Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
For a pet project, I develop a desktop application which requires API keys from several different webservices.
I've been going through and preparing this application to become open-sourced and run across the problem of what to do with those keys.
The problem is this: My understanding is that these API keys should not be visible to anyone using the application or viewing/modifying the source code. From the webservice's end, these API keys are used to identify applications accessing their API, and allow/block usage as appropriate. In most of the TOS's for receiving these keys it's actually explicitly stated that the keys must not be shared with the world.
Currently all my keys are hard-coded, but at I'm at an impasse as to how to handle the situation of private keys in an open-source application:
-If the keys remain hardcoded, they'll be publicly visible as soon as my source code is.
-I can't really omit the source file with the keys from the code distribution, since then
it won't compile. This technically solves the problem, but introduces a new, unacceptable
one.
-If I push the keys off to a .ini or other config file, and simply not include that file
in my public code repository, it would still have to be distributed with the binary of my application in order for the app to function, so my keys would be visible in the application distribution instead of the source distribution. Not an improvement. Any encryption gymnastics I attempted to utilize on this INI file would be adding the complexity for anyone attempting to modify my code.
So, with regards to my codebase (currently under Mercurial for version control), what's the best way to manage everything so that the code can be public, but my keys stay private?
Don't know what language you are using, but for example in C/C++ you'd add a include file with the API keys, and then leave it out of source control, instead add a bogus file with explicitly fake API keys. Most languages have one or the other way to include files.
Your app should use a config file. This config file is loaded at runtime and shouldn't affect compiling. The allows users to download a binary and still use their own api key.
As Kornel says, you can include an example config file with a fake API Key, in your source control.
Another option, you could talk to the people running the webservices and ask for one of two things.
A temporary key, that only works for limited functionality. That would let users see basic functionality of your app, but some people would never update the key and just use the basic stuff.
Talk to the webservices to see if you they will give you a special API Key for your application. The open source version would require users to enter their own. But your binary could use a standard one.
The thought of using a config for api key's, isn't new or unheard of. Bit.ly services do it. And all the open source applications I see that provide use with Bit.ly ask for your username and api key before you can use it.
This is no different?
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 4 years ago.
Improve this question
The lead developer abruptly left my company last week. The APIs weren't documented. So I'm scrabbling to discover what each one API is, and then document them in JIRA. We use Golang for our backend. I tried using Charles Proxy, Fiddler, JMeter, and Chromes inspector/network, but the APIs aren't displaying. I have technical limitations and I'd like to find all our APIs as soon as possible. One of my developers told me to download and install Goland. And instructed me to perform the following
"byte.*(okay|StatusOK|Successful)
and mux. and nomapi. to get the end points and those that are using it, not sure if all of them use mux and nomapi though
With goland you can jump to definitions easily very useful with not familiar code
And find usages"
Not sure what he meant by all of that.
Can someone point me in the right direction?
This really depends on what your developer used to create the APIs. Your best bet is to parse the source code rather than poke with tools like Chrome inspector. What you want to find is the router for the API handlers. The router is basically a structure that maps API endpoints (like /api/v1/login/) to Go functions that handle the calls (appropriately called handlers). But, unfortunately, depending on what framework/library was used and how the code was structured, this could be in a lot of very different places. So, while I cannot give you one definite answer, I can give you a few suggestions.
You are going to have to read Go code. No way around it. It is not that hard, so don't get scared.
There is a good chance that there is a file or multiple files called route.go or routes.go or router.go or something similar. If you find anything like that, look there first.
If you cannot find any routes, use Chrome inspector's network tab to see what API calls your front end makes, then grep the code for the endpoints. Say, if your front end makes an API call to http://api.domain.com/api/v1/accounts/, search the code for /accounts/ and for /api/v1/ and if that doesn't work for /api/. With any luck the second or third search might get you to the root router for the application and you will be able to trace it from there.
If you find some routes (or route handlers), but not all of them, look for the package name at the top of the file. If it is not main, and especially if it is called something like routes look for any place where this package is imported (just grep for the package name in all the files and ignore the package declaration itself).
Probably the most popular router library is gorilla mux. Check the code for any references to github.com/gorilla/mux in case it was used. If it was used, look for any code that has HandleFunc in it. These are going to be the routers. The same is true if no router library is used at all.
Good luck.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 4 years ago.
