Skill's app ID: Secure to include in public repository?

I am developing an Alexa Skill with the Skill Kit SDK, and now I am preparing to publish my Skill's repository on GitHub. During development I included my Skill's app ID in the corresponding index.js file and diligently committed my work with my local git.
Is there a risk involved in publishing my Skill's repository with my actual app ID? I could imagine that a malicious party might use the app ID (together with the ARN of my Skill's Lambda function) to send lots of requests and thus incur costs on AWS, but maybe there are other risks.
It seems to be good practice not to include the app ID in the public repository, since no example Skill of the official Amazon Alexa organization has their respective app ID included.

Commonly, people put these keys/secrets in as environment variables and, in the code, write process.env.SKILL_KIT_KEY to retrieve them.
I would strongly recommend, if you make the switch, to deactivate the key you've used and that lives in plain-text in the repo's history and obtain a new one.

Another approach is to include a configuration file that contains all login or password information. You might name this file config.js. Then exclude this file from being checked into Git by listing it in the .gitignore file.
To help others recreate this file with their own information, provide a well-commented template version of this file in the project. Append "Template" to the name (e.g. config_template.js) with instructions to rename it to config.js after editing it to include all their own information.

Related

Would it be advisable to upload my Django Project to github?

I know that Django websites contain a secret key which is not to be disclosed to anyone. However, I really want to showcase my website on GitHub, as I feel it is nice. Unfortunately, I am worried about the secret key's security, and if it would be safe to upload that website to GitHub where everyone can see.
The website type is a personal portfolio website that showcases my projects and more.
So, would it be okay to upload my entire Django Project to GitHub? The only sensitive information I can think of would be my superuser information, and maybe my database, where I store all my project Models for displaying on the website. Pretty much all I know I need to guard is my superuser information.
The Django secret key should not be publicly available (see https://docs.djangoproject.com/en/2.0/ref/settings/#std:setting-SECRET_KEY).
Many sites use an environment variable to set the key.
So your settings file could have something like:
import os
SECRET_KEY = os.environ.get('DJANGO_SECRET_KEY', '')
Have a look at https://github.com/jpadilla/django-dotenv.
You can set your SECRET_KEY inside a .env file which you should add to your .gitignore. This means it will not be tracked or added to any git commit, hence it won't be shown on GitHub.
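The two answers above (the Alexa thread and the Django one) describe the same pattern: read the secret from an environment variable, otherwise from a git-ignored file, and never commit it. The following is an added example, not code from either thread or from django-dotenv; it parses a dotenv-style file with a small parser of its own, raises when the secret is absent instead of defaulting to an empty string (the `os.environ.get('DJANGO_SECRET_KEY', '')` form above silently runs with an empty key), and includes a minimal `.gitignore` sanity check. The sample `.env` contents and the zero-filled skill ID are constructed placeholders.

```python
import os
import pathlib
import tempfile


def parse_dotenv(text):
    """Parse KEY=VALUE lines (dotenv style, as django-dotenv reads them).

    Blank lines and '#' comments are skipped; surrounding quotes are stripped.
    """
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key.strip()] = value
    return values


def load_secret(name, env=None, dotenv_path=None):
    """Return the secret called `name`.

    Lookup order: the process environment, then the git-ignored .env file.
    There is deliberately no empty-string default: a missing secret raises
    instead of the app silently starting with SECRET_KEY = ''.
    """
    env = os.environ if env is None else env
    value = env.get(name)
    if value:
        return value
    if dotenv_path is not None:
        path = pathlib.Path(dotenv_path)
        if path.exists():
            value = parse_dotenv(path.read_text()).get(name)
            if value:
                return value
    raise RuntimeError(
        f"{name} is not set; export it or put it in the git-ignored file {dotenv_path}"
    )


def is_gitignored(gitignore_text, relative_path):
    """Check that `relative_path` appears as a plain entry in .gitignore.

    Only exact file-name entries are handled (no glob patterns); it is a
    pre-commit sanity check, not a replacement for `git check-ignore`.
    """
    entries = {ln.strip().lstrip("/") for ln in gitignore_text.splitlines()}
    return relative_path.lstrip("/") in entries


def demo():
    """Exercise the loader against a constructed .env file in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        dotenv = pathlib.Path(tmp) / ".env"
        # constructed sample values, not real credentials
        dotenv.write_text(
            "# local secrets, never committed\n"
            "DJANGO_SECRET_KEY='s3cr3t-from-file'\n"
            "ALEXA_APP_ID=amzn1.ask.skill.00000000-0000-0000-0000-000000000000\n"
        )
        # the environment wins over the file when both are set
        from_env = load_secret("DJANGO_SECRET_KEY",
                               env={"DJANGO_SECRET_KEY": "from-env"},
                               dotenv_path=dotenv)
        # otherwise the file is consulted
        from_file = load_secret("ALEXA_APP_ID", env={}, dotenv_path=dotenv)
        return from_env, from_file


if __name__ == "__main__":
    print(demo())
```

In a Django settings module the call would be `SECRET_KEY = load_secret("DJANGO_SECRET_KEY", dotenv_path=BASE_DIR / ".env")`; the same loader serves an `ALEXA_APP_ID` or any other value that belongs in config_template.js rather than in the repository. Rotating a key that already sits in git history is still required, as the first answer notes, because removing the file from the working tree does not remove it from past commits.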

BPMN Explorer (WSO2)

I need to customize the Search module of the BPMN Explorer integrated in wso2.
More exactly I want to be able to search using one of the task variables as search parameters.
I have looked in the git repository and came across https://github.com/wso2/carbon-business-process/blob/c6e60e57ab0de5d8de59041647f5cb9b7834d9c7/components/bpmn/org.wso2.carbon.bpmn.ui/src/main/resources/web/bpmn/instance_list_view.jsp
However this script is not in my BPS release (latest available downloaded already).
Could anyone please provide some pointers, at least to how I could go about customizing the search function for the BPMN Explorer?
Thanks!
Edit:
I managed to modify the GUI (searchView.jag file) of the search function, but cannot add functionality for those new fields.
You can do the necessary modifications (customize the search function) in the searchModel.jag file for the fields you added in searchView.jag. Please find it (searchModel.jag) under the <BPS_HOME>/repository/deployment/server/jaggeryapps/bpmn-explorer/model directory.
If you look at the bpmn-explorer folder you can see three sub-folders, namely controller, model and template. The controller folder includes a set of .jag files which are used to check whether the request is secure or not, hold the session and build the basic structure of the rendered pages. The .jag files in the model folder are used to implement the business logic, for example invoking the Activiti REST API to get the process variables, process information, etc. The .jag files in the template folder are used to render the UI elements with the appropriate results. Hope this resolves your issue.

File browser with Django and Alfresco

I have a Django site and a local install of Alfresco (community edition). One of my models contains a file reference which maps to a document in Alfresco. The view should have a field that spawns a file browser that can access the repository structure within Alfresco so that the user can pick whichever file they want at whichever version.
I looked at the cmislib module and it seems to be providing all the interaction I need for the back end code, although downloading a document seems clunky.
There are lots of Django file browsers but none seem to interface with cmislib.
Do I have to code my own or have I missed something?
The version is Alfresco Community v5.0.0 (d r99759-b2) schema 8022 Spring Surf and Spring WebScripts - v5.0.0.
To be honest, I am not a Python guy! But I heard over the official #alfresco IRC channel that cmislib is not so much of an active project, and questions about it only bump once in a while... The RESTful API however may be considered as a good alternative in your use case:
To access alfresco content using the RESTful api, you should be querying this webscript: /alfresco/d/<d|a>/<workspace>/<store>/<nodeId>/<filename>
where :
d and a refer to direct / attached mode
<workspace>, <store> and <nodeId> reference your content nodeRef
<filename> a file name of your choice
So you should be making a GET request on a URL that looks something like this: http://<host>:<port>/alfresco/d/d/workspace/SpacesStore/8444ad61-4734-40e3-b2d4-b8b1c81347fd/myFile.ext
Note : Depending on the permission set on your node, you might need to attach an alf_ticket to the URL for an authenticated alfresco user. Please check this for further insights.
UPDATE 1:
If you have a problem identifying your file nodeRef, then you can setup a repo webscript implementing your custom logic (browsing some folder / searching for a document by name or metadata ....)
If you are not familiar with webscript development, check Jeff Potts' tutorial on the subject.
UPDATE 2:
To get started with your webscript development check out Alfresco docs/wiki!
Check this wiki page to learn how to retrieve children for a given node !
Or check this wiki page to learn how to develop webscripts implementing your custom business logic.
If you do not have anything against the YUI JavaScript library (which is no longer actively maintained), you can integrate the object-finder already available in Alfresco Share. The library is in
share/components/object-finder/object-finder.js
You will need to modify it a bit given that you are not inside Share.
To be totally honest, I do not know if it is feasible because it has other dependencies, but being a browser-side library, in theory it can be integrated anywhere.
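The content URL scheme from the first answer (/alfresco/d/<d|a>/<workspace>/<store>/<nodeId>/<filename>, optionally with alf_ticket) is easy to get subtly wrong from Django code, so here is an added example, not code from the thread or from Alfresco, that builds it from a nodeRef string of the form workspace://SpacesStore/<uuid>. The nodeRef parsing, the single-segment check on the caller-chosen filename, and the helper names are my own assumptions; the ticket value in the usage is a constructed placeholder.

```python
import re
from urllib.parse import quote, urlencode

# nodeRef syntax as Alfresco prints it: <workspace>://<store>/<node uuid>
NODEREF = re.compile(
    r"^(?P<workspace>[A-Za-z]+)://(?P<store>[A-Za-z]+)/(?P<node_id>[0-9a-fA-F-]{36})$"
)


def parse_noderef(noderef):
    """Split 'workspace://SpacesStore/<uuid>' into its three parts."""
    m = NODEREF.match(noderef)
    if not m:
        raise ValueError(f"not a nodeRef: {noderef!r}")
    return m.group("workspace"), m.group("store"), m.group("node_id")


def content_url(noderef, filename, host, port=8080, scheme="http",
                attach=False, alf_ticket=None):
    """Build /alfresco/d/<d|a>/<workspace>/<store>/<nodeId>/<filename>.

    attach=False selects 'd' (direct), attach=True selects 'a' (attached,
    i.e. served as a download). The filename is the caller's choice, so it
    is percent-encoded and must be a single path segment; alf_ticket, when
    given, is appended as a query string for authenticated access.
    """
    if "/" in filename or "\\" in filename or filename in ("", ".", ".."):
        raise ValueError("filename must be a single path segment")
    workspace, store, node_id = parse_noderef(noderef)
    mode = "a" if attach else "d"
    url = (f"{scheme}://{host}:{port}/alfresco/d/{mode}/"
           f"{workspace}/{store}/{node_id}/{quote(filename, safe='')}")
    if alf_ticket:
        url += "?" + urlencode({"alf_ticket": alf_ticket})
    return url


if __name__ == "__main__":
    # nodeRef from the answer above; the ticket is a constructed placeholder
    print(content_url("workspace://SpacesStore/8444ad61-4734-40e3-b2d4-b8b1c81347fd",
                      "myFile.ext", host="localhost", attach=True,
                      alf_ticket="TICKET_placeholder"))
```

Because the ticket rides in the query string, the resulting URL should only be handed to the browser over HTTPS and never written to logs in full; the view that calls `content_url` is also the right place to check that the requesting Django user is allowed to see that nodeRef at all.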

Using fossil embedded documents

I'm using fossil to manage some home projects and keeping notes in the wiki. After running like this for a few months, I'd like to at least try to use embedded documentation; mainly so as to be able easily to go back to previous versions.
I've studied the website page about managing project documentation which confirms that this is a technique I want to follow up, but I can't make out how to do it.
I've cut-and-pasted one of my wiki pages and added it to my fossil repo, but I can't work out where it should go in the directory structure to be accessible as described on the above page.
I've tried in a few places, none of which worked. The document is currently %fossil-root%\doc\foo.wiki (I'm on Windows), where %fossil-root% is the directory holding _ _FOSSIL__ (slightly mangled filename because of markdown), but having started a server with fossil ui, when I point my browser at http://localhost:8080/doc/foo.wiki, fossil presents me with a nicely formatted page saying it can't find index.html. I created /doc/index.html to see what would happen, but it made no difference.
Please can someone help me out, and/or point me to an example repository containing embedded documentation or another "how-to" document.
If your document is located in %fossil-root%\doc\foo.wiki, you can access it at the following URL:
http://localhost:8080/doc/trunk/doc/foo.wiki
This URL breaks down as follows:
http://localhost:8080 is the root URL to access Fossil when you run fossil ui
/doc signals that you want to access embedded documentation
/trunk indicates the checkin containing the documentation you wish to access
/doc/foo.wiki is the path of the document inside the repository
Instead of trunk, you can also specify a tag, or a branch name, or even a hexadecimal checkin identifier.
In the URL you were using, http://localhost:8080/doc/foo.wiki, foo.wiki is interpreted as the checkin name, and no document path is specified, which logically means Fossil won't find anything.
As for an example repository containing embedded documentation, the homepage of the Fossil website itself is a prime example:
https://www.fossil-scm.org/index.html/doc/trunk/www/index.wiki
where
https://www.fossil-scm.org/index.html is Fossil's root URL
/doc indicates a request for embedded documentation
/trunk indicates we want to fetch files from the trunk
/www/ is the path to the requested file inside the repository
index.wiki is the name of the file inside the repository.
So, in the 'trunk' branch of the repository, the file www/index.wiki contains the home page of the Fossil website.
You simply need to put the documentation under the %fossil-root%\www\ directory (or any other directory under version control) in your repository and then you can, for example, add the following line to your header's mainmenu section to link to it:
html "<a href='$home/doc/trunk/www/foo.wiki'>Documentation</a>\n"
As I said, it can be any directory under version control. To test this, pick any file in the repository, let's say a README file at the top level, and go to http://localhost:8080/doc/trunk/README. You should see the README file load up in your browser in a raw text format. By putting wiki or html files under a particular directory such as www you make it easy to organize the files that you specifically want rendered as documentation, which makes it easier to link to them.
http://www.fossil-scm.org/index.html/doc/trunk/www/embeddeddoc.wiki
After Fossil 1.33, just prepare your document in the repository.
If the wiki file is put in
/doc/index.wiki
then use a web browser to go to Setup -> Admin -> Configuration.
There is an "Index Page" field; fill in your main index.html.
For example:
/doc/trunk/doc/index.wiki
Or if you just want the released version:
/doc/<version>/doc/index.wiki

Restricting access to static files in Django/Nginx

I am building a system that allows users to generate documents and then download them. The documents are PDFs (not that it matters for the sake of this question) and when they are generated I store them on the local file system that the web server is running on, with uuid file names:
c7d43358-7532-4812-b828-b10b26694f0f.pdf
but I know "security through obscurity" is not the right solution ...
I want to restrict access to the files on a per-account basis if possible. One thing I think I could do is upload them to S3 and provide a signed URL, but I want to avoid that for now if possible.
I am using Nginx/Django/Gunicorn/EC2/S3
What are some other solutions?
If you are serving small files, you can indeed use Django to serve them directly, writing the file into the HttpResponse object.
If you're serving large files, however, you might want to leave that task to your web server: you can use the X-Accel-Redirect header on Nginx (and X-Sendfile for Apache & Lighttpd) to have your web server serve the file for you.
You can find more information about the header itself in Nginx's documentation here, and you could find some inspiration as to how to use that in Django here.
Once you're done sending files through Django views, enforcing user authentication should be pretty straightforward using Django's auth framework.
How about enforcing user==owner at the view level, preventing access to the files, storing them as FileFields, and only retrieving the file if that condition is met.
e.g. You could use the @login_required decorator on the view to allow access only if logged in. This could be refined using request.user to check against the owner of the file. The User Auth section of the Django documentation is likely to be helpful here.
The other option, as you mention is via S3 itself, generating urls within Django which have a querystring allowing an authenticated user access to download a particular s3 object with a time limit. Details on that can be found at the s3 documentation. A similar question has been asked before here on SO.
I've used django-private-files with great success; it enforces protection at the view level and uses different backends to do the actual file transfer.
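The answers above combine into one pattern: the view requires login, checks that the requesting user owns the document, and then hands the transfer to Nginx with X-Accel-Redirect against an `internal` location. The following is an added example, not code from the thread, from Django or from django-private-files. It deliberately leaves Django itself out so the decision logic runs stand-alone; in a real view `user_id`/`is_authenticated` come from `request.user` and `doc` from `get_object_or_404(Document, pk=pk)` (the `Document` model, the `/srv/private-docs/` directory and the `/protected/` location are assumptions). The uuid file name is the one from the question.

```python
import re
from dataclasses import dataclass, field

# nginx side (constructed to match the view below, not from the thread):
#   location /protected/ {
#       internal;                  # reachable only via X-Accel-Redirect, never by a client URL
#       alias /srv/private-docs/;  # directory holding the uuid-named PDFs (assumed path)
#   }

# The stored name must be exactly "<uuid>.pdf": anything else (slashes, '..',
# a renamed file) is refused before it can reach the X-Accel-Redirect header.
STORED_NAME = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\.pdf$")


@dataclass
class Document:
    pk: int
    owner_id: int      # Document.owner = models.ForeignKey(User) in the assumed model
    stored_name: str   # e.g. c7d43358-7532-4812-b828-b10b26694f0f.pdf


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def protected_download(user_id, is_authenticated, doc):
    """Decide whether `user_id` may download `doc` and build the response.

    Mirrors a Django view decorated with @login_required that checks
    request.user == doc.owner before handing the file to nginx.
    """
    if not is_authenticated:
        # what @login_required does: redirect to the login page
        return Response(302, {"Location": "/accounts/login/"})
    if doc.owner_id != user_id or not STORED_NAME.match(doc.stored_name):
        # 404 rather than 403, so a non-owner learns nothing about whether
        # the document exists
        return Response(404)
    return Response(200, {
        # nginx replaces this response body with /srv/private-docs/<name>
        "X-Accel-Redirect": f"/protected/{doc.stored_name}",
        "Content-Type": "application/pdf",
        # the client sees a friendly download name, never the uuid name
        "Content-Disposition": f'attachment; filename="document-{doc.pk}.pdf"',
    })


if __name__ == "__main__":
    sample = Document(pk=7, owner_id=1,
                      stored_name="c7d43358-7532-4812-b828-b10b26694f0f.pdf")
    print(protected_download(1, True, sample))   # owner: 200 + X-Accel-Redirect
    print(protected_download(2, True, sample))   # someone else: 404
```

Two details matter operationally: the `internal` directive is what makes the uuid name useless on its own, because a client requesting /protected/<uuid>.pdf directly gets 404 from Nginx, and the ownership check must run on every request, since the uuid never changes once the file is written. Small files, as the first answer says, can instead be read and written straight into an HttpResponse after the same two checks.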