Sunday, February 11, 2024

Unit testing cheat sheet (xUnit, FakeItEasy, FluentAssertions)

Summary: Samples of C# code handling common unit testing tasks using xUnit, FakeItEasy, and FluentAssertions frameworks.

Here are some tips, samples, and suggestions for implementing common unit testing tasks.

Unit test without parameters:

[Fact]
void SampleClassName_MethodToBeTested_DescriptiveTestTitle()
{
    // ARRANGE
    // ACT
    // ASSERT
}

Unit test with parameters:

[Theory]
[InlineData("abc", 1, true)]
[InlineData("xyz", 2, false)]
void SampleClassName_MethodToBeTested_DescriptiveTestTitle
(
    string? param1,
    int? param2,
    bool? param3
)
{
    // ARRANGE
    // ACT
    // ASSERT
}

Unit tests with DateTime or DateTimeOffset parameters:

[Theory]
[InlineData("2024-06-05 23:45:10.456", "3/28/2007 12:13:50 PM -07:00")]
void SampleClassName_MethodToBeTested_DescriptiveTestTitle
(
    string? paramDateTime,
    string? paramDateTimeOffset
)
{
    DateTime dateTime = DateTime.Parse(paramDateTime);
    DateTime dateTimeOffset = DateTimeOffset.Parse(paramDateTimeOffset);
    ...
}

Unit tests with complex parameters:

[Theory]
[InlineData("{\"id\":123,\"email\":\"joe.doe@somemail.com\",\"enabled\":true}")]
void SampleClassName_MethodToBeTested_DescriptiveTestTitle
(
    string? paramUser
)
{
	// This example uses Newtonsoft.Json, but the same can be done
    // using the default framework's JSON serializer.
    User? user = JsonConvert.DeserializeObject<User?>(paramUser);
    
    // NOTE: Yes, I know about MemberData, but this seems more straightforward IMHO.
    ...
}

Fake object with the default constructor (can use an interface or a class):

ISample fakeISample = A.Fake<ISample>();
Sample fakeSample = A.Fake<Sample>();
ISample<AnotherSample> fakeGenericSample = A.Fake<ISample<AnotherSample>>();

Fake object with a parametrized constructor:

Sample fakeSample = A.Fake<Sample>(x => x.WithArgumentsForConstructor(new object[] { "param1", 2, true }));

Fake returns specific object properties:

User user = A.Fake<User>();

A.CallTo(() => user.Id).Returns(12345);
A.CallTo(() => user.Email).Returns("joe.doe@somemail.com");
A.CallTo(() => user.Enabled).Returns(true);

Fake returns a specific value from a method:

// Data service is used by user service to get user from database
// and we are faking it.
IDataService dataService = A.Fake<IDataService>();

// Define properties of the user object to be retuned.
int id = 12345;

// Let's assume that the method of the UserService class being tested 
// internally calls the GetUserById method of the IDataService object
// (we're using a fake here to simulate a valid return).
A.CallTo(() => dataService.GetUserById(id)).Returns(new User(id));

// UserService is the class we're testing (system under test or SUT).
UserService userService = new UserService(dataService);

// We are testing the Enable method and expect it to be successful.
userService.Enable(id);

Use wildcard to trigger a fake method result for any parametetr value:

// A.<T>_ is a shortcut for a wildcard.
A.CallTo(() => dataService.GetUserById(A<string>._)).Returns(existingUser);

Fake returns a specific value from an async method:

IDataService dataService = A.Fake<IDataService>();

// Define properties of the user object to be retuned.
int id = 12345;

// Assume that GetUserById is an async method returning Task<User>.
A.CallTo(() => dataService.GetUserById(A<string>._)).Returns(Task.FromResult(new User(id)));

Fake returns a specific value from a generic method:

// Data service is used by user service to get user from database
// and we are faking it.
IDataService dataService = A.Fake<IDataService>();

// Define properties of the user object to be retuned.
int id = 12345;

// Data service has a generic method GetUser that we want to fake.
A.CallTo(dataService).Where(call => call.Method.Name == "GetUser")
   .WithReturnType<User>()
   .Returns(new User(id));
   
// UserService is the class we're testing (system under test or SUT).
UserService userService = new UserService(dataService);

Tested method throws an exception of the exact type:

