initial commit

Author: TitanNano

.gitignore

@@ -0,0 +1,2 @@
+/target
+.DS_Store

Cargo.lock

@@ -0,0 +1,16 @@
+[package]
+name = "hass-alexa-relay"
+version = "0.1.0"
+edition = "2021"
+
+[dependencies]
+anyhow = { version = "1.0.65", features = ["backtrace"] }
+clap = { version = "3.2.21", features = ["derive", "env"] }
+lambda_runtime = "0.6.1"
+log = "0.4.17"
+onetun = { version = "0.3.3", default-features = false }
+pretty_env_logger = "0.4.0"
+reqwest = { version = "0.11.11", features = ["rustls-tls-native-roots"], default-features = false }
+serde = { version = "1.0.144", features = ["serde_derive"] }
+serde_json = "1.0.85"
+tokio = { version = "1.21.1", features = ["tokio-macros"] }

Cargo.toml

@@ -0,0 +1,16 @@
+# HASS Alexa Relay
+
+An AWS lambda function that enables the connection between Amazons Alexa and a Home Assistant instance via a wireguard VPN tunnel.
+
+## Why?
+This lambda implementation of the home assistant Alexa skill lambda enables the connection to a home assistant instance that is only accessible via a Wireguard VPN.
+
+## Installation
+
+### Pre-built Binary
+Download the pre-built binary from the release page and upload the zip file to your lambda function. Make sure to set the runtime to `Custom runtime on Amazon Linux 2`,
+the architecture to `x86_64` and under Configuration > General Configuration set the timeout to about 15 seconds.
+
+### Build from source
+Make sure to have a properly set up rust build environment. Install `cargo-lambda` via `cargo install cargo-lambda`.
+Build the crate via `cargo lambda build --release --output-format Zip`. Afterwards follow the steps for the pre-build version.

