Is it possible to encrypt passwords? #109

Closed
Vero93 opened this issue Jun 11, 2019 · 10 comments

Vero93 commented Jun 11, 2019

Is it possible to encrypt passwords?

adrianth changed the title from "Do we have "password encryption" possible." to "Is it possible to encrypt passwords?" on Jun 11, 2019
@adrianth
Contributor

If you want to avoid storing passwords in the test repo in clear text, you can:

  1. Encrypt the password using the command line:

    opentest encrypt --password my_secret_password the_text_to_encrypt
    
  2. Store the encrypted password in a data file:

    password: hvrOgOOjOarssey+4XhEAg==
    
  3. Store the encryption password (the one that you used in the command line) in your actor.yaml file, using the encryptionPassword configuration parameter:

    # ...
    encryptionPassword: my_secret_password
    # ...
    
  4. Use the $decrypt JavaScript API to decrypt the password dynamically at runtime:

    - description: Log in
      action: org.getopentest.selenium.SendKeys
      args:
        locator: { name: password }
        text: $decrypt($data("config").password)
    

Of course, everybody else in your team will have to set the encryptionPassword parameter correctly in their test actors, if they want to be able to run the test successfully.

@Vero93
Author

Vero93 commented Jun 12, 2019

Please explain the code below:

    opentest encrypt --password my_secret_password the_text_to_encrypt

my_secret_password - ?

the_text_to_encrypt - ?

Do I need to enter my own password here?

    encryptionPassword: my_secret_password

For now this code is not working for me:

    - description: Log in
      action: org.getopentest.selenium.SendKeys
      args:
        locator: { name: password }
        text: $decrypt($data("config").password)

@adrianth
Contributor

So let's say you have a log in test, and the password used for authentication is red22beetle.
You don't want to store the password in the test repo in clear text, so you must store it in encrypted form. To figure out the encrypted version, you have to run the opentest encrypt command. Of course, you also need to provide the encryption password - the one that you're going to need to decrypt the log in password when you run your test. So let's say the encryption password is 5h2o8dF9. In this case, the command to figure out the encrypted password is:

    opentest encrypt --password 5h2o8dF9 red22beetle

If you run this command, you'll get PamhjNlJ2N9QN3PV+B94FQ== as your encrypted password. You can store this password in your test repo and decrypt it at runtime when your test executes, as explained in my previous reply. Let me know if that makes sense.

@Vero93
Author

Vero93 commented Jun 12, 2019

Step 1:

    C:\Users\ksood>opentest encrypt --password Acs@0906 red22beetle
    sgqSx2arYogUSoKONZD8zg==

Step 2: Adding this code in the login file

    - name: ksood
      password: sgqSx2arYogUSoKONZD8zg==

Step 3: Adding code in the actor file

    encryptionPassword: red22beetle

    - description: Type in password field
      action: org.getopentest.selenium.SendKeys
      args:
        locator: { xpath: "//input[@Placeholder='Password']" }
        text: $decrypt($data("login")[0].password)

But it is not working.

@adrianth
Contributor

adrianth commented Jun 12, 2019

Did you put the encryptionPassword in your actor.yaml?

    # ...
    encryptionPassword: Acs@0906
    # ...

Could you log the encryption password, encrypted data and unencrypted data, to verify what it looks like?

    - script: |
        $log("Password =" + $config("encryptionPassword"))
        $log("Encrypted = " + $data("login")[0].password)
        $log("Unencrypted = " + $decrypt($data("login")[0].password))

@ariesranjan

Hi Adrian,

I am able to encrypt and decrypt the password. Please let me know how we can avoid the decrypted password being logged in the logs available in the running actor and server.

Thanks,
Ankit Ranjan

@adrianth
Contributor

@ariesranjan There is currently no way to prevent passwords and other secrets from appearing in log files. Your question made me think of a possible implementation for this, though. OpenTest could take note of all values returned from the $decrypt() function (which presumably contain sensitive data) and mask those values whenever it finds them in data that is being written in log files. If this sounds like a feature that would get the job done, could you please create a GitHub issue specifically for this, so we can track it better?
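
The masking approach described in the comment above, as an added example that is not part of the thread and not OpenTest's code; it makes no claim about how any OpenTest function is implemented. `SecretMasker`, `track`, `mask` and `demo` are hypothetical names and the log lines are constructed. It goes one step beyond the comment by also masking the JSON-escaped and URL-encoded forms of each tracked value.

```javascript
// Added illustration: SecretMasker, track, mask and demo are hypothetical
// names, not OpenTest APIs.
class SecretMasker {
  constructor(placeholder = "********", minLength = 4) {
    this.placeholder = placeholder;
    this.minLength = minLength; // very short values would mask unrelated text
    this.variants = new Set();
  }

  // Call with every value a decrypt routine returns; passes the value through.
  track(secret) {
    if (typeof secret !== "string" || secret.length < this.minLength) return secret;
    this.variants.add(secret);
    // The same secret also reaches logs re-encoded, e.g. in JSON bodies or URLs.
    this.variants.add(JSON.stringify(secret).slice(1, -1));
    this.variants.add(encodeURIComponent(secret));
    return secret;
  }

  // Apply to each line just before it is handed to the log writer.
  mask(line) {
    // Longest first, so a secret that contains another tracked secret
    // is replaced whole instead of leaving its tail behind.
    const ordered = [...this.variants].sort((a, b) => b.length - a.length);
    let out = String(line);
    for (const v of ordered) out = out.split(v).join(this.placeholder);
    return out;
  }
}

// Constructed sample: two stand-in "decrypted" values and five log lines.
function demo() {
  const masker = new SecretMasker();
  const inner = masker.track("red22beetle");
  const outer = masker.track('red22beetle&more="x"');
  masker.track("ab"); // below minLength, deliberately not tracked
  return [
    "Unencrypted = " + inner,
    "SendKeys text=" + outer,
    "POST /login body=" + JSON.stringify({ password: outer }),
    "GET /auth?pw=" + encodeURIComponent(outer),
    "table row ab",
  ].map((line) => masker.mask(line));
}

console.log(demo().join("\n"));
```

Exact-match masking of this kind only covers values in the forms that were registered; a secret that is hashed, base64-encoded or split across two log lines passes through unmasked.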

@stale

stale bot commented Mar 11, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Mar 11, 2020
@stale stale bot closed this as completed Mar 18, 2020
@ewmartinez

> @ariesranjan There is currently no way to prevent passwords and other secrets from appearing in log files. Your question made me think of a possible implementation for this, though. OpenTest could take note of all values returned from the $decrypt() function (which presumably contain sensitive data) and mask those values whenever it finds them in data that is being written in log files. If this sounds like a feature that would get the job done, could you please create a GitHub issue specifically for this, so we can track it better?

Hi @adrianth,
Has this been implemented, or is the request ticket needed? As I see it, this will be very useful.

@adrianth
Contributor

adrianth commented Aug 7, 2023

@ewmartinez Yes, this is implemented. Please see the $maskSecret function.
