alexa_skills_ruby 0.0.7 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1b4eda332ab8e4a78464b23a3dfc9307ac1cac0c
-  data.tar.gz: 7f48f5b4bbb293f6472f252a70250c13cb1075ad
+  metadata.gz: 51b36b59de95199d06f652746412db9e4c079f93
+  data.tar.gz: 228715baaf0c2b52a3b5686c342b463fb7a69773
 SHA512:
-  metadata.gz: cb5d5637a8c8c98678e30f8410482f4ca9d00c276ef1b8dabba34401dbca5286d907219f39b2cffeff8610584716080fdcb285f266adb3f203dac3b4336d0b16
-  data.tar.gz: fb16ac0c815dde299d5baa140ba1b9db8967ff8f6abd63efc1569c4aca0b350e3ea163c1d9d9cdb784397bbaf3520794c2b16a2e605bf33185f70a1a653bfe6c
+  metadata.gz: f24e5ef81403c726452728d74e0f66015f182244e78dcb8564a0d934d922fc06afea6c097a45fb8a21d5e248eacf26fc0d71f4c173dc3dfc4af0b103d752cc57
+  data.tar.gz: 50a2b116aa410629118124a902b5e6ea9164212f54d2f04ebd261e7f05494f2c93c86bae7945d4260e4b116c33a621e599ac88195078281575d0e22777586866

data/.ruby-version

@@ -0,0 +1 @@
+ruby-2.3.1

data/README.md

@@ -8,6 +8,7 @@ register event handlers.
 
 The following handlers are available:
 
+* `on_verify_signature` - called before checking message certificate and signature
 * `on_authenticate` - called before checking the ApplicationID
 * `on_session_start` - called first if the request is flagged as a new session
 * `on_launch` - called for a LaunchRequest
@@ -26,6 +27,12 @@ In event handlers, the following methods are available:
 The `AlexaSkillsRuby::Handler` constructor takes an options hash and processes the following keys:
 * `application_id` - If set, will raise a `AlexaSkillsRuby::InvalidApplicationId` if a request's application_id does not match
 * `logger` - Will be available through the `logger` method in the handler; not otherwise used by the base class
+* `skip_signature_validation` - If true, skips any message signature or certificate validation
+* `certificate_cache` - Optional key that allows use of an external cache for Amazon's certificate.  Must be an instance of an object that has the same method definitions as `AlexaSkillsRuby::SimpleCertificateCache`
+* `root_certificates` - If your CA certificates are not accessible to Ruby by default, you may pass a list of either filenames or OpenSSL::X509::Certificate objects for use in validating Amazon's certificate.
+
+The `AlexaSkillsRuby::Handler#handle` method takes 2 arguments: a string containing the body of the request, and a hash of HTTP headers.  If using
+signature validation, the headers hash _must_ contain the Signature and SignatureCertChainUrl HTTP headers.
 
 ## Example Sinatra App Using this Library
 
@@ -50,8 +57,9 @@ post '/' do
   handler = CustomHandler.new(application_id: ENV['APPLICATION_ID'], logger: logger)
 
   begin
-    handler.handle(request.body.read)
-  rescue AlexaSkillsRuby::InvalidApplicationId => e
+    hdrs = { 'Signature' => request.env['HTTP_SIGNATURE'], 'SignatureCertChainUrl' => request.env['HTTP_SIGNATURECERTCHAINURL'] }
+    handler.handle(request.body.read, hdrs)
+  rescue AlexaSkillsRuby::Error => e
     logger.error e.to_s
     403
   end

data/Rakefile

@@ -4,4 +4,9 @@ require 'rspec/core/rake_task'
 RSpec::Core::RakeTask.new(:spec)
 
 task :test => :spec
-task :default => :spec
+task :default => :spec
+
+desc "Open an irb session preloaded with this library"
+task :console do
+  sh "irb -rubygems -I lib -r alexa_skills_ruby.rb"
+end

data/alexa_skills_ruby.gemspec

@@ -18,9 +18,11 @@ Gem::Specification.new do |spec|
 
   spec.add_runtime_dependency 'activesupport', '>= 4.2'
   spec.add_runtime_dependency "multi_json", "~> 1.0"
+  spec.add_runtime_dependency 'addressable', '~> 2.5'
 
