alexa_verifier 0.1.0 → 1.0.0

data/lib/alexa_verifier/verifier/certificate_u_r_i_verifier.rb

@@ -0,0 +1,93 @@
+module AlexaVerifier
+  class Verifier
+    # Given an Alexa certificate URI, validate it according to:
+    # https://developer.amazon.com/docs/custom-skills/host-a-custom-skill-as-a-web-service.html#h2_verify_sig_cert
+    #
+    # @since 0.1
+    module CertificateURIVerifier
+      VALIDATIONS = {
+        scheme: 'https',
+        port:   443,
+        host:   's3.amazonaws.com'
+      }.freeze
+
+      PATH_REGEX = %r{\A\/echo.api\/}
+
+      class << self
+        # Check that a given certificate URI meets Amazon's requirements.
+        # Raise an error if it does not.
+        #
+        # @param [String] uri The URI value from HTTP_SIGNATURECERTCHAINURL
+        #
+        # @raise [AlexaVerifier::InvalidCertificateURIError] An error
+        #   raised when the URI does not meet a requirement
+        #
+        # @return [true] This method will either raise an error or return true
+        def valid!(uri)
+          begin
+            uri = URI.parse(uri)
+          rescue URI::InvalidURIError => e
+            puts e
+
+            raise AlexaVerifier::InvalidCertificateURIError,
+                  "#{uri} : #{e.message}"
+          end
+
+          test_validations(uri)
+
+          test_path(uri)
+
+          true
+        end
+
+        # Check that a given certificate URI meets Amazon's requirements
+        # Return true if it does, or false if it does not.
+        #
+        # @param [String] uri The URI value from HTTP_SIGNATURECERTCHAINURL
+        #
+        # @return [Boolean] Returns true if the uri is valid and false if not
+        def valid?(uri)
+          begin
+            valid!(uri)
+          rescue AlexaVerifier::InvalidCertificateURIError => e
+            puts e
+
+            return false
+          end
+
+          true
+        end
+
+        private
+
+        # Test that a given URI meets all of our 'simple' validation rules.
+        #
+        # @param [URI] uri the URI object to test
+        def test_validations(uri)
+          VALIDATIONS.each do |method, value|
+            next if uri.send(method) == value
+
+            raise AlexaVerifier::InvalidCertificateURIError.new(
+              "URI #{method} must be '#{value}'",
+              uri.send(method)
+            )
+          end
+        end
+
+        # Test that a given URI matches our 'path' regex.
+        #
+        # @param [URI] uri the URI object to test
+        def test_path(uri)
+          path = File.absolute_path(uri.path)
+
+          return if path.match(PATH_REGEX) # rubocop:disable Performance/RegexpMatch # Disabled for backwards compatibility below 2.4
+
+          raise AlexaVerifier::InvalidCertificateURIError.new(
+            "URI path must start with '/echo.api/'",
+            uri.path
+          )
+        end
+      end
+    end
+  end
+end

