Happy flow for creating realms works

But needs more validating...

IdentityShroud.Core/Contracts/IEncryptionService.cs

@@ -0,0 +1,7 @@
+namespace IdentityShroud.Core.Contracts;
+
+public interface IEncryptionService
+{
+    byte[] Encrypt(byte[] plain);
+    byte[] Decrypt(byte[] cipher);
+}

IdentityShroud.Core/Contracts/ISecretProvider.cs

@@ -2,5 +2,5 @@ namespace IdentityShroud.Core.Contracts;
 
 public interface ISecretProvider
 {
-    Task<string> GetSecretAsync(string name);
+    string GetSecretAsync(string name);
 }

IdentityShroud.Core/DTO/Realm/RealmCreateRequest.cs

@@ -0,0 +1,3 @@
+namespace IdentityShroud.Core.Messages.Realm;
+
+public record RealmCreateRequest(Guid? Id, string Slug, string Description);

IdentityShroud.Core/IdentityShroud.Core.csproj

@@ -8,9 +8,16 @@
 
     <ItemGroup>
       <PackageReference Include="EFCore.NamingConventions" Version="10.0.1" />
+      <PackageReference Include="FluentResults" Version="4.0.0" />
+      <PackageReference Include="FluentValidation" Version="12.1.1" />
       <PackageReference Include="jose-jwt" Version="5.2.0" />
+      <PackageReference Include="Microsoft.Extensions.Configuration.Binder" Version="10.0.2" />
       <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="10.0.0" />
     </ItemGroup>
+    
+    <ItemGroup>
+        <Using Include="FluentResults" />
+    </ItemGroup>
 
     <ItemGroup>
       <Reference Include="Microsoft.AspNetCore.WebUtilities">

IdentityShroud.Core/Model/Realm.cs

@@ -1,10 +1,45 @@
+using System.ComponentModel.DataAnnotations;
+using System.ComponentModel.DataAnnotations.Schema;
+using IdentityShroud.Core.Contracts;
+
 namespace IdentityShroud.Core.Model;
 
+[Table("realm")]
 public class Realm
 {
+    private byte[] _privateKeyDecrypted = [];
+    
     public Guid Id { get; set; }
+    /// <summary>
+    /// Note this is part of the url we should encourage users to keep it short but we do not want to limit them too much
+    /// </summary>
+    [MaxLength(40)]
     public string Slug { get; set; } = "";
-    public string Description { get; set; } = "";
-    public List<Client> Clients { get; set; } = [];
-    public byte[] PrivateKey { get; set; } 
+    
+    [MaxLength(128)]
+    public string Name { get; set; } = "";
+    public List<Client> Clients { get; init; } = [];
+
+    public byte[] PrivateKeyEncrypted
+    {
+        get;
+        set
+        {
+            field = value;
+            _privateKeyDecrypted = [];
+        }
+    } = [];
+
+    public byte[] GetPrivateKey(IEncryptionService encryptionService)
+    {
+        if (_privateKeyDecrypted.Length == 0 && PrivateKeyEncrypted.Length > 0)
+            _privateKeyDecrypted = encryptionService.Decrypt(PrivateKeyEncrypted);
+        return _privateKeyDecrypted;
+    }
+
+    public void SetPrivateKey(IEncryptionService encryptionService, byte[] privateKey)
+    {
+        PrivateKeyEncrypted = encryptionService.Encrypt(privateKey);
+        _privateKeyDecrypted = privateKey;
+    }
 }

IdentityShroud.Core/Security/ConfigurationSecretProvider.cs

@@ -0,0 +1,17 @@
+using IdentityShroud.Core.Contracts;
+using Microsoft.Extensions.Configuration;
+
+namespace IdentityShroud.Core.Security;
+
+/// <summary>
+/// Secret provider that retrieves secrets from configuration.
+/// </summary>
+public class ConfigurationSecretProvider(IConfiguration configuration) : ISecretProvider
+{
+    private readonly IConfigurationSection secrets = configuration.GetSection("secrets"); 
+    
+    public string GetSecretAsync(string name)
+    {
+        return secrets.GetValue<string>(name) ?? "";
+    }
+}

IdentityShroud.Core/Security/RsaHelper.cs

@@ -0,0 +1,7 @@
+using System.Security.Cryptography;
+
+namespace IdentityShroud.Core.Security;
+
+public static class RsaHelper
+{
+}

IdentityShroud.Core/Services/MasterEncryptionService.cs

@@ -0,0 +1,23 @@
+using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Security;
+
+namespace IdentityShroud.Core.Services;
+
+/// <summary>
+/// 
+/// </summary>
+/// <param name="encryptionKey">Encryption key as base64, must be 32 bytes</param>
+public class EncryptionService(string keyBase64) : IEncryptionService
+{
+    private readonly byte[] encryptionKey = Convert.FromBase64String(keyBase64);
+
+    public byte[] Encrypt(byte[] plain)
+    {
+        return AesGcmHelper.EncryptAesGcm(plain, encryptionKey);
+    }
+
+    public byte[] Decrypt(byte[] cipher)
+    {
+        return AesGcmHelper.DecryptAesGcm(cipher, encryptionKey);
+    }
+}

IdentityShroud.Core/Services/RealmService.cs

@@ -0,0 +1,31 @@
+using System.Security.Cryptography;
+using IdentityShroud.Core.Contracts;
+using IdentityShroud.Core.Messages.Realm;
+using IdentityShroud.Core.Model;
+
+namespace IdentityShroud.Core.Services;
+
+public record RealmCreateResponse(Realm Realm);
+
+public class RealmService(
+    Db db,
+    IEncryptionService encryptionService)
+{
+    public async Task<Result<RealmCreateResponse>> Create(RealmCreateRequest request, CancellationToken ct = default)
+    {
+        Realm realm = new()
+        {
+            Id = request.Id ?? Guid.CreateVersion7(),
+            Slug = request.Slug,
+            Name = request.Description,
+        };
+        
+        using RSA rsa = RSA.Create(2048);
+        realm.SetPrivateKey(encryptionService, rsa.ExportPkcs8PrivateKey());
+
+        db.Add(realm);
+        await db.SaveChangesAsync(ct);
+        
+        return new RealmCreateResponse(realm);
+    }
+}