
    sock_gid=$(stat -c '%g' /var/run/docker.sock)
    echo "  Socket present, host gid=$sock_gid"

    grp_name=$(getent group "$sock_gid" | cut -d: -f1 || true)
    if [ -z "$grp_name" ]; then
        grp_name="dockerhost"
        addgroup -g "$sock_gid" "$grp_name" 2>/dev/null || true
        echo "  Created group $grp_name (gid=$sock_gid)"
    else
        echo "  Reusing existing group $grp_name (gid=$sock_gid)"
    fi
    addgroup "$SSH_USER" "$grp_name" 2>/dev/null || true
    echo "  Added $SSH_USER to $grp_name"
else
    echo "  WARN: /var/run/docker.sock not mounted — docker-based FORCE_COMMAND will fail."
fi

# ---------------------------------------------------------------------------
# 6) Adjust sshd_config port if non-default
# ---------------------------------------------------------------------------
if [ "$SSH_PORT" != "22" ]; then
    sed -i "s/^Port 22\$/Port ${SSH_PORT}/" /etc/ssh/sshd_config
fi

# ---------------------------------------------------------------------------
# 7) Optional HTTP listener (opt-in via $HTTP_BASIC_AUTH or $HTTP_TOKEN)
#
# Two mutually-exclusive auth modes. Pick one and set the matching env var:
#
#   HTTP_BASIC_AUTH=user:pass  → Basic auth. Works with browser URL bars,
#                                `curl -u user:pass`, and the URL syntax
#                                `https://user:pass@host/cgi-bin/run`.
#                                Handled by busybox's built-in -c auth.
#   HTTP_TOKEN=secret          → Bearer auth via Authorization header.
#                                `curl -H 'Authorization: Bearer secret'`.
#                                Handled by the CGI script.
#
# Why mutually exclusive: busybox httpd *strips* `Authorization: Basic` from
# the CGI env (it expects to handle basic auth itself), so a CGI-side check
# for Basic doesn't work. Conversely, when busybox is enforcing Basic via
# its conf file, Bearer requests get rejected by busybox before the CGI runs.
#
# Both modes exec the same /etc/bastion/force-command wrapper SSH uses;
# output streams back as the command produces it.
# ---------------------------------------------------------------------------
echo "[5/6] HTTP listener..."
if [ -n "${HTTP_BASIC_AUTH:-}" ]; then
    echo "  Auth: Basic — enabling httpd on port ${HTTP_PORT}"
    mkdir -p /var/www/cgi-bin
    # httpd.conf format for basic auth: `/path:user:password` per line.
    # Plaintext is supported; for crypt hashes use $1$/$5$/$6$ prefixes.
    printf '/cgi-bin/:%s\n' "$HTTP_BASIC_AUTH" > /etc/bastion/httpd.conf
    # httpd drops to $SSH_USER before reading -c CONFFILE, so the file
    # must be readable by that user. chown rather than world-read because
    # the conf holds the plaintext password.
    chown "${SSH_USER}:${SSH_USER}" /etc/bastion/httpd.conf
    chmod 0600 /etc/bastion/httpd.conf
    # CGI: auth already done by httpd before we got here.
    cat > /var/www/cgi-bin/run <<'CGI'
#!/bin/sh
# Auto-generated. Auth was validated by busybox httpd via httpd.conf
# before this script ran — REMOTE_USER holds the authenticated username.
printf 'Content-Type: text/plain\r\nCache-Control: no-cache\r\nX-Accel-Buffering: no\r\n\r\n'
exec /etc/bastion/force-command 2>&1
CGI
    chmod 0755 /var/www/cgi-bin/run
    # -c CONFFILE = auth + content-type rules; httpd reads it as root before
    # dropping to -u USER. CGI scripts then run as USER.
    #
    # Set HTTP_AS_ROOT=1 to skip the -u drop, so httpd (and the CGI it
    # spawns) run as root. Use this when FORCE_COMMAND is a deploy-style
    # script that needs full filesystem write + docker-socket access +
    # arbitrary chown — busybox httpd's `-u USER` drop does setuid/setgid
    # but not setgroups, so supplementary groups (e.g. dockerhost for the
    # mounted /var/run/docker.sock) don't reach the CGI even when the user
    # is a member on paper. Bastion already has socket = host root, so
    # this doesn't enlarge the trust envelope.
    if [ "${HTTP_AS_ROOT:-0}" = "1" ]; then
        echo "  HTTP_AS_ROOT=1 — httpd + CGI run as root"
        httpd -f -p "${HTTP_PORT}" -h /var/www -c /etc/bastion/httpd.conf &
    else
        httpd -f -p "${HTTP_PORT}" -h /var/www -u "${SSH_USER}" -c /etc/bastion/httpd.conf &
    fi
    HTTP_PID=$!
    echo "  httpd PID ${HTTP_PID}, endpoint: /cgi-bin/run (basic auth)"

elif [ -n "${HTTP_TOKEN:-}" ]; then
    echo "  Auth: Bearer — enabling httpd on port ${HTTP_PORT}"
    mkdir -p /var/www/cgi-bin
    cat > /var/www/cgi-bin/run <<'CGI'
#!/bin/sh
# Auto-generated. Bearer auth handled here in the CGI.
case "${HTTP_AUTHORIZATION:-}" in
    "Bearer ${HTTP_TOKEN}") ;;
    *)
        printf 'Status: 401 Unauthorized\r\nContent-Type: text/plain\r\nWWW-Authenticate: Bearer\r\n\r\nUnauthorized\n'
        exit 0
        ;;
esac
printf 'Content-Type: text/plain\r\nCache-Control: no-cache\r\nX-Accel-Buffering: no\r\n\r\n'
exec /etc/bastion/force-command 2>&1
CGI
    chmod 0755 /var/www/cgi-bin/run
    if [ "${HTTP_AS_ROOT:-0}" = "1" ]; then
        echo "  HTTP_AS_ROOT=1 — httpd + CGI run as root"
        httpd -f -p "${HTTP_PORT}" -h /var/www &
    else
        httpd -f -p "${HTTP_PORT}" -h /var/www -u "${SSH_USER}" &
    fi
    HTTP_PID=$!
    echo "  httpd PID ${HTTP_PID}, endpoint: /cgi-bin/run (bearer token)"

else
    echo "  HTTP disabled (set HTTP_BASIC_AUTH or HTTP_TOKEN to enable)"
fi

# ---------------------------------------------------------------------------
# 8) sshd config sanity check + launch
# ---------------------------------------------------------------------------
echo "[6/6] sshd config check..."
/usr/sbin/sshd -t -f /etc/ssh/sshd_config

echo "=========================================="
echo "  SSH:           port ${SSH_PORT}"
[ -n "${HTTP_TOKEN:-}" ] && echo "  HTTP:          port ${HTTP_PORT} (token-protected)"
echo "  User:          ${SSH_USER}"
echo "  ForceCommand:  ${FORCE_COMMAND_VALUE}"
echo "=========================================="

# -D = foreground, -e = log to stderr (so docker logs picks it up).
exec /usr/sbin/sshd -D -e
