Test-suite for a password protected website

Joshua Goodall joshua at roughtrade.net
Thu Dec 25 04:21:18 CST 2003

On Thu, Dec 25, 2003 at 07:00:24PM +1100, David Dick wrote:
> 1) embed a valid username / password into the test script.
> This seems just awful, more so if i want to package something up and 
> release it
> 2) store my passwords in a decryptable format and decrypt a suitable one 
> when the time comes
> This seems a bit better but where do i store the decryption keys, and 
> how secure is a system that you can decrypt passwords anyway?
> 3) prompt for the username / password when the script runs
> This of course makes it impossible to run without human intervention (or 
> Expect, in which case we have returned to 1.)
> 4) disable username / password requirements during testing
> Fine, except for a live environment

You can't test a shared secret without sharing the secret.

2) and 3) are your practical choices.

There's no answer to "where shall I store the decryption keys",
because you haven't disclosed your network topology or the type
of encryption available to you.  If PGP, then the answer of course
is "in a keyring", and the private key must be available to the
testing agent.

(3) is only practical if your operational model is hands-on, and
you trust the human enough.

If you're really concerned about having to store that shared secret,
you could always restrict its validity to the source address of the
testing agent.  Ultimately, you're going to have to share the secret
with the test agent somehow, or sidestep that with some other
authentication method (e.g. X509).

- J

Joshua Goodall                                      "tea makes itself"
joshua at roughtrade.net                                       - Ana Susanj

More information about the Melbourne-pm mailing list