Support rotation of master key.

The EncryptionService now loads a set of keys and uses the active one to encrypt and selects key based on keyid during decryption. Introduced EncryptedValue to hold keyId and encrypted data. (There are no intermeddiate keys yet)
2026-02-24 06:32:58 +01:00 · 2026-02-24 06:32:58 +01:00 · 644b005f2a
commit 644b005f2a
parent 4201d0240d
19 changed files with 259 additions and 72 deletions
--- a/IdentityShroud.Api.Tests/Apis/RealmApisTests.cs
+++ b/IdentityShroud.Api.Tests/Apis/RealmApisTests.cs
@ -114,7 +114,7 @@ public class RealmApisTests : IClassFixture<ApplicationFactory>
    {
        // act
        var client = _factory.CreateClient();
-        var response = await client.GetAsync("/realms/bar/.well-known/openid-configuration",
+        var response = await client.GetAsync($"/realms/{slug}/.well-known/openid-configuration",
            TestContext.Current.CancellationToken);
        
        // verify
@ -130,18 +130,20 @@ public class RealmApisTests : IClassFixture<ApplicationFactory>
        using var rsa = RSA.Create(2048);
        RSAParameters parameters = rsa.ExportParameters(includePrivateParameters: false);

-        RealmKey realmKey = new(
-            Guid.NewGuid(),
-            "RSA",
-            encryptionService.Encrypt(rsa.ExportPkcs8PrivateKey()),
-            DateTime.UtcNow);
+        RealmKey realmKey = new()
+        {
+            Id = Guid.NewGuid(),
+            KeyType = "RSA",
+            Key = encryptionService.Encrypt(rsa.ExportPkcs8PrivateKey()),
+            CreatedAt = DateTime.UtcNow,
+        };

        await ScopedContextAsync(async db =>
        {
            db.Realms.Add(new Realm() { Slug = "foo", Name = "Foo", Keys = [ realmKey ]});
            await db.SaveChangesAsync(TestContext.Current.CancellationToken);
        });
-        
+    
        // act
        var client = _factory.CreateClient();
        var response = await client.GetAsync("/auth/realms/foo/openid-connect/jwks",