   spec.add_development_dependency "bundler"
   spec.add_development_dependency "rake"
-  spec.add_development_dependency "rspec", "~> 3.4.0"
-  spec.add_development_dependency "oj", "~> 2.10.2"
+  spec.add_development_dependency "rspec", "~> 3.5"
+  spec.add_development_dependency "oj", "~> 2.10"
+  spec.add_development_dependency "webmock", "~> 2.3"
 end

data/lib/alexa_skills_ruby.rb

@@ -1,6 +1,10 @@
 require 'active_support/core_ext/class/attribute'
 require 'active_support/callbacks'
+require 'addressable/uri'
+require 'base64'
 require 'multi_json'
+require 'net/http'
+require 'openssl'
 
 require 'alexa_skills_ruby/version'
 require 'alexa_skills_ruby/json_object'
@@ -20,6 +24,9 @@ require 'alexa_skills_ruby/json_objects/response'
 require 'alexa_skills_ruby/json_objects/skills_request'
 require 'alexa_skills_ruby/json_objects/skills_response'
 require 'alexa_skills_ruby/errors'
+require 'alexa_skills_ruby/certificate_validator'
+require 'alexa_skills_ruby/simple_certificate_cache'
+require 'alexa_skills_ruby/signature_validator'
 require 'alexa_skills_ruby/handler'
 
 module AlexaSkillsRuby

data/lib/alexa_skills_ruby/certificate_validator.rb

@@ -0,0 +1,65 @@
+module AlexaSkillsRuby
+  class CertificateValidator
+
+    def initialize(extra_cas = [])
+      @store = OpenSSL::X509::Store.new.tap { |store| store.set_default_paths }
+      extra_cas.each do |ca|
+        case ca
+          when String
+            @store.add_file(ca)
+          when OpenSSL::X509::Certificate
+            @store.add_cert(ca)
+          else
+            raise AlexaSkillsRuby::ConfigurationError, 'root_certificates config option must contain only filenames as strings or OpenSSL::X509::Certificate objects'
+        end
+      end
+    end
+
+    def get_signing_certificate(pem_data)
+      chain = chain_certs(get_certs(pem_data))
+      chain[0...-1].each do |c|
+        if @store.verify(c)
+          @store.add_cert(c)
+        end
+      end
+
+      if @store.verify(chain.last)
+        chain.last
+      else
+        nil
+      end
+    end
+
+    private
+
+    def get_certs(pem_data)
+      pem_data.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----\n?/m).map do |pem|
+        OpenSSL::X509::Certificate.new(pem)
+      end
+    end
+
+    def chain_certs(certs)
+      certs = certs.dup
+      failed = false
+      chain = [certs.pop]
+
+      while certs.length > 0 && !failed
+        failed = true
+
+        certs.each do |c|
+          if c.subject == chain.first.issuer
+            failed = false
+            chain.unshift(c)
+          elsif c.issuer == chain.last.subject
+            failed = false
+            chain << c
+          end
+        end
+      end
+
+      chain
+
+    end
+
+  end
+end

data/lib/alexa_skills_ruby/errors.rb

@@ -1,4 +1,17 @@
 module AlexaSkillsRuby
-  class InvalidApplicationId < StandardError
+
+  class Error < StandardError
+  end
+
+  class InvalidApplicationId < Error
+  end
+
+  class ConfigurationError < Error
+  end
+
+  class SignatureValidationError < Error
+  end
+
+  class TimestampValidationError < Error
   end
 end

data/lib/alexa_skills_ruby/handler.rb

@@ -1,10 +1,10 @@
 module AlexaSkillsRuby
   class Handler
     include ActiveSupport::Callbacks
-    define_callbacks :authenticate, :session_start, :launch, :intent, :session_end
+    define_callbacks :verify_signature, :authenticate, :session_start, :launch, :intent, :session_end
 
     attr_reader :request, :session, :response
-    attr_accessor :application_id, :logger
+    attr_accessor :application_id, :logger, :skip_signature_validation
 
     def initialize(opts = {})
       if opts[:application_id]
@@ -14,13 +14,21 @@ module AlexaSkillsRuby
       if opts[:logger]
         @logger = opts[:logger]
       end
+
+      certificate_cache = opts[:certificate_cache] || SimpleCertificateCache.new
+      @skip_signature_validation = !!opts[:skip_signature_validation]
+      @signature_validator = SignatureValidator.new(certificate_cache)
+
+      if opts[:root_certificates]
+        @signature_validator.add_certificate_authorities([opts[:root_certificates]].flatten)
+      end
     end
 
     def session_attributes
       @session.attributes ||= {}
     end
 
-    def handle(request_json)
+    def handle(request_json, request_headers = {})
       @skill_request = JsonObjects::SkillsRequest.new(MultiJson.load(request_json))
       @skill_response = JsonObjects::SkillsResponse.new
 
