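# ---------------------------------------------------------------------------
# Stage 1: build the Go-based web security / OSINT tools.
#
# Every tool defaults to @latest, so the build is NOT reproducible and picks up
# whatever upstream has tagged at build time. Override the *_VERSION build args
# with tagged releases (--build-arg NUCLEI_VERSION=v3.x.y, ...) to pin them.
# Go's module checksum database still verifies the resolved module contents,
# but only against whichever version @latest resolves to.
# ---------------------------------------------------------------------------
FROM golang:1.23-bookworm AS go-builder
ENV GOPATH=/go
ENV PATH=$PATH:/go/bin
# Strip build-host paths from the binaries (smaller and reproducible output).
ENV GOFLAGS=-trimpath

# naabu links against libpcap through cgo, so the headers are needed here, not
# only in the runtime stage. Without them its `go install` fails, and the
# original `... && ... || true` chain silently skipped every tool after it.
RUN apt-get update && apt-get install -y --no-install-recommends \
    libpcap-dev \
    && rm -rf /var/lib/apt/lists/*

ARG NUCLEI_VERSION=latest
ARG HTTPX_VERSION=latest
ARG KATANA_VERSION=latest
ARG NAABU_VERSION=latest
ARG INTERACTSH_VERSION=latest
ARG SUBFINDER_VERSION=latest
ARG FFUF_VERSION=latest
ARG GOBUSTER_VERSION=latest
ARG WAYBACKURLS_VERSION=latest
ARG ANEW_VERSION=latest
ARG GITLEAKS_VERSION=latest
ARG TRIVY_VERSION=latest
ARG GAU_VERSION=latest
ARG DALFOX_VERSION=latest

# No `|| true` here: a failed install must fail the build instead of producing
# an image that is silently missing tools.
#
# amass and feroxbuster are deliberately NOT built here: both are installed
# from Kali's apt repository in the runtime stage. A second copy built in this
# stage would land in /usr/local/bin and shadow the packaged one, and
# feroxbuster is a Rust project with no Go module to `go install`.
RUN go install github.com/projectdiscovery/nuclei/v3/cmd/nuclei@${NUCLEI_VERSION} && \
    go install github.com/projectdiscovery/httpx/cmd/httpx@${HTTPX_VERSION} && \
    go install github.com/projectdiscovery/katana/cmd/katana@${KATANA_VERSION} && \
    go install github.com/projectdiscovery/naabu/v2/cmd/naabu@${NAABU_VERSION} && \
    go install github.com/projectdiscovery/interactsh/cmd/interactsh-client@${INTERACTSH_VERSION} && \
    go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@${SUBFINDER_VERSION} && \
    go install github.com/ffuf/ffuf/v2@${FFUF_VERSION} && \
    go install github.com/OJ/gobuster/v3@${GOBUSTER_VERSION} && \
    go install github.com/tomnomnom/waybackurls@${WAYBACKURLS_VERSION} && \
    go install github.com/tomnomnom/anew@${ANEW_VERSION} && \
    go install github.com/zricethezav/gitleaks/v8@${GITLEAKS_VERSION} && \
    go install github.com/aquasecurity/trivy/cmd/trivy@${TRIVY_VERSION} && \
    go install github.com/lc/gau/v2/cmd/gau@${GAU_VERSION} && \
    go install github.com/hahwul/dalfox/v2@${DALFOX_VERSION}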

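# ---------------------------------------------------------------------------
# Stage 2: fetch prebuilt third-party artifacts (Kiterunner, Burp Suite).
# bookworm-slim is used instead of the moving stable-slim tag so the stage does
# not change underneath us on the next Debian release.
# ---------------------------------------------------------------------------
FROM debian:bookworm-slim AS downloader
RUN apt-get update && apt-get install -y --no-install-recommends \
    ca-certificates \
    unzip \
    wget \
    && rm -rf /var/lib/apt/lists/*
WORKDIR /downloads

# Kiterunner is published for amd64 only. Pass KITERUNNER_SHA256 (sha256 of the
# release tarball) to verify the download; when it is left empty the archive is
# only fetched over TLS and a warning is printed. On other architectures an
# executable stub that exits non-zero is installed instead of an empty file,
# so a missing tool fails loudly rather than with "exec format error".
ARG KITERUNNER_VERSION=1.0.2
ARG KITERUNNER_SHA256=""
RUN ARCH=$(dpkg --print-architecture) && \
    if [ "$ARCH" = "amd64" ]; then \
        TARBALL="kiterunner_${KITERUNNER_VERSION}_linux_amd64.tar.gz" && \
        wget -q "https://github.com/assetnote/kiterunner/releases/download/v${KITERUNNER_VERSION}/${TARBALL}" && \
        if [ -n "$KITERUNNER_SHA256" ]; then \
            echo "${KITERUNNER_SHA256}  ${TARBALL}" | sha256sum -c -; \
        else \
            echo "WARNING: KITERUNNER_SHA256 not set, skipping checksum verification" >&2; \
        fi && \
        tar xzf "$TARBALL" && \
        install -m 0755 kr /usr/local/bin/kr && \
        rm -f "$TARBALL" kr; \
    else \
        echo "Kiterunner not available for $ARCH, installing a stub" && \
        printf '#!/bin/sh\necho "kiterunner (kr) is only available on amd64" >&2\nexit 1\n' > /usr/local/bin/kr && \
        chmod 0755 /usr/local/bin/kr; \
    fi

# Burp Suite Community JAR. No checksum is available to verify against here, so
# the download is at least checked to be a valid zip (jar) before it is kept;
# an HTML error page or truncated transfer is not shipped as a jar. The step is
# best-effort: on failure an empty placeholder is created so the build still
# completes, and a warning is printed (the original `a || b && c` precedence
# ran the placeholder `touch` unconditionally).
ARG BURP_VERSION=2024.12
RUN wget -q "https://portswigger.net/burp/releases/download?product=community&version=${BURP_VERSION}&type=Jar" -O burp.tmp \
    && unzip -tq burp.tmp >/dev/null \
    && mv burp.tmp /downloads/burpsuite_community.jar \
    || { echo "WARNING: Burp download failed or is not a valid jar, creating empty placeholder" >&2; \
         rm -f burp.tmp; : > /downloads/burpsuite_community.jar; }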

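# ---------------------------------------------------------------------------
# Stage 3: runtime image.
#
# NOTE: kali-rolling is an untagged, continuously moving image and apt package
# versions change daily, so two builds of this file are not guaranteed to
# produce the same tool versions. Pin by digest
# (FROM kalilinux/kali-rolling@sha256:...) for a release build.
# ---------------------------------------------------------------------------
FROM kalilinux/kali-rolling

# Build-time only (ARG, not ENV) so it does not leak into the runtime env.
ARG DEBIAN_FRONTEND=noninteractive

# 1. Base system & runtimes
#    build-essential is kept for Python packages that compile C extensions
#    during `pipx install`; libpcap-dev provides the shared library naabu
#    (built with cgo in stage 1) loads at runtime.
RUN apt-get update && apt-get install -y --no-install-recommends \
    build-essential \
    curl \
    wget \
    git \
    vim \
    zsh \
    unzip \
    jq \
    iputils-ping \
    python3-full \
    python3-pip \
    python3-venv \
    pipx \
    default-jre \
    libpcap-dev \
    && rm -rf /var/lib/apt/lists/*

# 2. Core Kali tools (web & network). amass and feroxbuster come from apt only;
#    they are intentionally not also built in the Go stage.
RUN apt-get update && apt-get install -y --no-install-recommends \
    nmap \
    masscan \
    sqlmap \
    nikto \
    hydra \
    wafw00f \
    whatweb \
    seclists \
    zaproxy \
    amass \
    feroxbuster \
    theharvester \
    && rm -rf /var/lib/apt/lists/*

# 3. Report generation tools
RUN apt-get update && apt-get install -y --no-install-recommends \
    pandoc \
    && rm -rf /var/lib/apt/lists/*

# 4. Go binaries from stage 1
COPY --from=go-builder /go/bin/* /usr/local/bin/

# 5. Downloaded tools from stage 2 (kr may be a non-amd64 stub; the jar may be
#    an empty placeholder if the download failed - see stage 2).
COPY --from=downloader /usr/local/bin/kr /usr/local/bin/
COPY --from=downloader /downloads/burpsuite_community.jar /opt/burpsuite_community.jar

# 6. Python tools via pipx, installed system-wide.
#    pipx defaults to /root/.local, which the non-root `pentest` user created
#    later cannot access, so these tools were effectively root-only.
#    PIPX_HOME/PIPX_BIN_DIR put the venvs under /opt and the launchers on the
#    default PATH for every user. No `|| true`: a failed install fails the
#    build instead of silently skipping the remaining tools. Versions are
#    unpinned; use `pipx install name==x.y.z` to pin.
ENV PIPX_HOME=/opt/pipx \
    PIPX_BIN_DIR=/usr/local/bin
RUN pipx install arjun && \
    pipx install dirsearch && \
    pipx install uro && \
    pipx install pip-audit && \
    pipx install xsser

# 7. Node.js and npm-audit-html (JavaScript dependency scanning).
#    npm-audit-html is unpinned; use npm-audit-html@<version> to pin. The npm
#    cache is cleared in the same layer so it does not bloat the image.
RUN apt-get update && apt-get install -y --no-install-recommends \
    nodejs \
    npm \
    && rm -rf /var/lib/apt/lists/* && \
    npm install -g npm-audit-html && \
    npm cache clean --force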

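# 8. Non-root user. Most tooling runs fine unprivileged; raw-socket scans
#    (nmap -sS, masscan, naabu SYN mode) need CAP_NET_RAW/CAP_NET_ADMIN, which
#    is the only reason the image ends as root (see `USER root` below).
RUN useradd -m -s /bin/zsh pentest && \
    mkdir -p /app /data && \
    chown -R pentest:pentest /app /data

# 9. Nuclei templates. A shallow clone of the unpinned default branch taken at
#    build time; the chown happens in the same layer as the clone.
RUN git clone --depth 1 https://github.com/projectdiscovery/nuclei-templates.git /home/pentest/nuclei-templates && \
    chown -R pentest:pentest /home/pentest/nuclei-templates

# 10. Tool configuration files. The directories are created and chowned first,
#     then the files are copied with --chown, so no trailing `chown -R` layer
#     is needed for .config.
RUN mkdir -p /home/pentest/.config/nuclei \
    /home/pentest/.config/httpx \
    /home/pentest/.config/naabu \
    /home/pentest/.config/katana \
    /home/pentest/.config/subfinder \
    /home/pentest/.config/amass && \
    chown -R pentest:pentest /home/pentest/.config

COPY --chown=pentest:pentest configs/nuclei.yaml /home/pentest/.config/nuclei/config.yaml
COPY --chown=pentest:pentest configs/httpx.yaml /home/pentest/.config/httpx/config.yaml
COPY --chown=pentest:pentest configs/naabu.yaml /home/pentest/.config/naabu/config.yaml
COPY --chown=pentest:pentest configs/katana.yaml /home/pentest/.config/katana/config.yaml
COPY --chown=pentest:pentest configs/subfinder.yaml /home/pentest/.config/subfinder/config.yaml
COPY --chown=pentest:pentest configs/amass.yaml /home/pentest/.config/amass/config.yaml

# 11. Entrypoint (installed as root, fixed mode rather than inheriting the
#     build-context file's mode).
WORKDIR /app
COPY entrypoint.sh /usr/local/bin/entrypoint.sh
RUN chmod 0755 /usr/local/bin/entrypoint.sh

# Oh My Zsh for the pentest user. This executes an unpinned remote script
# fetched at build time (supply-chain exposure). It is purely cosmetic, runs
# as the unprivileged user, and is best-effort (`|| true`); pin the installer
# to a commit or vendor it if the build must be reproducible.
USER pentest
RUN sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" "" --unattended || true

# The container starts as root so raw-socket scanners work without extra
# capabilities; entrypoint.sh (not shown here) is expected to drop to
# `pentest` for everything else. If it does not, switch this to
# `USER pentest` and grant CAP_NET_RAW at run time instead.
USER root

# Safety net: anything under the home directory created by a root-run step
# above must belong to pentest.
RUN chown -R pentest:pentest /home/pentest

# Declared after /data is created and chowned, so its ownership is kept.
VOLUME ["/data"]
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]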