Improve this question
The task
We'd like to maintain some developer's documentation for our .NET projects with the following criteria:
"Documents", ideally written in Markdown for providing information that's not closely related to a piece of code (like overview, FAQ).
Standard inline comments for code and API documentation. We do thus in form of standard inline (XML) comments on the classes/interfaces (primarily for IntelliSense support, secondarily for being able to generate an API reference) and would like to continue to do like that.
The documentation is contained in what it documents; e.g. if it's an overview of a solution then in the solution, if it's for a project then among the project's files, version controlled in the same way as the code (this is so the docs are close to what they document, so they are less prone for going out of date, and also this was docs are always "at hand").
Ability to auto-generate (from the CI server) a readable, compiled documentation for a whole project, including "documents" and inline comments for APIs.
An example
We've a project that's a component usable within a 3rd party system. For this project we have the following type of documentation:
Overview (what the project does, what are the aims)
Installation instructions
API documentation
Version history
We'd like to enable our developers and other developers to
- read this documentation from the project's source package and
- from a website.
Solutions we've looked at
Using a wiki (we tried Confluence): this is good for "document"-type of documentation (like overview or installation notes), but it lives independently from the project itself. It's another system to maintain and because it's not before one's eyes when doing development it can quickly go out of date. Also it's one more task to somehow integrate auto-generated API documentation into it.
Using Markdown files and storing them along the code: this is simple and documentation is always at hand and close to what it documents; however we somehow need to generate a publishable web package from these files and the source files' inline documentation.
So far doxygen looks like the solution capable of providing all these. Do you agree?
See "How to include custom files in doxygen".
Broadly speaking this is exactly what I am currently doing, and I'm using Doxygen.
However, I'm afraid I know nothing about .NET. The project I'm working on is a Java package, but includes API documentation extracted from the source, user guides, release records and things like deprecations.
The only thing out of our scope and in yours is Installation Guide, but that's really only because the developer only gets to read it after installation.
We have Jenkins CI building the document on every change.
The 'descriptive' text is all written in Markdown which Doxygen handles reasonably well.
Downsides: If you are familiar with the way Doxygen handles grouping of text for source code you may be confused that these commands don't work to group the blocks of text in Markdown. There are a few other specific oddities but you'll probably find most of them if you scan my own questions on the subject (here, here and here)
Upsides: (Things we've found useful that you've not mentioned)
We can also parse the 'doxygen' markup in the Java API to create a javadoc that IDE's such as Eclipse can use. This does mean we have to limit ourselves to javadoc-style command in the API docs but that's not a big limit.
We've included, under doxygen 'build switch', a manual for your developers on how to write the documentation for the manual (OK, this is slightly recursive!). This provides the recommended command subset to use, and whether (according to taste) you want people to use doxygen #subsection or Markdown ## for headings etc.
Hope that helps.
I'd suggest you try it; trialling a sample of each type of document section you need, to see if it will do the whole set of functions you need. Nothing more annoying documenting 90% then finding it won't do the last 10%.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 6 years ago.
Improve this question
How can I use Go to call and manage Ldap protocol directly? are there any packages? or must I use udp and tcp?
There is no LDAP library in the Go standard libraries, but a quick Google search reveals several you could try:
https://github.com/mmitton/ldap
https://github.com/tonnerre/go-ldap
This second one is actually a fork of the first one. On github you can always view the open issues, last update and forking network (https://github.com/mmitton/ldap/network) to get a pretty good sense of which library you should use when there is a lot of forking.
If you need a library for something omitted in the Go standard libraries there are several good places to look:
Always start with a quick Google search
Checkout: http://go-lang.cat-v.org/pure-go-libs / http://go-lang.cat-v.org/library-bindings
And: http://godoc.org/
And: http://code.google.com/p/go-wiki/wiki/Projects
If all of those fail you and you don't feel up to creating your own implementation, keep in mind you can always use cgo to call C code (such as one of the many C LDAP libraries for example) from Go.
Thought I should add my ten cents here. It is an old post, but here it is nonetheless
I used the https://github.com/mavricknz/ldap library after using the mmitton/ldap one as mentioned by voidlogic above. The problem with the mmitton lib is that it does not handle escape characters very well in the filter.
The test filter: (&(objectClass=user)(cn=wickd(bracketTest )))
Escaped Filter: (&(objectClass=user)(cn=wickd\28bracketTest \29))
The MMitton library just came back with a filter compile error even with the escaped filter. Loaded the Mavricknz lib and it worked. Even comes with EscapeFilter function! brilliance!
