yopass 1.0.0

data/lib/views/get_secret.erb

@@ -0,0 +1,11 @@
+<%= erb :header %>
+<form role="form" method="GET">
+  <div class="form-group">
+    <label>Password</label>
+    <input type="password" class="form-control" name="p" placeholder="Password to decrypt secret">
+    <input type="hidden" class="form-control" name="k" value="<%=key%>" hidden="true">
+  </div>
+  <button type="submit" class="btn btn-default">Submit</button>
+</form>
+<br/>
+<%= erb :footer %>

data/lib/views/header.erb

@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <meta name="description" content="">
+    <meta name="author" content="Johan Haals">
+
+    <title>YoPass Share Secrets</title>
+
+    <!-- Bootstrap core CSS -->
+    <link href="/css/bootstrap.min.css" rel="stylesheet">
+
+    <!-- Custom styles for this template -->
+    <link href="/css/jumbotron.css" rel="stylesheet">
+
+    <!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
+    <!--[if lt IE 9]>
+      <script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
+      <script src="https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js"></script>
+    <![endif]-->
+  </head>
+
+  <body>
+
+    <div class="container">
+      <div class="header">
+          <h3 class="text-muted"><a href="/">YoPass</a> Share Secrets Securely</h3>
+      </div>
+

data/lib/views/index.erb

@@ -0,0 +1,56 @@
+<%= erb :header %>
+      <form role="form" method="post">
+          <div class="form-group">
+              <label>Secret</label>
+              <textarea placeholder="Your secret" class="form-control" rows="6" name="secret"></textarea>
+          </div>
+          <label>Self destruct after</label>
+          <div class="radio">
+              <label>
+                  <input type="radio" name="lifetime" value="1w" checked>1 Week
+              </label>
+          </div>
+          <div class="radio">
+              <label>
+                  <input type="radio" name="lifetime" value="1d">1 Day
+              </label>
+          </div>
+          <div class="radio">
+              <label>
+                  <input type="radio" name="lifetime" value="1h">1 Hour
+              </label>
+          </div>
+          <% if send_sms %>
+              <div class="form-group">
+                <label>Send decryption key over SMS</label>
+                <i>Remember country code</i>
+                <input type="input" class="form-control" name="mobile_number" placeholder="eg 46702224990">
+              </div>
+          <% end %>
+          <button type="submit" class="btn btn-primary">Store Secret</button>
+      </form>
+       <br/>
+      <div class="row marketing">
+        <div class="col-lg-6">
+            <h4><span class="glyphicon glyphicon-lock"></span> AES-256 Encryption</h4>
+          <p>Your secret is encrypted and no records of the decryption key is stored anywhere</p>
+
+          <h4><span class="glyphicon glyphicon-floppy-remove"></span> Never stored on disk</h4>
+          <p>Your secret is stored in memory to incease security</p>
+
+          <h4><span class="glyphicon glyphicon-eye-open"></span> Visible Once</h4>
+          <p>Your secret is only visible once to make sure it's never been seen by anyone except the receiver</p>
+        </div>
+
+        <div class="col-lg-6">
+            <h4><span class="glyphicon glyphicon-time"></span> Self Destruction</h4>
+          <p>All secrets will self destruct after X hours</p>
+
+          <h4><span class="glyphicon glyphicon-bullhorn"></span> Open Source</h4>
+          <p>This website is open source meaning you can submit feedback and patches to improve the project</p>
+
+          <h4><span class="glyphicon glyphicon-minus-sign"></span> No Caching</h4>
+          <p>Caching headers are disabled</p>
+        </div>
+      </div>
+<%= erb :footer %>

data/lib/views/secret_url.erb

@@ -0,0 +1,8 @@
+<%= erb :header %>
+<h2>URL for your secret</h2>
+<p><b><%=url%></b></p>
+<p>Your secret can only be viewed ONCE, do not open the URL yourself</p>
+<% if key_sent_to_mobile %>
+<p>The decryption key is sent to the receiver via sms, dont forget to provide the URL via another channel</p>
+<% end %>
+<%= erb :footer %>

