Compare commits
No commits in common. "644b005f2a7faf5a094a99289232ead68cf87a23" and "cd2ec646fd98fe0fd1d27a5e2013fe3a36b52bc7" have entirely different histories.
644b005f2a
...
cd2ec646fd
52 changed files with 257 additions and 697 deletions
71
.github/workflows/ci.yml
vendored
71
.github/workflows/ci.yml
vendored
|
|
@ -1,71 +0,0 @@
|
|||
name: CI
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ "main" ]
|
||||
pull_request:
|
||||
branches: [ "main" ]
|
||||
|
||||
jobs:
|
||||
test:
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Setup .NET
|
||||
uses: actions/setup-dotnet@v4
|
||||
with:
|
||||
dotnet-version: '10.0.x'
|
||||
|
||||
- name: Cache NuGet packages
|
||||
uses: actions/cache@v4
|
||||
with:
|
||||
path: ~/.nuget/packages
|
||||
key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj') }}
|
||||
restore-keys: |
|
||||
${{ runner.os }}-nuget-
|
||||
|
||||
- name: Cache Docker image (postgres)
|
||||
id: docker-cache
|
||||
uses: actions/cache@v4
|
||||
with:
|
||||
path: /tmp/docker-postgres.tar
|
||||
key: ${{ runner.os }}-docker-postgres-18.1
|
||||
|
||||
- name: Load cached postgres image or pull
|
||||
run: |
|
||||
if [ -f /tmp/docker-postgres.tar ]; then
|
||||
docker load -i /tmp/docker-postgres.tar
|
||||
else
|
||||
docker pull postgres:18.1
|
||||
docker save postgres:18.1 -o /tmp/docker-postgres.tar
|
||||
fi
|
||||
|
||||
- name: Restore dependencies
|
||||
run: dotnet restore
|
||||
|
||||
- name: Build
|
||||
run: dotnet build --no-restore --configuration Release
|
||||
|
||||
- name: Test with coverage
|
||||
run: |
|
||||
dotnet test --no-build --configuration Release \
|
||||
--collect:"XPlat Code Coverage" \
|
||||
--results-directory ./coverage \
|
||||
-- DataCollectionRunSettings.DataCollectors.DataCollector.Configuration.Format=cobertura
|
||||
|
||||
- name: Code Coverage Report
|
||||
uses: irongut/CodeCoverageSummary@v1.3.0
|
||||
with:
|
||||
filename: coverage/**/coverage.cobertura.xml
|
||||
badge: true
|
||||
format: markdown
|
||||
output: both
|
||||
|
||||
- name: Upload coverage artifact
|
||||
uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: coverage-report
|
||||
path: ./coverage/**/coverage.cobertura.xml
|
||||
retention-days: 7
|
||||
|
|
@ -1,179 +0,0 @@
|
|||
using System.Net;
|
||||
using System.Net.Http.Json;
|
||||
using IdentityShroud.Core;
|
||||
using IdentityShroud.Core.Model;
|
||||
using IdentityShroud.Core.Tests.Fixtures;
|
||||
using Microsoft.AspNetCore.Mvc;
|
||||
using Microsoft.EntityFrameworkCore;
|
||||
using Microsoft.Extensions.DependencyInjection;
|
||||
|
||||
namespace IdentityShroud.Api.Tests.Apis;
|
||||
|
||||
public class ClientApiTests : IClassFixture<ApplicationFactory>
|
||||
{
|
||||
private readonly ApplicationFactory _factory;
|
||||
|
||||
public ClientApiTests(ApplicationFactory factory)
|
||||
{
|
||||
_factory = factory;
|
||||
|
||||
using var scope = _factory.Services.CreateScope();
|
||||
var db = scope.ServiceProvider.GetRequiredService<Db>();
|
||||
if (!db.Database.EnsureCreated())
|
||||
{
|
||||
db.Database.ExecuteSqlRaw("TRUNCATE realm CASCADE;");
|
||||
}
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[InlineData(null, false, "ClientId")]
|
||||
[InlineData("", false, "ClientId")]
|
||||
[InlineData("my-client", true, "")]
|
||||
public async Task Create_Validation(string? clientId, bool succeeds, string fieldName)
|
||||
{
|
||||
// setup
|
||||
Realm realm = await CreateRealmAsync("test-realm", "Test Realm");
|
||||
|
||||
var client = _factory.CreateClient();
|
||||
|
||||
// act
|
||||
var response = await client.PostAsync(
|
||||
$"/api/v1/realms/{realm.Id}/clients",
|
||||
JsonContent.Create(new { ClientId = clientId }),
|
||||
TestContext.Current.CancellationToken);
|
||||
|
||||
#if DEBUG
|
||||
string contents = await response.Content.ReadAsStringAsync(TestContext.Current.CancellationToken);
|
||||
#endif
|
||||
|
||||
if (succeeds)
|
||||
{
|
||||
Assert.Equal(HttpStatusCode.Created, response.StatusCode);
|
||||
}
|
||||
else
|
||||
{
|
||||
Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
|
||||
var problemDetails =
|
||||
await response.Content.ReadFromJsonAsync<ValidationProblemDetails>(
|
||||
TestContext.Current.CancellationToken);
|
||||
|
||||
Assert.Contains(problemDetails!.Errors, e => e.Key == fieldName);
|
||||
}
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Create_Success_ReturnsCreatedWithLocation()
|
||||
{
|
||||
// setup
|
||||
Realm realm = await CreateRealmAsync("create-realm", "Create Realm");
|
||||
|
||||
var client = _factory.CreateClient();
|
||||
|
||||
// act
|
||||
var response = await client.PostAsync(
|
||||
$"/api/v1/realms/{realm.Id}/clients",
|
||||
JsonContent.Create(new { ClientId = "new-client", Name = "New Client" }),
|
||||
TestContext.Current.CancellationToken);
|
||||
|
||||
#if DEBUG
|
||||
string contents = await response.Content.ReadAsStringAsync(TestContext.Current.CancellationToken);
|
||||
#endif
|
||||
|
||||
// verify
|
||||
Assert.Equal(HttpStatusCode.Created, response.StatusCode);
|
||||
|
||||
var body = await response.Content.ReadFromJsonAsync<ClientCreateReponse>(
