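#!/bin/bash
#
# SSH forced-command router for analytics-backend workspaces.
#
# Installed in authorized_keys as `command="/path/to/this-script PERSON"`.
# The command the ssh client asked for (SSH_ORIGINAL_COMMAND) is reused as
# the NAME of the workspace to open; it is never executed. A workspace is
# a rootless podman container running a tmux session that the caller is
# attached to read-write (own workspace, or an `rw` grant in access.yml)
# or read-only (an `ro` grant).
#
# Client side: ssh -t <host> <workspace>
#
# Requirements: podman CLI, a user systemd instance able to start
# podman.socket, yq. access.yml is read relative to the working directory
# of the login (normally the account's home).

readonly PERSON="$1"
WORKSPACE="$SSH_ORIGINAL_COMMAND"
readonly IMAGE="localhost:5100/analytics-backend-workspace:latest"
readonly DEV_USER="devuser"
readonly ACCESS_FILE="access.yml"
# Allowed shape for PERSON and WORKSPACE. No leading dot, so '.' and '..'
# are rejected: both names end up in podman bind-mount paths, a tmux
# session name and a yq key.
readonly NAME_PATTERN='^[a-zA-Z0-9][a-zA-Z0-9._-]*$'
XDG_RUNTIME_DIR="/run/user/$(id -u)"
readonly XDG_RUNTIME_DIR
readonly PODMAN_SOCK="${XDG_RUNTIME_DIR}/podman/podman.sock"
# NOTE(review): predictable path in a world-writable directory; another
# local account could pre-create it (e.g. as a symlink) before first use.
# A per-user directory such as $XDG_RUNTIME_DIR would avoid that.
readonly LOG_FILE="/tmp/.ssh-router-${PERSON}.log"

#######################################
# Append a timestamped line to LOG_FILE.
# Arguments: message words
#######################################
log() {
  printf '[%s] %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >>"$LOG_FILE"
}

#######################################
# Log an error and terminate. Diagnostics stay in the log file, not on the
# caller's terminal, so access-control decisions are not echoed to clients.
# Arguments: message words
#######################################
die() {
  log "ERROR: $*"
  exit 1
}

#######################################
# Check that a name matches NAME_PATTERN.
# Arguments: $1 - candidate name
# Returns:   0 if valid, 1 otherwise
#######################################
valid_name() {
  [[ "$1" =~ $NAME_PATTERN ]]
}

#######################################
# Test whether a workspace is listed in ACCESS_FILE under
# .<person>.<list>. Both names must already have passed valid_name, since
# person is spliced into the yq expression.
# Arguments: $1 - person, $2 - list name (rw|ro), $3 - workspace
# Returns:   0 if present, non-zero otherwise
#######################################
has_access_entry() {
  local person="$1" list="$2" workspace="$3"
  # One entry per line, matched as a whole literal line: the workspace
  # name must not be interpreted as a regex ('a.b' would match 'axb').
  yq ".[\"${person}\"].${list} // [] | .[]" "$ACCESS_FILE" \
    | grep -Fxq -- "$workspace"
}

#######################################
# Resolve the access mode a person has to a workspace.
# Arguments: $1 - workspace, $2 - person
# Outputs:   "rw" or "ro" on stdout
# Returns:   0 on success, 1 when no access is granted
#######################################
get_access_mode() {
  local workspace="$1" person="$2"
  # A person always has full access to the workspace bearing their name.
  if [[ "$workspace" == "$person" ]]; then
    echo rw
    return 0
  fi
  if has_access_entry "$person" rw "$workspace"; then
    echo rw
    return 0
  fi
  if has_access_entry "$person" ro "$workspace"; then
    echo ro
    return 0
  fi
  log "ERROR: $person has no access to $workspace"
  return 1
}

#######################################
# Make sure the rootless podman socket exists, starting the user unit if
# needed.
# Globals:   PODMAN_SOCK (read)
#######################################
ensure_podman_socket() {
  if [[ ! -S "$PODMAN_SOCK" ]]; then
    log "Starting Podman socket service for user $USER"
    systemctl --user start podman.socket \
      || die "Failed to start podman.socket via systemd"
    sleep 1  # give systemd a moment to create the socket file
  fi
  [[ -S "$PODMAN_SOCK" ]] \
    || die "Podman socket still missing after startup attempt"
}

#######################################
# Pull IMAGE if it is not present locally.
# Globals:   IMAGE (read)
#######################################
ensure_image() {
  if podman image exists "$IMAGE"; then
    return 0
  fi
  log "Image $IMAGE not found locally. Pulling from registry..."
  # --tls-verify=false is only tolerable because the registry is on
  # loopback (localhost:5100); it must not be reused for a remote one.
  podman pull --tls-verify=false "$IMAGE" \
    || die "Failed to pull image from $IMAGE"
  log "Successfully pulled $IMAGE"
}

#######################################
# Test whether a container exists and is running.
# Arguments: $1 - container name
#######################################
container_running() {
  podman container exists "$1" \
    && podman inspect -f '{{.State.Running}}' "$1" 2>/dev/null | grep -q true
}

#######################################
# Create or start the workspace container.
# Globals:   WORKSPACE, DEV_USER, IMAGE, TMUX_SESSION, XDG_RUNTIME_DIR (read)
#######################################
start_container_if_needed() {
  if ! podman container exists "$WORKSPACE"; then
    log "Creating container $WORKSPACE..."
    # NOTE(review): the host's rootless podman socket is mounted into the
    # container, so whatever runs inside can drive podman as this account
    # (including launching further containers). The image must be trusted.
    podman run -dit \
      --userns=keep-id \
      --name "$WORKSPACE" \
      --user "$DEV_USER" \
      --hostname "$WORKSPACE" \
      --label auto-cleanup=true \
      -v "${XDG_RUNTIME_DIR}"/podman/podman.sock:/run/podman/podman.sock \
      -v /home/infilytics/data/"$WORKSPACE":/app \
      -v /home/infilytics/secrets/"$WORKSPACE"/gitconfig:/home/"$DEV_USER"/.gitconfig:ro \
      -v /home/infilytics/secrets/"$WORKSPACE"/id_ed25519:/home/"$DEV_USER"/.ssh/id_ed25519:ro \
      -v /home/infilytics/secrets/"$WORKSPACE"/id_ed25519.pub:/home/"$DEV_USER"/.ssh/id_ed25519.pub:ro \
      --entrypoint "/home/$DEV_USER/start.sh" \
      "$IMAGE" "${TMUX_SESSION}" \
      || die "Failed to create container $WORKSPACE"
  elif ! container_running "$WORKSPACE"; then
    log "Starting existing container $WORKSPACE..."
    podman start "$WORKSPACE" >/dev/null 2>&1 \
      || die "Failed to start container $WORKSPACE"
  fi
  sleep 1  # let the entrypoint come up before tmux is exercised
}

#######################################
# After a read-write session ends: keep the container if DEV_USER still
# has a tmux client attached, otherwise stop it.
# Returns:   0 if the container stays running, 1 if it was stopped
#######################################
check_devuser_attached() {
  local client_users
  client_users=$(podman exec "$WORKSPACE" \
    tmux list-clients -t "$TMUX_SESSION" -F "#{client_user}" 2>/dev/null)
  # Whole-line literal match; a substring match would also accept names
  # that merely contain "devuser".
  if grep -Fxq -- "$DEV_USER" <<<"$client_users"; then
    log "devuser still attached - container stays running"
    return 0
  fi
  log "$PERSON has logged out - stopping container"
  podman stop "$WORKSPACE" >/dev/null 2>&1
  return 1
}

#######################################
# Run tmux inside the workspace container as DEV_USER with a TTY,
# forwarding the caller's TERM.
# Arguments: tmux arguments
#######################################
tmux_in_container() {
  podman exec -it -e TERM="$TERM" --user "$DEV_USER" "$WORKSPACE" tmux "$@"
}

#######################################
# Read-write path: ensure container and session exist, attach, then decide
# whether the container should stay up. Always exits the script.
#######################################
attach_rw() {
  start_container_if_needed
  if ! tmux_in_container has-session -t "$TMUX_SESSION" >/dev/null 2>&1; then
    podman exec -it -e EDITOR=nvim --user "$DEV_USER" "$WORKSPACE" \
      tmux new-session -d -s "$TMUX_SESSION" >/dev/null 2>&1 \
      || die "Could not create new tmux session. Please contact admin or try again later."
  fi
  log "$PERSON is working on $WORKSPACE's workspace"
  tmux_in_container attach -t "$TMUX_SESSION" \
    || die "Could not attach to tmux session. Please contact admin or try again later."
  log "$PERSON finished working on $WORKSPACE's workspace"
  # Exit status is deliberately 0 whether or not the container was stopped.
  check_devuser_attached
  exit 0
}

#######################################
# Read-only path: attach to an already running workspace's session with
# tmux's read-only flag. Always exits the script.
#######################################
attach_ro() {
  container_running "$WORKSPACE" >/dev/null 2>&1 \
    || die "Workspace for $WORKSPACE does not exist."
  log "$PERSON is viewing $WORKSPACE's workspace"
  tmux_in_container attach -r -t "$TMUX_SESSION" \
    || die "Could not attach to tmux session. Please contact admin or try again later."
  log "$PERSON stopped viewing $WORKSPACE's workspace"
  exit 0
}

main() {
  if [[ ! -t 0 ]]; then
    log "No TTY allocated - refusing to run tmux without an interactive terminal"
    echo "Error: No TTY. Use 'ssh -t'" >&2
    exit 1
  fi

  # The requested command is only ever used as a workspace name; requests
  # that look like a file-transfer subsystem are refused before any work.
  case "$SSH_ORIGINAL_COMMAND" in
    *scp* | *sftp* | *rsync* | *tar*)
      die "File transfers are disabled"
      ;;
  esac

  if [[ -z "${WORKSPACE:-}" ]]; then
    WORKSPACE="$PERSON"
    log "Defaulted WORKSPACE to $WORKSPACE"
  fi

  # Validate both names before they reach podman, tmux or yq, and before
  # any container or image work is done on the caller's behalf.
  valid_name "$PERSON" || die "Invalid person name: $PERSON"
  valid_name "$WORKSPACE" || die "Invalid container name: $WORKSPACE"
  readonly WORKSPACE
  readonly TMUX_SESSION="$WORKSPACE|analytics-backend"

  local mode
  mode=$(get_access_mode "$WORKSPACE" "$PERSON") || exit 1

  ensure_podman_socket
  ensure_image

  case "$mode" in
    rw) attach_rw ;;
    ro) attach_ro ;;
    *) die "Invalid access mode: $mode" ;;
  esac
}

main "$@"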