Assert.Throws<InvalidInputException>(
    () => userService.UpdateUser(AzureServiceType.B2C, _id, user, _caller));

Tested method throws any exception derived from the specified type:

Assert.ThrowsAny<InvalidInputException>(
    () => userService.UpdateUser(AzureServiceType.B2C, _id, user, _caller));

Assign expected exception to a variable:

Exception ex = Assert.Throws<InvalidInputException>(
    () => userService.UpdateUser(AzureServiceType.B2C, _id, user, _caller));

Set up a fake SendGrid call:

ISendGridClient _sendGridClient = A.Fake<ISendGridClient>();

System.Net.Http.HttpResponseMessage httpResponse = new();
System.Net.Http.HttpContent         httpContent  = httpResponse.Content;
System.Net.Http.HttpResponseHeaders httpHeaders  = httpResponse.Headers;

httpHeaders.Add("X-Message-Id", "12345");

SendGrid.Response sendGridResponse = 
    A.Fake<SendGrid.Response>(x => x
        .WithArgumentsForConstructor(new object[] { httpStatusCode, httpContent, httpHeaders }));

A.CallTo(() =< _sendGridClient
    .SendEmailAsync(A<SendGridMessage>._, A<CancellationToken>._))
    .Returns(Task.FromResult(sendGridResponse));

Mock HttpContext for a controller class under test:

System.Net.Http.HttpRequest httpRequest = A.Fake<HttpRequest>();
System.Net.Http.HttpContext httpContext= A.Fake<HttpContext>();

A.CallTo(() => httpContext.Request).Returns(httpRequest);

// Set up the request properies that you need.
A.CallTo(() => httpRequest.Scheme).Returns("https");
A.CallTo(() => httpRequest.Host).Returns(new HostString("localhost:8888"));
A.CallTo(() => httpRequest.PathBase).Returns(new PathString("/api/v1"));
A.CallTo(() => httpRequest.Path).Returns(new PathString("sample"));

// SampleController is derived from the ControllerBase class.
SampleController controller = new(...);

controller.ControllerContext =  new ControllerContext()
{
	HttpContext = httpContext
};

Controller method POST returns HTTP status code 201 Created:

// Assume that all dependencies have been set.
ActionResult<User> actionResult = controller.CreateUser(user);

// First, test action result.
actionResult.Should().NotBeNull();
actionResult.Result.Should().NotBeNull();
actionResult.Result.Should().BeOfType<CreatedResult>();

// Next, test response specific result.
CreatedResult? result = actionResult.Result as CreatedResult;

result.Should().NotBeNull();

// Successful POST must return the URL of the GET method 
// ending with the ID of the newly created object in the
// Location header.
result?.Location.Should().NotBeNull();
result?.Location.Should().EndWith(id);

// Finally, check the created object to be returned to consumer.
result?.Value?.Should().NotBeNull();
result?.Value?.Should().BeOfType<User>();

Controller method POST returns HTTP status code 400 Bad Request:

// Assume that all dependencies have been set.
ActionResult<h;User> actionResult = controller.CreateUser(user);

// First, test action result.
actionResult.Should().NotBeNull();
actionResult.Result.Should().NotBeNull();
actionResult.Result.Should().BeOfType<BadRequestObjectResult>();

// Next, test response specific result.
BadRequestObjectResult? result = actionResult.Result as BadRequestObjectResult;

result.Should().NotBeNull();

// Finally, check the error object to be returned to consumer.
// This example shows a custom problem details object ErroDetails,
// which may be different in your case.
result?.Value.Should().NotBeNull();
result?.Value.Should().BeOfType<ErrorDetails>();

if (result?.Value is ErrorDetails errorDetails)
{
    // ServiceCodeType is a custom enum value returned via the error object's 
    // ServiceCode property (this check may be different in your case).
    errorDetails.ServiceCode.Should().NotBeNull();  
    errorDetails.ServiceCode.Should().Be(ServiceCodeType.BadRequest.ToString());
}

Controller method POST returns HTTP status code 401 Unauthorized:

// Assume that all dependencies have been set.
ActionResult<h;User> actionResult = controller.CreateUser(user);

// First, test action result.
actionResult.Should().NotBeNull();
actionResult.Result.Should().NotBeNull();
actionResult.Result.Should().BeOfType<UnauthorizedObjectResult>();

