eelke/IdentityShroud
1
0
Fork 0
Code Issues 4 Pull requests Projects Releases Packages Wiki Activity Actions
IdentityShroud/IdentityShroud.Core.Tests/Security/ConfigurationSecretProviderTests.cs

63 lines
2.1 KiB
C#
Raw Permalink Normal View History

Support rotation of master key. The EncryptionService now loads a set of keys and uses the active one to encrypt and selects key based on keyid during decryption. Introduced EncryptedValue to hold keyId and encrypted data. (There are no intermeddiate keys yet)
2026-02-24 06:32:58 +01:00
using System.Text;
using IdentityShroud.Core.Security;
using Microsoft.Extensions.Configuration;
namespace IdentityShroud.Core.Tests.Security;
public class ConfigurationSecretProviderTests
{
private static IConfiguration BuildConfigFromJson(string json)
{
// Convert the JSON string into a stream that the config builder can read.
var jsonBytes = Encoding.UTF8.GetBytes(json);
using var stream = new MemoryStream(jsonBytes);
// Build the configuration just like the real app does, but from the stream.
var config = new ConfigurationBuilder()
.AddJsonStream(stream) // <-- reads from the inmemory JSON
.Build();
return config;
}
[Fact]
public void Test()
{
string jsonConfig = """
{
"secrets": {
"master": [
{
Encrypt realm data with dek which is encrypted with kek. The signing keys are also encrypted with the kek.
2026-02-26 16:53:02 +01:00
"Id": "5676d159-5495-4945-aa84-59ee694aa8a2",
Support rotation of master key. The EncryptionService now loads a set of keys and uses the active one to encrypt and selects key based on keyid during decryption. Introduced EncryptedValue to hold keyId and encrypted data. (There are no intermeddiate keys yet)
2026-02-24 06:32:58 +01:00
"Active": true,
"Algorithm": "AES",
"Key": "yoQ4W7EaNjo7s3FBYkWo5BLyX1BnLyWd7BlSaDIrkzo="
},
{
Encrypt realm data with dek which is encrypted with kek. The signing keys are also encrypted with the kek.
2026-02-26 16:53:02 +01:00
"Id": "b82489e7-a05a-4d64-b9a5-58d2f2c0dc39",
Support rotation of master key. The EncryptionService now loads a set of keys and uses the active one to encrypt and selects key based on keyid during decryption. Introduced EncryptedValue to hold keyId and encrypted data. (There are no intermeddiate keys yet)
2026-02-24 06:32:58 +01:00
"Active": false,
"Algorithm": "AES",
"Key": "YSWK6vTJXCJOGLpCo+TtZ6anKNzvA1VT2xXLHbmq4M0="
}
]
}
}
""";
ConfigurationSecretProvider sut = new(BuildConfigFromJson(jsonConfig));
Encrypt realm data with dek which is encrypted with kek. The signing keys are also encrypted with the kek.
2026-02-26 16:53:02 +01:00
// act
Support rotation of master key. The EncryptionService now loads a set of keys and uses the active one to encrypt and selects key based on keyid during decryption. Introduced EncryptedValue to hold keyId and encrypted data. (There are no intermeddiate keys yet)
2026-02-24 06:32:58 +01:00
var keys = sut.GetKeys("master");
Encrypt realm data with dek which is encrypted with kek. The signing keys are also encrypted with the kek.
2026-02-26 16:53:02 +01:00
// verify
Support rotation of master key. The EncryptionService now loads a set of keys and uses the active one to encrypt and selects key based on keyid during decryption. Introduced EncryptedValue to hold keyId and encrypted data. (There are no intermeddiate keys yet)
2026-02-24 06:32:58 +01:00
Assert.Equal(2, keys.Length);
var active = keys.Single(k => k.Active);
Encrypt realm data with dek which is encrypted with kek. The signing keys are also encrypted with the kek.
2026-02-26 16:53:02 +01:00
Assert.Equal(new Guid("5676d159-5495-4945-aa84-59ee694aa8a2"), active.Id.Id);
Support rotation of master key. The EncryptionService now loads a set of keys and uses the active one to encrypt and selects key based on keyid during decryption. Introduced EncryptedValue to hold keyId and encrypted data. (There are no intermeddiate keys yet)
2026-02-24 06:32:58 +01:00
Assert.Equal("AES", active.Algorithm);
Assert.Equal(Convert.FromBase64String("yoQ4W7EaNjo7s3FBYkWo5BLyX1BnLyWd7BlSaDIrkzo="), active.Key);
var inactive = keys.Single(k => !k.Active);
Encrypt realm data with dek which is encrypted with kek. The signing keys are also encrypted with the kek.
2026-02-26 16:53:02 +01:00
Assert.Equal(new Guid("b82489e7-a05a-4d64-b9a5-58d2f2c0dc39"), inactive.Id.Id);
Support rotation of master key. The EncryptionService now loads a set of keys and uses the active one to encrypt and selects key based on keyid during decryption. Introduced EncryptedValue to hold keyId and encrypted data. (There are no intermeddiate keys yet)
2026-02-24 06:32:58 +01:00
}
}
Reference in a new issue Copy permalink