#!/usr/bin/env python3
"""
Deception Technology Deployment Agent
Deploys and manages honeypots, honeytokens, and canary files to detect
lateral movement and credential abuse with near-zero false positive alerts.
"""

import hashlib
import json
import os
import secrets
import sys
import threading
from datetime import datetime, timezone
from http.server import HTTPServer, BaseHTTPRequestHandler


def generate_honeytoken_credentials(count: int = 5) -> list[dict]:
    """Generate fake credential honeytokens for deployment in AD and databases."""
    honeytokens = []
    templates = [
        ("svc_backup_admin", "Service account - backup system"),
        ("admin_legacy", "Legacy admin account"),
        ("db_migration_user", "Database migration service account"),
        ("api_service_prod", "Production API service account"),
        ("deploy_automation", "CI/CD deployment service account"),
    ]

    for i in range(min(count, len(templates))):
        username, description = templates[i]
        token_id = secrets.token_hex(4)
        honeytokens.append({
            "token_id": f"HT-{token_id}",
            "type": "credential",
            "username": f"{username}_{token_id[:4]}",
            "password": secrets.token_urlsafe(24),
            "description": description,
            "deployment_location": "Active Directory / LSASS memory",
            "alert_on": "Any authentication attempt",
            "created": datetime.now(timezone.utc).isoformat(),
        })

    return honeytokens


def generate_canary_files(output_dir: str, count: int = 5) -> list[dict]:
    """Generate canary files that trigger alerts when accessed."""
    canary_templates = [
        ("passwords.xlsx", "Fake password spreadsheet"),
        ("salary_data_2024.csv", "Fake salary data"),
        ("aws_credentials.txt", "Fake AWS access keys"),
        ("vpn_config_backup.ovpn", "Fake VPN configuration"),
        ("database_backup_prod.sql", "Fake database backup"),
    ]

    canary_files = []
    os.makedirs(output_dir, exist_ok=True)

    for i in range(min(count, len(canary_templates))):
        filename, description = canary_templates[i]
        filepath = os.path.join(output_dir, filename)
        token_id = secrets.token_hex(4)

        content = f"# CANARY FILE - Token: {token_id}\n"
        content += f"# This file is a decoy. Any access triggers a security alert.\n"
        content += f"# Description: {description}\n"
        content += f"# Generated: {datetime.now(timezone.utc).isoformat()}\n\n"

        if "credentials" in filename or "password" in filename:
            content += "admin:P@ssw0rd_fake_canary_2024\n"
            content += "root:SuperSecret_fake_canary!\n"
        elif "aws" in filename:
            content += f"[default]\naws_access_key_id = AKIA{secrets.token_hex(8).upper()}\n"
            content += f"aws_secret_access_key = {secrets.token_hex(20)}\n"

        with open(filepath, "w") as f:
            f.write(content)

        canary_files.append({
            "token_id": f"CF-{token_id}",
            "type": "canary_file",
            "filename": filename,
            "filepath": filepath,
            "description": description,
            "sha256": hashlib.sha256(content.encode()).hexdigest(),
            "alert_on": "File open / read access",
            "created": datetime.now(timezone.utc).isoformat(),
        })

    return canary_files


def generate_dns_canary_tokens(domain: str, count: int = 3) -> list[dict]:
    """Generate DNS canary tokens that alert on resolution."""
    tokens = []
    for i in range(count):
        token_id = secrets.token_hex(8)
        hostname = f"{token_id}.{domain}"
        tokens.append({
            "token_id": f"DNS-{token_id[:8]}",
            "type": "dns_canary",
            "hostname": hostname,
            "usage": f"Embed in config files, documents, or network shares",
            "alert_on": "DNS resolution of hostname",
            "created": datetime.now(timezone.utc).isoformat(),
        })

    return tokens


class HoneypotHTTPHandler(BaseHTTPRequestHandler):
    """Simple HTTP honeypot handler that logs all requests."""

    alerts = []

    def do_GET(self):
        alert = {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "source_ip": self.client_address[0],
            "source_port": self.client_address[1],
            "method": "GET",
            "path": self.path,
            "headers": dict(self.headers),
            "severity": "HIGH",
        }
        HoneypotHTTPHandler.alerts.append(alert)
        print(f"[ALERT] Honeypot hit: {alert['source_ip']} -> GET {self.path}")
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="Restricted Area"')
        self.end_headers()
        self.wfile.write(b"Authentication Required")

    def do_POST(self):
        content_length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(content_length).decode("utf-8", errors="ignore")

        alert = {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "source_ip": self.client_address[0],
            "method": "POST",
            "path": self.path,
            "body_preview": body[:200],
            "severity": "CRITICAL",
        }
        HoneypotHTTPHandler.alerts.append(alert)
        print(f"[ALERT] Honeypot credential capture: {alert['source_ip']}")
        self.send_response(403)
        self.end_headers()
        self.wfile.write(b"Access Denied")

    def log_message(self, format, *args):
        pass


def start_http_honeypot(host: str = "0.0.0.0", port: int = 8888) -> HTTPServer:
    """Start an HTTP honeypot server in a background thread."""
    server = HTTPServer((host, port), HoneypotHTTPHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    print(f"[*] HTTP honeypot listening on {host}:{port}")
    return server


def generate_deployment_report(
    credentials: list, canary_files: list, dns_tokens: list
) -> str:
    """Generate deception technology deployment report."""
    total = len(credentials) + len(canary_files) + len(dns_tokens)
    lines = [
        "DECEPTION TECHNOLOGY DEPLOYMENT REPORT",
        "=" * 50,
        f"Date: {datetime.now(timezone.utc).strftime('%Y-%m-%d %H:%M UTC')}",
        f"Total Decoys Deployed: {total}",
        "",
        f"HONEYTOKEN CREDENTIALS ({len(credentials)}):",
    ]
    for cred in credentials:
        lines.append(f"  [{cred['token_id']}] {cred['username']} - {cred['description']}")

    lines.append(f"\nCANARY FILES ({len(canary_files)}):")
    for cf in canary_files:
        lines.append(f"  [{cf['token_id']}] {cf['filename']} - {cf['description']}")

    lines.append(f"\nDNS CANARY TOKENS ({len(dns_tokens)}):")
    for dns in dns_tokens:
        lines.append(f"  [{dns['token_id']}] {dns['hostname']}")

    return "\n".join(lines)


if __name__ == "__main__":
    output_dir = sys.argv[1] if len(sys.argv) > 1 else "canary_files"
    dns_domain = sys.argv[2] if len(sys.argv) > 2 else "canary.example.com"

    print("[*] Deploying deception technology...")

    credentials = generate_honeytoken_credentials(5)
    canary_files = generate_canary_files(output_dir, 5)
    dns_tokens = generate_dns_canary_tokens(dns_domain, 3)

    report = generate_deployment_report(credentials, canary_files, dns_tokens)
    print(report)

    inventory = {
        "credentials": credentials,
        "canary_files": canary_files,
        "dns_tokens": dns_tokens,
    }
    output = f"deception_inventory_{datetime.now(timezone.utc).strftime('%Y%m%d')}.json"
    with open(output, "w") as f:
        json.dump(inventory, f, indent=2)
    print(f"\n[*] Inventory saved to {output}")