|
||||
TestContext.Current.CancellationToken);
|
||||
|
||||
Assert.NotNull(body);
|
||||
Assert.Equal("new-client", body.ClientId);
|
||||
Assert.True(body.Id > 0);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Create_UnknownRealm_ReturnsNotFound()
|
||||
{
|
||||
var client = _factory.CreateClient();
|
||||
|
||||
var response = await client.PostAsync(
|
||||
$"/api/v1/realms/{Guid.NewGuid()}/clients",
|
||||
JsonContent.Create(new { ClientId = "some-client" }),
|
||||
TestContext.Current.CancellationToken);
|
||||
|
||||
Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Get_Success()
|
||||
{
|
||||
// setup
|
||||
Realm realm = await CreateRealmAsync("get-realm", "Get Realm");
|
||||
Client dbClient = await CreateClientAsync(realm, "get-client", "Get Client");
|
||||
|
||||
var httpClient = _factory.CreateClient();
|
||||
|
||||
// act
|
||||
var response = await httpClient.GetAsync(
|
||||
$"/api/v1/realms/{realm.Id}/clients/{dbClient.Id}",
|
||||
TestContext.Current.CancellationToken);
|
||||
|
||||
#if DEBUG
|
||||
string contents = await response.Content.ReadAsStringAsync(TestContext.Current.CancellationToken);
|
||||
#endif
|
||||
|
||||
// verify
|
||||
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
|
||||
|
||||
var body = await response.Content.ReadFromJsonAsync<ClientRepresentation>(
|
||||
TestContext.Current.CancellationToken);
|
||||
|
||||
Assert.NotNull(body);
|
||||
Assert.Equal(dbClient.Id, body.Id);
|
||||
Assert.Equal("get-client", body.ClientId);
|
||||
Assert.Equal("Get Client", body.Name);
|
||||
Assert.Equal(realm.Id, body.RealmId);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Get_UnknownClient_ReturnsNotFound()
|
||||
{
|
||||
// setup
|
||||
Realm realm = await CreateRealmAsync("notfound-realm", "NotFound Realm");
|
||||
|
||||
var httpClient = _factory.CreateClient();
|
||||
|
||||
// act
|
||||
var response = await httpClient.GetAsync(
|
||||
$"/api/v1/realms/{realm.Id}/clients/99999",
|
||||
TestContext.Current.CancellationToken);
|
||||
|
||||
// verify
|
||||
Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
|
||||
}
|
||||
|
||||
private async Task<Realm> CreateRealmAsync(string slug, string name)
|
||||
{
|
||||
using var scope = _factory.Services.CreateScope();
|
||||
var db = scope.ServiceProvider.GetRequiredService<Db>();
|
||||
var realm = new Realm { Slug = slug, Name = name };
|
||||
db.Realms.Add(realm);
|
||||
await db.SaveChangesAsync(TestContext.Current.CancellationToken);
|
||||
return realm;
|
||||
}
|
||||
|
||||
private async Task<Client> CreateClientAsync(Realm realm, string clientId, string? name = null)
|
||||
{
|
||||
using var scope = _factory.Services.CreateScope();
|
||||
var db = scope.ServiceProvider.GetRequiredService<Db>();
|
||||
var client = new Client
|
||||
{
|
||||
RealmId = realm.Id,
|
||||
ClientId = clientId,
|
||||
Name = name,
|
||||
CreatedAt = DateTime.UtcNow,
|
||||
};
|
||||
db.Clients.Add(client);
|
||||
await db.SaveChangesAsync(TestContext.Current.CancellationToken);
|
||||
return client;
|
||||
}
|
||||
}
|
||||
|
|
@ -114,7 +114,7 @@ public class RealmApisTests : IClassFixture<ApplicationFactory>
|
|||
{
|
||||
// act
|
||||
var client = _factory.CreateClient();
|
||||
var response = await client.GetAsync($"/realms/{slug}/.well-known/openid-configuration",
|
||||
var response = await client.GetAsync("/realms/bar/.well-known/openid-configuration",
|
||||
TestContext.Current.CancellationToken);
|
||||
|
||||
// verify
|
||||
|
|
@ -130,20 +130,18 @@ public class RealmApisTests : IClassFixture<ApplicationFactory>
|
|||
using var rsa = RSA.Create(2048);
|
||||
RSAParameters parameters = rsa.ExportParameters(includePrivateParameters: false);
|
||||
|
||||
RealmKey realmKey = new()
|
||||
{
|
||||
Id = Guid.NewGuid(),
|
||||
KeyType = "RSA",
|
||||
Key = encryptionService.Encrypt(rsa.ExportPkcs8PrivateKey()),
|
||||
CreatedAt = DateTime.UtcNow,
|
||||
};
|
||||
RealmKey realmKey = new(
|
||||
Guid.NewGuid(),
|
||||
"RSA",
|
||||
encryptionService.Encrypt(rsa.ExportPkcs8PrivateKey()),
|
||||
DateTime.UtcNow);
|
||||
|
||||
await ScopedContextAsync(async db =>
|
||||
{
|
||||
db.Realms.Add(new Realm() { Slug = "foo", Name = "Foo", Keys = [ realmKey ]});
|
||||
await db.SaveChangesAsync(TestContext.Current.CancellationToken);
|
||||
});
|
||||
|
||||
|
||||
// act
|
||||
var client = _factory.CreateClient();
|
||||
var response = await client.GetAsync("/auth/realms/foo/openid-connect/jwks",
|
||||
|
|
|
|||
|
|
@ -1,6 +1,11 @@
|
|||
using IdentityShroud.Core.Services;
|
||||
using Microsoft.AspNetCore.Hosting;
|
||||
using Microsoft.AspNetCore.Mvc.Testing;
|
||||
using Microsoft.EntityFrameworkCore.Infrastructure;
|
||||
using Microsoft.Extensions.Configuration;
|
||||
using Microsoft.Extensions.DependencyInjection;
|
||||
using Microsoft.VisualStudio.TestPlatform.TestHost;
|
||||
using Npgsql;
|
||||
using Testcontainers.PostgreSql;
|
||||
|
||||
namespace IdentityShroud.Core.Tests.Fixtures;
|
||||
|
|
@ -28,10 +33,7 @@ public class ApplicationFactory : WebApplicationFactory<Program>, IAsyncLifetime
|
|||
