Objective
Sensitive data such as an app secret or a database connection string, whether hard-coded or written in a configuration file, often gets pushed to SVN or Git during development. On open source projects such data has no privacy at all. For private projects, once the source control server is hacked, the data is exposed. So the best practice is not to write sensitive data into the source code.
In the past, we used to write database connection strings in Web.config; in .NET Core they are written in appsettings.json. In the development environment, if a developer modifies the connection string, then in order not to affect the other developers the configuration file should be left out of every commit. If other configuration changes have been added that must be committed, the developer either undoes the connection string modification before committing, or commits directly and affects the other developers. Most of the time we just commit it anyway, and the other developers pull the code and modify it again. But the best practice is not to write it in the configuration file at all.
Note that the issues mentioned above are in the development environment.
Secret Manager
.NET Core provides a tool called Secret Manager that enables the best practice described above. To emphasize once again: Secret Manager is only meant for the development environment.
Let's talk about Secret Manager. It abstracts away details such as where the data is stored and how it is stored. In short, it keeps the data in plaintext in a local JSON file. The storage location differs by operating system.
Windows
%appdata%\microsoft\usersecrets\<usersecretsid>\secrets.json
Linux
~/.microsoft/usersecrets/<usersecretsid>/secrets.json
Mac
~/.microsoft/usersecrets/<usersecretsid>/secrets.json
UserSecretsId is specified in the .csproj file, as described below.
Installation and use
Configuring and accessing user secrets requires two packages, one for each:
Microsoft.Extensions.SecretManager.Tools
Microsoft.Extensions.Configuration.UserSecrets
Briefly, about these two: the first is the tool package, which lets you use the dotnet user-secrets command to store data in a JSON file; the second accesses the data stored in that JSON file through the .NET Core configuration system.
dotnet user-secrets -h
This command allows you to view the usage of the secret manager.
It has 4 commands.
Command | Description | Syntax
clear | Remove all secrets in the program | dotnet user-secrets clear
list | Enumerate all the secrets in the program | dotnet user-secrets list
remove | Delete the specified secret | dotnet user-secrets remove NameOfSecret
set | Set a secret | dotnet user-secrets set NameOfSecret ValueOfSecret
On a Mac, for example, the commands above operate on the file ~/.microsoft/usersecrets/<usersecretsid>/secrets.json. The UserSecretsId determines which project the secrets belong to.
UserSecretsId is specified in the .csproj file.
<PropertyGroup>
  <UserSecretsId>value of UserSecretsId</UserSecretsId>
</PropertyGroup>
On Mac or Linux, the value of UserSecretsId can be generated with uuidgen.
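An added example, not part of the original article or of the .NET tooling: a Python audit helper that resolves a project's secrets.json from the UserSecretsId in its .csproj using the paths listed above, lists the stored key names without their values, and flags group- or world-readable permissions on Linux/macOS, since the file is plaintext. The function names, the id character check and the constructed sample .csproj are assumptions of this example.

```python
import json, os, re, stat

# Constructed sample: the PropertyGroup from the walkthrough's user-secrets.csproj.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <UserSecretsId>3bf2d901-89b9-437d-8856-cca63d4606f7</UserSecretsId>
  </PropertyGroup>
</Project>"""

def user_secrets_id(csproj_text):
    """Return the UserSecretsId declared in .csproj text, or None."""
    m = re.search(r"<UserSecretsId>\s*([^<]+?)\s*</UserSecretsId>", csproj_text)
    if not m:
        return None
    sid = m.group(1)
    # Assumption of this example: the id becomes a directory name, so refuse
    # anything that could step outside the usersecrets folder.
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", sid) or set(sid) == {"."}:
        raise ValueError("unsafe UserSecretsId: %r" % sid)
    return sid

def secrets_path(sid, env=None, windows=(os.name == "nt")):
    """Build the per-OS secrets.json location listed in the article."""
    env = os.environ if env is None else env
    if windows:
        return os.path.join(env["APPDATA"], "Microsoft", "UserSecrets", sid, "secrets.json")
    return os.path.join(env["HOME"], ".microsoft", "usersecrets", sid, "secrets.json")

def audit(csproj_text, env=None, windows=(os.name == "nt")):
    """Report where a project's secrets live, without reading out any values."""
    sid = user_secrets_id(csproj_text)
    report = {"id": sid, "path": None, "exists": False, "keys": [], "loose_perms": False}
    if sid is None:
        return report
    path = report["path"] = secrets_path(sid, env, windows)
    if not os.path.isfile(path):
        return report
    report["exists"] = True
    with open(path, encoding="utf-8-sig") as fh:
        report["keys"] = sorted(json.load(fh))  # top-level key names only
    # The file is plaintext: on Linux/macOS flag any group/other access bits.
    if not windows:
        report["loose_perms"] = bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CSPROJ))
```

If loose_perms comes back True on a shared development machine, `chmod 600` on the reported path restricts the file to its owner.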
The Microsoft.Extensions.Configuration.UserSecrets package extends ConfigurationBuilder with an AddUserSecrets extension method. If you want to access user secrets through the configuration system, you only need to call builder.AddUserSecrets().
if (env.IsDevelopment())
{
    // Looks up the assembly containing the Startup type and adds the user secrets
    // configuration source. Startup can be replaced by a type from another assembly.
    builder.AddUserSecrets<Startup>();
}
Or simply specify the UserSecretsId directly
if (env.IsDevelopment())
{
    builder.AddUserSecrets("UserSecretsId");
}
You can then access the user secret through Configuration["NameOfSecret"].
Project Practice
The following is demonstrated by a console program.
mkdir user-secrets && cd user-secrets # Create a new directory
dotnet new console # Create a console app
dotnet restore # Restore packages
dotnet add package Microsoft.Extensions.Configuration.UserSecrets -v 1.1.2 # Install the package
code . # Open with Visual Studio Code
Add the UserSecretsId to user-secrets.csproj
<PropertyGroup>
  <UserSecretsId>3bf2d901-89b9-437d-8856-cca63d4606f7</UserSecretsId>
</PropertyGroup>
and the Secret Manager tool package
<ItemGroup>
  <DotNetCliToolReference Include="Microsoft.Extensions.SecretManager.Tools" Version="1.0.1" />
</ItemGroup>
dotnet user-secrets set AppKey 12345 # Add a secret named AppKey
Determining whether we are in the development environment requires an environment variable, so one more package needs to be installed
dotnet add package Microsoft.Extensions.Configuration.EnvironmentVariables -v 1.1.2
Open Program.cs and add the following code
using System;
using Microsoft.Extensions.Configuration;

class Program
{
    public static IConfigurationRoot Configuration { get; set; }

    static void Main(string[] args)
    {
        // Environment variables are always a configuration source.
        var builder = new ConfigurationBuilder()
            .AddEnvironmentVariables();

        // User secrets are added only in the development environment.
        // The comparison is exact, so the value must be spelled "Development".
        var environment = Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT");
        if (environment == "Development")
        {
            builder.AddUserSecrets<Program>();
        }

        Configuration = builder.Build();
        Console.WriteLine(Configuration["AppKey"]);
    }
}
Run
ASPNETCORE_ENVIRONMENT=Development dotnet run
Or
export ASPNETCORE_ENVIRONMENT=Development
dotnet run
ASP.NET Core works similarly, so it is not demonstrated here.
Using user secrets to store sensitive data in .NET Core programs