Issue
I am writing Selenium (Seleno) scripts to test a C# MVC web application which requires users to log in. At the moment the username and password are hard-coded into the script but I need to make sure the password is protected before I can commit the scripts to our code repository.
The scripts will be run autonomously through CI (TeamCity) so the password must be available to the program without any human input.
In terms of security requirements, the password is common knowledge amongst devs but it is also bundled with the software that is deployed to clients (which obviously opens a back door to anyone in possession of the password - for better or for worse). So if someone gains access to our codebase we need to be sure that they can't get at the password. The password itself is stored (salted) in a SQLite database.
If I pass an encrypted value into the program and then decrypt it, will that protect us? I'm not too bothered about the password being in memory on the server where the test runs as that server should be securely locked down and will only exist for the duration of the tests.
The only other thing I can think of is to insert a temp password into the sqlite database once TeamCity has spun up the temp server instance and before the tests are run. Not sure how to achieve that though.
I would have thought this would be a really common problem with Selenium but I haven't as yet been able to find a definitive solution.
Solution
As SiKing suggests, the solution is to use a temporary, test-specific password which won't make it into production code. Simples.
Answered By - beterthanlife
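One way to provision the temporary, test-specific password in the SQLite database from a CI step before the Selenium run, as an added example that is not part of the original post. The `users` table, its columns, the PBKDF2 scheme and the function names are assumptions; replace them with the application's real schema and hashing routine.

```python
import hashlib
import os
import secrets
import sqlite3

# Assumed value; must match whatever the application's login code uses.
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    # Assumed scheme (PBKDF2-HMAC-SHA256), standing in for the app's own.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def provision_test_user(conn: sqlite3.Connection, username: str) -> str:
    """Create or reset a test-only account with a fresh random password.

    Returns the plaintext so the test run can log in with it; the value is
    generated per build and never stored in the repository.
    """
    password = secrets.token_urlsafe(24)
    salt = os.urandom(16)
    # Hypothetical schema, created here only so the example runs stand-alone.
    conn.execute(
        "CREATE TABLE IF NOT EXISTS users ("
        "username TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    conn.execute(
        "INSERT OR REPLACE INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )
    conn.commit()
    return password


def verify_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Mirrors what the application's login check would do with the stored row.
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return secrets.compare_digest(stored, hash_password(password, salt))


if __name__ == "__main__":
    conn = sqlite3.connect(":memory:")  # constructed stand-in for the test DB
    pw = provision_test_user(conn, "selenium_ci")
    print("login ok:", verify_login(conn, "selenium_ci", pw))
```

Because the password is regenerated on every build and exists only in the throwaway test database, nothing secret needs to be committed alongside the scripts.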