# ==========================================
#  Mega Leaks Sample File for SecuLint
#  Contains MANY intentional fake secrets
#  Use ONLY for testing / demo purposes.
# ==========================================

# --- AWS style credentials ---
# The first pair below is the placeholder key pair printed in AWS's own
# documentation. Some scanners allowlist those exact values, so a miss on
# these two lines can be an allowlist hit rather than a detection gap.
# The second pair is a different, non-documented sample in quoted form.
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

aws_access_key_id = "AKIA1234567890ABCD12"
aws_secret_access_key = "abcd1234abcd1234abcd1234abcd1234abcd1234"

# --- Generic passwords in code ---
DB_PASSWORD=mySuperSecretPassword123!
db_password = "pa$$w0rd!"
password = "Root@123"
user_password: str = "my_db_password_987"
PASSWORD = 'PlainTextPass2025'
admin_password = "SuperAdmin!@#"

# --- Tokens, API keys, and secrets ---
API_KEY=1234567890abcdef1234567890abcdef
api_key = "abcdef1234567890abcdef1234567890"
GITHUB_TOKEN = "ghp_1234567890abcdef1234567890abcdef1234"
SLACK_BOT_TOKEN = "xoxb-123456789012-1234567890123-ABCDEFGHijklmnopqrstu"
access_token = "access-token-secret-abc-123-xyz"
refresh_token = "refresh-token-0987654321"
auth_token="secret_auth_token_value"
secret = "this_is_a_secret_value"

# --- JWT-like strings ---
JWT_SECRET=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.secret.jwt.payload
jwt_token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.FAKE_PAYLOAD.SIGNATURE"
id_token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.FakePayload.Signature"

# --- Private keys ---
PRIVATE_KEY="-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBK...\n-----END PRIVATE KEY-----"
# A more realistic PEM block marker (still fake data)
fake_rsa_key = """
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAynfQeQKxFakeKeyMaterial1234567890abcdefFakeFakeFake
FakeMoreKeyDataHereForTestingOnlyDoNotUseInProductionOrRealSystems
-----END RSA PRIVATE KEY-----
"""

# --- Database connection strings ---
# Credentials embedded in the URL userinfo (user:secret@host) or in a
# key=value connection string.
# NOTE: the mysql sample carries an unescaped "@" inside the secret part, so
# the URL contains two "@" characters and where the secret ends depends on
# how the parser or pattern splits it (a well-formed URL would use %40).
# A detector may therefore report only part of that value.
DATABASE_URL="postgres://admin:qwerty123@localhost:5432/testdb"
DATABASE_URL = "mysql://root:Root@123@127.0.0.1:3306/prod_db"
connection_string = "Server=127.0.0.1;Database=Prod;User Id=sa;Password=SuperStrongPassword!;"

# --- Mongo style connection ---
MONGO_URI = "mongodb://admin:pa$$w0rd!@127.0.0.1:27017/mydb"

# --- Email/PII style leaks ---
# Synthetic contact data for PII rules.
# NOTE(review): example.com is a reserved documentation domain, but
# company.com and demo.org are ordinary registrable domains; fixtures are
# safer on reserved names (example.com/.org/.net, or the .example and .test
# TLDs) so a sample address can never belong to a real mailbox.
admin_email = "admin@example.com"
support_email = "support@company.com"
user_email = "john.doe@demo.org"
phone_number = "+1-555-1212"
backup_contact = "Jane Doe <jane.doe@corp.local>"

# --- Plain text credentials in notes ---
# TODO: Change these test user creds before go-live
test_user_email = "qa_user@example.com"
test_user_password = "TestUser123!"
super_admin_email = "super.admin@example.com"
super_admin_password = "Sup3rAdminP@ss!"

# --- Dangerous patterns: verify=False (TLS) ---
import requests

def fetch_data_insecure(url):
    """GET *url* and return the response body as text.

    Intentional scanner fixture: the call below switches TLS certificate
    checking off, so the server's identity is never validated and anyone on
    the network path can read or alter the exchange. Production code leaves
    the library default in place or passes a CA bundle path instead.
    """
    # No timeout is passed either, so this request can block indefinitely.
    response = requests.get(url, verify=False)  # Should trigger DISABLE_TLS_VERIFICATION
    return response.text

def post_data_insecure(url, data):
    """POST *data* as a JSON body to *url* and return the response object.

    Intentional scanner fixture: certificate checking is switched off here
    as well, with the same exposure to interception as the GET helper.
    The keyword is written with spaces around "=", presumably to check that
    the rule matches regardless of whitespace.
    """
    # No timeout is passed, so this request can block indefinitely.
    return requests.post(url, json=data, verify = False)

# --- Dangerous patterns: eval / exec ---
def run_dynamic_code(user_code):
    """Evaluate *user_code* as a Python expression and discard the result.

    Intentional scanner fixture for dynamic code evaluation. The string is
    evaluated with the full privileges of the running process, so this must
    never receive caller-controlled input. Real code that only needs to
    parse literals uses ast.literal_eval, or maps allowed operation names
    to functions explicitly.
    """
    # Extremely unsafe example
    eval(user_code)

def run_exec_snippet(snippet):
    """Execute *snippet* as Python statements; nothing is returned.

    Intentional scanner fixture for dynamic code execution. Whatever the
    string contains runs inside this process with its privileges, so the
    pattern is only acceptable for fully trusted, program-authored text.
    """
    exec(snippet)

# --- Dangerous patterns: subprocess with shell=True ---
import subprocess

def run_system_command(cmd):
    """Run *cmd* through the system shell and discard the result.

    Intentional scanner fixture for shell-invoked subprocesses. Because the
    whole string is handed to a shell, any metacharacters in *cmd* are
    interpreted, which is what makes untrusted input dangerous here. Real
    code passes an argument list and leaves the shell out of the call.
    """
    # Insecure: potential command injection
    # The completed-process result is dropped, so a non-zero exit goes unnoticed.
    subprocess.run(cmd, shell=True)

def run_popen(cmd):
    """Start *cmd* through the system shell without waiting for it.

    Intentional scanner fixture: same shell-interpretation risk as the
    blocking helper, via the lower-level process constructor. The process
    handle is not kept, so the child is never waited on and its exit status
    and output are not collected.
    """
    subprocess.Popen(cmd, shell=True)

# --- Debug flags / insecure config ---
# Debug switches left enabled. Debug modes commonly return stack traces and
# internal state to the client; Flask's debug mode also enables an
# interactive debugger that must never be reachable from untrusted networks.
DEBUG = True
FLASK_DEBUG = True
DJANGO_DEBUG = True
# Wildcard CORS origins: every web origin is allowed to read responses
# cross-origin. Real deployments list the specific origins they trust.
CORS_ORIGIN="*"
CORS_ALLOWED_ORIGINS = "*"
ALLOWED_ORIGINS = ["*"]
# Wildcard host list: in Django this value accepts any Host header, which
# removes the framework's protection against Host header spoofing.
ALLOWED_HOSTS = ["*"]

# --- Docker / env style secrets ---
SECRET_KEY=django-insecure-Secret123
SECRET="another_super_secret_value"
REDIS_PASSWORD="redisP@ss"
KAFKA_SASL_PASSWORD="kafka_secret_password"
S3_ACCESS_KEY="AKIAFAKEXAMPLE123456"
S3_SECRET_KEY="secret_s3_key_1234567890"

# --- Misc tokens in log style text ---
# Log snippet accidentally committed
log_line1 = '2025-11-24 12:00:00 [INFO] Using token: access-token-secret-abc-123-xyz'
log_line2 = '2025-11-24 12:05:00 [WARN] Refresh token used: refresh-token-0987654321'
log_line3 = '2025-11-24 12:10:00 [DEBUG] Password for user admin: Admin#2025'

# --- Random lines that should NOT be flagged (noise) ---
message = "This is just a normal sentence with the word token but no secret."
note = "We should not store secrets in code, configs, or logs."
placeholder = "password_placeholder_not_real"
comment = "# TODO: use environment variables instead of hard-coded secrets."

# --- JSON-like configs containing secrets ---
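# Synthetic nested config for scanner tests; every value below is made up.
# Written with single braces so the snippet is both JSON-shaped and a valid
# Python dict literal. The doubled braces it replaces look like leftover
# format-string escapes: as Python they build a set holding a dict and raise
# TypeError, and as JSON they do not parse.
fake_config_json = {
  "db": {
    "user": "db_user",
    "password": "db_user_password_123"
  },
  "service": {
    "apiKey": "service-api-key-xyz-987654321",
    "token": "service-token-abcdefg"
  },
  "mail": {
    "smtp_password": "smtpSuperSecret"
  }
}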

# --- YAML-like secret-looking config ---
# Synthetic YAML held in a multi-line string, so the secrets appear as
# "key: value" pairs rather than assignments.
# NOTE: the access_key_id sample is 23 characters long, not the 20 used by
# the other AKIA samples in this file, so a length-anchored key-ID pattern
# is not expected to match it; a key-name based rule still should.
fake_config_yaml = """
db:
  username: root
  password: RootP@ssword!
  host: localhost
  port: 5432

auth:
  jwt_secret: "super_jwt_secret_456"
  refresh_token: "another-refresh-token-321"

aws:
  access_key_id: "AKIATESTFAKEKEY00001234"
  secret_access_key: "FakeSecretKeyForTestingOnly1234567890"
"""

# --- CSV-like user dump ---
csv_data = '''
id,name,email,phone,password
1,Alice,alice@example.com,555-0001,MyPassword1
2,Bob,bob@example.com,555-0002,SecretPass2
3,Charlie,charlie@example.com,555-0003,P@ssw0rd3
'''

# --- Misc environment-like lines ---
ENV_DB_PASSWORD=myEnvPassword!
ENV_API_TOKEN=env-api-token-999999999
ENV_AUTH_SECRET_KEY=env-secret-key-abcxyz

# --- End of mega_leaks_sample.txt ---