// Next, test response specific result.
UnauthorizedObjectResult? result = actionResult.Result as UnauthorizedObjectResult;

result.Should().NotBeNull();

// Finally, check the error object to be returned to consumer.
// This example shows a custom problem details object ErroDetails,
// which may be different in your case.
result?.Value.Should().NotBeNull();
result?.Value.Should().BeOfType<ErrorDetails>();

if (result?.Value is ErrorDetails errorDetails)
{
    // ServiceCodeType is a custom enum value returned via the error object's 
    // ServiceCode property (this check may be different in your case).
    errorDetails.ServiceCode.Should().NotBeNull();  
    errorDetails.ServiceCode.Should().Be(ServiceCodeType.Unauthorized.ToString());
}

Controller method POST returns HTTP status code 409 Conflict:

// Assume that all dependencies have been set.
ActionResult<h;User> actionResult = controller.CreateUser(user);

// First, test action result.
actionResult.Should().NotBeNull();
actionResult.Result.Should().NotBeNull();
actionResult.Result.Should().BeOfType<ConflictObjectResult>();

// Next, test response specific result.
ConflictObjectResult? result = actionResult.Result as ConflictObjectResult;

result.Should().NotBeNull();

// Finally, check the error object to be returned to consumer.
// This example shows a custom problem details object ErroDetails,
// which may be different in your case.
result?.Value.Should().NotBeNull();
result?.Value.Should().BeOfType<ErrorDetails>();

if (result?.Value is ErrorDetails errorDetails)
{
    // ServiceCodeType is a custom enum value returned via the error object's 
    // ServiceCode property (this check may be different in your case).
    errorDetails.ServiceCode.Should().NotBeNull();  
    errorDetails.ServiceCode.Should().Be(ServiceCodeType.Conflict.ToString());
}

Mock AppSettings:

// The following dictionary mimics appsettings.json file.
// Notice how array values must be defined using indexes.
Dictionary<string,string?> configSettings = new()
{
    {"ServiceA:ValueSettingX", "ValueX"},
    {"ServiceA:ValueSettingY", "ValueY"},
    {"ServiceA:ValueSettingZ", "ValueZ"},
    {"ServiceA:ArraySetting1:0", "Value0"},
    {"ServiceA:ArraySetting1:1", "Value1"},
    {"ServiceA:ArraySetting1:2", "Value2"},
}

IConfiguration config = new ConfigurationBuilder()
    .AddInMemoryCollectionconfigSettings)
    .Build();

Common FluentAssertions:

// Value should not be null.
value.Should().NotBeNull();

// Value should be of specific type.
value.Should().BeOfType<User>();

// Value should be equal to.
value.Should().Be(1);
value.Should().Be(true);
value.Should().Be("expected value");

// Value should contain (comparison is case sensitive).
value.Should().Contain("value");

// Value should contain any one of the specified values (comparison is case sensitive):
value.Should().ContainAny("value1", "value2");

// Value should contain all of the specified values (comparison is case sensitive):
value.Should().ContainAll("value1", "value2");

// String value should be equal to (comparison is case insensitive).
value.Should().BeEquivalentTo("Value");

Wednesday, February 1, 2023

How to edit a web page layout in the browser

Summary: How to edit a web page in a browser.

Here is something my 10-year-old showed me that I used at work today. Since I do not do this often, it's mostly a note to self (in case I forget). If you need to play with a web page layout in a browser (I, for example, needed to add some new lines to a few messages on the page to see what makes them easier to read). It is very simple (the instructions assume you are using Google Chrome, but I suspect you can do the same in other browsers).

  1. Right click anywehere on the web page and select the Inspect option from the context menu.
  2. In the Developer Tools' window, switch to the Console tab.
  3. At the prompt, type in document.body.contentEditable=true and press Enter.
  4. Make your changes on the page (you can cadd, change and delete text, and do other things).
  5. When done with your changes, at the prompt, type in document.body.contentEditable=false and press Enter
Happy programming.

Monday, June 27, 2022

Tell Git to bypass proxy for internal addresses

Summary: How to make Git bypass proxy settings when connecting to internal repositories.

A common question enterprise application developers ask that generally gets unsatisfactory answers is: how do you configure Git to use the corporate proxy settings to connect to the external repositories (such as Github) while bypassing the proxy when connecting to internal repositories (such as corporate Gitlab instances)? A typical answer would recommend configuring proxy settings on each repo. The problem with this approach is that it assumes that you already have a local repo, but how do you access a repo if you want to perform the initial clone other than changing global proxy settings?

