Store secrets with keystore

Tradefed includes the concept of a keystore, where secrets can be stored in a keystore service and requested at test run time for use during the test.

Use a keystore

To use a keystore, you need to first define the source for the keystore in your global configuration.

Once done, you can then use the stored keys via: USE_KEYSTORE@{key}

JSONFileKeyStore

The sample implementation in Tradefed core uses a JSON keystore, JSONFileKeyStoreClient. To use this keystore, you would define a JSON key file that has key to value mappings.

For example, you could define a /path/to/keystore.json file as

{
  "test_account": "foo@gmail.com",
  "test_account_pwd": "helloworld",
  "wifi_lab_ssid": "Google_private_AP",
  "wifi_lab_pwd": "secret123",
}

Then you would add the following lines in your TF global configuration file:

<key_store class="com.android.tradefed.util.keystore.JSONFileKeyStoreFactory">
<option name="json-key-store-file" value="/path/to/keystore.json" />
</key_store>

When executing related tests, you can now pass in values as USE_KEYSTORE@test_account, which TF will then query the keystore for and use its value as part of the test.

Host-based keystore file

To define host-based key-value pairs, you may define a /path/to/keystore_ssid.json file as

{
  "host_a.*\\.corp\\.com": {
    "wifi_lab_ssid": "ssid_a",
    "wifi_lab_pwd": "secret_a"
  },
  "host_b.*\\.corp\\.com": {
    "wifi_lab_ssid": "ssid_b",
    "wifi_lab_pwd": "secret_b"
  }
}

The key of an entry in the file is a regular expression (regex) pattern for the hostname and the value is the set of key-value pairs for any host with a matching hostname.

Then update your TF global configuration file to include the host-based keystore file:

<key_store class="com.android.tradefed.util.keystore.JSONFileKeyStoreFactory">
<option name="json-key-store-file" value="/path/to/keystore.json" />
<option name="host-based-key-store-file" value="/path/to/keystore-ssid.json" />
</key_store>

The value of a key defined in a host-based keystore file overrides that defined in the keystore file specified with json-key-store-file.

When multiple host-based keystore files are present in the keystore, the order matters. If the value for a key is defined in multiple files, the value in the last such file overrides the rest.