5-improve-encrypted-storage (#6)

Added the use of DEK's for encryption of secrets. Both the KEK's and DEK's are stored in a way that you can have multiple key of which one is active. But the others are still available for decrypting. This allows for implementing key rotation.

Co-authored-by: eelke <eelke@eelkeklein.nl>
Co-authored-by: Eelke76 <31384324+Eelke76@users.noreply.github.com>
Reviewed-on: #6

IdentityShroud.Api/Apis/RealmApi.cs

@@ -1,7 +1,4 @@
-using FluentResults;
-using IdentityShroud.Api.Mappers;
-using IdentityShroud.Api.Validation;
-using IdentityShroud.Core.Messages;
+using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Messages.Realm;
 using IdentityShroud.Core.Model;
 using IdentityShroud.Core.Services;
@@ -15,26 +12,28 @@ public static class HttpContextExtensions
     public static Realm GetValidatedRealm(this HttpContext context) => (Realm)context.Items["RealmEntity"]!;    
 }
 
+// api: api/v1/realms/{realmId}/....
+// api: api/v1/realms/{realmId}/clients/{clientId}
+
 
 
 public static class RealmApi
 {
-    public static void MapRealmEndpoints(this IEndpointRouteBuilder app)
+    public static void MapRealmEndpoints(IEndpointRouteBuilder erp)
     {
-        var realmsGroup = app.MapGroup("/realms");
+        var realmsGroup = erp.MapGroup("/api/v1/realms");
         realmsGroup.MapPost("", RealmCreate)
             .Validate<RealmCreateRequest>() 
             .WithName("Create Realm")
             .Produces(StatusCodes.Status201Created);
         
-        var realmSlugGroup = realmsGroup.MapGroup("{slug}")
-            .AddEndpointFilter<SlugValidationFilter>();
-        realmSlugGroup.MapGet(".well-known/openid-configuration", GetOpenIdConfiguration);
+        var realmIdGroup = realmsGroup.MapGroup("{realmId}")
+            .AddEndpointFilter<RealmIdValidationFilter>();
+
+        ClientApi.MapEndpoints(realmIdGroup);
+        
+            
 
-        var openidConnect = realmSlugGroup.MapGroup("openid-connect");
-        openidConnect.MapPost("auth", OpenIdConnectAuth);
-        openidConnect.MapPost("token", OpenIdConnectToken);
-        openidConnect.MapGet("jwks", OpenIdConnectJwks);
     }
     
     private static async Task<Results<Created<RealmCreateResponse>, InternalServerError>> 
@@ -47,46 +46,4 @@ public static class RealmApi
         // TODO make helper to convert failure response to a proper HTTP result.
         return TypedResults.InternalServerError();
     }
-
-    private static async Task<Results<Ok<JsonWebKeySet>, BadRequest>> OpenIdConnectJwks(
-        string slug,
-        [FromServices]IRealmService realmService,
-        [FromServices]KeyMapper keyMapper,
-        HttpContext context)
-    {
-        Realm realm = context.GetValidatedRealm();
-        await realmService.LoadActiveKeys(realm);
-        return TypedResults.Ok(keyMapper.KeyListToJsonWebKeySet(realm.Keys));
-    }
-
-    private static Task OpenIdConnectToken(HttpContext context)
-    {
-        throw new NotImplementedException();
-    }
-
-    private static Task OpenIdConnectAuth(HttpContext context)
-    {
-        throw new NotImplementedException();
-    }
-
-    private static async Task<JsonHttpResult<OpenIdConfiguration>> GetOpenIdConfiguration(
-        string slug,
-        [FromServices]IRealmService realmService,
-        HttpContext context)
-    {
-        Realm realm = context.GetValidatedRealm();
-        
-        var s = $"{context.Request.Scheme}://{context.Request.Host}{context.Request.Path}";
-        var searchString = $"realms/{slug}";
-        int index = s.IndexOf(searchString, StringComparison.OrdinalIgnoreCase);
-        string baseUri = s.Substring(0, index + searchString.Length);
-
-        return TypedResults.Json(new OpenIdConfiguration()
-        {
-            AuthorizationEndpoint = baseUri + "/openid-connect/auth",
-            TokenEndpoint = baseUri + "/openid-connect/token",
-            Issuer =  baseUri,
-            JwksUri =  baseUri + "/openid-connect/jwks",
-        }, AppJsonSerializerContext.Default.OpenIdConfiguration);
-    }
 }