One option would be to specify proxy in the git clone command. For example, to bypass the global proxy settings, run it like this:

git -c http.proxy= clone https://internalgithub.com/foo/bar.git

But there is an even better solution: you can specify proxy settings on a per-domain basis. The following instructions assume that you are using a Windows system (I suspect that Mac or Linux instructions would be slightly different, but the idea must be the same). Simply, open the .gitconfig file located in the root of your user profile folder (such as c:\Windows\Users\yourusername), and add lines similar to the following:

[http]
	proxy = http://your.corp.proxy.server.com:XXX
	sslBackend = schannel
[https]
	proxy = http://your.corp.proxy.server.com:YYY
[http "https://your.company.repo.host1.com/"]
	proxy = ""
	sslVerify = false
[http "https://your.company.repo.host2.com/"]
	proxy = ""
	sslVerify = false
[credential "https://your.company.repo.host1.com/"]
	provider = generic
[credential "https://your.company.repo.host2.com/"]
	provider = generic

Once you save the .gitconfig file, you will need to log off and log on to the system for the changes to take effect.

Notice that your global proxy settings are defined under both the http and https sections, while domain-specific sections only use http (when I added the https sections for domain-specific URLs, it stopped working). Also, the global proxy definition assumes that the proxy server does not require authentication (if it does, adjust the proxy definition appropriately).

Thursday, May 5, 2022

How to stop and start tracking file changes for Git

Summary: Git commands that let you stop and start tracking project file chages.

During application development, there may be situations when you want to make a change in a file (e.g. modify an application setting) without accidentally committing this change to source control. There may be better ways to do this, but one option is to tell Git to stop tracking the file before you make the the change that you do not commit to the repo. Say, there is an appsettings.Developement.json file that you want to stop and start tracking. This is how I do it.

Create two files stop-tracking-appsettings.bat and start-tracking-appsettings.bat files in the solution folder (PROJECT_FOLDER must be replace by the name of the project directory under the solution folder).

stop-tracking-appsettings.bat

@echo off
git update-index --skip-worktree PROJECT_FOLDER\appsettings.Development.json

start-tracking-appsettings.bat

@echo off
git update-index --no-skip-worktree PROJECT_FOLDER\appsettings.Development.json

Now you can either run these files from a console whenever you want to stop and start tracking file changes. Even better, in Visual Studio, you can create a custom tool menu option (e.g. Run batch file) that you can invoke by right clicking the file in the Solution Explorer and selectin the context menu option (see this Stack Overflow answer explaining how to set it up).

Thursday, October 21, 2021

Resources that helped me pass the CISSP exam

Summary: List of helpful resources for CISSP exam.

After four months of intense study (and about a year since I started) I passed the CISSP exam. Here is the list of resources I found useful (and some that weren't).

BOOTCAMPS

Feedback from my colleagues who went to bootcamps varies but the general consensus is that with some exceptions they are not really worth the cost. There is only a handful of trainers who are exceptional and you can find them online for cheaper than $2K+. Yes, most bootcamps can give you a voucher to repeat an exam if you do not pass, but it's still cheaper to pay for two exams than for one bootcamp.

The digital versions of the bootcamps I used and found helpful include:

  • Thor's CISSP Udemy course. I have a Udemy subscription through work, so I watched this course 3 times: first, in the very beginning of my studies (and did not really like it), then after the 2021 update, and finally on the week of the exam at 2x speed (now, after watching it three times, I can say, it's excellent).
  • I lost the link but there was an old audio version of Kelly Handerhan's Cybrary course posted on Reddit. I watched a couple of video episodes when they were free at Cybrary, but mostly listened to the audio while driving. Overall, I think I listened to the whole series 2-3 times (at x1.7 speed). Kelly is one of (if not) the best instructors out there. The audio version is a bit outdated, but the fundamentals are still there. Highly recommend. Also, make sure you watch Kelly's Why You Will Pass the CISSP [exam] video. (UPDATE: Found links to the audios here.)
  • Destination Certification's Mind Map series. Excellent coverage. I would recommend also watching the supplemental videos, like the one that explains how Kerberos works and there are others.