new Dictionary<string, string?>
|
||||
{
|
||||
["Db:ConnectionString"] = _postgresqlServer.GetConnectionString(),
|
||||
["secrets:master:0:Id"] = "key1",
|
||||
["secrets:master:0:Active"] = "true",
|
||||
["secrets:master:0:Algorithm"] = "AES",
|
||||
["secrets:master:0:Key"] = "GVd07qW0frRX9quPX/X62L88BeRR7+IzgRJHtG7ZzHw=",
|
||||
["Encryption:Master"] = "GVd07qW0frRX9quPX/X62L88BeRR7+IzgRJHtG7ZzHw=",
|
||||
});
|
||||
});
|
||||
|
||||
|
|
|
|||
17
IdentityShroud.Api.Tests/Mappers/KeyMapperTests.cs
Normal file
17
IdentityShroud.Api.Tests/Mappers/KeyMapperTests.cs
Normal file
|
|
@ -0,0 +1,17 @@
|
|||
using IdentityShroud.Api.Mappers;
|
||||
using IdentityShroud.Core.Contracts;
|
||||
using IdentityShroud.Core.Messages;
|
||||
using IdentityShroud.TestUtils.Substitutes;
|
||||
using Microsoft.AspNetCore.WebUtilities;
|
||||
|
||||
namespace IdentityShroud.Api.Tests.Mappers;
|
||||
|
||||
// public class KeyMapperTests
|
||||
// {
|
||||
// private readonly IEncryptionService _encryptionService = EncryptionServiceSubstitute.CreatePassthrough();
|
||||
//
|
||||
// [Fact]
|
||||
// public void Test()
|
||||
// {
|
||||
// }
|
||||
// }
|
||||
|
|
@ -21,12 +21,12 @@ public class KeyServiceTests
|
|||
|
||||
RSAParameters parameters = rsa.ExportParameters(includePrivateParameters: false);
|
||||
|
||||
RealmKey realmKey = new()
|
||||
RealmKey realmKey = new(
|
||||
new("60bb79cf-4bac-4521-87f2-ac87cc15541f"),
|
||||
"RSA",
|
||||
rsa.ExportPkcs8PrivateKey(),
|
||||
DateTime.UtcNow)
|
||||
{
|
||||
Id = new("60bb79cf-4bac-4521-87f2-ac87cc15541f"),
|
||||
KeyType = "RSA",
|
||||
Key = new("", rsa.ExportPkcs8PrivateKey()),
|
||||
CreatedAt = DateTime.UtcNow,
|
||||
Priority = 10,
|
||||
};
|
||||
|
||||
|
|
@ -34,11 +34,10 @@ public class KeyServiceTests
|
|||
KeyService sut = new(_encryptionService, new KeyProviderFactory(), new ClockService());
|
||||
var jwk = sut.CreateJsonWebKey(realmKey);
|
||||
|
||||
Assert.NotNull(jwk);
|
||||
Assert.Equal("RSA", jwk.KeyType);
|
||||
Assert.Equal(realmKey.Id.ToString(), jwk.KeyId);
|
||||
Assert.Equal("sig", jwk.Use);
|
||||
Assert.Equal(parameters.Exponent, Base64Url.DecodeFromChars(jwk.Exponent));
|
||||
Assert.Equal(parameters.Modulus, Base64Url.DecodeFromChars(jwk.Modulus));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -1,14 +1,14 @@
|
|||
using FluentResults;
|
||||
using IdentityShroud.Api.Mappers;
|
||||
using IdentityShroud.Core.Contracts;
|
||||
using IdentityShroud.Core.Messages.Realm;
|
||||
using IdentityShroud.Core.Model;
|
||||
using IdentityShroud.Core.Services;
|
||||
using Microsoft.AspNetCore.Http.HttpResults;
|
||||
using Microsoft.AspNetCore.Mvc;
|
||||
|
||||
namespace IdentityShroud.Api;
|
||||
|
||||
|
||||
|
||||
public record ClientCreateReponse(int Id, string ClientId);
|
||||
|
||||
/// <summary>
|
||||
|
|
@ -34,18 +34,13 @@ public static class ClientApi
|
|||
.WithName(ClientGetRouteName);
|
||||
}
|
||||
|
||||
private static Ok<ClientRepresentation> ClientGet(
|
||||
Guid realmId,
|
||||
int clientId,
|
||||
HttpContext context)
|
||||
private static Task ClientGet(HttpContext context)
|
||||
{
|
||||
Client client = (Client)context.Items["ClientEntity"]!;
|
||||
return TypedResults.Ok(new ClientMapper().ToDto(client));
|
||||
throw new NotImplementedException();
|
||||
}
|
||||
|
||||
private static async Task<Results<CreatedAtRoute<ClientCreateReponse>, InternalServerError>>
|
||||
ClientCreate(
|
||||
Guid realmId,
|
||||
ClientCreateRequest request,
|
||||
[FromServices] IClientService service,
|
||||
HttpContext context,
|
||||
|
|
@ -69,5 +64,6 @@ public static class ClientApi
|
|||
["realmId"] = realm.Id,
|
||||
["clientId"] = client.Id,
|
||||
});
|
||||
throw new NotImplementedException();
|
||||
}
|
||||
}
|
||||
|
|
@ -1,16 +0,0 @@
|
|||
namespace IdentityShroud.Api;
|
||||
|
||||
public record ClientRepresentation
|
||||
{
|
||||
public int Id { get; set; }
|
||||
public Guid RealmId { get; set; }
|
||||
public required string ClientId { get; set; }
|
||||
public string? Name { get; set; }
|
||||
public string? Description { get; set; }
|
||||
|
||||
public string? SignatureAlgorithm { get; set; }
|
||||
|
||||
public bool AllowClientCredentialsFlow { get; set; } = false;
|
||||
|
||||
public required DateTime CreatedAt { get; set; }
|
||||
}
|
||||
|
|
@ -7,9 +7,8 @@ public class ClientIdValidationFilter(IClientService clientService) : IEndpointF
|
|||
{
|
||||
public async ValueTask<object?> InvokeAsync(EndpointFilterInvocationContext context, EndpointFilterDelegate next)
|
||||
{
|
||||
Guid realmId = context.Arguments.OfType<Guid>().First();
|
||||
int id = context.Arguments.OfType<int>().First();
|
||||
Client? client = await clientService.FindById(realmId, id, context.HttpContext.RequestAborted);
|
||||
Client? client = await clientService.FindById(id, context.HttpContext.RequestAborted);
|
||||
if (client is null)
|
||||
{
|
||||
return Results.NotFound();
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
using IdentityShroud.Core.Contracts;
|
||||
using IdentityShroud.Core.Model;
|
||||
using IdentityShroud.Core.Services;
|
||||
|
||||
