Encrypt realm data with dek which is encrypted with kek. The signing keys are also encrypted with the kek.

2026-02-26 16:53:02 +01:00 · 2026-02-26 16:53:02 +01:00 · 650fe99990
commit 650fe99990
parent 644b005f2a
36 changed files with 399 additions and 129 deletions
--- a/IdentityShroud.Core.Tests/Services/ClientServiceTests.cs
+++ b/IdentityShroud.Core.Tests/Services/ClientServiceTests.cs
@ -1,5 +1,6 @@
 using IdentityShroud.Core.Contracts;
 using IdentityShroud.Core.Model;
+using IdentityShroud.Core.Security;
 using IdentityShroud.Core.Services;
 using IdentityShroud.Core.Tests.Fixtures;
 using IdentityShroud.TestUtils.Substitutes;
@ -10,12 +11,17 @@ namespace IdentityShroud.Core.Tests.Services;
 public class ClientServiceTests : IClassFixture<DbFixture>
 {
    private readonly DbFixture _dbFixture;
-    private readonly IEncryptionService _encryptionService = EncryptionServiceSubstitute.CreatePassthrough();
+    //private readonly IDekEncryptionService _dekEncryptionService = EncryptionServiceSubstitute.CreatePassthrough();
+    private readonly IDataEncryptionService _dataEncryptionService = Substitute.For<IDataEncryptionService>();
+    
    private readonly IClock _clock = Substitute.For<IClock>();
    private readonly Guid _realmId = new("a1b2c3d4-0000-0000-0000-000000000001");

    public ClientServiceTests(DbFixture dbFixture)
    {
+        _dataEncryptionService.Encrypt(Arg.Any<ReadOnlyMemory<byte>>())
+            .Returns(x => new EncryptedValue(DekId.NewId(), x.ArgAt<ReadOnlyMemory<byte>>(0).ToArray()));
+        
        _dbFixture = dbFixture;
        using Db db = dbFixture.CreateDbContext();
        if (!db.Database.EnsureCreated())
@ -51,7 +57,7 @@ public class ClientServiceTests : IClassFixture<DbFixture>
        await using (var db = _dbFixture.CreateDbContext())
        {
            // Act
-            ClientService sut = new(db, _encryptionService, _clock);
+            ClientService sut = new(db, _dataEncryptionService, _clock);
            var response = await sut.Create(
                _realmId,
                new ClientCreateRequest
@ -107,7 +113,7 @@ public class ClientServiceTests : IClassFixture<DbFixture>

        await using var actContext = _dbFixture.CreateDbContext();
        // Act
-        ClientService sut = new(actContext, _encryptionService, _clock);
+        ClientService sut = new(actContext, _dataEncryptionService, _clock);
        Client? result = await sut.GetByClientId(_realmId, clientId, TestContext.Current.CancellationToken);

        // Verify
@ -142,7 +148,7 @@ public class ClientServiceTests : IClassFixture<DbFixture>

        await using var actContext = _dbFixture.CreateDbContext();
        // Act
-        ClientService sut = new(actContext, _encryptionService, _clock);
+        ClientService sut = new(actContext, _dataEncryptionService, _clock);
        Client? result = await sut.FindById(_realmId, searchId, TestContext.Current.CancellationToken);

        // Verify