2

I am trying to find the safest and best way to save and read a password or sensitive data for use in a Selenium test automation written in C#.

Requirements:

  • The password must not be visible in the code or in any file just by opening it.
  • Co-workers should be able to use it without putting too much work into making it run (KeePass would work, as the users need 2 files (key and key database) to read the password).
  • We use Bitbucket to upload the solutions or branches. Bitbucket runs all the code, even the tests, without needing Visual Studio (SonarQube and so on). We can upload the .key files (for example from KeePass) to decrypt the passwords.

Methods I found:

  • Encryption and Decryption: I'd say it's the most common method. This isn't something the company wants to use, as it's too easy to decrypt a ciphertext when the encryption method is known.

  • Environment Variables: Seems to be safe. The sensitive data is stored in the Windows environment variables and you can use it only locally. The problem is that co-workers need to add the variables in Windows, and we use Bitbucket to upload our solutions onto the server, on which we can start the automation tests without using Visual Studio. Not sure if this would be possible.

  • KeePass: Seems to be the safest way. The user needs 2 files (Database.key and Database.kdbx) to access the passwords. But there's only one question which could help me set up KeePass in C#. There are, however, NuGet packages in Visual Studio for KeePass.

  • Cryptography (symmetric algorithms): A Microsoft video about different kinds of cryptography in .NET Core mentioned the symmetric algorithms, which seem to work similarly to KeePass. To decrypt the ciphertext the users need a secret key. Not sure if I can use this.

user4157124
Beardy
    Rule #1: never store a password, either encrypted or otherwise. Passwords should be hashed (basically, convert the password string into a very large number). When you want to verify a password, take the new user input and hash it, and compare the hashed value with the one stored. – Neil Jul 27 '21 at 11:15
  • For a selenium test automation I would also try to use test (not production) data - it won't matter then if the credentials are exposed! – phuzi Jul 27 '21 at 11:47
  • Yeah, I'm aware of this @phuzi. In our case it's: after writing a Selenium test, it's merged to the master branch and uploaded to Bitbucket. There the programmers can start the test with just one click, without using Visual Studio, to check if the website still works when they have fixed something or added new features. – Beardy Jul 27 '21 at 11:53
  • It is our requirement from our Head of – Beardy Jul 27 '21 at 12:03

2 Answers

0

I'm using KeePass, which works great for my Selenium tests. The NuGet package to read data from KeePass in .NET 6 is KPCLib.

This was the easiest and fastest way to store and read sensitive data without a cloud service.

user4157124
Beardy
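The answer above names the package but not how a test would read an entry with it. The following is an added example, not code from the answer's author or from the KPCLib project: it opens a .kdbx database with the KeePassLib-style API (PwDatabase, CompositeKey, KcpKeyFile, KcpPassword, PwDefs) that KPCLib is assumed to expose unchanged from KeePass 2.x, and returns the password of the entry whose Title matches. The file paths, the entry title and the helper name KeePassSecrets are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using KeePassLib;
using KeePassLib.Interfaces;
using KeePassLib.Keys;
using KeePassLib.Serialization;

// Hypothetical helper for a Selenium test project. Assumes the KeePassLib
// namespaces and types are available through the KPCLib NuGet package.
public static class KeePassSecrets
{
    // Opens the database with key file (+ optional master password) and
    // returns the Password field of the first entry whose Title matches.
    public static string ReadPassword(
        string kdbxPath, string keyFilePath, string masterPassword, string entryTitle)
    {
        // A CompositeKey may combine several key sources; the database can
        // only be opened when all of them are supplied.
        var key = new CompositeKey();
        if (!string.IsNullOrEmpty(masterPassword))
        {
            key.AddUserKey(new KcpPassword(masterPassword));
        }
        key.AddUserKey(new KcpKeyFile(keyFilePath));

        var db = new PwDatabase();
        // Throws (e.g. InvalidCompositeKeyException) if the key is wrong,
        // so a missing or stale key file fails the test run loudly.
        db.Open(IOConnectionInfo.FromPath(kdbxPath), key, new NullStatusLogger());
        try
        {
            // true = include entries in sub-groups.
            foreach (PwEntry entry in db.RootGroup.GetEntries(true))
            {
                if (entry.Strings.ReadSafe(PwDefs.TitleField) == entryTitle)
                {
                    return entry.Strings.ReadSafe(PwDefs.PasswordField);
                }
            }
            throw new KeyNotFoundException(
                "No KeePass entry titled '" + entryTitle + "' in " + kdbxPath);
        }
        finally
        {
            db.Close();
        }
    }
}

public static class Program
{
    public static void Main()
    {
        // Assumed layout: database and key file live next to the test
        // binaries; the master password (if any) comes from the CI
        // environment rather than from the repository.
        string password = KeePassSecrets.ReadPassword(
            kdbxPath: "Secrets/Database.kdbx",
            keyFilePath: "Secrets/Database.key",
            masterPassword: Environment.GetEnvironmentVariable("KEEPASS_MASTER"),
            entryTitle: "WebApp test account");

        Console.WriteLine("Read " + password.Length + " characters from KeePass");
    }
}
```

One caveat worth stating plainly: if Database.key is committed to the same repository as Database.kdbx, whoever can clone the repository holds both halves, so the protection is reduced to the repository's access control. Keeping the key file (or a master password) out of the repository and supplying it from the build agent's environment, as the example does for the master password, is what makes the separation real.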
-1

Take a look at the ProtectedData class, which is a wrapper around Windows DPAPI (Data Protection API). It can be used to encrypt data per Windows user[1], so other users can't decrypt it.

Obviously, if somebody can log in as the same Windows user (who encrypted the data through DPAPI), they can decrypt the data by just asking DPAPI to do it for them. But if you trust the Windows user and he/she is not breached (at which point you probably have bigger problems), this should be a decent solution for testing.

EDIT: I'm not sure how this would work under Bitbucket. I'll leave the answer here in case somebody finds it helpful...


[1] DataProtectionScope.CurrentUser

Branko Dimitrijevic
  • Thanks. Yeah, it might help someone else. But in my case, my co-workers have their own personal users in Windows. My goal is to find a way in which they simply pull a branch from my implementation and directly press "Run" to start the automated test, which automatically gets the hidden password. It would work with KeePass if my co-workers have the same 2 files to access the KeePass database. – Beardy Jul 27 '21 at 11:43
  • Yes, each user would need to set the password via DPAPI independently. – Branko Dimitrijevic Jul 27 '21 at 11:46
  • Is it possible to give access to multiple Windows users? Or does only one person have access to the sensitive data? Can you define 2-3 different Windows users? – Beardy Jul 27 '21 at 15:39
  • You can't define arbitrary subset of users, but you can allow all users on the same machine via `DataProtectionScope.LocalMachine`. – Branko Dimitrijevic Jul 28 '21 at 08:35
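To make the DPAPI answer and the LocalMachine scope discussed in the comments concrete, here is an added example (not code from the answer's author): a small store that encrypts a secret once with ProtectedData.Protect, writes the opaque blob to a file, and decrypts it at test time with ProtectedData.Unprotect. On .NET 6 this needs the System.Security.Cryptography.ProtectedData package and runs on Windows only. The file name, the entropy string and the class name DpapiSecretStore are assumptions for illustration.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper for a Selenium test project built on Windows DPAPI.
public static class DpapiSecretStore
{
    // Optional entropy is mixed into the DPAPI key. It matters most for
    // DataProtectionScope.LocalMachine, where every account on the box can
    // call Unprotect: a caller that does not know this value still gets a
    // CryptographicException. Treat it as a weak second secret, not as
    // public data (a constant in source is an illustration, not a design).
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("selenium-tests-v1");

    // Encrypts the secret and writes it as Base64. Run once, by hand, on the
    // machine (and, for CurrentUser scope, under the account) that will
    // later execute the tests: a blob never decrypts on another machine.
    public static void Save(string path, string secret, DataProtectionScope scope)
    {
        byte[] plaintext = Encoding.UTF8.GetBytes(secret);
        try
        {
            byte[] blob = ProtectedData.Protect(plaintext, Entropy, scope);
            File.WriteAllText(path, Convert.ToBase64String(blob));
        }
        finally
        {
            Array.Clear(plaintext, 0, plaintext.Length);
        }
    }

    // Reads the blob and asks DPAPI to decrypt it. Throws
    // CryptographicException when called by a different user (CurrentUser)
    // or on a different machine (either scope), or with the wrong entropy.
    public static string Load(string path, DataProtectionScope scope)
    {
        byte[] blob = Convert.FromBase64String(File.ReadAllText(path));
        byte[] plaintext = ProtectedData.Unprotect(blob, Entropy, scope);
        try
        {
            return Encoding.UTF8.GetString(plaintext);
        }
        finally
        {
            Array.Clear(plaintext, 0, plaintext.Length);
        }
    }
}

public static class Program
{
    // Usage:  save <file>   (prompts for the secret on stdin, once per machine)
    //         load <file>   (what the test run does)
    public static void Main(string[] args)
    {
        // LocalMachine lets every account on the build agent decrypt, which
        // is what the one-click-run requirement needs; CurrentUser would tie
        // the blob to the single account that ran "save".
        const DataProtectionScope scope = DataProtectionScope.LocalMachine;

        if (args.Length == 2 && args[0] == "save")
        {
            Console.Write("Secret: ");
            string secret = Console.ReadLine() ?? string.Empty; // not via argv, to keep it out of shell history
            DpapiSecretStore.Save(args[1], secret, scope);
            Console.WriteLine("Stored with scope " + scope);
        }
        else if (args.Length == 2 && args[0] == "load")
        {
            try
            {
                string secret = DpapiSecretStore.Load(args[1], scope);
                Console.WriteLine("Decrypted " + secret.Length + " characters");
            }
            catch (CryptographicException ex)
            {
                Console.Error.WriteLine("DPAPI refused to decrypt: " + ex.Message);
            }
        }
    }
}
```

The blob can be committed to Bitbucket safely in the sense that it is useless off the machine that produced it; the flip side, which the answer's EDIT points at, is that the "save" step must be repeated on each build agent and each developer machine, because DPAPI keys never leave the host.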