alexa_ruby 1.3.1 → 1.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: a28d3e44888f08923d448b5a675e682385fcada0
-  data.tar.gz: be3114c0d065b28dd04f48bb8237a0198c38cea7
+  metadata.gz: 28630927ffe709806449fc5c67540dbef0753e4f
+  data.tar.gz: 84c0caa9f8f813736565eaee144634fa4a6bc457
 SHA512:
-  metadata.gz: e92206b7c69748dbd3ff41762a0bffc1c2d0190a308174b3939a0c8653cafaae6bc2fd50b1613c112317f76d27f5f035a0099c6150d2cbecf8cb376d1e1576b2
-  data.tar.gz: e6a018b12bac14cbfe84b92ffe8ef061e1ab03db338df73a5a5c7ed0b3c906dca5360180ef26329d8f3020d1efff87c8c0d81574cfeae666198e768bf7a28e65
+  metadata.gz: dc51a947340ba26899fc75e033372c5842edc5c653770608f56c67c934e878eceac2d9dcf1137ba286b87555895d889154e756712c91e904a9388385e9e02b57
+  data.tar.gz: c9524f193e8ff842a9f007050da4cebd727cf0ccfb9da5c131b5ca7857cfa7ae14009b91f0164371bdb36570b7accee08baee8befaeb2c9af720fb4d97adc970

data/CHANGELOG

@@ -1,3 +1,6 @@
+[1.4.0]
+- Validate Amazon request signature and SSL certificates
+
 [1.3.1]
 - Slot can have no value at all
 

data/Gemfile.lock

@@ -2,13 +2,17 @@ PATH
   remote: .
   specs:
     alexa_ruby (1.3.1)
+      addressable (>= 2.5.1)
       bundler (>= 1.6.9)
+      httparty (>= 0.15.5)
       oj (~> 3.0)
       rake
 
 GEM
   remote: https://rubygems.org/
   specs:
+    addressable (2.5.1)
+      public_suffix (~> 2.0, >= 2.0.2)
     ansi (1.5.0)
     builder (3.2.3)
     coveralls (0.8.21)
@@ -18,6 +22,8 @@ GEM
       thor (~> 0.19.4)
       tins (~> 1.6)
     docile (1.1.5)
+    httparty (0.15.5)
+      multi_xml (>= 0.5.2)
     json (2.1.0)
     minitest (5.10.2)
     minitest-reporters (1.1.14)
@@ -25,7 +31,9 @@ GEM
       builder
       minitest (>= 5.0)
       ruby-progressbar
-    oj (3.0.10)
+    multi_xml (0.6.0)
+    oj (3.1.3)
+    public_suffix (2.0.5)
     rake (12.0.0)
     ruby-progressbar (1.8.1)
     simplecov (0.14.1)
@@ -48,4 +56,4 @@ DEPENDENCIES
   minitest-reporters (~> 1.1, >= 1.1.14)
 
 BUNDLED WITH
-   1.15.0
+   1.15.3

data/README.md

@@ -63,12 +63,22 @@ class App < Roda
 end
 ```
 
-Request validations can be disabled:
+Request structure validations can be disabled:
 