namespace IdentityShroud.Api;
|
||||
|
||||
|
|
|
|||
|
|
@ -1,11 +0,0 @@
|
|||
using IdentityShroud.Core.Model;
|
||||
using Riok.Mapperly.Abstractions;
|
||||
|
||||
namespace IdentityShroud.Api.Mappers;
|
||||
|
||||
[Mapper]
|
||||
public partial class ClientMapper
|
||||
{
|
||||
[MapperIgnoreSource(nameof(Client.Secrets))]
|
||||
public partial ClientRepresentation ToDto(Client client);
|
||||
}
|
||||
|
|
@ -1,6 +1,9 @@
|
|||
using System.Security.Cryptography;
|
||||
using IdentityShroud.Core.Contracts;
|
||||
using IdentityShroud.Core.Messages;
|
||||
using IdentityShroud.Core.Model;
|
||||
using IdentityShroud.Core.Security;
|
||||
using Microsoft.AspNetCore.WebUtilities;
|
||||
|
||||
namespace IdentityShroud.Api.Mappers;
|
||||
|
||||
|
|
|
|||
|
|
@ -1,22 +0,0 @@
|
|||
using FluentValidation;
|
||||
using IdentityShroud.Core.Contracts;
|
||||
|
||||
namespace IdentityShroud.Api;
|
||||
|
||||
public class ClientCreateRequestValidator : AbstractValidator<ClientCreateRequest>
|
||||
{
|
||||
// most of standard ascii minus the control characters and space
|
||||
private const string ClientIdPattern = "^[\x21-\x7E]+";
|
||||
|
||||
private string[] AllowedAlgorithms = [ "RS256", "ES256" ];
|
||||
|
||||
public ClientCreateRequestValidator()
|
||||
{
|
||||
RuleFor(e => e.ClientId).NotEmpty().MaximumLength(40).Matches(ClientIdPattern);
|
||||
RuleFor(e => e.Name).MaximumLength(80);
|
||||
RuleFor(e => e.Description).MaximumLength(2048);
|
||||
RuleFor(e => e.SignatureAlgorithm)
|
||||
.Must(v => v is null || AllowedAlgorithms.Contains(v))
|
||||
.WithMessage($"SignatureAlgorithm must be one of {string.Join(", ", AllowedAlgorithms)} or null");
|
||||
}
|
||||
}
|
||||
|
|
@ -1,6 +1,7 @@
|
|||
using System.Text.Json.Serialization;
|
||||
using IdentityShroud.Core.Messages;
|
||||
using IdentityShroud.Core.Messages.Realm;
|
||||
using Microsoft.Extensions.Diagnostics.HealthChecks;
|
||||
|
||||
[JsonSerializable(typeof(OpenIdConfiguration))]
|
||||
[JsonSerializable(typeof(RealmCreateRequest))]
|
||||
|
|
|
|||
|
|
@ -17,7 +17,7 @@
|
|||
<ItemGroup>
|
||||
<PackageReference Include="FluentValidation.DependencyInjectionExtensions" Version="12.1.1" />
|
||||
<PackageReference Include="Microsoft.AspNetCore.OpenApi" Version="10.0.0"/>
|
||||
<PackageReference Include="Riok.Mapperly" Version="4.3.1" />
|
||||
<PackageReference Include="Microsoft.Extensions.Configuration.Binder" Version="10.0.2" />
|
||||
<PackageReference Include="Serilog" Version="4.3.0" />
|
||||
<PackageReference Include="Serilog.AspNetCore" Version="10.0.0" />
|
||||
<PackageReference Include="Serilog.Expressions" Version="5.0.0" />
|
||||
|
|
|
|||
|
|
@ -1,4 +1,5 @@
|
|||
using Microsoft.Extensions.Logging.Abstractions;
|
||||
using DotNet.Testcontainers.Containers;
|
||||
using Microsoft.Extensions.Logging.Abstractions;
|
||||
using Microsoft.Extensions.Options;
|
||||
using Npgsql;
|
||||
using Testcontainers.PostgreSql;
|
||||
|
|
|
|||
|
|
@ -30,4 +30,8 @@
|
|||
<ProjectReference Include="..\IdentityShroud.TestUtils\IdentityShroud.TestUtils.csproj" />
|
||||
</ItemGroup>
|
||||
|
||||
<ItemGroup>
|
||||
<Folder Include="Model\" />
|
||||
</ItemGroup>
|
||||
|
||||
</Project>
|
||||
|
|
@ -72,8 +72,8 @@ public class JwtSignatureGeneratorTests
|
|||
var rsa = RSA.Create();
|
||||
var parameters = new RSAParameters
|
||||
{
|
||||
Modulus = WebEncoders.Base64UrlDecode(jwk.Modulus!),
|
||||
Exponent = WebEncoders.Base64UrlDecode(jwk.Exponent!)
|
||||
Modulus = WebEncoders.Base64UrlDecode(jwk.Modulus),
|
||||
Exponent = WebEncoders.Base64UrlDecode(jwk.Exponent)
|
||||
};
|
||||
|
||||
rsa.ImportParameters(parameters);
|
||||
|
|
|
|||
21
IdentityShroud.Core.Tests/Security/AesGcmHelperTests.cs
Normal file
21
IdentityShroud.Core.Tests/Security/AesGcmHelperTests.cs
Normal file
|
|
@ -0,0 +1,21 @@
|
|||
using System.Security.Cryptography;
|
||||
using System.Text;
|
||||
using IdentityShroud.Core.Security;
|
||||
|
||||
namespace IdentityShroud.Core.Tests.Security;
|
||||
|
||||
public class AesGcmHelperTests
|
||||
{
|
||||
[Fact]
|
||||
public void EncryptDecryptCycleWorks()
|
||||
{
|
||||
string input = "Hello, world!";
|
||||
|
||||
var encryptionKey = RandomNumberGenerator.GetBytes(32);
|
||||
|
||||
var cypher = AesGcmHelper.EncryptAesGcm(Encoding.UTF8.GetBytes(input), encryptionKey);
|
||||
var output = AesGcmHelper.DecryptAesGcm(cypher, encryptionKey);
|
||||
|
||||
Assert.Equal(input, Encoding.UTF8.GetString(output));
|
||||
}
|
||||
}
|
||||
|
|
@ -1,61 +0,0 @@
|
|||
using System.Text;
|
||||
using IdentityShroud.Core.Security;
|
||||
using Microsoft.Extensions.Configuration;
|
||||
|
||||
namespace IdentityShroud.Core.Tests.Security;
|
||||
|
||||
public class ConfigurationSecretProviderTests
|
||||
{
|
||||
private static IConfiguration BuildConfigFromJson(string json)
|
||||
{
|
||||
// Convert the JSON string into a stream that the config builder can read.
|
||||
var jsonBytes = Encoding.UTF8.GetBytes(json);
|
||||
using var stream = new MemoryStream(jsonBytes);
|
||||
|
||||
// Build the configuration just like the real app does, but from the stream.
