0

I have an NUnit test project which tests a gateway for some remote service.

And I have public/private keys to manage my account on that service.

Right now I store those keys in code. But that's the wrong way to handle user-specific and secret data. I must hide it from the version control system and other people.

So, where is it better to store such data?

My ideas:

  • environment variables
  • *.csproj.user (if it's possible?)
  • *.resx
  • .runsettings (if it's possible?)

I'd like to use *.csproj.user, but is it possible to store and access custom data in this file?

Denis535
  • 2
    Possible duplicate of [Can a unit test project load the target application's app.config file?](https://stackoverflow.com/questions/344069/can-a-unit-test-project-load-the-target-applications-app-config-file) – gunr2171 Sep 22 '19 at 22:14
  • If you want to make it hard to break, but not necessarily secure, one alternative is to encrypt things using System.Security.Cryptography.ProtectedData. Encrypt it using the CurrentUser scope. However, realize that any program running with that user's credentials can decrypt the data. Then, write the results to IsolatedStorage. That will hide the data away from the casual user, but will be available to your program. This is not a secure solution, but it would be hard to break for all but the determined hacker (in which case, it would be pretty easy). – Flydog57 Sep 22 '19 at 22:54

2 Answers

2

Unless it's for testing and the accounts are fake, you should aim to never store user credentials and definitely not SSH keys unless it's an OEM security product.

You would be better off in your unit test SetUp to create random accounts and use those or mock the result of authentication calls.

Typically you store test data in a CSV / XLSX file and, for each row, you execute the values through your method to be tested. You can also do this with a database. Here's an example: https://stackoverflow.com/a/6095773/495455

For methods needing sensitive access credential information you should test in isolation with known working and non-working values that cannot be used to compromise the system.

Jeremy Thompson
1
```csharp
using Microsoft.Extensions.Configuration;

// Reads the API keys from configuration sources that live outside the source tree.
public static class ApiKeys {

    private static IConfiguration Config { get; set; }
    public static string PublicKey => Config.GetValue<string>( "service-public-key" );
    public static string SecretKey => Config.GetValue<string>( "service-secret-key" );

    static ApiKeys() {
        Config = new ConfigurationBuilder()
        .AddEnvironmentVariables() // keys are taken from the process environment
        //.AddIniFile( "api-keys.ini", true ) // in this case you must add "api-keys.ini" to .gitignore file.
        .Build();
    }

}
```
Denis535
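An NUnit fixture built on the same environment-variable approach as the answer above, added here as an example and not code from either answer. The names `GatewayKeyTests` and `Fingerprint` are hypothetical; the key names and `api-keys.ini` are the ones used in the answer. It assumes NUnit 3 and the Microsoft.Extensions.Configuration.EnvironmentVariables and .Ini packages.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Extensions.Configuration;
using NUnit.Framework;

[TestFixture]
public class GatewayKeyTests { // hypothetical fixture name

    private string publicKey;
    private string secretKey;

    [OneTimeSetUp]
    public void LoadKeys() {
        IConfiguration config = new ConfigurationBuilder()
            // Optional per-developer file, resolved against the test output directory.
            // It must be listed in .gitignore so it never reaches the repository.
            .AddIniFile( "api-keys.ini", optional: true )
            // Added last, so variables set on a build agent override the local file.
            .AddEnvironmentVariables()
            .Build();

        publicKey = config[ "service-public-key" ];
        secretKey = config[ "service-secret-key" ];

        // No keys on this machine: report the whole fixture as ignored rather than
        // failing, so nobody is tempted to paste keys into code to get a green run.
        if (string.IsNullOrWhiteSpace( publicKey ) || string.IsNullOrWhiteSpace( secretKey )) {
            Assert.Ignore( "service-public-key / service-secret-key not configured; gateway tests skipped." );
        }
    }

    // Short SHA-256 prefix: enough to tell which key was loaded, without
    // writing the key itself into test output or CI logs.
    private static string Fingerprint(string secret) {
        using var sha = SHA256.Create();
        byte[] hash = sha.ComputeHash( Encoding.UTF8.GetBytes( secret ) );
        return BitConverter.ToString( hash, 0, 4 );
    }

    [Test]
    public void KeysComeFromOutsideTheRepository() {
        TestContext.WriteLine( $"public key: {publicKey}, secret key fingerprint: {Fingerprint( secretKey )}" );
        Assert.That( secretKey, Is.Not.EqualTo( publicKey ) );
    }
}
```

POSIX shells do not accept `-` in names passed to `export`, so on Linux or macOS agents the hyphenated key names have to be supplied another way, for example through the ini file or the runner's own environment settings.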