5-improve-encrypted-storage (#6)

Added the use of DEK's for encryption of secrets. Both the KEK's and DEK's are stored in a way that you can have multiple key of which one is active. But the others are still available for decrypting. This allows for implementing key rotation. Co-authored-by: eelke <eelke@eelkeklein.nl> Co-authored-by: Eelke76 <31384324+Eelke76@users.noreply.github.com> Reviewed-on: #6
2026-02-27 17:57:42 +00:00 · 2026-02-27 17:57:42 +00:00 · 07393f57fc
commit 07393f57fc
parent 138f335af0
87 changed files with 1903 additions and 533 deletions
--- a/IdentityShroud.Api/Apis/Validation/ClientCreateRequestValidator.cs
+++ b/IdentityShroud.Api/Apis/Validation/ClientCreateRequestValidator.cs
@ -0,0 +1,22 @@
+using FluentValidation;
+using IdentityShroud.Core.Contracts;
+
+namespace IdentityShroud.Api;
+
+public class ClientCreateRequestValidator : AbstractValidator<ClientCreateRequest>
+{
+    // most of standard ascii minus the control characters and space 
+    private const string ClientIdPattern = "^[\x21-\x7E]+";
+
+    private string[] AllowedAlgorithms = [ "RS256", "ES256" ];
+    
+    public ClientCreateRequestValidator()
+    {
+        RuleFor(e => e.ClientId).NotEmpty().MaximumLength(40).Matches(ClientIdPattern);
+        RuleFor(e => e.Name).MaximumLength(80);
+        RuleFor(e => e.Description).MaximumLength(2048);
+        RuleFor(e => e.SignatureAlgorithm)
+            .Must(v => v is null || AllowedAlgorithms.Contains(v))
+            .WithMessage($"SignatureAlgorithm must be one of {string.Join(", ", AllowedAlgorithms)} or null");
+    }
+}
--- a/IdentityShroud.Api/Apis/Validation/RealmCreateRequestValidator.cs
+++ b/IdentityShroud.Api/Apis/Validation/RealmCreateRequestValidator.cs
@ -0,0 +1,19 @@
+using FluentValidation;
+using IdentityShroud.Core.Messages.Realm;
+
+namespace IdentityShroud.Api;
+
+public class RealmCreateRequestValidator : AbstractValidator<RealmCreateRequest>
+{
+    private const string SlugPattern = @"^(?=.{1,40}$)[a-z0-9]+(?:-[a-z0-9]+)*$";
+    
+    public RealmCreateRequestValidator()
+    {
+        RuleFor(x => x.Id)
+            .NotEqual(Guid.Empty).When(x => x.Id.HasValue);
+        RuleFor(x => x.Slug)
+            .Matches(SlugPattern).Unless(x => x.Slug is null);
+        RuleFor(x => x.Name)
+            .NotNull().Length(1, 255);
+    }
+}
--- a/IdentityShroud.Api/Apis/Validation/ValidateFilter.cs
+++ b/IdentityShroud.Api/Apis/Validation/ValidateFilter.cs
@ -0,0 +1,33 @@
+using FluentValidation;
+
+namespace IdentityShroud.Api;
+
+public class ValidateFilter<T> : IEndpointFilter where T : class
+{
+    public async ValueTask<object?> InvokeAsync(
+        EndpointFilterInvocationContext context,
+        EndpointFilterDelegate next)
+    {
+        // Grab the deserialized argument (the DTO) from the context.
+        // The order of arguments matches the order of parameters in the endpoint delegate.
+        var dto = context.Arguments
+            .FirstOrDefault(arg => arg is T) as T;
+
+        if (dto == null)
+            return Results.BadRequest("Unable to read request body.");
+
+        // Resolve the matching validator from DI.
+        var validator = context.HttpContext.RequestServices
+            .GetService<IValidator<T>>();
+
+        if (validator != null)
+        {
+            var validationResult = await validator.ValidateAsync(dto);
+            if (!validationResult.IsValid)
+                return Results.ValidationProblem(validationResult.ToDictionary());
+        }
+
+        // Validation passed – continue to the actual handler.
+        return await next(context);
+    }
+}