|
||||
var config = new ConfigurationBuilder()
|
||||
.AddJsonStream(stream) // <-- reads from the in‑memory JSON
|
||||
.Build();
|
||||
|
||||
return config;
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void Test()
|
||||
{
|
||||
string jsonConfig = """
|
||||
{
|
||||
"secrets": {
|
||||
"master": [
|
||||
{
|
||||
"Id": "first",
|
||||
"Active": true,
|
||||
"Algorithm": "AES",
|
||||
"Key": "yoQ4W7EaNjo7s3FBYkWo5BLyX1BnLyWd7BlSaDIrkzo="
|
||||
},
|
||||
{
|
||||
"Id": "second",
|
||||
"Active": false,
|
||||
"Algorithm": "AES",
|
||||
"Key": "YSWK6vTJXCJOGLpCo+TtZ6anKNzvA1VT2xXLHbmq4M0="
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
""";
|
||||
|
||||
|
||||
ConfigurationSecretProvider sut = new(BuildConfigFromJson(jsonConfig));
|
||||
|
||||
var keys = sut.GetKeys("master");
|
||||
|
||||
Assert.Equal(2, keys.Length);
|
||||
var active = keys.Single(k => k.Active);
|
||||
Assert.Equal("first", active.Id);
|
||||
Assert.Equal("AES", active.Algorithm);
|
||||
Assert.Equal(Convert.FromBase64String("yoQ4W7EaNjo7s3FBYkWo5BLyX1BnLyWd7BlSaDIrkzo="), active.Key);
|
||||
|
||||
var inactive = keys.Single(k => !k.Active);
|
||||
Assert.Equal("second", inactive.Id);
|
||||
}
|
||||
}
|
||||
|
|
@ -108,7 +108,7 @@ public class ClientServiceTests : IClassFixture<DbFixture>
|
|||
await using var actContext = _dbFixture.CreateDbContext();
|
||||
// Act
|
||||
ClientService sut = new(actContext, _encryptionService, _clock);
|
||||
Client? result = await sut.GetByClientId(_realmId, clientId, TestContext.Current.CancellationToken);
|
||||
Client? result = await sut.GetByClientId(clientId, TestContext.Current.CancellationToken);
|
||||
|
||||
// Verify
|
||||
if (shouldFind)
|
||||
|
|
@ -143,7 +143,7 @@ public class ClientServiceTests : IClassFixture<DbFixture>
|
|||
await using var actContext = _dbFixture.CreateDbContext();
|
||||
// Act
|
||||
ClientService sut = new(actContext, _encryptionService, _clock);
|
||||
Client? result = await sut.FindById(_realmId, searchId, TestContext.Current.CancellationToken);
|
||||
Client? result = await sut.FindById(searchId, TestContext.Current.CancellationToken);
|
||||
|
||||
// Verify
|
||||
if (shouldFind)
|
||||
|
|
|
|||
|
|
@ -1,3 +1,4 @@
|
|||
using System.Security.Cryptography;
|
||||
using IdentityShroud.Core.Contracts;
|
||||
using IdentityShroud.Core.Services;
|
||||
|
||||
|
|
@ -8,139 +9,18 @@ public class EncryptionServiceTests
|
|||
[Fact]
|
||||
public void RoundtripWorks()
|
||||
{
|
||||
// Note this code will tend to only test the latest verion.
|
||||
|
||||
// setup
|
||||
byte[] keyValue = Convert.FromBase64String("IGd9yUMusjNW0ezv8ink3QWlAHKFH45d21LyrbJTokw=");
|
||||
string key = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
|
||||
var secretProvider = Substitute.For<ISecretProvider>();
|
||||
EncryptionKey[] keys =
|
||||
[
|
||||
new EncryptionKey("1", true, "AES", keyValue)
|
||||
];
|
||||
secretProvider.GetKeys("master").Returns(keys);
|
||||
|
||||
secretProvider.GetSecret("Master").Returns(key);
|
||||
|
||||
ReadOnlySpan<byte> input = "Hello, World!"u8;
|
||||
EncryptionService sut = new(secretProvider);
|
||||
byte[] input = RandomNumberGenerator.GetBytes(16);
|
||||
|
||||
// act
|
||||
EncryptionService sut = new(secretProvider);
|
||||
EncryptedValue cipher = sut.Encrypt(input.ToArray());
|
||||
byte[] result = sut.Decrypt(cipher);
|
||||
var cipher = sut.Encrypt(input);
|
||||
var result = sut.Decrypt(cipher);
|
||||
|
||||
// verify
|
||||
Assert.Equal(input, result);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void DecodeV1_Success()
|
||||
{
|
||||
// When introducing a new version we need version specific tests to
|
||||
// make sure decoding of legacy data still works.
|
||||
|
||||
// setup
|
||||
byte[] cipher =
|
||||
[
|
||||
1, 198, 55, 58, 56, 110, 238, 59, 158, 214, 85, 241, 26, 44, 140, 229, 128, 111, 167, 154, 160, 177, 152,
|
||||
193, 74, 4, 235, 82, 207, 87, 32, 10, 239, 4, 246, 25, 21, 249, 25, 59, 160, 101
|
||||
];
|
||||
EncryptedValue secret = new("kid", cipher);
|
||||
|
||||
byte[] keyValue = Convert.FromBase64String("IGd9yUMusjNW0ezv8ink3QWlAHKFH45d21LyrbJTokw=");
|
||||
var secretProvider = Substitute.For<ISecretProvider>();
|
||||
EncryptionKey[] keys =
|
||||
[
|
||||
new EncryptionKey("kid", true, "AES", keyValue)
|
||||
];
|
||||
secretProvider.GetKeys("master").Returns(keys);
|
||||
|
||||
// act
|
||||
EncryptionService sut = new(secretProvider);
|
||||
byte[] result = sut.Decrypt(secret);
|
||||
|
||||
// verify
|
||||
Assert.Equal("Hello, World!"u8, result);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void DetectsCorruptInput()
|
||||
{
|
||||
// When introducing a new version we need version specific tests to
|
||||
// make sure decoding of legacy data still works.
