Support rotation of master key.

The EncryptionService now loads a set of keys and uses the active one to encrypt and selects key based on keyid during decryption. Introduced EncryptedValue to hold keyId and encrypted data.

(There are no intermeddiate keys yet)

IdentityShroud.Api.Tests/Apis/RealmApisTests.cs

@@ -114,7 +114,7 @@ public class RealmApisTests : IClassFixture<ApplicationFactory>
     {
         // act
         var client = _factory.CreateClient();
-        var response = await client.GetAsync("/realms/bar/.well-known/openid-configuration",
+        var response = await client.GetAsync($"/realms/{slug}/.well-known/openid-configuration",
             TestContext.Current.CancellationToken);
         
         // verify
@@ -130,18 +130,20 @@ public class RealmApisTests : IClassFixture<ApplicationFactory>
         using var rsa = RSA.Create(2048);
         RSAParameters parameters = rsa.ExportParameters(includePrivateParameters: false);
 
-        RealmKey realmKey = new(
-            Guid.NewGuid(),
-            "RSA",
-            encryptionService.Encrypt(rsa.ExportPkcs8PrivateKey()),
-            DateTime.UtcNow);
+        RealmKey realmKey = new()
+        {
+            Id = Guid.NewGuid(),
+            KeyType = "RSA",
+            Key = encryptionService.Encrypt(rsa.ExportPkcs8PrivateKey()),
+            CreatedAt = DateTime.UtcNow,
+        };
 
         await ScopedContextAsync(async db =>
         {
             db.Realms.Add(new Realm() { Slug = "foo", Name = "Foo", Keys = [ realmKey ]});
             await db.SaveChangesAsync(TestContext.Current.CancellationToken);
         });
-        
+    
         // act
         var client = _factory.CreateClient();
         var response = await client.GetAsync("/auth/realms/foo/openid-connect/jwks",

IdentityShroud.Api.Tests/Fixtures/ApplicationFactory.cs

@@ -28,7 +28,10 @@ public class ApplicationFactory : WebApplicationFactory<Program>, IAsyncLifetime
                 new Dictionary<string, string?>
                 {
                     ["Db:ConnectionString"] = _postgresqlServer.GetConnectionString(),
-                    ["secrets:Master"] = "GVd07qW0frRX9quPX/X62L88BeRR7+IzgRJHtG7ZzHw=",
+                    ["secrets:master:0:Id"] = "key1",
+                    ["secrets:master:0:Active"] = "true",
+                    ["secrets:master:0:Algorithm"] = "AES",
+                    ["secrets:master:0:Key"] = "GVd07qW0frRX9quPX/X62L88BeRR7+IzgRJHtG7ZzHw=",
                 });
         });
         

IdentityShroud.Api.Tests/Mappers/KeyServiceTests.cs

@@ -21,12 +21,12 @@ public class KeyServiceTests
 
         RSAParameters parameters = rsa.ExportParameters(includePrivateParameters: false);
         
-        RealmKey realmKey = new(
-            new("60bb79cf-4bac-4521-87f2-ac87cc15541f"),
-            "RSA",
-            rsa.ExportPkcs8PrivateKey(),
-            DateTime.UtcNow)
+        RealmKey realmKey = new()
         {
+            Id = new("60bb79cf-4bac-4521-87f2-ac87cc15541f"),
+            KeyType = "RSA",
+            Key = new("", rsa.ExportPkcs8PrivateKey()),
+            CreatedAt = DateTime.UtcNow,
             Priority = 10,
         };
         
@@ -34,10 +34,11 @@ public class KeyServiceTests
         KeyService sut = new(_encryptionService, new KeyProviderFactory(), new ClockService());
         var jwk = sut.CreateJsonWebKey(realmKey);
 
+        Assert.NotNull(jwk);
         Assert.Equal("RSA", jwk.KeyType);
         Assert.Equal(realmKey.Id.ToString(), jwk.KeyId);
         Assert.Equal("sig", jwk.Use);
         Assert.Equal(parameters.Exponent, Base64Url.DecodeFromChars(jwk.Exponent));
         Assert.Equal(parameters.Modulus, Base64Url.DecodeFromChars(jwk.Modulus));
     }
-}
+}