#!/usr/bin/python3

import os
import re
import yaml

config_path = "/etc/uyuni/"

# read from files
with open(config_path + "config.yaml") as source:
    config = yaml.safe_load(source)

with open(config_path + "ssh.yaml") as sshSource:
    sshConfig = yaml.safe_load(sshSource).get("ssh")

    SSH_PUSH_KEY_FILE="id_susemanager_ssh_push"
    SSH_PUSH_USER="mgrsshtunnel"
    SSH_PUSH_USER_HOME=f"/var/lib/spacewalk/{SSH_PUSH_USER}"
    SSH_PUSH_KEY_DIR=f"{SSH_PUSH_USER_HOME}/.ssh"

    # create ssh push tunnel user
    os.system(f'groupadd -r {SSH_PUSH_USER}')
    os.system(f'useradd -r -g {SSH_PUSH_USER} -m -d {SSH_PUSH_USER_HOME} -c "susemanager ssh push tunnel" {SSH_PUSH_USER}')

    # create .ssh dir in home and set permissions
    os.makedirs(SSH_PUSH_KEY_DIR)
    os.system(f'chown {SSH_PUSH_USER}:{SSH_PUSH_USER} {SSH_PUSH_KEY_DIR}')
    os.system(f'chmod 700 {SSH_PUSH_KEY_DIR}')

    # store the ssh push server/parent key files
    with open(f"{SSH_PUSH_KEY_DIR}/{SSH_PUSH_KEY_FILE}", "w") as file:
        file.write(sshConfig.get("server_ssh_push"))
    with open(f"{SSH_PUSH_KEY_DIR}/{SSH_PUSH_KEY_FILE}.pub", "w") as file:
        file.write(sshConfig.get("server_ssh_push_pub"))
    
    # change owner to {SSH_PUSH_USER}
    os.system(f'chown {SSH_PUSH_USER}:{SSH_PUSH_USER} {SSH_PUSH_KEY_DIR}/{SSH_PUSH_KEY_FILE}')
    os.system(f'chmod 600 {SSH_PUSH_KEY_DIR}/{SSH_PUSH_KEY_FILE}')
    os.system(f'chown {SSH_PUSH_USER}:{SSH_PUSH_USER} {SSH_PUSH_KEY_DIR}/{SSH_PUSH_KEY_FILE}.pub')
    os.system(f'chmod 644 {SSH_PUSH_KEY_DIR}/{SSH_PUSH_KEY_FILE}.pub')

    # Authorize the server to ssh into this container
    with open(f"{SSH_PUSH_KEY_DIR}/authorized_keys", "w") as file:
        file.write(sshConfig.get("server_ssh_key_pub"))

    # append to existing config file
    with open("/etc/ssh/sshd_config", "r+") as config_file:
        file_content = config_file.read()
        file_content = re.sub(r"#HostKey .*", f"HostKey {SSH_PUSH_KEY_DIR}/{SSH_PUSH_KEY_FILE}", file_content, 1)
        # writing back the content
        config_file.seek(0,0)
        config_file.write(file_content)
        config_file.truncate()
        config_file.write(f'''Match user {SSH_PUSH_USER}
        ForceCommand /usr/sbin/mgr-proxy-ssh-force-cmd
        KbdInteractiveAuthentication no
        PasswordAuthentication no
        PubkeyAuthentication yes
        X11Forwarding no
        PermitTTY no
        ''')

# Note: we don't need pam_loginuid.so module to be loaded. In the container's world users from the outside to the inside are different,
# and they do not match with the pam_loginuid module's logic behavior. The module makes the sshd process to crash if it fails itself, but
# inside the container we will have always and only the root user to start only the sshd process and nothing else. We can safely disable it
#
# References to the explanation as above:
# The bug report - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726661#41
# The pam module - https://man7.org/linux/man-pages/man8/pam_loginuid.8.html
# Statement of "not being a bug", just a container configuration issue - https://github.com/containers/podman/issues/3651#issuecomment-549031347
# So, we configure it to disable the module
#
# edit the existing config file
with open("/etc/pam.d/sshd", "r+") as config_file:
    file_content = config_file.read()
    file_content = re.sub(r"(session( *)required( *)pam_loginuid.so)", "#\g<0>", file_content)
    config_file.seek(0,0)
    config_file.write(file_content)
    config_file.truncate()