Anyhow... Thought I should post this for anyone that had the same struggle as I did :)
I started to write a helper library for building server software capable of speaking the LDAP protocol.
There are some usage samples included.
https://github.com/vjeantet/ldapserver
Additionally, for the server end of it, I wrote this package (in Go) a while ago:
https://github.com/bradleypeabody/godap
It's not a full LDAP server but works well for implementing authentication on top of another data source (something I have been unable to find any other project that addresses).
It does a lot of "manage Ldap protocol directly" :)
For a simple high-level ldap client, see go-ldap-client, go docs.
Most of the options on https://godoc.org/?q=ldap
are just forks of another one, most of them are too low level or too limited (e.g. do not return errors
which make it hard to troubleshoot issues).
If you want to provide LDAP based authentication on your web page, you may like the solution I created: go-ldapc is a LDAP Authentication Client Module, with only one API.
It's on github - sona-tar/go-ldapc.
I know how to make a .pkpass file using tools on my Mac and then zipping them up and signing them (using the signpass tool), but how could I edit the file during runtime in an iOS app?
I realize that in the Apple documentation, they want you to use a server for any pass updates / edits, but this is not what I am aiming to do (I realize the security issues there, and that is not the focus of this question).
How can I do this (I'm not asking for code)? In the documentation, this is the only mention (that I've seen) of actually manipulating the passes at runtime:
In a production environment, the signing and compressing would be part of the system that generates passes.
Any ideas on how this can be done? Are there any third party APIs that allow for this (I've checked out Passdock and Passsource, but Passdock doesn't have an Obj-C API and Passource isn't too clear).
As you already have said, Apple does not want you to create your own .pkpass files in an ios App. It is certainly possible to do so, Apple can't NOT allow you to include or fetch certificates although they can certainly reject your app if they want to.
You can adapt code from any number of articles/tutorials to build the various files, create the signature (probably the most arcane and difficult part), and create a .pkpass file in your app. Some of the code in the signpass app is probably reusable as is, if the frameworks it relies on are in the iPhone SDK.
Perhaps you could look at some the services that are already out there that offer pass generation with a high-level API that could be consumed from the phone.
This one, for example, which I present with no warranty or endorsement.
You won't be able to edit the .pkpass file, as it has been signed. If you change it, the signature will be invalid.
The only editing you can do is pre-pkpass generation. If you can create .pkpass files at runtime, you can edit them before signing. Otherwise, the only other option to edit them post generation using push notifications, but that only allows editing of particular fields.
I have a VB.NET 2010 solution, that contains 2 projects, a class library and a Windows Forms Application.
The class library basically is a model, used for doing database integration.
I currently have the connection string placed in the class library project settings, but they do not seem to be listed anywhere in the config file of the application. What's the best practice for retrieving the connection string in the class library? I don't want to use a singleton. Should it be stored in the application or class library?
It seems the Class Library would make more sense since that is project interacting with the database. It would probably be beneficial to encrypt the connection string and store it in a file or registry key so that way if the system is compromised, the intruder will still have to crack the key to view the connection string, yet still offers you the ability to change it without recompiling your app.
I still go with what I said in your earlier question - leave the settings/configurations out of the class library. Put them in the config file for the application(s) that use the class library.
What happens if the connection string changes? Since class library's don't use config files, you'll most likely have to update the code, recompile, and redeploy it. Not a big deal if it's one program on one machine, but what if it's multiple programs and/or multiple machines?
Granted, you'd still have to make a lot of changes in a multi-program/multi-system environment via the config file, but that's a lot simpler, IMO, than recompiling (and regression testing) a class library.
Another factor to consider is what if different applications want to use this same class library? What if you have different environments that have different connection strings? And so on.
In a nutshell, I would opt to leave configuration items for the application, not the supporting class libraries. From a resusability and scalability perspective I feel that gives you the most bang for your buck.
If you only have one application and its only ever going to use this one class library, and no one else will, you can probably leave the configuration settings in it - but using the phrase "We'll never change" or "It will always be like this" is a good way to get a lot of headaches down the road.
All of the above is, of course, in my opinion, and should not be taken as me speaking officially for any other programmer or corporation :)
Edited to add
You'll have to manually move the settings you need from the class library's config to the application's config. VS won't do it for you.
And why do you keep bringing up the singleton design pattern? What potential benefit do you see from it? Or have other people been suggesting it to you?