BOOKS

I first planned to use O'Reilly Digital Subscription (through work), but the digital versions did not work for me, so I switched to paperbacks (for casual reading, I prefer digital).

PRACTICE TESTS

When practicing tests, the point is not to remember, but to try to understand why an answer is right or wrong. Yes you need to memorize a few things, but generally, memorization will not take you too far.

  • Boson Practice Exams. Must be used on a desktop (Windows, not sure it the environment works on a Mac). Very good overall. Explains why the correct answer is correct and why each wrong answer is wrong. I think it expires after 6 months once you start using it, so keep it in mind. I also tried a couple of practical labs (not the tests), but did not find them particularly useful. If you have no practical experience with the concepts (like hashing, etc), they may offer some value, though.

I'm using Android, but assume Apple store has the same apps:

  • (ISC)² Official CISSP Tests. Good app with some limitations. A few questions had wrong answers. There is no way to mark a question when you are taking a practice test. Once you are done with the practice test and exit the app, your results are gone.
  • CISSP Practice Tests. Use the free version. Found a few errors, but overall good.

I used a number of other free apps but as I'm checking now, they are either discontinued, or were not very good.

UTILITIES

  • Chegg Prep. Used it for building flashcards for the topics I needed to review. Terrible app, but it's the one I started to use and it was too late to switch. It can get you by.

VIDEOS

For every topic that I struggled with, I just searched the Internet for the best resource (in most cases, video) to cover it. There are too many to list, but I want to mention this one because it helped me a lot to learn about networking (one of my weak areas):

COMMUNITIES

Spent a lot of time here:

SEE ALSO

How I passed the CISSP exam

Best of luck to all learners. You can do it!

How I passed the CISSP exam

Summary: How I studied and passed the CISSP exam.

On April 17, 2021, I passed the CISSP exam. The exam seemed easier than I had expected it to be, but the road to it was long and hard. I studied intensively for almost a year and practically had no life for four months before the exam. After passing the exam, I shared some insights on the CISSP Exam Preparation - Study Notes and Theory group's Facebook page. This is a slightly redacted copy of that post in case something happens to Facebook. If you are planning to take the exam, check it out along with my other post summirizing the list of resources that I found helpful.

INTRO

I took the exam today [April 17, 2021] for the first time and was done after 100 questions. Having not taken any exams since my college days (20 years ago) and understanding that there are still many areas where I was not fluent, I was about 50% certain I would not pass (actually, considered rescheduling a few times), so it was short of a miracle. Many thanks to Luke [Ahmed] and this [Facebook] group for helping me get ready. It was invaluable. Best of luck to everyone who is going to try it again. Here are some thoughts that may help others.

THE EXAM

Frankly, it was not as hard as I had expected it to be after hearing horror stories. Maybe I got lucky and should just praise God. Or maybe after all the training I had done I was finally in the right mindset. Or maybe both. Anyway, as people say, the questions were indeed not like the questions in the prep tests, but not necessarily in a worse way. I have seen a lot more difficult questions when using Boson and prep apps. I think I had five or so questions that I did not get at all and just picked the answers by gut feeling. I was not sure about a dozen or so questions were, but mostly I felt pretty good. Since they don't give you the answers, it's hard to say what I did right and what I did wrong, but for a few, the answers seemed more revealing than the questions. I was surprised that all abbreviations were spelled out (I thought only ambiguous abbreviations would be spelled out, so could've saved time not learning them and not freaking out about not being able to remember them all). Didn't have any questions that would require calculations or using the pen and paper. Yes, there were questions about some basic laws, regulations, and frameworks but they were all in the context of a described scenario. Did not have to do crypto much, but a few questions required understanding of the basic concepts and algorithm names (but nothing like "how many rounds and block sizes RC6 supports"). Overall, with a couple of exceptions, questions made sense.

THE DAY OF THE EXAM

Took a day off work. I scheduled the exam at 3:30 PM, but should've scheduled it earlier to get it over sooner. Watched Kelly Handerhan's "Why you WILL pass the CISSP" video to set me in the right mood.

THE WEEK OF THE EXAM

Took Monday and Tuesday off to re-watch Thor Pedersen's UDEMY videos (for the third time) at 2x speed (we have the Udemy subscription at work). Reviewed my notes on Wednesday after work. Watched a couple of videos on Thursday and glanced over a few notes covering areas that I still did not get. Came to peace understanding that there were still some topics that I did not know very well.

