grab UserSecrets from a NuGet package

Question

I've written a C# class library for my company to use internally, and it uses DotNet UserSecrets to allow each developer to have their own credentials set without needing to worry about accidentally committing them. It worked fine during testing, but after installing it as a NuGet package as opposed to a project dependency, it no longer seems to be able to read from the secrets.json file. I'm wondering if this is a security thing that C# prevents, or if I need to do something else to enable that functionality in an external package.

The package code looks like this:

using Microsoft.Extensions.Configuration;
using TechTalk.Specflow;

namespace Testing.Utilities
{
    [Binding]
    public class Context
    {
        private static IConfigurationRoot configuration { get; set; }
        private static FeatureContext feature_context;

        // SpecFlow attribute runs this before anything else executes
        [BeforeFeature(Order = 1)]
        private static void SetFeatureContext(FeatureContext context)
        {
            try
            {
                configuration = new ConfigurationBuilder()
                    .AddUserSecrets<Context>()
                    .Build();
            }
            catch { }

            feature_context = context;
            test_context = context.FeatureContainer.Resolve<TestContext>();
        }

        public static string GetSecretVariable(string name)
        {
            object v = null;

            // if the user secrets were found
            if (configuration != null)
            {
                v = configuration[name];
            }

            if (v == null)
            {
                Logger.Warning($"secret variable '{name}' not found");
                return null;
            }

            return v.ToString();
        }
    }
}

And in the calling code which always gets Null from the getter method:

using Testing.Utilities; // via NuGet package

namespace Testing
{
    public static void Main()
    {
       System.Console.WriteLine($"found {Context.GetSecretVariable("super_secret")}");
    }
}

Update: It works as expected when I drag my locally built .nupkg file into my NuGet package cache and replace the one pulled from the repo. I updated the version number and pushed the change so I know they are on the same version, and it still only worked when I manually inserted my build. Now I'm more confused...

.Net's user secrets are stored outside of the repository in a user directory by default. Maybe this will help. https://learn.microsoft.com/en-us/aspnet/core/security/app-secrets?view=aspnetcore-6.0&tabs=windows — awright18, Apr 18 '22 at 20:27
Take a look at [this overload](https://learn.microsoft.com/en-us/dotnet/api/microsoft.extensions.configuration.usersecretsconfigurationextensions.addusersecrets?view=dotnet-plat-ext-6.0#microsoft-extensions-configuration-usersecretsconfigurationextensions-addusersecrets(microsoft-extensions-configuration-iconfigurationbuilder-system-reflection-assembly)). — madreflection, Apr 18 '22 at 20:34
@awright18 right, I've already got the `` in both the library and the project. I initially only had it in the project, so adding it to the library was my first guess, but it doesn't seem to have helped. — Jeremy Meadows, Apr 19 '22 at 12:07
@madreflection which assembly would I suggest I try? would I try to pass the library's own assembly? I'm not super familiar with .NET reflection stuff, but that kinda seems like the opposite issue: passing a current user secret to a library. — Jeremy Meadows, Apr 19 '22 at 12:22

Jeremy Meadows · Accepted Answer · 2022-04-22T19:44:06.267

0

I ported the project from .NET Framework 4.6.1 to .NET 6 and it seemed to fix it. Kinda drastic change, but easy enough refactor and 461 is EOL anyways.

edited Apr 22 '22 at 19:44

answered Apr 21 '22 at 14:30

Jeremy Meadows

2,314
1
6
22

grab UserSecrets from a NuGet package

1 Answers1