|
||||
|
||||
// setup
|
||||
byte[] cipher = // NOTE INCORRECT CIPHER DO NOT USE IN OTHER TESTS
|
||||
[
|
||||
1, 198, 55, 58, 56, 110, 238, 59, 158, 214, 85, 241, 26, 44, 140, 229, 128, 111, 167, 154, 160, 177, 152,
|
||||
193, 75, 4, 235, 82, 207, 87, 32, 10, 239, 4, 246, 25, 21, 249, 25, 59, 160, 101
|
||||
];
|
||||
EncryptedValue secret = new("kid", cipher);
|
||||
|
||||
byte[] keyValue = Convert.FromBase64String("IGd9yUMusjNW0ezv8ink3QWlAHKFH45d21LyrbJTokw=");
|
||||
var secretProvider = Substitute.For<ISecretProvider>();
|
||||
EncryptionKey[] keys =
|
||||
[
|
||||
new EncryptionKey("kid", true, "AES", keyValue)
|
||||
];
|
||||
secretProvider.GetKeys("master").Returns(keys);
|
||||
|
||||
// act
|
||||
EncryptionService sut = new(secretProvider);
|
||||
Assert.Throws<InvalidOperationException>(
|
||||
() => sut.Decrypt(secret),
|
||||
ex => ex.Message.Contains("Decryption failed") ? null : "Expected Decryption failed in message");
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void DecodeSelectsRightKey()
|
||||
{
|
||||
// The key is marked inactive also it is the second key
|
||||
|
||||
// setup
|
||||
byte[] cipher =
|
||||
[
|
||||
1, 198, 55, 58, 56, 110, 238, 59, 158, 214, 85, 241, 26, 44, 140, 229, 128, 111, 167, 154, 160, 177, 152,
|
||||
193, 74, 4, 235, 82, 207, 87, 32, 10, 239, 4, 246, 25, 21, 249, 25, 59, 160, 101
|
||||
];
|
||||
EncryptedValue secret = new("1", cipher);
|
||||
|
||||
byte[] keyValue1 = Convert.FromBase64String("IGd9yUMusjNW0ezv8ink3QWlAHKFH45d21LyrbJTokw=");
|
||||
byte[] keyValue2 = Convert.FromBase64String("Dat1RwRvuLX3wdKMMP4NwHdBl8tJJsKfp01qikyo8aw=");
|
||||
var secretProvider = Substitute.For<ISecretProvider>();
|
||||
EncryptionKey[] keys =
|
||||
[
|
||||
new EncryptionKey("2", true, "AES", keyValue2),
|
||||
new EncryptionKey("1", false, "AES", keyValue1),
|
||||
];
|
||||
secretProvider.GetKeys("master").Returns(keys);
|
||||
|
||||
// act
|
||||
EncryptionService sut = new(secretProvider);
|
||||
byte[] result = sut.Decrypt(secret);
|
||||
|
||||
// verify
|
||||
Assert.Equal("Hello, World!"u8, result);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void EncryptionUsesActiveKey()
|
||||
{
|
||||
// setup
|
||||
byte[] keyValue1 = Convert.FromBase64String("IGd9yUMusjNW0ezv8ink3QWlAHKFH45d21LyrbJTokw=");
|
||||
byte[] keyValue2 = Convert.FromBase64String("Dat1RwRvuLX3wdKMMP4NwHdBl8tJJsKfp01qikyo8aw=");
|
||||
var secretProvider = Substitute.For<ISecretProvider>();
|
||||
EncryptionKey[] keys =
|
||||
[
|
||||
new EncryptionKey("1", false, "AES", keyValue1),
|
||||
new EncryptionKey("2", true, "AES", keyValue2),
|
||||
];
|
||||
secretProvider.GetKeys("master").Returns(keys);
|
||||
|
||||
ReadOnlySpan<byte> input = "Hello, World!"u8;
|
||||
// act
|
||||
EncryptionService sut = new(secretProvider);
|
||||
EncryptedValue cipher = sut.Encrypt(input.ToArray());
|
||||
|
||||
// Verify
|
||||
Assert.Equal("2", cipher.KeyId);
|
||||
}
|
||||
}
|
||||
|
|
@ -3,6 +3,7 @@ using IdentityShroud.Core.Model;
|
|||
using IdentityShroud.Core.Security.Keys;
|
||||
using IdentityShroud.Core.Services;
|
||||
using IdentityShroud.Core.Tests.Fixtures;
|
||||
using IdentityShroud.TestUtils.Substitutes;
|
||||
using Microsoft.EntityFrameworkCore;
|
||||
|
||||
namespace IdentityShroud.Core.Tests.Services;
|
||||
|
|
@ -39,13 +40,7 @@ public class RealmServiceTests : IClassFixture<DbFixture>
|
|||
await using (var db = _dbFixture.CreateDbContext())
|
||||
{
|
||||
_keyService.CreateKey(Arg.Any<KeyPolicy>())
|
||||
.Returns(new RealmKey()
|
||||
{
|
||||
Id = Guid.NewGuid(),
|
||||
KeyType = "TST",
|
||||
Key = new("kid", [21]),
|
||||
CreatedAt = DateTime.UtcNow
|
||||
});
|
||||
.Returns(new RealmKey(Guid.NewGuid(), "TST", [21], DateTime.UtcNow));
|
||||
// Act
|
||||
RealmService sut = new(db, _keyService);
|
||||
var response = await sut.Create(
|
||||
|
|
|
|||
|
|
@ -2,6 +2,7 @@
|
|||
using System.Text;
|
||||
using System.Text.Json;
|
||||
using IdentityShroud.Core.DTO;
|
||||
using IdentityShroud.Core.Messages;
|
||||
using Microsoft.AspNetCore.WebUtilities;
|
||||
|
||||
namespace IdentityShroud.Core.Tests;
|
||||
|
|
@ -66,9 +67,9 @@ public static class JwtReader
|
|||
return new JsonWebToken()
|
||||
{
|
||||
Header = JsonSerializer.Deserialize<JsonWebTokenHeader>(
|
||||
Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(jwt, 0, firstDot)))!,
|
||||
Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(jwt, 0, firstDot))),
|
||||
Payload = JsonSerializer.Deserialize<JsonWebTokenPayload>(
|
||||
Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(jwt, firstDot + 1, secondDot - (firstDot + 1))))!,
|
||||
Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(jwt, firstDot + 1, secondDot - (firstDot + 1)))),
|
||||
Signature = WebEncoders.Base64UrlDecode(jwt, secondDot + 1, jwt.Length - (secondDot + 1))
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,6 +2,18 @@ using IdentityShroud.Core.Model;
|
|||
|
||||
namespace IdentityShroud.Core.Contracts;
|
||||
|
||||
//public record CreateClientRequest(Guid RealmId, string ClientId, string? Description);
|
||||
|
||||
public class ClientCreateRequest
|
||||
{
|
||||
public required string ClientId { get; set; }
|
||||
public string? Name { get; set; }
|
||||
public string? Description { get; set; }
|
||||
public string? SignatureAlgorithm { get; set; }
|
||||
public bool? AllowClientCredentialsFlow { get; set; }
|
||||
}
|
||||
|
||||
|
||||
public interface IClientService
|
||||
{
|
||||
Task<Result<Client>> Create(
|
||||
|
|
@ -9,6 +21,6 @@ public interface IClientService
|
|||
ClientCreateRequest request,
|
||||
CancellationToken ct = default);
|
||||
|
||||
Task<Client?> GetByClientId(Guid realmId, string clientId, CancellationToken ct = default);
|
||||
Task<Client?> FindById(Guid realmId, int id, CancellationToken ct = default);
|
||||
Task<Client?> GetByClientId(string clientId, CancellationToken ct = default);
|
||||
Task<Client?> FindById(int id, CancellationToken ct = default);
|
||||
}
|
||||
|
|
@ -2,6 +2,6 @@ namespace IdentityShroud.Core.Contracts;
|
|||
|
||||
public interface IEncryptionService
|
||||
{
|
||||
EncryptedValue Encrypt(ReadOnlyMemory<byte> plain);
|
||||
byte[] Decrypt(EncryptedValue input);
|
||||
byte[] Encrypt(byte[] plain);
|
||||
byte[] Decrypt(ReadOnlyMemory<byte> cipher);
|
||||
}
|
||||
|
|
@ -3,10 +3,4 @@ namespace IdentityShroud.Core.Contracts;
|
|||
public interface ISecretProvider
|
||||
{
|
||||
string GetSecret(string name);
|
||||
|
||||
/// <summary>
|
||||
/// Should return one active key, might return inactive keys.
