#!/bin/sh
set -eu

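# JSON file that maps a session UUID to the VM that serves it.
MAP="/data/layerops/ssh/mapping.json"

# Tag passed to logger(1); also the prefix of the debug lines on stderr.
LOGTAG=relay-uuid
# NOTE(review): with DEBUG >= 1 every log() message is also written to stderr.
# This script reads SSH_ORIGINAL_COMMAND, so it presumably runs as an sshd
# forced command and stderr reaches the connecting client. The client would
# then see the map path and could tell "invalid uuid" from "uuid not found",
# which defeats the generic "Connection failed" reply. Use 0 outside debugging.
DEBUG=1

# log MESSAGE...
# Sends the message to syslog under $LOGTAG and, when DEBUG >= 1, echoes it to
# stderr. Returns 0 when the stderr echo is disabled: the previous
# `[ ... ] && printf` form returned 1 for DEBUG=0, which under `set -e` aborted
# the script at the first log call instead of reaching the intended exit code.
log() {
  logger -t "$LOGTAG" -- "$@"
  if [ "$DEBUG" -ge 1 ]; then
    printf '[%s] %s\n' "$LOGTAG" "$*" >&2
  fi
}
# Record the final status on every shell exit and re-exit with the same code.
trap 'rc=$?; log "exit rc=$rc"; exit "$rc"' EXIT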

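# The requested UUID is whatever command string the client sent; it is
# untrusted and is validated before any other use.
UUID="${SSH_ORIGINAL_COMMAND:-}"
if [ -z "$UUID" ]; then
  log "missing uuid"
  printf 'Connection failed\n' >&2
  exit 2
fi
case "$UUID" in
  # Allow only letters, digits and '-'. A leading '-' is refused as well: the
  # value is later handed to ssh as an argument and must never look like an
  # option to it.
  -* | *[!A-Za-z0-9-]*)
    # Never log the raw value: it can hold newlines or control bytes that would
    # forge or corrupt syslog records. Replace every disallowed byte and cap
    # the length before logging.
    bad_uuid=$(printf '%s' "$UUID" | LC_ALL=C tr -c 'A-Za-z0-9-' '?' | cut -c1-64)
    log "invalid uuid: $bad_uuid"
    printf 'Connection failed\n' >&2
    exit 1
    ;;
esac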

# The onward hop authenticates with the client's forwarded agent, so refuse
# early when no agent socket was forwarded to this session.
if [ -z "${SSH_AUTH_SOCK:-}" ]; then
  log "no SSH_AUTH_SOCK (need -A)"
  printf 'Connection failed\n' >&2
  exit 2
fi


# The mapping file must be readable by the account this relay runs as.
if [ ! -r "$MAP" ]; then
  log "map missing or unreadable: $MAP"
  printf 'Connection failed\n' >&2
  exit 1
fi

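# Mapping is a JSON list of objects: sshUuid, privateIp, containerId, command
# (a single top-level object is accepted too). jq errors are deliberately
# swallowed, so an unparsable map surfaces below as "uuid not found".
VM_IP=$(jq -r --arg u "$UUID" '
  (if type=="array" then .[] else . end)
  | select(.sshUuid==$u)
  | .privateIp
' "$MAP" 2>/dev/null || true)
if [ -z "$VM_IP" ]; then
  log "uuid not found: $UUID"
  printf 'Connection failed\n' >&2
  exit 1
fi

# Validate the WHOLE value, not line by line. The previous `grep -Eq` check
# passed as soon as any single line matched, so duplicate sshUuid entries
# (one address per line) or an embedded newline slipped through to ssh.
# A case pattern sees the complete string: anything that is not four
# dot-separated digit groups is rejected. Octet ranges are not checked.
ip_ok=0
case "$VM_IP" in
  *[!0-9.]* | .* | *. | *..* | *.*.*.*.*) ;;
  *.*.*.*) ip_ok=1 ;;
esac
if [ "$ip_ok" -ne 1 ]; then
  log "bad ip in map"
  printf 'Connection failed\n' >&2
  exit 1
fi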

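# Client address: the first space-separated field of SSH_CONNECTION.
SRCIP=${SSH_CONNECTION:-}
SRCIP=${SRCIP%% *}

# Audit record for the successful path. exec replaces this shell, so the EXIT
# trap does not fire afterwards and a relayed session would otherwise leave no
# trace. This goes to syslog only, so the client sees no extra output;
# best-effort, so a logging failure does not block the session.
logger -t "$LOGTAG" -- "relay uuid=$UUID src=${SRCIP:-unknown} dst=$VM_IP" || :

# hop to VM using client's forwarded agent, pass the UUID; VM side maps UUID->container
#
# NOTE(review), points to confirm against the deployment's threat model:
#  * -A re-forwards the client's agent to the VM; anyone with sufficient
#    privilege on that VM can use the agent while the session is open.
#  * StrictHostKeyChecking=accept-new is trust-on-first-use: the first key seen
#    for an address is stored without verification, and only later changes are
#    refused. Pre-seeding known_hosts when a VM is provisioned closes that gap.
#  * 2>/dev/null applies to the exec'd ssh, so host-key mismatch and
#    authentication errors are discarded and nobody sees them; consider sending
#    them to a log instead.
#  * The `||` branch only runs if exec itself fails and the shell carries on.
#    A non-zero exit from ssh goes straight to the client, without the
#    "Connection failed" line.
exec ssh -A -tt \
  -p 2222 \
  -o BatchMode=yes \
  -o UserKnownHostsFile=/home/dev/.ssh/known_hosts \
  -o StrictHostKeyChecking=accept-new \
  -o LogLevel=ERROR \
  -o ConnectTimeout=10 \
  "dev@$VM_IP" "$UUID" 2>/dev/null || { printf 'Connection failed\n' >&2; exit 1; }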