5-improve-encrypted-storage (#6)

Added the use of DEK's for encryption of secrets. Both the KEK's and DEK's are stored in a way that you can have multiple key of which one is active. But the others are still available for decrypting. This allows for implementing key rotation. Co-authored-by: eelke <eelke@eelkeklein.nl> Co-authored-by: Eelke76 <31384324+Eelke76@users.noreply.github.com> Reviewed-on: #6
2026-02-27 17:57:42 +00:00 · 2026-02-27 17:57:42 +00:00 · 07393f57fc
commit 07393f57fc
parent 138f335af0
87 changed files with 1903 additions and 533 deletions
--- a/IdentityShroud.Api.Tests/Apis/RealmApisTests.cs
+++ b/IdentityShroud.Api.Tests/Apis/RealmApisTests.cs
@ -44,7 +44,9 @@ public class RealmApisTests : IClassFixture<ApplicationFactory>
        var client = _factory.CreateClient();

        Guid? inputId = id is null ? (Guid?)null : new Guid(id);
-        var response = await client.PostAsync("/realms", JsonContent.Create(new
+        
+        // act
+        var response = await client.PostAsync("/api/v1/realms", JsonContent.Create(new
            {
                Id = inputId,
                Slug = slug,
@ -88,16 +90,21 @@ public class RealmApisTests : IClassFixture<ApplicationFactory>

        // act
        var client = _factory.CreateClient();
-        var response = await client.GetAsync("/realms/foo/.well-known/openid-configuration",
+        var response = await client.GetAsync("auth/realms/foo/.well-known/openid-configuration",
            TestContext.Current.CancellationToken);

        // verify
+#if DEBUG
+        string contents = await response.Content.ReadAsStringAsync(TestContext.Current.CancellationToken);
+#endif
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);        
+        
        var result = await response.Content.ReadFromJsonAsync<JsonObject>(TestContext.Current.CancellationToken);
        Assert.NotNull(result);
-        JsonObjectAssert.Equal("http://localhost/realms/foo/openid-connect/auth", result, "authorization_endpoint");
-        JsonObjectAssert.Equal("http://localhost/realms/foo", result, "issuer");
-        JsonObjectAssert.Equal("http://localhost/realms/foo/openid-connect/token", result, "token_endpoint");
-        JsonObjectAssert.Equal("http://localhost/realms/foo/openid-connect/jwks", result, "jwks_uri");
+        JsonObjectAssert.Equal("http://localhost/auth/realms/foo/openid-connect/auth", result, "authorization_endpoint");
+        JsonObjectAssert.Equal("http://localhost/auth/realms/foo", result, "issuer");
+        JsonObjectAssert.Equal("http://localhost/auth/realms/foo/openid-connect/token", result, "token_endpoint");
+        JsonObjectAssert.Equal("http://localhost/auth/realms/foo/openid-connect/jwks", result, "jwks_uri");
    }

    [Theory]
@ -107,7 +114,7 @@ public class RealmApisTests : IClassFixture<ApplicationFactory>
    {
        // act
        var client = _factory.CreateClient();
-        var response = await client.GetAsync("/realms/bar/.well-known/openid-configuration",
+        var response = await client.GetAsync($"/realms/{slug}/.well-known/openid-configuration",
            TestContext.Current.CancellationToken);
        
        // verify
@ -118,34 +125,35 @@ public class RealmApisTests : IClassFixture<ApplicationFactory>
    public async Task GetJwks()
    {
        // setup
-        IEncryptionService encryptionService = _factory.Services.GetRequiredService<IEncryptionService>();
+        IDekEncryptionService dekEncryptionService = _factory.Services.GetRequiredService<IDekEncryptionService>();

        using var rsa = RSA.Create(2048);
        RSAParameters parameters = rsa.ExportParameters(includePrivateParameters: false);
-        
-        Key key = new()
+
+        RealmKey realmKey = new()
        {
            Id = Guid.NewGuid(),
+            KeyType = "RSA",
+            Key = dekEncryptionService.Encrypt(rsa.ExportPkcs8PrivateKey()),
            CreatedAt = DateTime.UtcNow,
        };
-        key.SetPrivateKey(encryptionService, rsa.ExportPkcs8PrivateKey());

        await ScopedContextAsync(async db =>
        {
-            db.Realms.Add(new Realm() { Slug = "foo", Name = "Foo", Keys = [ key ]});
+            db.Realms.Add(new Realm() { Slug = "foo", Name = "Foo", Keys = [ realmKey ]});
            await db.SaveChangesAsync(TestContext.Current.CancellationToken);
        });
-        
+    
        // act
        var client = _factory.CreateClient();
-        var response = await client.GetAsync("/realms/foo/openid-connect/jwks",
+        var response = await client.GetAsync("/auth/realms/foo/openid-connect/jwks",
            TestContext.Current.CancellationToken);
        
        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
        JsonObject? payload = await response.Content.ReadFromJsonAsync<JsonObject>(TestContext.Current.CancellationToken);

        Assert.NotNull(payload);
-        JsonObjectAssert.Equal(key.Id.ToString(), payload, "keys[0].kid"); 
+        JsonObjectAssert.Equal(realmKey.Id.ToString(), payload, "keys[0].kid"); 
        JsonObjectAssert.Equal(WebEncoders.Base64UrlEncode(parameters.Modulus!), payload, "keys[0].n"); 
        JsonObjectAssert.Equal(WebEncoders.Base64UrlEncode(parameters.Exponent!), payload, "keys[0].e"); 
    }