|
||||
/// </summary>
|
||||
/// <returns></returns>
|
||||
EncryptionKey[] GetKeys(string name);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,10 +0,0 @@
|
|||
namespace IdentityShroud.Core.Contracts;
|
||||
|
||||
public class ClientCreateRequest
|
||||
{
|
||||
public required string ClientId { get; set; }
|
||||
public string? Name { get; set; }
|
||||
public string? Description { get; set; }
|
||||
public string? SignatureAlgorithm { get; set; }
|
||||
public bool? AllowClientCredentialsFlow { get; set; }
|
||||
}
|
||||
|
|
@ -1,3 +1,4 @@
|
|||
using System;
|
||||
using System.Globalization;
|
||||
using System.Security.Cryptography;
|
||||
using System.Text;
|
||||
|
|
|
|||
|
|
@ -13,7 +13,6 @@
|
|||
<PackageReference Include="jose-jwt" Version="5.2.0" />
|
||||
<PackageReference Include="LanguageExt.Core" Version="4.4.9" />
|
||||
<PackageReference Include="Microsoft.Extensions.Configuration.Binder" Version="10.0.2" />
|
||||
<PackageReference Include="Microsoft.AspNetCore.WebUtilities" Version="10.0.2" />
|
||||
<PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="10.0.0" />
|
||||
</ItemGroup>
|
||||
|
||||
|
|
@ -21,4 +20,10 @@
|
|||
<Using Include="FluentResults" />
|
||||
</ItemGroup>
|
||||
|
||||
<ItemGroup>
|
||||
<Reference Include="Microsoft.AspNetCore.WebUtilities">
|
||||
<HintPath>..\..\..\.nuget\packages\microsoft.aspnetcore.webutilities\10.0.2\lib\net10.0\Microsoft.AspNetCore.WebUtilities.dll</HintPath>
|
||||
</Reference>
|
||||
</ItemGroup>
|
||||
|
||||
</Project>
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
using System.ComponentModel.DataAnnotations;
|
||||
using System.ComponentModel.DataAnnotations.Schema;
|
||||
using IdentityShroud.Core.Security;
|
||||
using Microsoft.EntityFrameworkCore;
|
||||
|
||||
namespace IdentityShroud.Core.Model;
|
||||
|
|
|
|||
|
|
@ -1,6 +1,5 @@
|
|||
using System.ComponentModel.DataAnnotations;
|
||||
using System.ComponentModel.DataAnnotations.Schema;
|
||||
using IdentityShroud.Core.Contracts;
|
||||
|
||||
namespace IdentityShroud.Core.Model;
|
||||
|
||||
|
|
@ -12,5 +11,5 @@ public class ClientSecret
|
|||
public Guid ClientId { get; set; }
|
||||
public DateTime CreatedAt { get; set; }
|
||||
public DateTime? RevokedAt { get; set; }
|
||||
public required EncryptedValue Secret { get; set; }
|
||||
public required byte[] SecretEncrypted { get; set; }
|
||||
}
|
||||
|
|
@ -1,6 +1,7 @@
|
|||
using System.ComponentModel.DataAnnotations;
|
||||
using System.ComponentModel.DataAnnotations.Schema;
|
||||
using IdentityShroud.Core.Security;
|
||||
using Microsoft.EntityFrameworkCore;
|
||||
|
||||
namespace IdentityShroud.Core.Model;
|
||||
|
||||
|
|
|
|||
|
|
@ -1,19 +1,15 @@
|
|||
using System.ComponentModel.DataAnnotations.Schema;
|
||||
using IdentityShroud.Core.Contracts;
|
||||
using Microsoft.EntityFrameworkCore;
|
||||
|
||||
namespace IdentityShroud.Core.Model;
|
||||
|
||||
|
||||
[Table("realm_key")]
|
||||
public record RealmKey
|
||||
public record RealmKey(Guid Id, string KeyType, byte[] KeyDataEncrypted, DateTime CreatedAt)
|
||||
{
|
||||
public required Guid Id { get; init; }
|
||||
public required string KeyType { get; init; }
|
||||
|
||||
|
||||
public required EncryptedValue Key { get; init; }
|
||||
public required DateTime CreatedAt { get; init; }
|
||||
public Guid Id { get; private set; } = Id;
|
||||
public string KeyType { get; private set; } = KeyType;
|
||||
public byte[] KeyDataEncrypted { get; private set; } = KeyDataEncrypted;
|
||||
public DateTime CreatedAt { get; private set; } = CreatedAt;
|
||||
public DateTime? RevokedAt { get; set; }
|
||||
|
||||
/// <summary>
|
||||
|
|
|
|||
70
IdentityShroud.Core/Security/AesGcmHelper.cs
Normal file
70
IdentityShroud.Core/Security/AesGcmHelper.cs
Normal file
|
|
@ -0,0 +1,70 @@
|
|||
using System.Security.Cryptography;
|
||||
|
||||
namespace IdentityShroud.Core.Security;
|
||||
|
||||
public static class AesGcmHelper
|
||||
{
|
||||
|
||||
public static byte[] EncryptAesGcm(byte[] plaintext, byte[] key)
|
||||
{
|
||||
int tagSize = AesGcm.TagByteSizes.MaxSize;
|
||||
using var aes = new AesGcm(key, tagSize);
|
||||
|
||||
Span<byte> nonce = stackalloc byte[AesGcm.NonceByteSizes.MaxSize];
|
||||
RandomNumberGenerator.Fill(nonce);
|
||||
Span<byte> ciphertext = stackalloc byte[plaintext.Length];
|
||||
Span<byte> tag = stackalloc byte[tagSize];
|
||||
|
||||
aes.Encrypt(nonce, plaintext, ciphertext, tag);
|
||||
|
||||
// Return concatenated nonce|ciphertext|tag
|
||||
var result = new byte[nonce.Length + ciphertext.Length + tag.Length];
|
||||
nonce.CopyTo(result.AsSpan(0, nonce.Length));
|
||||
ciphertext.CopyTo(result.AsSpan(nonce.Length, ciphertext.Length));
|
||||
tag.CopyTo(result.AsSpan(nonce.Length + ciphertext.Length, tag.Length));
|
||||
return result;
|
||||
}
|
||||
|
||||
// --------------------------------------------------------------------
|
||||
// DecryptAesGcm
|
||||
// • key – 32‑byte (256‑bit) secret key (same key used for encryption)
|
||||
// • payload – byte[] containing nonce‖ciphertext‖tag
|
||||
// • returns – the original plaintext bytes
|
||||
// --------------------------------------------------------------------
|
||||
public static byte[] DecryptAesGcm(ReadOnlyMemory<byte> payload, byte[] key)
|
||||
{
|
||||
if (key == null) throw new ArgumentNullException(nameof(key));
|
||||
if (key.Length != 32) // 256‑bit key
|
||||
throw new ArgumentException("Key must be 256 bits (32 bytes) for AES‑256‑GCM.", nameof(key));
|
||||
|
||||
// ----------------------------------------------------------------
|
||||
// 1️⃣ Extract the three components.
