security - Strategies for safely storing and using user credentials testing environments -


problem

i setting set of e2e tests on existing web-app. requires automated login on login-page (mail & password). far, still developing tests, have been putting test account credentials in cleartext in test scripts. have been removing credentials manually before each commit, not hold proper automated testing on server somewhere, nor if developers should able run tests comfort of own computers. furthermore, tests need able run several different sets of user credentials, , credential safety critical. since need test access rights, seems cannot avoid having @ least 1 test account access confidential data.

question

so question is: strategies know of, or use, safely storing , using test credentials in testing environments on developer machines, separate servers, or both?

prior research

i have spent few days looking around web (mostly stackoverflow, , many attempts @ using google-fu) asking colleagues, without finding known , used strategies handling , storing credentials in tests. reckon many skilled programmers must have solved problem in numerous ways.

stackoverflow kindly suggested these similar questions, offer interesting strategies:

  • safely storing credentials when need retrieve password use, accepted answer recommends encrypting configuration file. seems interesting idea, unclear me how distributes across servers , individual developer computers, , how logistics of handled.
  • storing credentials automated use, asker responds themself stating put credentials cleartext in file on password-protected server. might work single server, think problematic if number of local developer machines or separate test servers used testing.

case specifics

i think question of general interest regardless of implementation details, might of interest provided here anyway.

i using protractor testing angularjs apps, , considering grunt further test automation. plan on hooking tests on our git server, , have run tests @ each commit master branch, know never breaking. or, not breaking during our tests, @ least :)

i'm not sure mean when 'strategies safely storing , using user credentials testing environments'. state tests need run different sets of credentials. if test able credentials in clear text, other application/user running under same account.

sure, can encrypt file storing passwords, you'd need store encryption key somewhere in application or on machine application able decrypt it.

you use asymmetric encryption encrypt credentials public key , give access private key account running tests. still, being able log on under account runs tests able decrypt credentials file , passwords.

the best option not use confidential data in testing. work company doing medical software, , have test domain in set our software well-known accounts , use fake data test it.

or if want other developers able run tests under own credentials, consider switching kerberos , avoid passwords together.


Comments

Popular posts from this blog

matlab - "Contour not rendered for non-finite ZData" -

delphi - Indy UDP Read Contents of Adata -

javascript - Any ideas when Firefox is likely to implement lengthAdjust and textLength? -