@@ -28,6 +36,19 @@ module AlexaSkillsRuby
       @request = @skill_request.request
       @response = @skill_response.response
 
+      run_callbacks :verify_signature do
+        unless @skip_signature_validation
+          cert_chain_url = request_headers['SignatureCertChainUrl'].to_s.strip
+          signature = request_headers['Signature'].to_s.strip
+          if cert_chain_url.empty? || signature.empty?
+            raise AlexaSkillsRuby::ConfigurationError, 'Missing "SignatureCertChainUrl" or "Signature" header but signature validation is enabled'
+          end
+          @signature_validator.validate(request_json, cert_chain_url, signature)
+        end
+      end
+
+      timestamp_diff = (Time.now - Time.iso8601(@request.timestamp)).abs
+      raise TimestampValidationError, "Invalid timstamp" if timestamp_diff > 150
 
       run_callbacks :authenticate do
         if @application_id
@@ -59,6 +80,10 @@ module AlexaSkillsRuby
       MultiJson.dump(@skill_response.as_json)
     end
 
+    def self.on_verify_signature(&block)
+      set_callback :verify_signature, :before, block
+    end
+
     def self.on_authenticate(&block)
       set_callback :authenticate, :before, block
     end

data/lib/alexa_skills_ruby/signature_validator.rb

@@ -0,0 +1,109 @@
+module AlexaSkillsRuby
+  class SignatureValidator
+
+    def initialize(certificate_cache)
+      @certificate_cache = certificate_cache
+      @extra_cas = []
+    end
+
+    def validate(body, signature_cert_chain_url, signature)
+
+      cert_uri = Addressable::URI.parse(signature_cert_chain_url).normalize
+
+      raise SignatureValidationError, "Invalid signature URL: [#{cert_uri.to_s}]" unless valid_cert_uri?(cert_uri)
+
+      pem_data = @certificate_cache.get(cert_uri.to_s) || fetch_data(cert_uri.to_s)
+      validator = CertificateValidator.new(@extra_cas)
+      cert = validator.get_signing_certificate(pem_data)
+
+      raise SignatureValidationError, "Invalid certificate" unless cert
+
+      @certificate_cache.set(cert_uri.to_s, pem_data)
+
+      public_key = cert.public_key
+      signature = Base64.decode64(signature)
+      unless public_key.verify(OpenSSL::Digest::SHA1.new, signature, body)
+        raise SignatureValidationError, "Signature is invalid"
+      end
+    end
+
+    def add_certificate_authorities(certs)
+      @extra_cas = certs
+    end
+
+    private
+
+    def get_pem_from_cache(url)
+      pem_data = @certificate_cache.get(url)
+      if pem_data
+        cert = OpenSSL::X509::Certificate.new(cert_data)
+        if valid_cert?(cert)
+          cert
+        else
+          nil
+        end
+      else
+        nil
+      end
+    end
+
+    def valid_cert_uri?(uri)
+      case
+        when uri.scheme != 'https'
+          false
+        when uri.host != 's3.amazonaws.com'
+          false
+        when ![nil, 443].include?(uri.port)
+          false
+        when uri.path !~ /^\/echo.api\//
+          false
+        else
+          true
+      end
+    end
+
+    def valid_cert?(cert)
+      cert_errors(cert).empty?
+    end
+
+    def cert_errors(cert)
+      errors = []
+      unless certificate_store.verify(cert)
+        errors << 'Unable to verify identity'
+      end
+
+      unless (cert.not_before..cert.not_after).include?(Time.now)
+        errors << 'Invalid for current date'
+      end
+
+      errors
+    end
+
+    def certificate_valid?(cert)
+      certificate_store.verify(cert)
+    end
+
+    def certificate_store
+      @store ||= OpenSSL::X509::Store.new.tap do |store|
+        store.set_default_paths
+      end
+    end
+
+    def fetch_data(uri_str, limit = 10)
+      raise SignatureValidationError, "too many HTTP redirects while fetching #{uri_str}" if limit == 0
+
+      response = Net::HTTP.get_response(URI(uri_str))
+
+      case response
+        when Net::HTTPSuccess then
+          response.body
+        when Net::HTTPRedirection then
+          location = response['location']
+          fetch(location, limit - 1)
+        else
+          response.value
+      end
+    end
+
+  end
+end

