fix: add more logs and fetch fresh google creds each attestation (bcg…

…ov#40) Signed-off-by: Bryce McMath <[email protected]>
fullboar · Apr 3, 2024 · 3880a70 · 3880a70
1 parent a75dd05
commit 3880a70
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 28 deletions.
diff --git a/src/apple.py b/src/apple.py
@@ -80,9 +80,9 @@ def verify_x5c_certificates(attestation_object):
             attestation_object["attStmt"]["x5c"][1], default_backend()
         )
 
-        logger.info("root_certificate", root_certificate.subject)
-        logger.info("credential_certificate", credential_certificate.subject)
-        logger.info("intermediate_certificate", intermediate_certificate.subject)
+        logger.info(f"root_certificate: {str(root_certificate.subject)}")
+        logger.info(f"credential_certificate: {str(credential_certificate.subject)}")
+        logger.info(f"intermediate_certificate: {str(intermediate_certificate.subject)}")
 
         if intermediate_certificate.issuer == root_certificate.subject:
             logger.info("The child certificate was issued by the parent certificate.")
@@ -280,7 +280,7 @@ def verify_attestation_statement(attestation_object, key_id, nonce):
         return True
 
     except Exception as e:
-        logger.info("Error during Apple attestation:", e)
+        logger.error(f"Error during Apple attestation: {e}")
         return False
 
 

diff --git a/src/constants.py b/src/constants.py
@@ -17,6 +17,11 @@ class AttestationMethod(Enum):
 aaguid_end = 53
 cred_id_start = 55
 
+# Google Play Integrity
+integrity_scope = "https://www.googleapis.com/auth/playintegrity"
+bc_wallet_package_name = "ca.bc.gov.BCWallet"
+PLAY_RECOGNIZED = "PLAY_RECOGNIZED"
+
 # Redis
 auto_expire_nonce = 60 * 10  # 10 minutes
 

diff --git a/src/goog.py b/src/goog.py
@@ -3,6 +3,7 @@
 from googleapiclient.discovery import build
 from google.oauth2 import service_account
 from dotenv import load_dotenv
+from constants import integrity_scope, bc_wallet_package_name, PLAY_RECOGNIZED
 
 dev_mode = os.getenv("FLASK_ENV") == "development"
 allow_test_builds = os.getenv("ALLOW_TEST_BUILDS") == "true"
@@ -12,11 +13,6 @@
 
 logging.basicConfig(level=logging.INFO)
 logger = logging.getLogger(__name__)
-path = os.getenv("GOOGLE_AUTH_JSON_PATH")
-creds = service_account.Credentials.from_service_account_file(
-    path, scopes=["https://www.googleapis.com/auth/playintegrity"]
-)
-
 
 # should eventually confirm nonce matches here
 def isValidVerdict(verdict, nonce):
@@ -37,36 +33,39 @@ def isValidVerdict(verdict, nonce):
 
         if (
             verdict_nonce == nonce
-            and request_package_name == "ca.bc.gov.BCWallet"
-            and package_name == "ca.bc.gov.BCWallet"
+            and request_package_name == bc_wallet_package_name
+            and package_name == bc_wallet_package_name
             and set(valid_device_verdicts).issubset(device_verdicts)
-            and (app_verdict == "PLAY_RECOGNIZED" or allow_test_builds)
+            and (app_verdict == PLAY_RECOGNIZED or allow_test_builds)
         ):
             return True
         else:
             return False
     except Exception as e:
-        print(e)
-        logger.info("Error evaluating verdict:", e)
+        logger.error(f"Error evaluating verdict: {e}")
         return False
 
 
 # decrypt the integrity token on google's servers
 def verify_integrity_token(token, nonce):
     try:
+        path = os.getenv("GOOGLE_AUTH_JSON_PATH")
+        creds = service_account.Credentials.from_service_account_file(
+            path, scopes=[integrity_scope]
+        )
         service = build("playintegrity", "v1", credentials=creds)
         body = {"integrityToken": token}
         instance = service.v1()
         verdict = instance.decodeIntegrityToken(
-            packageName="ca.bc.gov.BCWallet", body=body
+            packageName=bc_wallet_package_name, body=body
         ).execute()
 
         if isValidVerdict(verdict, nonce):
             return True
         else:
             return False
     except Exception as e:
-        logger.info("Error verifying integrity token:", e)
+        logger.error(f"Error verifying integrity token: {e}")
         return False
 