data/lib/yopass.rb

@@ -0,0 +1,97 @@
+require 'memcached'
+require 'sinatra/base'
+require 'securerandom'
+require 'encryptor'
+require 'yaml'
+require 'uri'
+require 'yopass/sms_provider'
+
+class Yopass < Sinatra::Base
+  configure :development do
+    require 'sinatra/reloader'
+    register Sinatra::Reloader
+    set :config, YAML.load_file('conf/yopass.yaml')
+  end
+  configure :production do
+    set :config, YAML.load_file('/etc/yopass.yaml')
+  end
+  configure do
+    set :cache, Memcached.new(settings.config['memcached_url'])
+    set :public_folder, File.dirname(__FILE__) + '/static'
+  end
+
+  get '/' do
+    # display mobile number field if send_sms is true
+    erb :index, :locals => {:send_sms => settings.config['send_sms']}
+  end
+
+  post '/' do
+    headers 'Cache-Control' => 'no-cache, no-store, must-revalidate'
+    headers 'Pragma' => 'no-cache'
+    headers 'Expires' => '0'
+
+    lifetime = params[:lifetime]
+    # calculate lifetime in secounds
+    lifetime_options = { '1w' => 3600*24*7,
+                         '1d' => 3600*24,
+                         '1h' => 3600,
+    }
+    # Verify that user has posted a valid lifetime
+    return 'Invalid lifetime' unless lifetime_options.include? lifetime
+    return 'No secret submitted' if params[:secret].empty?
+    return 'This site is meant to store secrets not novels' if params[:secret].length >= 10000
+
+    # goes in URL
+    key = SecureRandom.urlsafe_base64 8
+    # password goes in URL or via SMS if provider is configured
+    password = SecureRandom.urlsafe_base64 8
+    # encrypt secret with generated password
+    data = Encryptor.encrypt(params[:secret], :key => password)
+    # store secret in memcached
+    settings.cache.set key, data, lifetime_options[lifetime]
+
+    if settings.config['send_sms'] == true and !params[:mobile_number].nil?
+      # strip everything except digits
+      mobile_number = params[:mobile_number].gsub(/[^0-9]/, "")
+      # load specified sms provider
+      sms = SmsProvider.create(settings.config['sms::provider'],
+                               settings.config['sms::settings'])
+
+      unless params[:mobile_number].empty?
+        # TODO verification
+        sms.send(mobile_number, password)
+        return erb :secret_url, :locals => {
+          :url => URI.join(settings.config['http_base_url'], "get?k=#{key}"),
+          :key_sent_to_mobile => true }
+      end
+    end
+
+    erb :secret_url, :locals => {:url => URI.join(settings.config['http_base_url'], "get?k=#{key}&p=#{password}")}
+  end
+
+  get '/get' do
+    # No password added
+    return erb :get_secret, :locals => {:key => params[:k]} if params[:p].nil? or params[:p].empty?
+
+    # Disable all caching
+    headers 'Cache-Control' => 'no-cache, no-store, must-revalidate'
+    headers 'Pragma' => 'no-cache'
+    headers 'Expires' => '0'
+    begin
+    result = settings.cache.get params[:k]
+    rescue Memcached::NotFound
+      return erb :'404'
+    end
+    content_type 'text/plain'
+
+    begin
+    result = Encryptor.decrypt(:value => result, :key => params[:p])
+    rescue OpenSSL::Cipher::CipherError
+      return 'Invalid decryption key'
+    end
+    settings.cache.delete params[:k]
+    result
+  end
+
+  run! if app_file == $0
+end

data/lib/yopass/sms_provider.rb

@@ -0,0 +1,11 @@
+class SmsProvider
+  def self.create(provider, settings)
+    begin
+      require "yopass/sms_provider/#{provider.downcase}"
+    rescue LoadError => e
+      raise "Unsupported provider #{provider}: #{e}"
+    end
+    class_name = provider.split("_").map {|v| v.capitalize }.join
+    const_get(class_name).new settings
+  end
+end

data/lib/yopass/sms_provider/bulksms.rb

@@ -0,0 +1,18 @@
+require 'open-uri'
+
+class Bulksms
+  def initialize(settings)
+    @api_url = 'http://bulksms.vsms.net:5567/eapi/submission/send_sms/2/2.0'
+    @username = settings['username']
+    @password = settings['password']
+    @sender = settings['sender']
+  end
+
+  def send(to, message)
+    url = URI.join(@api_url, "?username=#{@username}&password=#{@password}" \
+                   "&message=#{message}&msisdn=#{to}&sender=#{@sender}")
+    result = open(url).read
+    return true if result.include? "IN_PROGRESS"
+    false
+  end
+end

metadata

@@ -0,0 +1,109 @@
+--- !ruby/object:Gem::Specification
+name: yopass
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Johan Haals
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-01-24 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: encryptor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: memcached
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: sinatra
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Web service for sharing secrets more securely
+email:
+- jhaals@spotify.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- Gemfile
+- README.md
+- conf/config.ru
+- conf/yopass.yaml
+- lib/static/css/bootstrap-theme.min.css
+- lib/static/css/bootstrap.min.css
+- lib/static/css/jumbotron.css
+- lib/static/fonts/glyphicons-halflings-regular.eot
+- lib/static/fonts/glyphicons-halflings-regular.svg
+- lib/static/fonts/glyphicons-halflings-regular.ttf
+- lib/static/fonts/glyphicons-halflings-regular.woff
+- lib/static/foo.css
+- lib/static/js/bootstrap.min.js
+- lib/views/404.erb
+- lib/views/footer.erb
+- lib/views/get_secret.erb
+- lib/views/header.erb
+- lib/views/index.erb
+- lib/views/secret_url.erb
+- lib/yopass.rb
+- lib/yopass/sms_provider.rb
+- lib/yopass/sms_provider/bulksms.rb
+homepage: https://github.com/jhaals/yopass
+licenses:
+- Apache 2.0
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+- conf
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: 1.8.7
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.0.3
+signing_key: 
+specification_version: 4
+summary: Secure sharing for secrets and passwords
+test_files: []