data/lib/alexa_skills_ruby/simple_certificate_cache.rb

@@ -0,0 +1,17 @@
+module AlexaSkillsRuby
+  class SimpleCertificateCache
+
+    def initialize
+      @cache = {}
+    end
+
+    def get(url)
+      @cache[url]
+    end
+
+    def set(url, value)
+      @cache[url] = value
+    end
+
+  end
+end

data/lib/alexa_skills_ruby/version.rb

@@ -1,3 +1,3 @@
 module AlexaSkillsRuby
-  VERSION = '0.0.7'
+  VERSION = '1.0.0'
 end

data/spec/spec_helper.rb

@@ -2,6 +2,8 @@ require 'rubygems'
 require 'bundler/setup'
 require 'oj'
 require 'rspec'
+require 'time'
+require 'webmock/rspec'
 require File.expand_path('../../lib/alexa_skills_ruby', __FILE__)
 
 MultiJson.use :oj

data/spec/support/fixture_support.rb

@@ -8,4 +8,14 @@ module FixtureSupport
     Oj.load(load_json(name))
   end
 
+  def add_timestamp(json)
+    json['request']['timestamp'] = Time.now.iso8601
+  end
+
+  def load_example_json(name)
+    exp = load_fixture(name)
+    add_timestamp(exp)
+    Oj.dump(exp)
+  end
+
 end

data/spec/support/x509_support.rb

@@ -0,0 +1,75 @@
+RSpec.shared_context('x509', { x509: true }) do
+
+  let(:root_key) { OpenSSL::PKey::RSA.new 512 }
+  let(:root_ca) { build_root_ca(root_key) }
+  let(:signing_key) { OpenSSL::PKey::RSA.new 512 }
+  let(:signing_cert) { build_signing_cert(root_ca, signing_key) }
+
+  let(:certificate_url) { 'https://s3.amazonaws.com/echo.api/echo-api-cert.pem' }
+
+  before do
+    stub_request(:get, certificate_url).to_return { |_| { status: 200, body: signing_cert.to_s } }
+  end
+
+  def build_headers(body)
+    {
+        'SignatureCertChainUrl' => certificate_url,
+        'Signature' => Base64.encode64(get_signature(body))
+    }
+  end
+
+  def get_signature(body)
+    signing_key.sign(OpenSSL::Digest::SHA1.new, body)
+  end
+
+  def get_serial
+    @serial_counter ||= 0
+    @serial_counter += 1
+  end
+
+  def build_root_ca(key)
+    root_ca = OpenSSL::X509::Certificate.new
+    root_ca.version = 2 # cf. RFC 5280 - to make it a "v3" certificate
+    root_ca.serial = get_serial
+    root_ca.subject = OpenSSL::X509::Name.parse "/DC=org/DC=umn/CN=mpc-root"
+    root_ca.issuer = root_ca.subject # root CA's are "self-signed"
+    root_ca.public_key = key.public_key
+    root_ca.not_before = Time.now
+    root_ca.not_after = root_ca.not_before + 2 * 365 * 24 * 60 * 60 # 2 years validity
+    ef = OpenSSL::X509::ExtensionFactory.new
+    ef.subject_certificate = root_ca
+    ef.issuer_certificate = root_ca
+    root_ca.add_extension(ef.create_extension("basicConstraints","CA:TRUE",true))
+    root_ca.add_extension(ef.create_extension("keyUsage","keyCertSign, cRLSign", true))
+    root_ca.add_extension(ef.create_extension("subjectKeyIdentifier","hash",false))
+    root_ca.add_extension(ef.create_extension("authorityKeyIdentifier","keyid:always",false))
+    root_ca.sign(key, OpenSSL::Digest::SHA256.new)
+
+    root_ca
+  end
+
+  def build_signing_cert(root_ca, signing_key, valid = true)
+    cert = OpenSSL::X509::Certificate.new
+    cert.version = 2
+    cert.serial = get_serial
+    cert.subject = OpenSSL::X509::Name.parse "/DC=org/DC=umn/CN=mpc-root-#{get_serial}"
+    cert.issuer = root_ca.subject # root CA is the issuer
+    cert.public_key = signing_key.public_key
+    if valid
+      cert.not_before = Time.now
+    else
+      cert.not_before = Time.now + 500
+    end
+    cert.not_after = cert.not_before + 1 * 365 * 24 * 60 * 60 # 1 years validity
+    ef = OpenSSL::X509::ExtensionFactory.new
+    ef.subject_certificate = cert
+    ef.issuer_certificate = root_ca
+    cert.add_extension(ef.create_extension("keyUsage","digitalSignature", true))
+    cert.add_extension(ef.create_extension("subjectKeyIdentifier","hash",false))
+    cert.add_extension(ef.create_extension("subjectAltName","DNS:echo-api.amazon.com",false))
+    cert.sign(root_key, OpenSSL::Digest::SHA256.new)
+
+    cert
+  end
+
+end