 ```ruby
 AlexaRuby.new(request, disable_validations: true)
 ```
 
+If needed, you can validate request signature and Amazon SSL certificates chain. To do so specify several parameters:
+
+```ruby
+AlexaRuby.new(
+  request,
+  certificates_chain_url: url,
+  request_signature: signature
+)
+```
+
 After initializing new AlexaRuby instance you will have a possibility to access
 all parameters of the received request.
 

data/lib/alexa_ruby/alexa.rb

@@ -15,16 +15,19 @@ module AlexaRuby
       invalid_request_exception if invalid_request?
       @request = define_request
       raise ArgumentError, 'Unknown type of Alexa request' if @request.nil?
+      @request.valid? if ssl_check?
       @response = Response.new(@request.type, @request.version)
     end
 
     private
 
-    # Check if validations are enabled
-    #
-    # @return [Boolean]
-    def validations_enabled?
-      !@opts[:disable_validations] || @opts[:disable_validations].nil?
+    # Request structure isn't valid, raise exception
+    def invalid_request_exception
+      raise ArgumentError,
+            'Invalid request structure, ' \
+            'please, refer to the Amazon Alexa manual: ' \
+            'https://developer.amazon.com/public/solutions' \
+            '/alexa/alexa-skills-kit/docs/alexa-skills-kit-interface-reference'
     end
 
     # Check if it is an invalid request
@@ -34,13 +37,11 @@ module AlexaRuby
       @req[:version].nil? || @req[:request].nil? if validations_enabled?
     end
 
-    # Request structure isn't valid, raise exception
-    def invalid_request_exception
-      raise ArgumentError,
-            'Invalid request structure, ' \
-            'please, refer to the Amazon Alexa manual: ' \
-            'https://developer.amazon.com/public/solutions' \
-            '/alexa/alexa-skills-kit/docs/alexa-skills-kit-interface-reference'
+    # Check if validations are enabled
+    #
+    # @return [Boolean]
+    def validations_enabled?
+      !@opts[:disable_validations] || @opts[:disable_validations].nil?
     end
 
     # Initialize proper request object
@@ -58,5 +59,15 @@ module AlexaRuby
         AudioPlayerRequest.new(@req)
       end
     end
+
+    # Check if we have SSL certificates URL and request signature
+    # and need to validate Amazon request
+    #
+    # @return [Boolean]
+    def ssl_check?
+      @request.certificates_chain_url = @opts[:certificates_chain_url]
+      @request.signature = @opts[:request_signature]
+      @request.certificates_chain_url && @request.signature
+    end
   end
 end

data/lib/alexa_ruby/request/base_request/validator/certificates.rb

@@ -0,0 +1,84 @@
+require 'httparty'
+require 'openssl'
+
+module AlexaRuby
+  # SSL certificates validator
+  class Certificates
+    # Setup new certificates chain
+    #
+    # @param certificates_chain_url [String] SSL certificates chain URL
+    # @param signature [String] HTTP request signature
+    # @param request [String] plain HTTP request body
+    def initialize(certificates_chain_url, signature, request)
+      download_certificates(certificates_chain_url)
+      @signature = signature
+      @request = request
+    end
+
+    # Check if it is a valid certificates chain and request signature
+    #
+    # @return [Boolean]
+    def valid?
+      raise ArgumentError, 'Inactive Amazon SSL certificate' unless active?
+      raise ArgumentError, 'Inactive host in SSL certificate' unless amazon?
+      raise ArgumentError, 'Signature and request mismatch' unless verified?
+      true
+    end
+
+    private
+
+    # Download SSL certificates chain from Amazon URL
+    #
+    # @param certificates_chain_url [String] SSL certificates chain URL
+    def download_certificates(certificates_chain_url)
+      resp = HTTParty.get(certificates_chain_url)
+      raise ArgumentError, 'Invalid certificates chain' unless resp.code == 200
+      @cert = OpenSSL::X509::Certificate.new(resp.body)
+    end
+
+    # Check if it is an active certificate
+    #
+    # @return [Boolean]
+    def active?