 

diff --git a/src/traction.py b/src/traction.py
@@ -17,6 +17,7 @@ def fetch_bearer_token():
     global bearer_token
 
     if bearer_token:
+        logger.info("Found existing bearer token, returning it")
         return bearer_token
 
     base_url = os.environ.get("TRACTION_BASE_URL")
@@ -35,9 +36,13 @@ def fetch_bearer_token():
         response_data = json.loads(response.text)
 
         bearer_token = response_data["token"]
+        if bearer_token is None:
+            logger.error("Token doesn't exist in response data")
+
         return bearer_token
     else:
-        logger.info(f"Error fetcing token: {response.status_code}")
+        logger.error(f"Error fetching token: {response.status_code}")
+        logger.error(f"Text content for error: {response.text}")
 
 
 def get_connection(conn_id):
@@ -58,10 +63,11 @@ def get_connection(conn_id):
     response = requests.get(url, headers=headers)
 
     if response.status_code == 200:
-        logger.info("Conneciton fetched successfully")
+        logger.info("Connection fetched successfully")
         return json.loads(response.text)
     else:
-        logger.info(f"Error fetcing conneciton message: {response.status_code}")
+        logger.error(f"Error fetching connection message: {response.status_code}")
+        logger.error(f"Text content for error: {response.text}")
 
     return None
 
@@ -99,7 +105,7 @@ def send_generic_message(conn_id, endpoint, message):
     if response.status_code == 200:
         logger.info("Message sent successfully")
     else:
-        logger.info(f"Error sending message: {response.status_code} {response.text}")
+        logger.error(f"Error sending message: {response.status_code} {response.text}")
 
 
 def send_message(conn_id, content):
@@ -123,7 +129,7 @@ def send_message(conn_id, content):
     if response.status_code == 200:
         logger.info("Message sent successfully")
     else:
-        logger.info(f"Error sending message: {response.status_code}")
+        logger.error(f"Error sending message: {response.status_code}")
 
 
 def offer_attestation_credential(offer):
@@ -148,7 +154,8 @@ def offer_attestation_credential(offer):
     if response.status_code == 200:
         logger.info("Offer sent successfully")
     else:
-        logger.info(f"Error sending offer: {response.status_code}")
+        logger.error(f"Error sending offer: {response.status_code}")
+        logger.error(f"Text content for error: {response.text}")
 
 
 def get_schema(schema_id):
@@ -171,13 +178,14 @@ def get_schema(schema_id):
     if response.status_code == 200:
         logger.info("Schema queried successfully")
     else:
-        logger.info(f"Error quering schema: {response.status_code}")
+        logger.error(f"Error querying schema: {response.status_code}")
+        logger.error(f"Text content for error: {response.text}")
 
     return response.json()
 
 
 def get_cred_def(schema_id):
-    logger.info("get_schema")
+    logger.info("get_cred_def")
 
     base_url = os.environ.get("TRACTION_BASE_URL")
     endpoint = "/credential-definitions/created"
@@ -194,9 +202,10 @@ def get_cred_def(schema_id):
     response = requests.get(url, headers=headers, params={"schema_id": schema_id})
 
     if response.status_code == 200:
-        logger.info("Schema queried successfully")
+        logger.info("Cred def queried successfully")
     else:
-        logger.info(f"Error quering schema: {response.status_code}")
+        logger.error(f"Error querying cred def: {response.status_code}")
+        logger.error(f"Text content for error: {response.text}")
 
     return response.json()
 
@@ -227,7 +236,8 @@ def create_schema(schema_name, schema_version, attributes):
     if response.status_code == 200:
         logger.info("Schema created successfully")
     else:
-        logger.info(f"Error creating schema: {response.status_code}")
+        logger.error(f"Error creating schema: {response.status_code}")
+        logger.error(f"Text content for error: {response.text}")
 
     return response.json()
 
@@ -264,6 +274,7 @@ def create_cred_def(schema_id, tag, revocation_registry_size=0):
         return response.json()
 
     else:
-        logger.info(f"Error creating request: {response.status_code}")
+        logger.error(f"Error creating request: {response.status_code}")
+        logger.error(f"Text content for error: {response.text}")
 
     return None