FOUR MONTHS BEFORE THE EXAM

Practically, had no personal life. Spent most evenings and weekends studying. Read Luke Ahmed's "How to Think Like a Manager" book. Read the "11th Hour CISSP" book. Started following CISSP Exam Preparation - Study Notes and Theory group's Facebook page and a couple of other groups. Bought "Official Study Guide, 8th Edition" and "Official Practice Tests, 2nd Edition". Read a couple of chapters of the official study guide and realize that I couldn't hold all this info in my head, so only used it as reference. Have not used the practice tests book at all because I bought the Official Practice Tests app for Android and it was pretty much the same (UPDATE: Looks like there is a new and better free version available now: CISSP - (ISC)² Official App). Used a number of free test prep apps (pretty much everything I was able to find at the Google play store, some of them were quite useful). Practiced Boson tests (highly recommend). Also tried to do a couple of Boson labs and realized they were mostly a waste of time. I think I practiced something between 1,500 and 3,000 questions. I stopped using each practice app once I realized that the questions started to recycle. A side note about apps: none of them are perfect (some have wrong answers, some have other issues), but I would still recommend everything I used: Boson, official study test prep app, and other apps. By the end, I was getting about 75%-85% on tests on average, depending on the platform. When doing tests, I used Chegg Prep to keep notes of everything I struggled with. I mostly did tests in prep mode and tried to analyze the wrong answers. Did timed exercises, as well, just to get an idea.

ONE YEAR BEFORE THE EXAM

Gave up resisting my manager who insisted on me getting the CISSP certification. Watched Thor Pedersen's Udemy course (a couple of times). Started listening to the old Kelly Handerhan's audio version of the CISSP prep course (pretty much listened to it at 1.5x speed all the time I was in a car driving alone; I think I listened to them 2-3 times). Bought the Boson prep app and then realized that it was only a practice app (no training materials other than labs) and it would expire 6 months after starting to use it, so I held off until I was more or less ready.

BACKGROUND

A software guy. 20+ years of IT (mostly, InfoSec) development experience. Didn't know much about infrastructure, networks, firewalls, etc (before I started studying for the CISSP exam).

SEE ALSO

Resources that helped me pass the CISSP exam

Wednesday, September 8, 2021

How to read a secret from command line

Summary: A sample of C# code illustrating how to read a masked secret value entered via a console.
The following function can be used to read a secret value, such as a password from a command line:
/// 
/// Reads a secret from command line masking the characters entered by the user.
/// 
/// 
/// Prompt to be displayed for the user (e.g. "Enter password: "). If not specified, the prompt will not be displayed.
/// 
/// 
/// The masking character.
/// 
/// 
/// The string entered by the user.
/// 
private static string GetSecret
(
    string prompt = null,
    char mask = '*'
)
{
    // Input codes requiring special handling.
    const int ENTER         = 13;
    const int BACKSPACE     = 8;
    const int CTRLBACKSPACE = 127;
    const int ESC           = 27;

    // Character codes that must be ignored.
    int[] FILTERED = { 0, 9, 10 /*, 32 space, if you care */ };

    var secret = new System.Collections.Generic.Stack();
    char chr = (char)0;

    // If the prompt was specified, show it to the user.
    if (!String.IsNullOrEmpty(prompt))
      Console.Write(prompt);
    
    // Continue reading entered keys until user presses ENTER or ESC.
    while (((chr = System.Console.ReadKey(true).KeyChar) != ENTER) && (chr != ESC))
    {
        if (chr == BACKSPACE)
        {
            if (secret.Count > 0)
            {
                System.Console.Write("\b \b");
                secret.Pop();
            }
        }
        else if (chr == CTRLBACKSPACE)
        {
            while (secret.Count > 0)
            {
                System.Console.Write("\b \b");
                secret.Pop();
            }
        }
        else if (chr == ESC)
        {
            while (secret.Count > 0)
            {
                System.Console.Write("\b \b");
                secret.Pop();
            }
        }
        else if (FILTERED.Count(x => chr == x) > 0)
        {
        }
        else
        {
            secret.Push((char)chr);
            System.Console.Write(mask);
        }
    }

    System.Console.WriteLine();

    return new string(secret.Reverse().ToArray());
}