We're trying to migrate our ReadyAPI suites into github and I'm getting a little stuck with ReadyAPI's documentation on how to encrypt passwords we use to test our application, I'm hoping someone has a simple answer they can share. Our application passwords are stored in auth manager or request properties, when this project is converted to a composite project and pushed into github those values are visible so I have followed documentation to try and mask them without success.1. Encrypt the project - this stops the project being a composite project so we're back to single use for upgrades and preventing people from making changes and keeping them in a branch. Doesn't seem like this fits.2. Password protect the project - doesn't obsfucate the passwords anywhere.3. Move the passwords to encrypted properties - Feels very hacky and clunky, makes the auth manager redundant and isn't very user friedly.I haven't been able to find any other in application solutions other than the above, I was looking at keystores/ truststores but neither seem to fit the requirement.This has left us with the only option we can see which is to write a groovyscript to pull the passwords out of an encrypted keepass kdbx file to use at runtime. This is not my preferred approach as I would rather use in built features with ReadyAPI support documentation... If anyone knows of other things to attempt or can share how they managed it in their project that would be appreciated.

barto, in the case of encrypted properties, you can set up a project-level property (e.g., MyAppSecret) and then use it in the Auth manager as well: ${#Project#MyAppSecret} The property is used in Auth manager requests and masked in the logs, at least in the logs I tried. Moreover, you can override the propery value from the command line, e.g., when you execute the test from the pipeline. So, for some environments you can include the secret and inject in the pipeline for others. Though, if the secret fields from Auth manager would be treated as sensitive and encrypted by default we wouldn't need this. You can raise a feature request for this.

Forum Discussion

barto

New Contributor

2 years ago

How are you securing secrets for storing your projects in github?

We're trying to migrate our ReadyAPI suites into github and I'm getting a little stuck with ReadyAPI's documentation on how to encrypt passwords we use to test our application, I'm hoping someone has a simple answer they can share.

Our application passwords are stored in auth manager or request properties, when this project is converted to a composite project and pushed into github those values are visible so I have followed documentation to try and mask them without success.

1. Encrypt the project - this stops the project being a composite project so we're back to single use for upgrades and preventing people from making changes and keeping them in a branch. Doesn't seem like this fits.
2. Password protect the project - doesn't obsfucate the passwords anywhere.
3. Move the passwords to encrypted properties - Feels very hacky and clunky, makes the auth manager redundant and isn't very user friedly.

I haven't been able to find any other in application solutions other than the above, I was looking at keystores/ truststores but neither seem to fit the requirement.

This has left us with the only option we can see which is to write a groovyscript to pull the passwords out of an encrypted keepass kdbx file to use at runtime. This is not my preferred approach as I would rather use in built features with ReadyAPI support documentation... If anyone knows of other things to attempt or can share how they managed it in their project that would be appreciated.

KarelHusa
2 years ago
barto,

in the case of encrypted properties, you can set up a project-level property (e.g., MyAppSecret) and then use it in the Auth manager as well:

${#Project#MyAppSecret}

The property is used in Auth manager requests and masked in the logs, at least in the logs I tried.

Moreover, you can override the propery value from the command line, e.g., when you execute the test from the pipeline. So, for some environments you can include the secret and inject in the pipeline for others.

Though, if the secret fields from Auth manager would be treated as sensitive and encrypted by default we wouldn't need this. You can raise a feature request for this.

KarelHusa
Champion Level 1
2 years ago
barto,

in the case of encrypted properties, you can set up a project-level property (e.g., MyAppSecret) and then use it in the Auth manager as well:

${#Project#MyAppSecret}

The property is used in Auth manager requests and masked in the logs, at least in the logs I tried.

Moreover, you can override the propery value from the command line, e.g., when you execute the test from the pipeline. So, for some environments you can include the secret and inject in the pipeline for others.

Though, if the secret fields from Auth manager would be treated as sensitive and encrypted by default we wouldn't need this. You can raise a feature request for this.
nmrao
Champion Level 3
2 years ago
You can use the project level property, as KarelHusa suggests, to hold the data, but the value of the sensitive data should be emptied (irrespective of value being encrypted or not) before pushing the project to repository or sharing with other people.

One can provide the property value either by command line as KarelHusa said, or using the property file without modifying the project.

This way, each engineer can use their credentials when executed on their machine.

However, if the execution is on common machine such as CI/CD, it may not work because the commands are logged.

Otherway is to use public key if supported or to have a common special(non-human) user for build pipeline purpose so that it does not affect even if every one knows the credentials.
- KarelHusa
  Champion Level 1
  2 years ago
  nmrao, good points.
  
  In CI/CD pipeline you can also use secrets that will be masked in pipeline logs.
  
  Sensitive information must be treated as secret at all levels: CI/CD execution, inside ReadyAPI, server logs, etc.
barto
New Contributor
2 years ago
Thanks both, gone with KarelHusa's solution, it allows me to get this into our companies GIT and get more hands on it. I'll have to explore if ADO is showing the credentials at a later date so may come back to your recommendation in the future nmrao

Recent Discussions

more screen real estate by moving the Testcase progress bar
2 days ago
Awesome
JSON Schema Compliance URL
5 days ago
jrziggy
Facing Issues with Converged Networking and ReadyAPI 3.45 by SmartBear – Need Some Advice!
5 days ago
jonathanjone
ReadyAPI external certification
5 days ago
Harisuresh
Ready Api Tests hitting 'NoClassDefFoundError' while running in docker
6 days ago
Tarun_Kumbnani

Forum Discussion

How are you securing secrets for storing your projects in github?

Related Content

Read aws secrets from ReadyAPI

The Secrets of Successful Collaboration - BDD

SoapUI project keystore password security?

log4j security vulnerability

[Solved] SSL Handshake exception calling a secure webservice

Recent Discussions

more screen real estate by moving the Testcase progress bar

JSON Schema Compliance URL

Facing Issues with Converged Networking and ReadyAPI 3.45 by SmartBear – Need Some Advice!

ReadyAPI external certification

Ready Api Tests hitting 'NoClassDefFoundError' while running in docker