data/spec/unit/handler_spec.rb

@@ -1,13 +1,14 @@
 require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
 
-describe AlexaSkillsRuby::Handler do
+describe AlexaSkillsRuby::Handler, x509: true do
 
   class TestHandler < AlexaSkillsRuby::Handler
 
-    attr_reader :auths, :intents, :launch, :ends, :starts
+    attr_reader :verifies, :auths, :intents, :launch, :ends, :starts
 
     def initialize(*args)
       super
+      @verifies = []
       @auths = []
       @intents = []
       @launch = []
@@ -15,6 +16,10 @@ describe AlexaSkillsRuby::Handler do
       @starts = []
     end
 
+    on_verify_signature do
+      @verifies << request
+    end
+
     on_session_start do
       @starts << request
     end
@@ -40,14 +45,15 @@ describe AlexaSkillsRuby::Handler do
     end
   end
 
-  let(:handler) { TestHandler.new }
+  let(:handler) { TestHandler.new(root_certificates: root_ca) }
 
   describe 'with a launch request' do
-    let(:request_json) { load_json 'example_launch.json' }
+    let(:request_json) { load_example_json 'example_launch.json' }
 
     it 'fires the handlers' do
-      handler.handle(request_json)
+      handler.handle(request_json, build_headers(request_json))
 
+      expect(handler.verifies.count).to eq 1
       expect(handler.auths.count).to eq 1
       expect(handler.intents.count).to eq 0
       expect(handler.ends.count).to eq 0
@@ -57,11 +63,12 @@ describe AlexaSkillsRuby::Handler do
   end
 
   describe 'with an intent request' do
-    let(:request_json) { load_json 'example_intent.json' }
+    let(:request_json) { load_example_json 'example_intent.json' }
 
     it 'fires the handlers' do
-      handler.handle(request_json)
+      handler.handle(request_json, build_headers(request_json))
 
+      expect(handler.verifies.count).to eq 1
       expect(handler.auths.count).to eq 1
       expect(handler.intents.count).to eq 1
       expect(handler.ends.count).to eq 0
@@ -74,12 +81,14 @@ describe AlexaSkillsRuby::Handler do
     let(:request_json) do
       json = load_fixture 'example_intent.json'
       json['request']['intent']['name'] = 'special'
+      add_timestamp(json)
       Oj.dump(json)
     end
 
     it 'fires the handlers' do
-      handler.handle(request_json)
+      handler.handle(request_json, build_headers(request_json))
 
+      expect(handler.verifies.count).to eq 1
       expect(handler.auths.count).to eq 1
       expect(handler.intents.count).to eq 2
       expect(handler.ends.count).to eq 0
@@ -89,11 +98,12 @@ describe AlexaSkillsRuby::Handler do
   end
 
   describe 'with a session ended request' do
-    let(:request_json) { load_json 'example_session_ended.json' }
+    let(:request_json) { load_example_json 'example_session_ended.json' }
 
     it 'fires the handlers' do
-      handler.handle(request_json)
+      handler.handle(request_json, build_headers(request_json))
 
+      expect(handler.verifies.count).to eq 1
       expect(handler.auths.count).to eq 1
       expect(handler.intents.count).to eq 0
       expect(handler.ends.count).to eq 1
@@ -104,14 +114,15 @@ describe AlexaSkillsRuby::Handler do
 
   describe 'with an application_id set' do
 
-    let(:handler) { TestHandler.new({application_id: 'amzn1.echo-sdk-ams.app.000000-d0ed-0000-ad00-000000d00ebe'}) }
+    let(:handler) { TestHandler.new({application_id: 'amzn1.echo-sdk-ams.app.000000-d0ed-0000-ad00-000000d00ebe', root_certificates: root_ca}) }
 
     describe 'with a valid app id in request' do
-      let(:request_json) { load_json 'example_session_ended.json' }
+      let(:request_json) { load_example_json 'example_session_ended.json' }
 
       it 'fires the handlers' do
-        handler.handle(request_json)
+        handler.handle(request_json, build_headers(request_json))
 