README.md

@@ -0,0 +1,151 @@
+use anyhow::{anyhow, Context, Result};
+use lambda_runtime::LambdaEvent;
+use reqwest::{
+    header::{HeaderMap, HeaderValue},
+    StatusCode,
+};
+use serde::Deserialize;
+use serde_json::json;
+
+#[derive(Deserialize)]
+struct LambdaPayload {
+    directive: LambdaDirective,
+}
+
+#[derive(Deserialize)]
+struct LambdaDirective {
+    header: LambdaDirectiveHeaders,
+    endpoint: Option<LambdaDirectiveEndpoint>,
+    payload: Option<LambdaDirectivePayload>,
+}
+
+#[derive(Deserialize)]
+struct LambdaDirectiveHeaders {
+    #[serde(rename = "payloadVersion")]
+    payload_version: String,
+}
+
+#[derive(Deserialize)]
+struct LambdaDirectiveEndpoint {
+    scope: LambdaDirectiveScope,
+}
+
+#[derive(Deserialize)]
+struct LambdaDirectivePayload {
+    grantee: Option<LambdaDirectiveScope>,
+    scope: Option<LambdaDirectiveScope>,
+}
+
+#[derive(Deserialize)]
+struct LambdaDirectiveScope {
+    #[serde(rename = "type")]
+    ty: String,
+    token: Option<String>,
+}
+
+/// Handle incoming Alexa directive.
+pub async fn lambda_handler(
+    event: LambdaEvent<serde_json::Value>,
+    access_token: Option<String>,
+) -> Result<serde_json::Value> {
+    let (event, _context) = event.into_parts();
+    let payload: LambdaPayload =
+        serde_json::from_value(event.clone()).context("Failed to parse event payload")?;
+
+    let base_url = "http://127.0.0.1:8080"; // os.environ.get('BASE_URL')
+
+    if payload.directive.header.payload_version != "3" {
+        return Err(anyhow!("only payload version 3 is supported!"));
+    }
+
+    let scope = payload
+        .directive
+        .endpoint
+        .as_ref()
+        .map(|e| &e.scope)
+        .or_else(|| {
+            payload
+                .directive
+                .payload
+                .as_ref()
+                .and_then(|p| p.grantee.as_ref())
+        })
+        .or_else(|| {
+            payload
+                .directive
+                .payload
+                .as_ref()
+                .and_then(|p| p.scope.as_ref())
+        })
+        .ok_or_else(|| anyhow!("missing endpoint.scope"))?;
+
+    if scope.ty != "BearerToken" {
+        return Err(anyhow!("only BearerToken is supported"));
+    }
+
+    let token = scope
+        .token
+        .clone()
+        .or_else(|| access_token.map(|t| t.to_owned()))
+        .ok_or_else(|| anyhow!("access token missing!"))?;
+
+    let client = reqwest::Client::new();
+    let mut headers = HeaderMap::new();
+
+    headers.insert(
+        "Authorization",
+        HeaderValue::from_str(&format!("Bearer {token}"))
+            .context("Failed to create auth header")?,
+    );
+    headers.insert("Content-Type", HeaderValue::from_static("application/json"));
+
+    let has_event_payload =
+        serde_json::to_string(&event).context("Failed to serialize event payload!")?;
+
+    let response = client
+        .post(format!("{base_url}/api/alexa/smart_home"))
+        .headers(headers)
+        .body(has_event_payload)
+        .send()
+        .await
+        .context("Failed to send upstream hass request!")?;
+
+    let error_type = match response.status() {
+        StatusCode::OK
+        | StatusCode::CREATED
+        | StatusCode::ACCEPTED
+        | StatusCode::NON_AUTHORITATIVE_INFORMATION
+        | StatusCode::NO_CONTENT
+        | StatusCode::RESET_CONTENT
+        | StatusCode::PARTIAL_CONTENT
+        | StatusCode::MULTI_STATUS
+        | StatusCode::ALREADY_REPORTED => None,
+        StatusCode::UNAUTHORIZED | StatusCode::FORBIDDEN => {
+            Some("INVALID_AUTHORIZATION_CREDENTIAL")
+        }
+        _ => Some("INTERNAL_ERROR"),
+    };
+
+    let message = response
+        .text_with_charset("utf-8")
+        .await
+        .context("Failed to decode hass response")?;
+    let parsed_message: serde_json::Value =
+        serde_json::from_str(&message).context("Failed to parse response message")?;
+
+    if let Some(error_type) = error_type {
+        let err = json!({
+            "event": {
+                "payload": {
+                    "type": error_type,
+                    "message": message
+                }
+            }
+        });
+
+        return Ok(err);
+    }
+
+    log::info!("response from hass: {:?}", parsed_message);
+    Ok(parsed_message)
+}

