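# QA Docker toolbox image: Docker CLI, hadolint, dive and aqua-managed tools,
# started as an unprivileged user with /workspace as the working directory.
#
# The base is pinned by tag only. Tags can be re-pointed, so pin by digest
# (ubuntu:24.04@sha256:<DIGEST_PLACEHOLDER>) when reproducible builds matter.
FROM ubuntu:24.04

# Run every RUN step under bash with pipefail so that a failed download on the
# left-hand side of a pipe (curl | gpg, echo | sha256sum) fails the build
# instead of being masked by the exit status of the last command.
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Build arguments (override with --build-arg)
ARG USER_ID=1000
ARG GROUP_ID=1000
ARG USERNAME=toolbox

# Optional SHA-256 digests of the artifacts fetched over HTTPS below.
# When a value is supplied the download is verified before it is installed or
# executed; an empty value skips verification. Supply the digests published
# by each project for builds whose output is shared or deployed.
ARG HADOLINT_SHA256=""
ARG DIVE_SHA256=""
ARG AQUA_INSTALLER_SHA256=""

# Build-time only: ARG keeps the setting out of the runtime environment,
# where an ENV would silently change apt behaviour inside the container.
ARG DEBIAN_FRONTEND=noninteractive

# Essential packages
RUN apt-get update && apt-get install -y --no-install-recommends \
      ca-certificates \
      curl \
      git \
      gnupg \
      lsb-release \
      unzip \
      wget \
 && rm -rf /var/lib/apt/lists/*

# Install Docker CLI from Docker's apt repository. The repository is bound to
# its own keyring via signed-by, so that key cannot vouch for other sources.
RUN install -m 0755 -d /etc/apt/keyrings \
 && curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
      | gpg --dearmor -o /etc/apt/keyrings/docker.gpg \
 && chmod a+r /etc/apt/keyrings/docker.gpg \
 && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" \
      > /etc/apt/sources.list.d/docker.list \
 && apt-get update \
 && apt-get install -y --no-install-recommends docker-ce-cli \
 && rm -rf /var/lib/apt/lists/*

# Install hadolint for Dockerfile linting.
# The release asset is x86_64 only. It is verified against HADOLINT_SHA256
# (when set) before it is made executable.
RUN wget -O /usr/bin/hadolint \
      https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 \
 && if [ -n "${HADOLINT_SHA256}" ]; then \
      echo "${HADOLINT_SHA256}  /usr/bin/hadolint" | sha256sum --check --strict -; \
    fi \
 && chmod +x /usr/bin/hadolint

# Install dive for exploring Docker image layers.
# dpkg runs the package's maintainer scripts as root, so the .deb is verified
# against DIVE_SHA256 (when set) before dpkg touches it.
RUN wget -O /tmp/dive_0.10.0_linux_amd64.deb \
      https://github.com/wagoodman/dive/releases/download/v0.10.0/dive_0.10.0_linux_amd64.deb \
 && if [ -n "${DIVE_SHA256}" ]; then \
      echo "${DIVE_SHA256}  /tmp/dive_0.10.0_linux_amd64.deb" | sha256sum --check --strict -; \
    fi \
 && dpkg -i /tmp/dive_0.10.0_linux_amd64.deb \
 && rm /tmp/dive_0.10.0_linux_amd64.deb

# Create the non-root user.
# ubuntu:24.04 ships a stock "ubuntu" account that already holds UID/GID 1000,
# so with the default arguments groupadd/useradd would fail on the duplicate
# ID. The stock account is removed only when it collides with the requested
# UID; the group is looked up by GID rather than by name for the same reason.
RUN if [ "${USERNAME}" != "ubuntu" ] \
       && [ "$(id -u ubuntu 2>/dev/null)" = "${USER_ID}" ]; then \
      userdel --remove ubuntu; \
    fi \
 && if ! getent group "${GROUP_ID}" >/dev/null; then \
      groupadd --gid "${GROUP_ID}" "${USERNAME}"; \
    fi \
 && if ! id "${USERNAME}" >/dev/null 2>&1; then \
      useradd --uid "${USER_ID}" --gid "${GROUP_ID}" --shell /bin/bash --create-home "${USERNAME}"; \
    fi

# Install aqua for package management.
# The installer is written to disk, verified against AQUA_INSTALLER_SHA256
# (when set) and only then executed, instead of being piped into bash.
# The binary ends up as a regular file in /usr/local/bin: /root is not
# traversable by the non-root user, so a symlink pointing into /root would be
# unusable after the USER switch.
# NOTE(review): the installer is expected to place aqua under root's data
# directory; the copy below also tolerates it landing in /usr/local/bin.
# NOTE(review): the installer tag and the "-v" aqua version are both v3.0.0;
# confirm that an aqua release with that version exists.
RUN curl -sSfL -o /tmp/aqua-installer \
      https://raw.githubusercontent.com/aquaproj/aqua-installer/v3.0.0/aqua-installer \
 && if [ -n "${AQUA_INSTALLER_SHA256}" ]; then \
      echo "${AQUA_INSTALLER_SHA256}  /tmp/aqua-installer" | sha256sum --check --strict -; \
    fi \
 && bash /tmp/aqua-installer -v v3.0.0 \
 && rm /tmp/aqua-installer \
 && if [ -x /root/.local/share/aquaproj-aqua/bin/aqua ]; then \
      install -m 0755 /root/.local/share/aquaproj-aqua/bin/aqua /usr/local/bin/aqua; \
    fi \
 && test -x /usr/local/bin/aqua

# Copy the aqua.yaml configuration for the non-root user and install packages.
# The su commands are double-quoted on purpose: "su -" starts a login shell
# with a fresh environment where USERNAME is unset, so the path has to be
# expanded by the build shell, not by the user's shell.
# NOTE(review): confirm that plain "aqua install" honours AQUA_GLOBAL_CONFIG;
# packages from the global configuration may need the --all flag.
COPY aqua.yaml /tmp/aqua.yaml
RUN chown "${USER_ID}:${GROUP_ID}" /tmp/aqua.yaml \
 && mkdir -p "/home/${USERNAME}/.config/aquaproj-aqua" \
 && chown "${USER_ID}:${GROUP_ID}" \
      "/home/${USERNAME}/.config" \
      "/home/${USERNAME}/.config/aquaproj-aqua" \
 && su - "${USERNAME}" -c "cp /tmp/aqua.yaml /home/${USERNAME}/.config/aquaproj-aqua/aqua.yaml" \
 && su - "${USERNAME}" -c "AQUA_GLOBAL_CONFIG=/home/${USERNAME}/.config/aquaproj-aqua/aqua.yaml aqua install"

# Prepare workspace directory with appropriate ownership
RUN mkdir -p /workspace \
 && chown "${USER_ID}:${GROUP_ID}" /workspace

# Remove sudo (best effort; every step is allowed to fail).
# This only removes one escalation path inside the container. The image ships
# the Docker CLI: if the host's Docker socket is mounted at runtime, the
# unprivileged user can still drive the daemon, which is root-equivalent on
# the host. Treat access to that socket as the real privilege boundary.
RUN { apt-get remove -y sudo 2>/dev/null || true; } \
 && { apt-get autoremove -y 2>/dev/null || true; } \
 && { rm -rf /var/lib/apt/lists/* 2>/dev/null || true; }

ENV PATH=/root/.local/share/aquaproj-aqua/bin:/home/${USERNAME}/.local/share/aquaproj-aqua/bin:/usr/local/bin:${PATH}

WORKDIR /workspace

# Drop privileges for everything that runs in the container.
USER ${USERNAME}

CMD ["/bin/bash"]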