+        expect(handler.verifies.count).to eq 1
         expect(handler.auths.count).to eq 1
         expect(handler.intents.count).to eq 0
         expect(handler.ends.count).to eq 1
@@ -124,12 +135,14 @@ describe AlexaSkillsRuby::Handler do
       let(:request_json) do
         json = load_fixture 'example_intent.json'
         json['session']['application']['applicationId'] = 'broke'
+        add_timestamp(json)
         Oj.dump(json)
       end
 
       it 'fires the handlers' do
-        expect { handler.handle(request_json) }.to raise_error AlexaSkillsRuby::InvalidApplicationId
+        expect { handler.handle(request_json, build_headers(request_json)) }.to raise_error AlexaSkillsRuby::InvalidApplicationId
 
+        expect(handler.verifies.count).to eq 1
         expect(handler.auths.count).to eq 1
         expect(handler.intents.count).to eq 0
         expect(handler.ends.count).to eq 0
@@ -139,4 +152,58 @@ describe AlexaSkillsRuby::Handler do
     end
   end
 
+  describe 'with signature validation disabled' do
+    let(:handler) { TestHandler.new({skip_signature_validation: true}) }
+    let(:request_json) { load_example_json 'example_launch.json' }
+
+    it 'fires the handlers' do
+      handler.handle(request_json, build_headers(request_json))
+
+      expect(handler.verifies.count).to eq 1
+      expect(handler.auths.count).to eq 1
+      expect(handler.intents.count).to eq 0
+      expect(handler.ends.count).to eq 0
+      expect(handler.starts.count).to eq 1
+      expect(handler.launch.count).to eq 1
+    end
+
+    it 'ignores the headers' do
+      handler.handle(request_json)
+
+      expect(handler.verifies.count).to eq 1
+      expect(handler.auths.count).to eq 1
+      expect(handler.intents.count).to eq 0
+      expect(handler.ends.count).to eq 0
+      expect(handler.starts.count).to eq 1
+      expect(handler.launch.count).to eq 1
+    end
+  end
+
+  describe 'with bad timestamps' do
+    let(:request_json) do
+      json = load_fixture 'example_intent.json'
+      json['request']['timestamp'] = (Time.now - 200).iso8601
+      Oj.dump(json)
+    end
+
+    it 'raises an error' do
+      expect { handler.handle(request_json, build_headers(request_json)) }.to raise_error AlexaSkillsRuby::TimestampValidationError
+    end
+
+    it 'fires the handlers' do
+      begin
+        handler.handle(request_json, build_headers(request_json))
+      rescue
+      end
+
+      expect(handler.verifies.count).to eq 1
+      expect(handler.auths.count).to eq 0
+      expect(handler.intents.count).to eq 0
+      expect(handler.ends.count).to eq 0
+      expect(handler.starts.count).to eq 0
+      expect(handler.launch.count).to eq 0
+
+    end
+  end
+
 end