src/lambda.rs

@@ -0,0 +1,131 @@
+mod lambda;
+mod wireguard;
+
+use std::{
+    future::Future,
+    net::{IpAddr, SocketAddr, ToSocketAddrs},
+    task::{Context as TaskContext, Poll},
+};
+
+use anyhow::{anyhow, Context, Result};
+use clap::Parser;
+use lambda::lambda_handler;
+use lambda_runtime::Service;
+use onetun::config::{X25519PublicKey, X25519SecretKey};
+use wireguard::start_wireguard;
+
+#[derive(Parser)]
+#[clap(version, author)]
+struct Args {
+    #[clap(flatten)]
+    wireguard: WireguardArgs,
+
+    /// IP address and port of the home assistant instance on the local network
+    #[clap(env, short, long, parse(try_from_str = to_socket_addrs))]
+    ha_host: SocketAddr,
+
+    /// The desired log level. Options are 'error', 'info', 'debug'
+    #[clap(env, short, long, default_value = "info")]
+    log_level: String,
+
+    /// an optional home assistant log lived access token for testing.
+    #[clap(env, short = 't', long)]
+    long_lived_access_token: Option<String>,
+}
+
+/// Wireguard specific arguments
+#[derive(clap::Args)]
+struct WireguardArgs {
+    /// The wireguard endpoint that consists of either domain name or ip + port
+    #[clap(env, short, long, parse(try_from_str = to_socket_addrs))]
+    endpoint: SocketAddr,
+    // Wireguard priavate key for this peer
+    #[clap(env, short, long)]
+    private_key: X25519SecretKey,
+    /// Wireguard public key
+    #[clap(env, short = 'k', long)]
+    public_key: X25519PublicKey,
+    /// The peer ip that has been choosen for this peer
+    #[clap(env, short, long)]
+    source_peer_ip: IpAddr,
+}
+
+fn init_logger(log_level: &str) -> anyhow::Result<()> {
+    let mut builder = pretty_env_logger::formatted_timed_builder();
+    builder.parse_filters(log_level);
+    builder
+        .try_init()
+        .with_context(|| "Failed to initialize logger")
+}
+
+struct LambdaService<T> {
+    f: T,
+    access_token: Option<String>,
+}
+
+impl<T> LambdaService<T> {
+    fn new(f: T) -> Self {
+        Self {
+            f,
+            access_token: None,
+        }
+    }
+
+    fn set_access_token(&mut self, token: String) {
+        self.access_token = Some(token);
+    }
+}
+
+impl<T, F, Request, R, E> Service<Request> for LambdaService<T>
+where
+    T: FnMut(Request, Option<String>) -> F,
+    F: Future<Output = Result<R, E>>,
+{
+    type Response = R;
+    type Error = E;
+    type Future = F;
+
+    fn poll_ready(&mut self, _: &mut TaskContext<'_>) -> Poll<Result<(), E>> {
+        Ok(()).into()
+    }
+
+    fn call(&mut self, req: Request) -> Self::Future {
+        (self.f)(req, self.access_token.as_ref().map(|t| t.to_owned()))
+    }
+}
+
+#[tokio::main(flavor = "current_thread")]
+async fn main() -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+    let args = Args::parse();
+
+    init_logger(&args.log_level)?;
+
+    start_wireguard(
+        args.wireguard.endpoint,
+        args.wireguard.private_key,
+        args.wireguard.public_key,
+        args.wireguard.source_peer_ip,
+        args.ha_host,
+        args.log_level,
+    )
+    .await?;
+
+    let mut handler = LambdaService::new(lambda_handler);
+
+    if let Some(token) = args.long_lived_access_token {
+        handler.set_access_token(token);
+    }
+
+    lambda_runtime::run(handler).await
+}
+
+fn to_socket_addrs<T>(value: T) -> Result<SocketAddr>
+where
+    T: ToSocketAddrs,
+{
+    value
+        .to_socket_addrs()
+        .context("Error during address resolution")?
+        .next()
+        .ok_or_else(|| anyhow!("Failed to resolve socket address!"))
+}

src/main.rs

@@ -0,0 +1,45 @@
+use std::{
+    net::{IpAddr, Ipv4Addr, SocketAddr},
+    sync::Arc,
+};
+
+use anyhow::{Context, Result};
+use onetun::{
+    config::{PortForwardConfig, PortProtocol, X25519PublicKey, X25519SecretKey},
+    events::Bus,
+};
+
+pub async fn start_wireguard(
+    endpoint: SocketAddr,
+    private_key: X25519SecretKey,
+    public_key: X25519PublicKey,
+    source_peer_ip: IpAddr,
+    ha_host: SocketAddr,
+    log_level: String,
+) -> Result<()> {
+    let config = onetun::config::Config {
+        private_key: Arc::new(private_key),
+        endpoint_public_key: Arc::new(public_key),
+        endpoint_addr: endpoint,
+        source_peer_ip,
+        keepalive_seconds: Some(5),
+        port_forwards: vec![PortForwardConfig {
+            source: SocketAddr::new(IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)), 8080),
+            destination: ha_host,
+            protocol: PortProtocol::Tcp,
+            remote: false,
+        }],
+        remote_port_forwards: Vec::with_capacity(0),
+        endpoint_bind_addr: SocketAddr::new(IpAddr::V4(Ipv4Addr::new(0, 0, 0, 0)), 0),
+        max_transmission_unit: 1420,
+        log: log_level,
+        warnings: Vec::with_capacity(0),
+        pcap_file: None,
+    };
+
+    let bus = Bus::new();
+
+    onetun::start_tunnels(config, bus)
+        .await
+        .context("Failed to create wireguard tunnel")
+}