
I'm A GitHub newbie. I created a library that accesses an external service (OpenWeather API). The project also has a test project. Tests, to work, need a valid API key. The key is stored in an external file.

To keep my key secret, I only committed the template of this file:

{
  "OpenWeatherApiKey": "YOUR_API_KEY_HERE"
}

I also created a dotnet.yml action that builds the project and runs the tests:

name: .NET
...
jobs:
  build:
     ...
    - name: Test
      run: dotnet test --no-build --verbosity normal

The problem is that on my PC the tests work, while on GitHub they fail because the config file stored there doesn't contain the right key.

Is there a way to commit the file to GitHub with the right key, without it being accessible to everyone, while leaving the template file public? That way everything would work on GitHub as well.

Gianpiero
  • Requiring an API key in your tests is a pretty major code smell. If a test fails you want it to indicate a problem with your code, not that the API might be unreachable for some reason, that you've hit some rate limit, that your machine is offline, or anything else. Abstract your tests away from the API with mocks or something like [`vcr`](https://github.com/vcr/vcr) (I have no idea what language your code is written in). There are _exceedingly few_ cases where I'd want any tests making real HTTP requests. – ChrisGPT was on strike Jan 21 '21 at 22:47
  • @Chris, my code is C#. It executes some HTTP GETs to get weather forecasts using the DarkSky and OpenWeather services. Do I have to mock the HTTP GET? – Gianpiero Jan 21 '21 at 22:57
  • You don't _have to_, but it's a very good idea to avoid real HTTP requests in your tests. – ChrisGPT was on strike Jan 21 '21 at 23:04
  • This is now clear to me. I googled around and the answers to https://stackoverflow.com/q/36425008/752004 made me understand what you mean. Thank you – Gianpiero Jan 22 '21 at 04:30

1 Answer


There is no way to add a file that is more protected than the repo as a whole.

While you might be able to rig something up using multiple repos, I think instead you should consider the fundamental security flaw in this test design.

You're saying the API key is worth protecting - so it gives some kind of access you wouldn't want others to have - yet you're willing to give it to untested code so you can find out what that code does?

So, as an attacker, all I have to do is make a push to your repo that, while blatantly incorrect code, will do whatever malicious thing it is your API key prevents me from just doing?

(Even setting the problem of a malicious git contributor aside, untested code should be treated as equally dangerous to a malicious attacker, simply because of the potential for errors - which is why we test code in the first place.)

Mark Adelsberger
  • I don't understand your comment at all! The key is only used to access the remote REST API from OpenWeather. If you use your key (request it from openweathermap.org), you can use it to run the tests. – Gianpiero Jan 21 '21 at 15:08
  • And yet, even though it "only" is used to access the remote REST API from OpenWeather, you're concerned about protecting it. Think about why that is, and then think about the fact that if you use it with untested code, you don't know how it will be used. If that isn't a concern, then neither is committing it where others could see it. – Mark Adelsberger Jan 21 '21 at 16:59
  • This is now clear to me. I have to revisit the test code and perhaps the library itself. The answers to https://stackoverflow.com/q/36425008/752004 made me understand what you mean. Thank you – Gianpiero Jan 22 '21 at 04:32
  • By the way, to close it, the short answer to the question is: *There is no way to add a file that is more protected than the repo as a whole*. – Gianpiero Jan 22 '21 at 04:34
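
The thread's conclusion is to keep the real key out of the tests altogether by mocking the HTTP call, so that the `dotnet test` step in the workflow needs no secret at all. The following is an added example of that approach, not code from the question, the answer, or the asker's library: a small OpenWeather client whose `HttpClient` is injected, and xUnit tests that feed it a canned response through a fake `HttpMessageHandler`. The class names, the `main.temp` field path, the sample JSON bodies and the use of xUnit and System.Text.Json are assumptions made for the example.

```csharp
// Added example (not the library's own code): an OpenWeather client with an
// injectable HttpClient, plus xUnit tests that never reach the network and
// therefore need no real API key. Assumptions: xUnit, System.Text.Json, and
// the illustrative names used below.
using System;
using System.Net;
using System.Net.Http;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;
using Xunit;

public sealed class OpenWeatherClient
{
    private readonly HttpClient _http;
    private readonly string _apiKey;

    // The HttpClient is injected so a test can swap in a fake message handler.
    public OpenWeatherClient(HttpClient http, string apiKey)
    {
        _http = http ?? throw new ArgumentNullException(nameof(http));
        if (string.IsNullOrWhiteSpace(apiKey))
            throw new ArgumentException("API key is required", nameof(apiKey));
        _apiKey = apiKey;
    }

    // Fetches the current temperature for a city (metric units).
    public async Task<double> GetTemperatureAsync(string city, CancellationToken ct = default)
    {
        var url = "https://api.openweathermap.org/data/2.5/weather"
                + "?q=" + Uri.EscapeDataString(city)
                + "&units=metric&appid=" + Uri.EscapeDataString(_apiKey);
        using var response = await _http.GetAsync(url, ct);
        response.EnsureSuccessStatusCode(); // 401 for a bad key surfaces here
        using var stream = await response.Content.ReadAsStreamAsync(ct);
        using var doc = await JsonDocument.ParseAsync(stream, cancellationToken: ct);
        // Assumed payload shape: { "main": { "temp": <number>, ... }, ... }
        return doc.RootElement.GetProperty("main").GetProperty("temp").GetDouble();
    }
}

// Test double: records the outgoing request and returns a fixed response, so a
// test can assert on both the parsed result and what would have been sent.
public sealed class StubHandler : HttpMessageHandler
{
    private readonly HttpStatusCode _status;
    private readonly string _body;
    public HttpRequestMessage? LastRequest { get; private set; }

    public StubHandler(HttpStatusCode status, string body)
    {
        _status = status;
        _body = body;
    }

    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        LastRequest = request;
        var response = new HttpResponseMessage(_status)
        {
            Content = new StringContent(_body, System.Text.Encoding.UTF8, "application/json"),
            RequestMessage = request
        };
        return Task.FromResult(response);
    }
}

public class OpenWeatherClientTests
{
    // Constructed sample bodies that mirror the assumed response shape; they are
    // not captured messages from the real service.
    private const string OkJson = "{\"name\":\"Turin\",\"main\":{\"temp\":12.5,\"humidity\":71}}";
    private const string UnauthorizedJson = "{\"cod\":401,\"message\":\"Invalid API key\"}";

    [Fact]
    public async Task ParsesTemperatureFromCannedResponse()
    {
        var handler = new StubHandler(HttpStatusCode.OK, OkJson);
        var client = new OpenWeatherClient(new HttpClient(handler), "dummy-key-for-tests");

        var temp = await client.GetTemperatureAsync("Turin");

        Assert.Equal(12.5, temp);
        // The placeholder key only ever reaches the stub, never the network.
        Assert.Contains("appid=dummy-key-for-tests", handler.LastRequest!.RequestUri!.Query);
    }

    [Fact]
    public async Task RejectsUnauthorizedResponse()
    {
        // Exercises the wrong-or-revoked-key path without any real key at all.
        var handler = new StubHandler(HttpStatusCode.Unauthorized, UnauthorizedJson);
        var client = new OpenWeatherClient(new HttpClient(handler), "dummy-key-for-tests");

        await Assert.ThrowsAsync<HttpRequestException>(() => client.GetTemperatureAsync("Turin"));
    }
}
```

With the tests shaped this way, the committed template file with `YOUR_API_KEY_HERE` is enough for `dotnet test` to pass both locally and in the workflow, and a failing test points at the parsing or request-building code rather than at quota, connectivity, or key validity.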