data/spec/unit/signature_validator_spec.rb

@@ -0,0 +1,55 @@
+require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
+
+describe AlexaSkillsRuby::SignatureValidator, x509: true do
+
+  let(:cert_cache) { AlexaSkillsRuby::SimpleCertificateCache.new }
+  let(:validator) { AlexaSkillsRuby::SignatureValidator.new(cert_cache).tap { |v| v.add_certificate_authorities([root_ca]) } }
+  let(:body) { load_example_json('example_launch.json') }
+  let(:signature) { Base64.encode64(get_signature(body)) }
+
+  it 'validates a good signature' do
+    validator.validate(body, certificate_url, signature)
+  end
+
+  it 'raises on invalid URLs' do
+    [
+        'http://s3.amazonaws.com/echo.api/echo-api-cert.pem',
+        'https://notamazon.com/echo.api/echo-api-cert.pem',
+        'https://s3.amazonaws.com/EcHo.aPi/echo-api-cert.pem',
+        'https://s3.amazonaws.com/invalid.path/echo-api-cert.pem',
+        'https://s3.amazonaws.com:563/echo.api/echo-api-cert.pem'
+    ].each do |url|
+
+      stub_request(:get, url).to_return(status: 200, body: signing_cert.to_s)
+
+      expect { validator.validate(body, url, signature) }.to raise_error(AlexaSkillsRuby::SignatureValidationError, /Invalid signature URL:/)
+    end
+  end
+
+  it 'validates with valid URLs' do
+    [
+        'https://s3.amazonaws.com/echo.api/echo-api-cert.pem',
+        'https://s3.amazonaws.com:443/echo.api/echo-api-cert.pem',
+        'https://s3.amazonaws.com/echo.api/../echo.api/echo-api-cert.pem'
+    ].each do |url|
+
+      stub_request(:get, url).to_return(status: 200, body: signing_cert.to_s)
+
+      validator.validate(body, url, signature)
+    end
+  end
+
+  it 'raises on invalid signature' do
+    different_body = load_example_json('example_intent.json')
+    expect { validator.validate(different_body, certificate_url, signature) }.to raise_error(AlexaSkillsRuby::SignatureValidationError, /Signature is invalid/)
+  end
+
+  describe 'with an invalid signing cert' do
+    let(:signing_cert) { build_signing_cert(root_ca, signing_key, false) }
+
+    it 'raises an error' do
+      expect { validator.validate(body, certificate_url, signature) }.to raise_error(AlexaSkillsRuby::SignatureValidationError, /Invalid certificate/)
+    end
+  end
+
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: alexa_skills_ruby
 version: !ruby/object:Gem::Version
-  version: 0.0.7
+  version: 1.0.0
 platform: ruby
 authors:
 - Dan Elbert
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-11-07 00:00:00.000000000 Z
+date: 2016-12-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -38,6 +38,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: addressable
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.5'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.5'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -72,28 +86,42 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.4.0
+        version: '3.5'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.4.0
+        version: '3.5'
 - !ruby/object:Gem::Dependency
   name: oj
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.10.2
+        version: '2.10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.10'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.10.2
+        version: '2.3'
 description: 
 email:
 - dan.elbert@gmail.com
@@ -102,6 +130,7 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".gitignore"
+- ".ruby-version"
 - ".travis.yml"
 - Gemfile
 - LICENSE
@@ -111,6 +140,7 @@ files:
 - gemfiles/as-4.2.gemfile
 - gemfiles/as-5.0.gemfile
 - lib/alexa_skills_ruby.rb
+- lib/alexa_skills_ruby/certificate_validator.rb
 - lib/alexa_skills_ruby/errors.rb
 - lib/alexa_skills_ruby/handler.rb
 - lib/alexa_skills_ruby/json_object.rb
@@ -129,6 +159,8 @@ files:
 - lib/alexa_skills_ruby/json_objects/skills_request.rb
 - lib/alexa_skills_ruby/json_objects/skills_response.rb
 - lib/alexa_skills_ruby/json_objects/user.rb
+- lib/alexa_skills_ruby/signature_validator.rb
+- lib/alexa_skills_ruby/simple_certificate_cache.rb
 - lib/alexa_skills_ruby/version.rb
 - spec/fixtures/example_intent.json
 - spec/fixtures/example_launch.json
@@ -136,10 +168,12 @@ files:
 - spec/fixtures/example_session_ended.json
 - spec/spec_helper.rb
 - spec/support/fixture_support.rb
+- spec/support/x509_support.rb
 - spec/unit/handler_spec.rb
 - spec/unit/json_object_spec.rb
 - spec/unit/json_objects/skills_request_spec.rb
 - spec/unit/json_objects/skills_response_spec.rb
+- spec/unit/signature_validator_spec.rb
 homepage: https://github.com/DanElbert/alexa_skills_ruby
 licenses: []
 metadata: {}
@@ -159,7 +193,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.6
+rubygems_version: 2.5.1
 signing_key: 
 specification_version: 4
 summary: Simple library to interface with the Alexa Skills Kit
@@ -170,7 +204,9 @@ test_files:
 - spec/fixtures/example_session_ended.json
 - spec/spec_helper.rb
 - spec/support/fixture_support.rb
+- spec/support/x509_support.rb
 - spec/unit/handler_spec.rb
 - spec/unit/json_object_spec.rb
 - spec/unit/json_objects/skills_request_spec.rb
 - spec/unit/json_objects/skills_response_spec.rb
+- spec/unit/signature_validator_spec.rb