if [ -z "${BASH_VERSION:-}" ]; then
    return 0 2>/dev/null || exit 0
fi

case $- in
    *i*) ;;
    *) return 0 2>/dev/null || exit 0 ;;
esac

if [ "${SSH_AUDIT_PROMPT_INSTALLED:-0}" = "1" ]; then
    return 0 2>/dev/null || exit 0
fi

export SSH_AUDIT_PROMPT_INSTALLED=1

# Force history append and ignore duplicates
shopt -s histappend
export HISTCONTROL=ignoredups

SSH_AUDIT_REMOTE_IP="${SSH_CLIENT%% *}"
if [ -z "$SSH_AUDIT_REMOTE_IP" ]; then
    SSH_AUDIT_REMOTE_IP="${SSH_CONNECTION%% *}"
fi
if [ -z "$SSH_AUDIT_REMOTE_IP" ]; then
    # Traverse parent processes to recover SSH_CLIENT lost across sudo -i boundary
    _pid="$PPID"
    while [ "${_pid:-0}" -gt 1 ] 2>/dev/null; do
        _found=$(cat "/proc/$_pid/environ" 2>/dev/null | tr '\0' '\n' | sed -n 's/^SSH_CLIENT=\([^ ]*\).*/\1/p' | head -1)
        if [ -n "$_found" ]; then
            SSH_AUDIT_REMOTE_IP="$_found"
            break
        fi
        _pid=$(awk '/^PPid:/{print $2}' "/proc/$_pid/status" 2>/dev/null)
    done
    unset _pid _found
fi
if [ -z "$SSH_AUDIT_REMOTE_IP" ]; then
    SSH_AUDIT_REMOTE_IP="unknown"
fi

# Recover the real Teleport identity. Teleport sets SSH_TELEPORT_USER in every
# session, but (like SSH_CLIENT) it is lost across the "sudo -i" boundary, so
# traverse parent processes to recover it from /proc/<pid>/environ.
SSH_AUDIT_TELEPORT_USER="${SSH_TELEPORT_USER:-}"
if [ -z "$SSH_AUDIT_TELEPORT_USER" ]; then
    _pid="$PPID"
    while [ "${_pid:-0}" -gt 1 ] 2>/dev/null; do
        _found=$(cat "/proc/$_pid/environ" 2>/dev/null | tr '\0' '\n' | sed -n 's/^SSH_TELEPORT_USER=\(.*\)/\1/p' | head -1)
        if [ -n "$_found" ]; then
            SSH_AUDIT_TELEPORT_USER="$_found"
            break
        fi
        _pid=$(awk '/^PPid:/{print $2}' "/proc/$_pid/status" 2>/dev/null)
    done
    unset _pid _found
fi
if [ -z "$SSH_AUDIT_TELEPORT_USER" ]; then
    SSH_AUDIT_TELEPORT_USER="-"
fi

# Skip the first execution to avoid the login initialization command.
export PROMPT_COMMAND='if [ -z "$AUDIT_FLAG" ]; then AUDIT_FLAG=1; else logger -p local6.info -t bash_audit "EPOCH=$(date +%s) LOGIN_USER=${SUDO_USER:-$USER} USER=$USER TELEPORT_USER='"$SSH_AUDIT_TELEPORT_USER"' IP='"$SSH_AUDIT_REMOTE_IP"' TTY=$(tty) CMD=$(builtin fc -ln -1 | sed "s/^[[:space:]]*//")"; fi'

readonly PROMPT_COMMAND
