"""
PUROLATOR SOAP API - CREDENTIAL USAGE TRACE

Full flow from app code to API call showing where hardcoded credentials are used.
"""

print("="*80)
print("PUROLATOR SOAP API - CREDENTIAL USAGE ANALYSIS")
print("="*80)
print()

print("STEP 1: Credentials Stored in APK")
print("-" * 80)
print("""
File: com/purolator/mobileapp/utils/security/X.java
Location: Line 77

Hardcoded encrypted credentials (the constant names are ACCOUNT and CREDIT_CARD
spelled backwards, a light obfuscation):
- TNUOCCA (Account): "FQ/E1KpKybV2Kn87ao2UAcZXf3JbzOsZHek7d09yXrsn+nghl" + firebase_value
- DRAC_TIDERC (Credit Card): "FQ/E1KpK3qZubmgVYoyUEsZWf3FUkesZCew7cGIpXZUkpW0Ijyv" + firebase_value

Decrypted values (via X.b() method). Each is a complete HTTP Basic header
value, i.e. "Basic " + base64(userid:password) per RFC 7617:
- Account: Basic ZWY3NDc1ZWY3MGI0NGY0Njg3MTU4ZmJiYjlmZjNmNDc6fEhYWTIpLjY=
           (decodes to ef7475ef70b44f4687158fbbb9ff3f47:|HXY2).6)

- Credit Card: Basic MDAwYjk0ZDY2MDFmNGM5NmJhNzVkODQ0MzMxN2EyYTk6eHlBfUZXb0Q=
               (decodes to 000b94d6601f4c96ba75d8443317a2a9:xyA}FWoD)
""")
print()
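
print("ADDED EXAMPLE: Finding Basic-auth values in decompiled source")
print("-" * 80)
print(r"""
The following scanner is an added example written for this note; it is not
code from the app or from the original analysis. It generalizes the manual
decoding in STEP 1: it walks decompiled source text, picks out base64 runs
(with or without a "Basic " prefix), and keeps only those that decode to a
printable userid:password pair, so ciphertext blobs and hex user ids are
dropped rather than reported. The Java-style sample lines are constructed
for the example; the two Basic values in them are the ones quoted above.
Function and variable names (decode_basic, find_basic_credentials, mask,
SAMPLE_SOURCE) are this example's own choices.

```python
import base64
import binascii
import re

# An optional "Basic " prefix followed by a base64 run long enough to hold a
# userid:password pair; shorter base64-looking words (identifiers) are ignored.
_TOKEN_RE = re.compile(r'(?:Basic\s+)?([A-Za-z0-9+/]{16,}={0,2})')


def decode_basic(value):
    # Returns (userid, password) when value is base64 of "userid:password"
    # (RFC 7617 layout), otherwise None. A leading "Basic " is tolerated.
    token = value[6:] if value.startswith("Basic ") else value
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if ":" not in text or not text.isprintable():
        return None
    userid, _, password = text.partition(":")
    if not userid or not password:
        return None
    return userid, password


def mask(secret, keep=2):
    # Keep only a short prefix so a finding can be pasted into a ticket.
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


def find_basic_credentials(source):
    # Scans decompiled source text and returns one record per embedded
    # Basic-auth value, in the order found. Ciphertext blobs, hex user ids and
    # other base64-shaped strings that do not decode to userid:password are
    # skipped, which keeps the false-positive rate low on real decompiler output.
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in _TOKEN_RE.finditer(line):
            cred = decode_basic(m.group(1))
            if cred is None:
                continue
            userid, password = cred
            findings.append({
                "line": lineno,
                "has_basic_prefix": m.group(0).startswith("Basic"),
                "userid": userid,
                "password": password,
                "masked": userid + ":" + mask(password),
            })
    return findings


# Constructed sample input modelled on the decompiled strings quoted in STEP 1.
# Line 2 is an encrypted blob (not valid base64), line 5 is a bare hex user id;
# neither should be reported.
SAMPLE_SOURCE = "\n".join([
    '// constructed sample modelled on the decompiled strings quoted above',
    'public static final String TNUOCCA = "FQ/E1KpKybV2Kn87ao2UAcZXf3JbzOsZHek7d09yXrsn+nghl";',
    'String account = "Basic ZWY3NDc1ZWY3MGI0NGY0Njg3MTU4ZmJiYjlmZjNmNDc6fEhYWTIpLjY=";',
    'String card = "Basic MDAwYjk0ZDY2MDFmNGM5NmJhNzVkODQ0MzMxN2EyYTk6eHlBfUZXb0Q=";',
    'String userId = "ef7475ef70b44f4687158fbbb9ff3f47";',
])


if __name__ == "__main__":
    for f in find_basic_credentials(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['masked']} (Basic prefix: {f['has_basic_prefix']})")
```

Run it over the output of jadx or a similar decompiler (one file or a
concatenation of all .java files). The masked form is what to put in the
report; the full password is kept in the record only so the finding can be
verified against the APK.
""")
print()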

print("STEP 2: App Initializes SOAP Client")
print("-" * 80)
print("""
File: com/purolator/mobileapp/PurolatorApplication.java
Method: w() - Line 295-305

Creates Retrofit client with:
- Base URL: https://webservices.purolator.com
- Interceptor: ServicesBasicAuthInterceptor
- Passes BOTH credentials to interceptor:
  
  new ServicesBasicAuthInterceptor(
      X.INSTANCE.b(this, X.DRAC_TIDERC),  // Credit card credential
      X.INSTANCE.b(this, X.TNUOCCA)       // Account credential
  )
""")
print()

print("STEP 3: User Creates/Voids Shipment in App")
print("-" * 80)
print("""
THREE use cases found:

A) CREATE SHIPMENT (with payment):
   File: com/purolator/mobileapp/pages/createShipment/MakePaymentFragment.java
   Line 70: PurolatorApplication.i().x().paymentCreateShipment(
                APIConstants.SERVICES_TYPE_ACCOUNT, 
                soapEnvelope
            )
   
   Endpoint: POST /EWS/v2/Shipping/ShippingService.asmx
   SOAPAction: http://purolator.com/pws/service/v2/CreateShipment
   Payment tag: SERVICES_TYPE_ACCOUNT or SERVICES_TYPE_CREDIT_CARD

B) VOID SHIPMENT (from history):
   File: com/purolator/mobileapp/pages/shipmentHistory/ShipmentHistoryFragment.java
   Line 172: PurolatorApplication.i().x().voidShipment(paymentType, soapEnvelope)
   
   Endpoint: POST /EWS/v2/Shipping/ShippingService.asmx
   SOAPAction: http://purolator.com/pws/service/v2/VoidShipment

C) VOID SHIPMENT (from delivery options):
   File: com/purolator/mobileapp/pages/createShipment/deliveryoptions/DeliveryOptionsShipmentFragment.java
   Line 72: PurolatorApplication.i().x().voidShipment(paymentType, soapEnvelope)
""")
print()

print("STEP 4: Interceptor Adds Credentials")
print("-" * 80)
print("""
File: com/purolator/mobileapp/PurolatorApplication.java
Class: ServicesBasicAuthInterceptor
Method: intercept() - Lines 90-99

Flow:
1. Gets original request
2. Checks payment type from @Tag parameter
3. Selects credential based on type:
   
   if (SERVICES_TYPE_ACCOUNT) {
       credential = accountCredentials;  // ef7475ef70b44f4687158fbbb9ff3f47:|HXY2).6
   } else {
       credential = creditCardCredentials;  // 000b94d6601f4c96ba75d8443317a2a9:xyA}FWoD
   }

4. Adds header to request:
   request.addHeader(
       X.INSTANCE.b(app, X.P_HTUA),  // Header name (likely "Authorization")
       credential                     // Basic auth value
   )
""")
print()

print("STEP 5: Request Sent to Server")
print("-" * 80)
print("""
Expected request format:
POST https://webservices.purolator.com/EWS/v2/Shipping/ShippingService.asmx
Content-Type: text/xml; charset=utf-8
SOAPAction: http://purolator.com/pws/service/v2/CreateShipment
Authorization: Basic ZWY3NDc1ZWY3MGI0NGY0Njg3MTU4ZmJiYjlmZjNmNDc6fEhYWTIpLjY=

<SOAP envelope with shipment data>

NOTE: Our POC test shows the server requires AWS Sig v4, but the app code shows
      only Basic auth. This suggests one of:
      - a native library (not yet reviewed) doing the signing
      - the server accepting Basic auth only from known mobile clients
      - an additional gateway/proxy layer in front of the SOAP endpoint
      Until this is resolved, the credentials are confirmed present in the APK
      but not confirmed usable against the endpoint.
""")
print()

print("="*80)
print("SECURITY IMPACT")
print("="*80)
print("""
FINDINGS (1 and 2 confirmed by static analysis of the APK; 3 not yet confirmed):

1. HARDCODED CREDENTIALS IN APK
   - Two sets of credentials stored encrypted in binary
   - Decryption key in Firebase Remote Config (publicly accessible)
   - All components needed for extraction present in APK
   
2. CREDENTIALS USED FOR SOAP API OPERATIONS
   - paymentCreateShipment - Create billable shipments
   - voidShipment - Cancel existing shipments
   - Endpoint: https://webservices.purolator.com/EWS/v2/Shipping/ShippingService.asmx

3. POTENTIAL IMPACT IF CREDENTIALS WORK
   - Create shipments billed to customer accounts
   - Void legitimate shipments (denial of service)
   - Depends on server-side validation:
     * Valid account numbers required?
     * Device fingerprinting?
     * Rate limiting?

RECOMMENDATION:
- Test with the PMA/EWS team using an actual account number to confirm whether
  the Basic credentials are accepted at all (see the Sig v4 note in STEP 5)
- Verify server-side authorization checks (account ownership, client identity,
  rate limiting)
- Rotate both credentials; treat them as disclosed, since they are recoverable
  from any copy of the APK
- Implement certificate pinning for this endpoint (this only raises the bar for
  on-the-wire interception; it does not protect a secret that ships in the APK)
- Move to device-specific or session-specific credentials: keep the partner
  credentials on a backend the app authenticates to, so no shared secret ships
  in the client
""")
print()
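
print("ADDED EXAMPLE: Session-bound broker instead of credentials in the APK")
print("-" * 80)
print(r"""
The following is an added illustration of the last recommendation above; it
is not the app's code and not a description of how the backend works today.
It shows the minimal shape of a broker: the partner credentials live only on
the server, the client holds a short-lived random session token bound to one
customer account, and the Basic header is attached only after the requested
account matches the session's account. PARTNER_CREDENTIALS, SessionStore,
authorize_and_sign, SESSION_TTL_SECONDS and the placeholder secrets are all
assumptions made for the example.

```python
import base64
import hmac
import secrets
import time

# Constructed placeholders standing in for what currently ships in the APK.
# In this design they exist only on the backend and never reach the device.
PARTNER_CREDENTIALS = {
    "ACCOUNT": ("partner-account-user", "partner-account-secret"),
    "CREDIT_CARD": ("partner-card-user", "partner-card-secret"),
}

SESSION_TTL_SECONDS = 900  # assumed lifetime; short so a stolen token is worth little


def basic_auth_value(user, password):
    # RFC 7617 header value: "Basic " + base64(userid:password)
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


class SessionStore:
    # Maps a random session token to the single customer account it may act on.
    def __init__(self):
        self._sessions = {}

    def issue(self, customer_account, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (customer_account, now + SESSION_TTL_SECONDS)
        return token

    def lookup(self, token, now=None):
        # Constant-time comparison so timing does not leak valid tokens.
        now = time.time() if now is None else now
        for stored, (account, expiry) in self._sessions.items():
            if hmac.compare_digest(stored.encode(), token.encode()):
                return None if now >= expiry else account
        return None


def authorize_and_sign(store, token, requested_account, payment_type, now=None):
    # Returns (ok, reason, headers). The partner credential is attached only
    # after the request is checked against the account bound to the session,
    # which is the server-side authorization check the note above asks about.
    account = store.lookup(token, now)
    if account is None:
        return False, "invalid or expired session", None
    if requested_account != account:
        return False, "account not bound to this session", None
    cred = PARTNER_CREDENTIALS.get(payment_type)
    if cred is None:
        return False, "unknown payment type", None
    return True, "ok", {"Authorization": basic_auth_value(*cred)}


if __name__ == "__main__":
    store = SessionStore()
    token = store.issue("1234567")          # issued after the user logs in
    print(authorize_and_sign(store, token, "1234567", "ACCOUNT")[1])  # ok
    print(authorize_and_sign(store, token, "7654321", "ACCOUNT")[1])  # denied
```

With this layout the interceptor in STEP 4 disappears from the client: the
app sends its session token and the SOAP envelope to the broker, and the
broker (not the APK) holds the two partner credentials and decides which one
to use. Rotating a partner credential then becomes a server-side change with
no app release.
""")
print()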
