
Test Automation - Hiding Secrets Using System Environment Variables


Introduction

In this article, I will review how to keep secrets, such as important passwords or any other sensitive data, out of test code by storing them as system environment variables. The technological stack used to implement the solution is:

Programming languages: Java, PowerShell

Testing framework: TestNG

The problem

When we test production systems, sensitive data can end up stored in our repository, where it should not be. If someone gains unauthorized access to this repository, this data can be used to attack our organization.

This is the code implementation of a test method that contains sensitive data:

@Test(description = "successfully login to the system")
public void login() {
    // some test code
    driver.findElement(By.cssSelector("#user")).sendKeys("userName");
    // the password is visible to all users in this repository
    driver.findElement(By.cssSelector("#password")).sendKeys("superSecretPassword");
}

We need a solution that will hide sensitive data from our test code.

The solution – hiding secrets using system environment variables

What are system environment variables

From Wikipedia:

An environment variable is a dynamic-named value that can affect the way running processes will behave on a computer.

They are part of the environment in which a process runs. For example, a running process can query the value of the TEMP environment variable to discover a suitable location to store temporary files, or the HOME or USERPROFILE variable to find the directory structure owned by the user running the process.

CRUD operations with system environment variables using PowerShell

Create

For creation, use the following command in administrator mode:

[System.Environment]::SetEnvironmentVariable('secretPassword', 'superSecretPassword', [System.EnvironmentVariableTarget]::Machine)

The first parameter is the name of the variable, the second is the value, and the third is the environment variable target (here, the machine).

Read

[System.Environment]::GetEnvironmentVariable('secretPassword', 'machine')

The first parameter is the name of the variable, and the second is the environment variable target (determines if this variable is related to a certain user or to the machine).

Delete

This is done by using the create method and passing a null value:

[Environment]::SetEnvironmentVariable('secretPassword', $null, [System.EnvironmentVariableTarget]::Machine)

Update

We can use the create method to update an existing variable.

List all environment variables

Get-ChildItem env:

Implementing the solution

First, we need to create a system environment variable to store our sensitive data.

Then we can read the data in our test method and remove this data from our source control.

driver.findElement(By.cssSelector("#password"))
      .sendKeys(System.getenv("secretPassword"));

This is a simple solution that has several disadvantages:

For a more robust and sophisticated centralized secret management solution, you can try Vault by HashiCorp.
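An added example, not part of the original article: `System.getenv` returns null when the variable is missing, so this sketch wraps the lookup in a fail-fast helper and redacts the value from log text. The class `EnvSecrets` and its methods are hypothetical names, the sample environment is constructed, and Java 11 or later is assumed.

```java
import java.util.Map;
import java.util.function.Function;

/** Added example: fail-fast lookup of secrets from environment variables. */
public final class EnvSecrets {
    private final Function<String, String> source;

    /** Production use: reads the real process environment. */
    public EnvSecrets() { this(System::getenv); }

    /** Lets a unit test inject a constructed environment instead of the real one. */
    public EnvSecrets(Function<String, String> source) { this.source = source; }

    /** Returns the secret, or throws an error that names the variable, never its value. */
    public String require(String name) {
        String value = source.apply(name);
        if (value == null || value.isBlank()) {
            // A variable created after the IDE or CI agent started is not in the
            // inherited environment until that parent process is restarted.
            throw new IllegalStateException("Environment variable '" + name
                    + "' is not set for this process; set it and restart the IDE or build agent");
        }
        return value;
    }

    /** Replaces every occurrence of the secret in a log line with a fixed mask. */
    public static String redact(String text, String secret) {
        return text.replace(secret, "****");
    }

    public static void main(String[] args) {
        // Constructed sample environment, so the demo runs without touching the machine.
        Map<String, String> fake = Map.of("secretPassword", "superSecretPassword");
        EnvSecrets secrets = new EnvSecrets(fake::get);

        String password = secrets.require("secretPassword");
        System.out.println(redact("typed " + password + " into #password", password));

        try {
            secrets.require("missingSecret");
        } catch (IllegalStateException e) {
            System.out.println("lookup failed: " + e.getMessage());
        }
        // In the test method: .sendKeys(new EnvSecrets().require("secretPassword"))
    }
}
```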

In conclusion

In this article, we reviewed the ability to hide secrets using system environment variables, along with its advantages and disadvantages. Securing our code is an important topic, and we should pay close attention to it while coding our automation framework.

Further reading on secret management can be found in this link.

Happy testing!

