This is a security risk
"Can I store my profile somewhere else and still be able to access my projects and test cases?**
This is the question that we at Katalon Product Support team received from one of our enterprise users, who cares a lot about security and expect to have a security solutions from Katalon for their use case.
In the past, Katalon supported only a secured solution for users working with the Katalon Runtime Engine (KRE) by overriding the value of arguments in the execution command.
# Keep the secrets in shell variables; the -g_<name> arguments override the profile's global variables
USERNAME_VAR="John Doe"
PASSWORD_VAR="ThisIsNotAPassword"
./katalonc -noSplash -runMode=console -projectPath="/Users/linh.nguyen/git/katalon-premium-reavealed/Secured Profiles/Secure Profiles.prj" -retry=0 -testSuitePath="Test Suites/KRE_Override_Arguments_TS" -browserType="Chrome" -executionProfile="default" -apiKey="2658c724-2d3e-4f92-9dbe-f2645610****" -orgID=84*** --config -webui.autoUpdateDrivers=true -g_username="${USERNAME_VAR}" -g_password="${PASSWORD_VAR}"
For Katalon Studio, we will first go through the approaches you might currently be applying and explain their risks. Afterwards, we will present a more carefully designed solution.
1. The Unsecured Approaches
1.1. The first unsecured approach: Set the raw text
This approach refers to this test case: Unsecured Set Text
The downside with this approach is that the password could be exposed if you push it to an online repository such as GitHub.
1.2. The second unsecured approach: Set raw text in the Execution Profiles (Global Variables)
This approach refers to this test case: Unsecured Set Text with Profile
The downside with this approach is that, once again, the password could be exposed if you push it to an online repository such as GitHub.
1.3. The third unsecured approach: Use the encrypted text with the keyword WebUI.setEncryptedText
This approach refers to this test case: Unsecured Set Encrypted Text
The downside with this approach is that the encrypted text can still be decrypted easily, so it offers little protection once the project is shared.
1.4. The fourth unsecured approach: Set the Encrypted Text in the Execution Profiles (Global Variables)
This approach refers to this test case: Unsecured Set Encrypted Text with Profile
The downside with this approach is that, as with the third approach, the encrypted text can still be decrypted easily.
2. Are there any better solutions that we can apply to this case?
We have prepared two custom keywords for two different approaches, which may suit different needs.
2.1. The first secured approach - The "defineSecuredProfiles" keyword
How it works:
- Load the variables from the execution profile file into the execution environment.
- Remove the execution profile file from the Git repository (the file remains available on the local machine). (*)
- Add the execution profile to the .gitignore file to prevent committing that file next time. (**)
(*) (**): Only follow these steps if your execution profile files are located in the Katalon project's "Profiles" folder.
2.2. The second secured approach - The "loadProfile" keyword
Use this keyword when you want to keep the execution profile files in the Git repository.
This keyword also accepts several path formats: relative paths, absolute paths, and file names with or without the file extension.
// Resolves to "./Profiles/secured_production_profile.glbl"
CustomKeywords.'SecuredProfile.loadProfile'('secured_production_profile.glbl')
→ If the selected profile exists in the Katalon project's "Profiles" folder, the "Profiles" folder path can be omitted.
// Resolves to "./Custom Folder/secured_production_profile.glbl"
CustomKeywords.'SecuredProfile.loadProfile'('Custom Folder/secured_production_profile')
→ The keyword automatically appends the file extension to your file name.
// Resolves to "C:/Users/me/Desktop/secured_production_profile.glbl"
CustomKeywords.'SecuredProfile.loadProfile'('C:/Users/me/Desktop/secured_production_profile')
→ An example with an absolute file path.
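As an added, standalone illustration (not the SecuredProfile keyword's own code, which is Groovy inside Katalon), the Python below reproduces the path resolution described above and loads the profile's variables into an environment dictionary instead of hard-coding them in a test case. The .glbl layout it parses (GlobalVariableEntity elements carrying name and initValue) is an assumption, and the sample profile is constructed for the example.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

PROFILE_EXT = ".glbl"

# Constructed sample profile. Assumed .glbl layout: one <GlobalVariableEntity> per
# variable, holding <name> and <initValue> (a Groovy literal, quotes included).
SAMPLE_GLBL = """<?xml version="1.0" encoding="UTF-8"?>
<GlobalVariableEntities>
  <GlobalVariableEntity><initValue>'John Doe'</initValue><name>username</name></GlobalVariableEntity>
  <GlobalVariableEntity><initValue>'ThisIsNotAPassword'</initValue><name>password</name></GlobalVariableEntity>
</GlobalVariableEntities>"""


def resolve_profile_path(profile, project_dir):
    """Accept 'name', 'name.glbl', 'Custom Folder/name' or an absolute path."""
    name = profile.strip()                           # tolerate stray whitespace
    if not name.lower().endswith(PROFILE_EXT):       # extension is optional
        name += PROFILE_EXT
    if os.path.isabs(name):                          # absolute path is used as-is
        return os.path.normpath(name)
    in_project = os.path.join(project_dir, name)     # path relative to the project root
    if os.path.isfile(in_project):
        return os.path.normpath(in_project)
    return os.path.normpath(os.path.join(project_dir, "Profiles", name))  # default folder


def parse_glbl(path):
    """Return {variable name: initValue} with the surrounding Groovy quotes removed."""
    variables = {}
    for entity in ET.parse(path).getroot().findall("GlobalVariableEntity"):
        value = (entity.findtext("initValue") or "").strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        variables[entity.findtext("name")] = value
    return variables


def load_profile(profile, project_dir, env):
    """Resolve the profile, load its variables into `env` (e.g. os.environ), return them."""
    variables = parse_glbl(resolve_profile_path(profile, project_dir))
    env.update(variables)
    return variables


def build_sample_project():
    """Create a throwaway project holding Profiles/secured_production_profile.glbl."""
    project_dir = tempfile.mkdtemp()
    os.makedirs(os.path.join(project_dir, "Profiles"))
    with open(os.path.join(project_dir, "Profiles", "secured_production_profile.glbl"), "w") as f:
        f.write(SAMPLE_GLBL)
    return project_dir
```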
Our sample project is available here.
The Product Support team is happy to hear any further ideas, feedback and suggestions you may have after reading this article.