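# ─────────────────────────────────────────────
# Stage 1: build sshproxy v2.1.0
# ─────────────────────────────────────────────
# NOTE(review): image tags are mutable. For reproducible builds pin the base
# image by digest (golang:1.24-bookworm@sha256:<digest-placeholder>).
FROM golang:1.24-bookworm AS builder

ARG SSHPROXY_VERSION=2.1.0
# Optional: full commit SHA the release tag is expected to resolve to.
# Left empty by default (no check, same behavior as before). Git tags can be
# moved upstream, so set this to fail the build if the tag changes.
ARG SSHPROXY_COMMIT=""

# make is not needed: the binaries are built with plain `go build` below.
RUN apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates \
        git \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /build

RUN git clone --depth 1 --branch "v${SSHPROXY_VERSION}" \
        https://github.com/cea-hpc/sshproxy.git . \
    && if [ -n "${SSHPROXY_COMMIT}" ] && [ "$(git rev-parse HEAD)" != "${SSHPROXY_COMMIT}" ]; then \
         echo "sshproxy v${SSHPROXY_VERSION} resolved to an unexpected commit" >&2; \
         exit 1; \
       fi

# Build only the four Go binaries; the man pages are skipped (not needed in a
# container). -mod=vendor builds from the vendored dependencies of the checkout.
RUN for bin in sshproxy sshproxy-dumpd sshproxy-replay sshproxyctl; do \
        go build -mod=vendor \
            -ldflags "-X main.SshproxyVersion=${SSHPROXY_VERSION}" \
            -o "bin/${bin}" "github.com/cea-hpc/sshproxy/cmd/${bin}" || exit 1; \
    done

# ─────────────────────────────────────────────
# Stage 2: final gateway image
# ─────────────────────────────────────────────
# NOTE(review): same remark as above, pin by digest for reproducible builds.
FROM debian:bookworm-slim AS gateway

# NOTE(review): the Debian openssh-server package normally generates the sshd
# host keys at install time, which would store them in this layer and share
# them between every container started from the image. Confirm, and regenerate
# them at start-up if the image is ever distributed.
RUN apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates \
        openssh-server \
    && rm -rf /var/lib/apt/lists/*

# sshproxy binaries produced by the go build step in the builder stage
COPY --from=builder /build/bin/sshproxy        /usr/sbin/sshproxy
COPY --from=builder /build/bin/sshproxy-dumpd  /usr/sbin/sshproxy-dumpd
COPY --from=builder /build/bin/sshproxyctl     /usr/bin/sshproxyctl
COPY --from=builder /build/bin/sshproxy-replay /usr/bin/sshproxy-replay
RUN chmod 755 /usr/sbin/sshproxy /usr/sbin/sshproxy-dumpd \
              /usr/bin/sshproxyctl /usr/bin/sshproxy-replay

# testuser account, used for key-based logins only.
# useradd leaves a new account locked ("!" in the shadow file), and a locked
# account is refused even for public-key authentication. The previous fix was a
# hard-coded password (testuser:testuser), which gives a guessable credential on
# the exposed SSH port whenever password authentication is enabled, and which is
# visible in the image history. The "*" hash unlocks the account without giving
# it any usable password.
RUN useradd -m -s /bin/bash -p '*' testuser && \
    mkdir -p /home/testuser/.ssh && \
    chmod 700 /home/testuser/.ssh

# Gateway private key, used to hop to dest1/dest2.
# It is generated by init-keys.sh before the build and MUST be readable by
# testuser, because sshd starts sshproxy as that user through ForceCommand.
# NOTE(review): this stores a private key in an image layer, so anyone who can
# pull the image or read its layers obtains it. It is also readable by any
# session running as testuser on the gateway. Acceptable for a throwaway lab;
# otherwise provide the key at run time (bind mount or secret).
RUN mkdir -p /etc/sshproxy && chmod 755 /etc/sshproxy
COPY --chown=testuser:testuser keys/gateway_rsa /etc/sshproxy/gateway_rsa
RUN chmod 600 /etc/sshproxy/gateway_rsa

# Public key of the Windows client, installed as the gateway's authorized_keys
COPY keys/lab_rsa.pub /home/testuser/.ssh/authorized_keys
RUN chmod 600 /home/testuser/.ssh/authorized_keys && \
    chown -R testuser:testuser /home/testuser/.ssh

# Gateway sshd_config; /run/sshd is sshd's privilege-separation directory
RUN mkdir -p /run/sshd
COPY gateway/sshd_config /etc/ssh/sshd_config

# sshproxy configuration
COPY gateway/sshproxy.yaml /etc/sshproxy/sshproxy.yaml

# sshproxy wrapper: tells an interactive shell apart from a remote command
COPY gateway/sshproxy-wrapper.sh /usr/sbin/sshproxy-wrapper
RUN chmod 755 /usr/sbin/sshproxy-wrapper

EXPOSE 22

# sshd stays in the foreground (-D) and logs to stderr (-e) so that
# `docker logs` shows authentication events. It runs as root, which sshd needs
# in order to switch to the connecting user.
CMD ["/usr/sbin/sshd", "-D", "-e"]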