+      now = Time.now
+      @cert.not_before < now && @cert.not_after > now
+    end
+
+    # Check if Subject Alternative Names includes Amazon domain name
+    #
+    # @return [Boolean]
+    def amazon?
+      @cert.subject.to_a.flatten.include? 'echo-api.amazon.com'
+    end
+
+    # Check if given signature matches given request
+    #
+    # @return [Boolean]
+    def verified?
+      sign = decode_signature
+      pkey = public_key
+      pkey.verify(hash, sign, @request)
+    end
+
+    # Decode base64-encoded signature
+    #
+    # @return [String] decoded signature
+    def decode_signature
+      Base64.decode64(@signature)
+    end
+
+    # Get public key from certificate
+    #
+    # @return [OpenSSL::PKey::RSA] OpenSSL PKey object
+    def public_key
+      @cert.public_key
+    end
+
+    # Get hash type for comparison
+    #
+    # @return [OpenSSL::Digest::SHA1] OpenSSL SHA1 hash
+    def hash
+      OpenSSL::Digest::SHA1.new
+    end
+  end
+end

data/lib/alexa_ruby/request/base_request/validator/uri.rb

@@ -0,0 +1,54 @@
+module AlexaRuby
+  # URI request validator
+  class URI
+    attr_reader :uri
+
+    # Setup new URI
+    #
+    # @param uri [String] URI
+    def initialize(uri)
+      @uri = Addressable::URI.parse(uri).normalize!
+    end
+
+    # Check if it is a valid Amazon URI
+    #
+    # @return [Boolean]
+    def valid?
+      raise ArgumentError, 'Certificates chain URL must be HTTPS' unless https?
+      raise ArgumentError, 'Not Amazon host in certificates URL' unless amazon?
+      raise ArgumentError, 'Invalid certificates chain URL' unless echo_api?
+      raise ArgumentError, 'Certificates chain URL must be HTTPS' unless port?
+      true
+    end
+
+    private
+
+    # Check if URI scheme is HTTPS
+    #
+    # @return [Boolean]
+    def https?
+      @uri.scheme == 'https'
+    end
+
+    # Check if URI host is a valid Amazon host
+    #
+    # @return [Boolean]
+    def amazon?
+      @uri.host.casecmp('s3.amazonaws.com').zero?
+    end
+
+    # Check if URI path starts with /echo.api/
+    #
+    # @return [Boolean]
+    def echo_api?
+      @uri.path[0..9] == '/echo.api/'
+    end
+
+    # Check if URI port is 443 if port is present
+    #
+    # @return [Boolean]
+    def port?
+      @uri.port.nil? || @uri.port == 443
+    end
+  end
+end

data/lib/alexa_ruby/request/base_request/validator.rb

@@ -0,0 +1,54 @@
+module AlexaRuby
+  # Validator is responsible for Amazon request validation:
+  #   - SignatureCertChainUrl validation
+  #   - Amazon Alexa request signature validation
+  class Validator
+    TIMESTAMP_TOLERANCE = 150
+
+    # Setup new validator
+    #
+    # @param cert_chain_url [String] SSL certificates chain URI
+    # @param signature [String] HTTP request signature
+    # @param request [Object] json request
+    # @param timestamp_diff [Integer] valid distance in seconds between
+    #                                 current time and the request timestamp
+    def initialize(cert_chain_url, signature, request, timestamp_diff = nil)
+      @chain_url = cert_chain_url
+      @signature = signature
+      @request = request
+      @timestamp_diff = timestamp_diff || TIMESTAMP_TOLERANCE
+    end
+
+    # Check if it is a valid Amazon request
+    #
+    # @return [Boolean]
+    def valid_request?
+      raise ArgumentError, 'Outdated request' unless timestamp_tolerant?
+      valid_uri? && valid_certificates?
+    end
+
+    private
+
+    # Check if request is timestamp tolerant
+    #
+    # @return [Boolean]
+    def timestamp_tolerant?
+      request_ts = @request[:request][:timestamp]
+      Time.parse(request_ts) >= (Time.now - @timestamp_diff)
+    end
+
+    # Check if it is a valid Amazon URI
+    #
+    # @return [Boolean]
+    def valid_uri?
+      URI.new(@chain_url).valid?
+    end
+
+    # Check if it is a valid certificates chain and request signature
+    #
+    # @return [Boolean]
+    def valid_certificates?
+      Certificates.new(@chain_url, @signature, Oj.to_json(@request)).valid?
