# CVE-2026-42588 — Apache ActiveMQ Classic Jolokia addNetworkConnector RCE
#
# Two services on a private bridge network:
#   broker   — vulnerable ActiveMQ 6.1.4; web console / Jolokia published to
#              127.0.0.1:8161 on the host (the exploit's only surface).
#   attacker — HTTP host serving the Spring payload XML the broker fetches.
#              Reachable from the broker by service name `attacker:8888`.
#              NOT published to the host; it only needs broker-side reach.
#
# The broker's filesystem is never network-exposed: the marker the broker
# writes is reachable only via `docker exec` (the verifier's privileged
# channel), not over any surface the exploit holds.

services:
  # Vulnerable target. Built from Dockerfile.broker; the image tag pins the
  # ActiveMQ version named in the header (6.1.4) so the lab stays reproducible.
  broker:
    build:
      context: .
      dockerfile: Dockerfile.broker
    image: cve-2026-42588-broker:6.1.4
    container_name: cve-2026-42588-broker
    networks:
      - cve-net
    ports:
      # Host -> broker web console / Jolokia. Loopback only (rule #9).
      # Binding to 127.0.0.1 keeps the console off every other host interface;
      # the attacker service reaches the broker over cve-net, not via this port.
      - "127.0.0.1:8161:8161"
    healthcheck:
      # Console up and serving the Jolokia version op (read-only, always allowed).
      # The credentials are the console admin account (presumably the stock
      # admin/admin configured in Dockerfile.broker — confirm there). The Origin
      # header is presumably required to satisfy the console's Jolokia origin
      # policy — verify against the broker's jolokia-access config. curl's -f
      # turns any non-2xx response into a failed check.
      test: ["CMD-SHELL", "curl -fsS -u admin:admin -H 'Origin: http://localhost:8161' http://127.0.0.1:8161/api/jolokia/version >/dev/null || exit 1"]
      interval: 5s
      timeout: 5s
      retries: 30
      # Generous start_period: the JVM can take well over 5s to come up, and
      # failed probes during start_period do not count toward `retries`.
      start_period: 20s

  # Payload host. Serves the Spring XML the broker fetches (see header). It has
  # no `ports:` entry, so it is reachable only from inside cve-net — the only
  # reach the lab needs, and the smallest footprint for this service.
  attacker:
    build:
      context: .
      dockerfile: Dockerfile.attacker
    image: cve-2026-42588-attacker:latest
    container_name: cve-2026-42588-attacker
    networks:
      - cve-net
    volumes:
      # Exploiter drops payload.xml here; served at http://attacker:8888/payload.xml
      # NOTE(review): this bind mount is read-write. If the server started by
      # Dockerfile.attacker only reads /www and payload.xml is written on the
      # host side, `./attacker-www:/www:ro` would be the least-privilege form —
      # confirm where the exploiter writes before tightening.
      - ./attacker-www:/www
    healthcheck:
      # Plain GET against the document root from inside the container. urlopen
      # raises on a connection failure or a non-2xx response, which already
      # makes python3 exit non-zero; the trailing `|| exit 1` is belt-and-braces.
      test: ["CMD-SHELL", "python3 -c \"import urllib.request,sys; urllib.request.urlopen('http://127.0.0.1:8888/'); sys.exit(0)\" || exit 1"]
      interval: 5s
      timeout: 5s
      retries: 10
      start_period: 5s

networks:
  # Private bridge for broker <-> attacker traffic. A default bridge still
  # gives both containers outbound access beyond the lab; isolation here rests
  # on the loopback-only port binding and the absence of published attacker
  # ports, not on egress filtering. (`internal: true` would cut egress but
  # would likely also stop the host reaching the published 8161 port — verify
  # before adopting it.)
  cve-net:
    driver: bridge
