#!/usr/bin/env python3
"""
Simulated internal service for CVE-2026-32255 PoC.

This script mimics an internal API that exposes sensitive configuration data.
In a real scenario, this would be a service only accessible from within the
internal network (e.g., a config server, metadata endpoint, or admin API).

Usage: python3 internal-service.py [port]
"""

import json
import sys
from http.server import HTTPServer, BaseHTTPRequestHandler

PORT = int(sys.argv[1]) if len(sys.argv) > 1 else 8888

SENSITIVE_DATA = {
    "service": "internal-config-api",
    "credentials": {
        "db_host": "10.0.0.5",
        "db_user": "admin",
        "db_password": "s3cret_passw0rd!",
        "api_key": "sk-internal-4f8a2b1c9d3e7f6a5b0c8d2e1f4a7b3c",
    },
}


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps(SENSITIVE_DATA, indent=2).encode())

    def log_message(self, format, *args):
        print(f"[internal-service] {args[0]}")


if __name__ == "__main__":
    server = HTTPServer(("0.0.0.0", PORT), Handler)
    print(f"[*] Internal service listening on http://0.0.0.0:{PORT}")
    try:
        server.serve_forever()
    except KeyboardInterrupt:
        print("\n[*] Shutting down")
        server.shutdown()