#!/bin/bash
set -Eeo pipefail

# shellcheck disable=2154
trap 's=$?; echo "$0: Error on line "$LINENO": $BASH_COMMAND"; exit $s' ERR

# Paths
userConfPath="/etc/sftp/users.conf"
userConfPathLegacy="/etc/sftp-users.conf"
userConfFinalPath="/var/run/sftp/users.conf"

# Extended regular expression (ERE) for arguments
reUser='[A-Za-z0-9._][A-Za-z0-9._-]{0,31}' # POSIX.1-2008
rePass='[^:]{0,255}'
reUid='[[:digit:]]*'
reGid='[[:digit:]]*'
reDir='[^:]*'
#reArgs="^($reUser)(:$rePass)(:e)?(:$reUid)?(:$reGid)?(:$reDir)?$"
reArgsMaybe="^[^:[:space:]]+:.*$" # Smallest indication of attempt to use argument
reArgSkip='^([[:blank:]]*#.*|[[:blank:]]*)$' # comment or empty line

function log() {
    echo "[entrypoint] $*"
}

function validateArg() {
    name="$1"
    val="$2"
    re="$3"

    if [[ "$val" =~ ^$re$ ]]; then
        return 0
    else
        log "ERROR: Invalid $name \"$val\", do not match required regex pattern: $re"
        return 1
    fi
}

function createUser() {
    log "Parsing user data: \"$1\""
    IFS=':' read -ra args <<< "$1"

    skipIndex=0
    chpasswdOptions=""
    useraddOptions=(--no-user-group)

    user="${args[0]}"; validateArg "username" "$user" "$reUser" || return 1
    pass="${args[1]}"; validateArg "password" "$pass" "$rePass" || return 1

    if [ "${args[2]}" == "e" ]; then
        chpasswdOptions="-e"
        skipIndex=1
    fi

    uid="${args[$((skipIndex+2))]}"; validateArg "UID" "$uid" "$reUid" || return 1
    gid="${args[$((skipIndex+3))]}"; validateArg "GID" "$gid" "$reGid" || return 1
    dir="${args[$((skipIndex+4))]}"; validateArg "dirs" "$dir" "$reDir" || return 1

    if getent passwd "$user" > /dev/null; then
        log "WARNING: User \"$user\" already exists. Skipping."
        return 0
    fi

    if [ -n "$uid" ]; then
        useraddOptions+=(--non-unique --uid "$uid")
    fi

    if [ -n "$gid" ]; then
        if ! getent group "$gid" > /dev/null; then
            groupadd --gid "$gid" "group_$gid"
        fi

        useraddOptions+=(--gid "$gid")
    fi

    useradd "${useraddOptions[@]}" "$user"
    mkdir -p "/home/$user"
    chown root:root "/home/$user"
    chmod 755 "/home/$user"

    # Retrieving user id to use it in chown commands instead of the user name
    # to avoid problems on alpine when the user name contains a '.'
    uid="$(id -u "$user")"

    if [ -n "$pass" ]; then
        echo "$user:$pass" | chpasswd $chpasswdOptions
    else
        usermod -p "*" "$user" # disabled password
    fi

    # Add SSH keys to authorized_keys with valid permissions
    if [ -d "/home/$user/.ssh/keys" ]; then
        for publickey in "/home/$user/.ssh/keys"/*; do
            cat "$publickey" >> "/home/$user/.ssh/authorized_keys"
        done
        chown "$uid" "/home/$user/.ssh/authorized_keys"
        chmod 600 "/home/$user/.ssh/authorized_keys"
    fi

    # Make sure dirs exists
    if [ -n "$dir" ]; then
        IFS=',' read -ra dirArgs <<< "$dir"
        for dirPath in "${dirArgs[@]}"; do
            dirPath="/home/$user/$dirPath"
            if [ ! -d "$dirPath" ]; then
                log "Creating directory: $dirPath"
                mkdir -p "$dirPath"
                chown -R "$uid:users" "$dirPath"
            else
                log "Directory already exists: $dirPath"
            fi
        done
    fi
}

# Allow running other programs, e.g. bash
if [[ -z "$1" || "$1" =~ $reArgsMaybe ]]; then
    startSshd=true
else
    startSshd=false
fi

# Backward compatibility with legacy config path
if [ ! -f "$userConfPath" ] && [ -f "$userConfPathLegacy" ]; then
    mkdir -p "$(dirname $userConfPath)"
    ln -s "$userConfPathLegacy" "$userConfPath"
fi

# Create users only on first run
if [ ! -f "$userConfFinalPath" ]; then
    mkdir -p "$(dirname $userConfFinalPath)"

    # Append mounted config to final config
    if [ -f "$userConfPath" ]; then
        grep -v -E "$reArgSkip" < "$userConfPath" > "$userConfFinalPath"
    fi

    if $startSshd; then
        # Append users from arguments to final config
        for user in "$@"; do
            echo "$user" >> "$userConfFinalPath"
        done
    fi

    if [ -n "$SFTP_USERS" ]; then
        # Append users from environment variable to final config
        IFS=" " read -r -a usersFromEnv <<< "$SFTP_USERS"
        for user in "${usersFromEnv[@]}"; do
            echo "$user" >> "$userConfFinalPath"
        done
    fi

    # Check that we have users in config
    if [ -f "$userConfFinalPath" ] && [ "$(wc -l < "$userConfFinalPath")" -gt 0 ]; then
        # Import users from final conf file
        while IFS= read -r user || [[ -n "$user" ]]; do
            createUser "$user"
        done < "$userConfFinalPath"
    elif $startSshd; then
        log "FATAL: No users provided!"
        exit 3
    fi

    # Generate unique ssh keys for this container, if needed
    if [ ! -f /etc/ssh/ssh_host_ed25519_key ]; then
        ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ''
    fi
    if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
        ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ''
    fi
fi

# Source custom scripts, if any
if [ -d /etc/sftp.d ]; then
    for f in /etc/sftp.d/*; do
        if [ -x "$f" ]; then
            log "Running $f ..."
            $f
        else
            log "Could not run $f, because it's missing execute permission (+x)."
        fi
    done
    unset f
fi

if $startSshd; then
    log "Executing sshd"
    exec /usr/sbin/sshd -D -e
else
    log "Executing $*"
    exec "$@"
fi