data/lib/alexa_verifier/verifier/certificate_verifier.rb

@@ -0,0 +1,99 @@
+require 'json'
+require 'time'
+require 'net/http'
+require 'openssl'
+require 'base64'
+
+module AlexaVerifier
+  class Verifier
+    # Given an OpenSSL certificate, validate it according to:
+    # https://developer.amazon.com/docs/custom-skills/host-a-custom-skill-as-a-web-service.html#h2_verify_sig_cert
+    #
+    # @since 0.1
+    module CertificateVerifier
+      SAN = 'echo-api.amazon.com'.freeze
+
+      class << self
+        # Check that a given certificate meet's Amazon's requirements.
+        # Raise an error if it does not.
+        #
+        # @param [OpenSSL::X509::Certificate] certificate certificate to check.
+        # @param [Array<OpenSSL::X509::Certificate>] chain chain of certificates to a root trusted CA.
+        #
+        # @raise [AlexaVerifier::InvalidCertificateError] raised when
+        #   the provided certificate does not meet a requirement
+        #
+        # @return [true] either returns true or raises an error.
+        def valid!(certificate, chain)
+          check_that_certificate_is_in_date(certificate)
+
+          check_that_certificate_has_the_expected_extensions(certificate)
+
+          check_that_we_can_create_a_chain_of_trust_to_a_root_ca(certificate, chain)
+
+          true
+        end
+
+        # Check that a given certificate meet's Amazon's requirements.
+        # Returns a boolean.
+        #
+        # @param [OpenSSL::X509::Certificate] certificate certificate to check.
+        # @param [Array<OpenSSL::X509::Certificate>] chain chain of certificates to a root CA.
+        #
+        # @return [Boolean] returns the result of our checks.
+        def valid?(certificate, chain)
+          begin
+            valid!(certificate, chain)
+          rescue AlexaVerifier::InvalidCertificateError => e
+            puts e
+
+            return false
+          end
+
+          true
+        end
+
+        private
+
+        # Given a certificate file, check that it is in date.
+        #
+        # @param [OpenSSL::X509::Certificate] certificate the certificate we should check
+        #
+        # @raise [AlexaVerifier::InvalidCertificateError] raised if the certificate is not in date
+        def check_that_certificate_is_in_date(certificate)
+          certificate_in_date = Time.now.between?(certificate.not_before, certificate.not_after)
+          raise AlexaVerifier::InvalidCertificateError, 'Certificate is not in date.' unless certificate_in_date
+        end
+
+        # Given a certificate file, check that it contains our expected extensions
+        #
+        # @param [OpenSSL::X509::Certificate] certificate the certificate we should check
+        #
+        # @raise [AlexaVerifier::InvalidCertificateError] raised if the extensions are not present
+        def check_that_certificate_has_the_expected_extensions(certificate)
+          valid_sans = certificate.extensions.select do |extension|
+            valid_oid = (extension.oid == 'subjectAltName')
+            valid_value = (extension.value == "DNS:#{SAN}")
+
+            valid_oid && valid_value
+          end
+          raise AlexaVerifier::InvalidCertificateError, "Certificate does not contain SAN: #{SAN}." if valid_sans.empty?
+        end
+
+        # Check that the certificate, along with any chain from our downloaded certificate file, makes a chain of trust to a trusted root CA
+        #
+        # @param [OpenSSL::X509::Certificate] certificate certificate we should check
+        # @param [Array<OpenSSL::X509::Certificate>] chain chain of certificates to a root trusted CA
+        #
+        # @raise [AlexaVerifier::InvalidCertificateError] raised if a chain of trust could not be established
+        def check_that_we_can_create_a_chain_of_trust_to_a_root_ca(certificate, chain)
+          openssl_x509_store = OpenSSL::X509::Store.new
+          openssl_x509_store.set_default_paths
+
+          valid_certificate_chain = openssl_x509_store.verify(certificate, chain)
+          raise AlexaVerifier::InvalidCertificateError, "Unable to create a 'chain of trust' from the provided certificate to a trusted root CA." unless valid_certificate_chain
+        end
+      end
+    end
+  end
+end

data/lib/alexa_verifier/version.rb

@@ -0,0 +1,3 @@
+module AlexaVerifier
+  VERSION = '1.0.0'.freeze
+end

metadata

@@ -1,102 +1,163 @@
 --- !ruby/object:Gem::Specification
 name: alexa_verifier
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 1.0.0
 platform: ruby
 authors:
 - Christopher Mullins
+- Matt Rayner
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2015-08-03 00:00:00.000000000 Z
+date: 2017-11-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.10'
+        version: '1.16'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.10'
+        version: '1.16'
+- !ruby/object:Gem::Dependency
+  name: coveralls
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.8.21
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.8.21
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '10.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '10.0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.14'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.14'
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.9'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.9'
 - !ruby/object:Gem::Dependency
-  name: curb
+  name: vcr
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.7.16
+        version: '3.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.7.16
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: webmock
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '3.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
-description: 
+        version: '3.0'
+description: This gem is designed to work with Rack applications that serve as back-ends
+  for Amazon Alexa skills.
 email:
 - chris@sidoh.org
+- m@rayner.io
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- .gitignore
-- .rspec
-- .travis.yml
+- ".gitignore"
+- ".hound.yml"
+- ".rspec"
+- ".rubocop.yml"
+- ".ruby-version"
+- ".travis.yml"
+- CODE_OF_CONDUCT.md
 - Gemfile
-- LICENSE.txt
+- LICENSE
 - README.md
 - Rakefile
 - alexa_verifier.gemspec
+- bin/console
+- bin/setup
 - lib/alexa_verifier.rb
-homepage: http://www.github.com/sidoh/alexa_verifier
+- lib/alexa_verifier/base_error.rb
+- lib/alexa_verifier/certificate_store.rb
+- lib/alexa_verifier/configuration.rb
+- lib/alexa_verifier/invalid_certificate_error.rb
+- lib/alexa_verifier/invalid_certificate_u_r_i_error.rb
+- lib/alexa_verifier/invalid_request_error.rb
+- lib/alexa_verifier/verifier.rb
+- lib/alexa_verifier/verifier/certificate_u_r_i_verifier.rb
+- lib/alexa_verifier/verifier/certificate_verifier.rb
+- lib/alexa_verifier/version.rb
+homepage: https://github.com/sidoh/alexa_verifier
 licenses:
 - MIT
 metadata: {}
@@ -106,18 +167,18 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.0.14
+rubygems_version: 2.7.2
 signing_key: 
 specification_version: 4
-summary: Verifies requests sent to an Alexa skill are sent from Amazon
+summary: Verify HTTP requests sent to an Alexa skill are sent from Amazon.
 test_files: []