Closed jingai closed 8 years ago
For AWS Lambda, I'm not in a position to test these changes, so I figured I'd talk a bit about them here.
To verify the certificate validity, I currently get at the certificate and signature via the server environment variables HTTP_SIGNATURECERTCHAINURL and HTTP_SIGNATURE. I then check the DNS field is exactly 'echo-api.amazon.com'; the expiration time of the certificate is not greater than the current server time; the incoming request is from 's3.amazonaws.com' and the url starts with '/echo.api/'; and finally, that the signature actually verifies.
Does all of that sound like it would work on AWS Lambda? I'm just trying to avoid people spamming you with support requests.
I'll push this all up to a branch for you to look at soon.
Sounds great if you are self hosting the Python side of things.
When using AWS Lambda I'm pretty sure all the security between Echo and the Skill is handled for you.
But of course that doesn't include the traffic in and out of your Kodi box.
I honestly don't know, which is why I asked. I can just only enable this stuff in the WSGI handler if that's what we decide to do.
According to the docs, AWS does handle the security between the two:
- You do not need an SSL certificate.
- You do not need to verify that requests are coming from the Alexa service yourself. Access to execute your function is controlled by permissions within AWS instead.
- AWS Lambda runs your code only when you need it and scales with your usage, so there is no need to provision or continuously run servers.
- Alexa encrypts its communications with Lambda utilizing TLS.
Lambda uses the same wsgi.py so it would need to be a configurable option.
Do you know of a way we can refactor the code to accommodate these types of variations yet still keep the bulk of the kodi/alexa bit the same? I have some local tweaks that I think would be worth sharing, i.e. using https and a reverse proxy to speak to your local network.
They both use the same wsgi.py file, but they are handled by different methods: 'lambda_handler' for lambda and 'application' for wsgi.
It already sends it to a separate handler in wsgi.py, so it's already separate. I'd just add these things to the wsgi handler.
Does AWS also handle verifying the appid? I'd think not, and since this is an unpublished skill for everyone, I personally like to make sure it's my copy of the skill making the requests to my server.
On my local copy, I've moved configuration out of environment variables and into a config file (I called it 'wsgi.ini'). I had planned on adding two bools: one to enable cert validation, and one to enable appid verification. They'd both default to off so once this change is merged, it shouldn't suddenly break for everyone using this skill.
I can make similar toggles for the Lambda handler too, and someone who actually has it deployed that way could enable them and see if it works (i.e., m0ngr31).
As for HTTPS, what do you mean exactly? Between the skill server and Kodi? From Amazon to skill server it's already HTTPS.
From skill to Kodi, at the moment kodi.py is only using http to speak to the jsonrpc

```python
import os

# These two methods construct the JSON-RPC message and send it to the Kodi player
def SendCommand(command):
    # Change this to the IP address of your Kodi server or always pass in an address
    KODI = os.getenv('KODI_ADDRESS', '127.0.0.1')
    PORT = int(os.getenv('KODI_PORT', 8080))
    USER = os.getenv('KODI_USERNAME', 'kodi')
    PASS = os.getenv('KODI_PASSWORD', 'kodi')
    print(KODI)
    url = "http://%s:%d/jsonrpc" % (KODI, PORT)
```
Changing it to:

```python
import os

# These two methods construct the JSON-RPC message and send it to the Kodi player
def SendCommand(command):
    # Change this to the IP address of your Kodi server or always pass in an address
    SCHEME = os.getenv('KODI_SCHEME', 'http')
    KODI = os.getenv('KODI_ADDRESS', '127.0.0.1')
    PORT = os.getenv('KODI_PORT', '8080')
    USER = os.getenv('KODI_USERNAME', 'kodi')
    PASS = os.getenv('KODI_PASSWORD', 'kodi')
    print(KODI)
    url = "%s://%s:%s/jsonrpc" % (SCHEME, KODI, PORT)
```
and adding the scheme to the .env

```
KODI_SCHEME = https
KODI_ADDRESS =
KODI_PORT =
KODI_USERNAME =
KODI_PASSWORD =
LAMBDA_ENV_VARS = KODI_SCHEME,KODI_PASSWORD,KODI_USERNAME,KODI_PORT,KODI_ADDRESS
```

changes that, but you do need a certificate at the local end, which is the reason I didn't want to PR it just yet.
> Does AWS also handle verifying the appid? I'd think not, and since this is an unpublished skill for everyone, I personally like to make sure it's my copy of the skill making the requests to my server.

I thought the appid was unique to the developer's account it was created on. Whilst it is in development you can only use it on the Echo registered to the same development account. The developer has to add users/roles to allow other amazon account holders access.
HTTPS between skill and Kodi would be nice, yes. I honestly hadn't considered it much because the server that hosts the skill for me is on the same LAN as the Kodi box I'm controlling.
> I thought the appid was unique to the developer's account it was created on. Whilst it is in development you can only use it on the Echo registered to the same development account. The developer has to add users/roles to allow other amazon account holders access.
The scenario is if another user of this skill points it at your web server. Without verifying the appid within the skill, someone else can pass commands through to you.
See PR #32 for the bulk of this.
@digiltd, you should make a separate Issue for HTTPS from skill <-> Kodi so we can track it.
Could a Heroku user please test as requested in PR #32?
The skill should verify before continuing on:
I have code for all of this, but I need to factor it out of my other local changes.
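Added example, not code from this thread or from PR #32: a sketch of the pre-checks discussed above for the self-hosted WSGI path, covering the certificate chain URL test (host 's3.amazonaws.com', path prefix '/echo.api/') and the appid comparison, which should pass before the certificate is fetched and the signature verified. The function names, the https/port 443 checks and the `session.application.applicationId` location in the request body are assumptions; certificate expiry, the 'echo-api.amazon.com' name check and the signature verification itself are not shown.

```python
import json
import posixpath
from urllib.parse import urlsplit


def cert_url_is_trusted(url):
    """True only for https://s3.amazonaws.com[:443]/echo.api/<file>."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or parts.hostname != "s3.amazonaws.com":
        return False  # hostname excludes any "user@" prefix and is lower-cased
    if port not in (None, 443):
        return False
    # Collapse "../" first so "/echo.api/../x" cannot satisfy the prefix test.
    return posixpath.normpath(parts.path).startswith("/echo.api/")


def request_app_id(body):
    """Read session.application.applicationId from the JSON request body."""
    try:
        return json.loads(body)["session"]["application"]["applicationId"]
    except (ValueError, KeyError, TypeError):
        return None


def precheck(environ, body, expected_app_id):
    """Return the failed checks; an empty list means go on to verify the signature."""
    failures = []
    if not environ.get("HTTP_SIGNATURE"):
        failures.append("missing signature header")
    if not cert_url_is_trusted(environ.get("HTTP_SIGNATURECERTCHAINURL", "")):
        failures.append("untrusted certificate URL")
    if not expected_app_id or request_app_id(body) != expected_app_id:
        failures.append("unexpected application id")
    return failures


# Constructed sample request with placeholder values (not captured traffic).
SAMPLE_ENVIRON = {
    "HTTP_SIGNATURE": "PLACEHOLDER-BASE64-SIGNATURE",
    "HTTP_SIGNATURECERTCHAINURL": "https://s3.amazonaws.com/echo.api/echo-api-cert.pem",
}
SAMPLE_BODY = json.dumps(
    {"session": {"application": {"applicationId": "amzn1.ask.skill.EXAMPLE"}}}
)

if __name__ == "__main__":
    print(precheck(SAMPLE_ENVIRON, SAMPLE_BODY, "amzn1.ask.skill.EXAMPLE"))
```

Normalising the path before the prefix test matters because a URL such as `/echo.api/../other/cert.pem` starts with the expected prefix as a raw string but resolves outside it.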