+    end
+  end
+end

data/lib/alexa_ruby/request/base_request.rb

@@ -2,6 +2,7 @@ module AlexaRuby
   # Amazon Alexa web service request
   class BaseRequest
     attr_reader :version, :type, :session, :context, :id, :timestamp, :locale
+    attr_accessor :certificates_chain_url, :signature
 
     # Initialize new request object
     #
@@ -17,6 +18,14 @@ module AlexaRuby
       parse_base_params(@req[:request])
     end
 
+    # Check if it is a valid Amazon request
+    #
+    # @return [Boolean]
+    def valid?
+      validator = Validator.new(certificates_chain_url, signature, @req)
+      validator.valid_request?
+    end
+
     # Return JSON representation of given request
     #
     # @return [String] request json

data/lib/alexa_ruby/response/audio_player.rb

@@ -84,7 +84,7 @@ module AlexaRuby
     # @param url [String] some URL
     # @return [Boolean]
     def invalid_url?(url)
-      URI.parse(url).scheme != 'https'
+      Addressable::URI.parse(url).scheme != 'https'
     end
 
     # Get station token

data/lib/alexa_ruby/response/card.rb

@@ -95,7 +95,7 @@ module AlexaRuby
     # @param url [String] some URL
     # @return [Boolean]
     def invalid_url?(url)
-      URI.parse(url).scheme != 'https'
+      Addressable::URI.parse(url).scheme != 'https'
     end
   end
 end

data/lib/alexa_ruby/version.rb

@@ -1,3 +1,3 @@
 module AlexaRuby
-  VERSION = '1.3.1'.freeze
+  VERSION = '1.4.0'.freeze
 end

data/lib/alexa_ruby.rb

@@ -1,4 +1,5 @@
 # Utilities
+require 'addressable/uri'
 require 'oj'
 require 'securerandom'
 
@@ -8,6 +9,9 @@ require 'alexa_ruby/request/base_request'
 require 'alexa_ruby/request/base_request/context'
 require 'alexa_ruby/request/base_request/context/device'
 require 'alexa_ruby/request/base_request/session'
+require 'alexa_ruby/request/base_request/validator'
+require 'alexa_ruby/request/base_request/validator/uri'
+require 'alexa_ruby/request/base_request/validator/certificates'
 require 'alexa_ruby/request/base_request/user'
 require 'alexa_ruby/request/audio_player_request'
 require 'alexa_ruby/request/launch_request'
@@ -28,6 +32,8 @@ module AlexaRuby
     #                         can be hash or JSON encoded string
     # @param opts [Hash] additional options:
     #   :disable_validations [Boolean] disables request validation if true
+    #   :certificates_chain_url [String] URL of Amazon SSL certificates chain
+    #   :request_signature [String] Base64-encoded request signature
     # @return [Object] new Request object instance
     # @raise [ArgumentError] if given object isn't a valid JSON object
     def new(request, opts = {})

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: alexa_ruby
 version: !ruby/object:Gem::Version
-  version: 1.3.1
+  version: 1.4.0
 platform: ruby
 authors:
 - Mike Mulev
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-07-24 00:00:00.000000000 Z
+date: 2017-08-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -52,6 +52,34 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: addressable
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.5.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.5.1
+- !ruby/object:Gem::Dependency
+  name: httparty
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.15.5
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.15.5
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
@@ -113,6 +141,9 @@ files:
 - lib/alexa_ruby/request/base_request/context/device.rb
 - lib/alexa_ruby/request/base_request/session.rb
 - lib/alexa_ruby/request/base_request/user.rb
+- lib/alexa_ruby/request/base_request/validator.rb
+- lib/alexa_ruby/request/base_request/validator/certificates.rb
+- lib/alexa_ruby/request/base_request/validator/uri.rb
 - lib/alexa_ruby/request/intent_request.rb
 - lib/alexa_ruby/request/intent_request/slot.rb
 - lib/alexa_ruby/request/launch_request.rb
@@ -142,7 +173,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.2.2
+rubygems_version: 2.6.12
 signing_key: 
 specification_version: 4
 summary: Ruby toolkit for Amazon Alexa API