|
||||
// ----------------------------------------------------------------
|
||||
// AesGcm.NonceByteSizes.MaxSize = 12 bytes (standard GCM nonce length)
|
||||
// AesGcm.TagByteSizes.MaxSize = 16 bytes (128‑bit authentication tag)
|
||||
int nonceSize = AesGcm.NonceByteSizes.MaxSize; // 12
|
||||
int tagSize = AesGcm.TagByteSizes.MaxSize; // 16
|
||||
|
||||
if (payload.Length < nonceSize + tagSize)
|
||||
throw new ArgumentException("Payload is too short to contain nonce, ciphertext, and tag.", nameof(payload));
|
||||
|
||||
ReadOnlySpan<byte> nonce = payload.Span[..nonceSize];
|
||||
ReadOnlySpan<byte> ciphertext = payload.Span.Slice(nonceSize, payload.Length - nonceSize - tagSize);
|
||||
ReadOnlySpan<byte> tag = payload.Span.Slice(payload.Length - tagSize, tagSize);
|
||||
|
||||
byte[] plaintext = new byte[ciphertext.Length];
|
||||
|
||||
using var aes = new AesGcm(key, tagSize);
|
||||
try
|
||||
{
|
||||
aes.Decrypt(nonce, ciphertext, tag, plaintext);
|
||||
}
|
||||
catch (CryptographicException ex)
|
||||
{
|
||||
// Tag verification failed → tampering or wrong key/nonce.
|
||||
throw new InvalidOperationException("Decryption failed – authentication tag mismatch.", ex);
|
||||
}
|
||||
|
||||
return plaintext;
|
||||
}
|
||||
}
|
||||
|
|
@ -14,9 +14,4 @@ public class ConfigurationSecretProvider(IConfiguration configuration) : ISecret
|
|||
{
|
||||
return secrets.GetValue<string>(name) ?? "";
|
||||
}
|
||||
|
||||
public EncryptionKey[] GetKeys(string name)
|
||||
{
|
||||
return secrets.GetSection(name).Get<EncryptionKey[]>() ?? [];
|
||||
}
|
||||
}
|
||||
|
|
@ -1,6 +0,0 @@
|
|||
using Microsoft.EntityFrameworkCore;
|
||||
|
||||
namespace IdentityShroud.Core.Contracts;
|
||||
|
||||
[Owned]
|
||||
public record EncryptedValue(string KeyId, byte[] Value);
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
namespace IdentityShroud.Core.Contracts;
|
||||
|
||||
// Contains an encryption key and associated relevant data
|
||||
public record EncryptionKey(string Id, bool Active, string Algorithm, byte[] Key);
|
||||
|
|
@ -1,3 +1,5 @@
|
|||
using System.Security.Cryptography;
|
||||
|
||||
namespace IdentityShroud.Core.Security;
|
||||
|
||||
public static class JsonWebAlgorithm
|
||||
|
|
|
|||
|
|
@ -1,4 +1,5 @@
|
|||
using IdentityShroud.Core.Messages;
|
||||
using IdentityShroud.Core.Model;
|
||||
|
||||
namespace IdentityShroud.Core.Security.Keys;
|
||||
|
||||
|
|
|
|||
|
|
@ -1,6 +1,8 @@
|
|||
using System.Buffers.Text;
|
||||
using System.Security.Cryptography;
|
||||
using IdentityShroud.Core.Contracts;
|
||||
using IdentityShroud.Core.Messages;
|
||||
using IdentityShroud.Core.Model;
|
||||
|
||||
namespace IdentityShroud.Core.Security.Keys.Rsa;
|
||||
|
||||
|
|
|
|||
16
IdentityShroud.Core/Security/RsaHelper.cs
Normal file
16
IdentityShroud.Core/Security/RsaHelper.cs
Normal file
|
|
@ -0,0 +1,16 @@
|
|||
using System.Security.Cryptography;
|
||||
|
||||
namespace IdentityShroud.Core.Security;
|
||||
|
||||
public static class RsaHelper
|
||||
{
|
||||
/// <summary>
|
||||
/// Load RSA private key from PKCS#8 format
|
||||
/// </summary>
|
||||
public static RSA LoadFromPkcs8(byte[] pkcs8Key)
|
||||
{
|
||||
var rsa = RSA.Create();
|
||||
rsa.ImportPkcs8PrivateKey(pkcs8Key, out _);
|
||||
return rsa;
|
||||
}
|
||||
}
|
||||
|
|
@ -34,20 +34,14 @@ public class ClientService(
|
|||
return client;
|
||||
}
|
||||
|
||||
public async Task<Client?> GetByClientId(
|
||||
Guid realmId,
|
||||
string clientId,
|
||||
CancellationToken ct = default)
|
||||
public async Task<Client?> GetByClientId(string clientId, CancellationToken ct = default)
|
||||
{
|
||||
return await db.Clients.FirstOrDefaultAsync(c => c.ClientId == clientId && c.RealmId == realmId, ct);
|
||||
return await db.Clients.FirstOrDefaultAsync(c => c.ClientId == clientId, ct);
|
||||
}
|
||||
|
||||
public async Task<Client?> FindById(
|
||||
Guid realmId,
|
||||
int id,
|
||||
CancellationToken ct = default)
|
||||
public async Task<Client?> FindById(int id, CancellationToken ct = default)
|
||||
{
|
||||
return await db.Clients.FirstOrDefaultAsync(c => c.Id == id && c.RealmId == realmId, ct);
|
||||
return await db.Clients.FirstOrDefaultAsync(c => c.Id == id, ct);
|
||||
}
|
||||
|
||||
private ClientSecret CreateSecret()
|
||||
|
|
@ -57,7 +51,7 @@ public class ClientService(
|
|||
return new ClientSecret()
|
||||
{
|
||||
CreatedAt = clock.UtcNow(),
|
||||
Secret = cryptor.Encrypt(secret),
|
||||
SecretEncrypted = cryptor.Encrypt(secret),
|
||||
};
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
using System.Security.Cryptography;
|
||||
using IdentityShroud.Core.Contracts;
|
||||
using IdentityShroud.Core.Security;
|
||||
|
||||
namespace IdentityShroud.Core.Services;
|
||||
|
||||
|
|
@ -8,85 +8,20 @@ namespace IdentityShroud.Core.Services;
|
|||
/// </summary>
|
||||
public class EncryptionService : IEncryptionService
|
||||
{
|
||||
private record struct AlgVersion(int NonceSize, int TagSize);
|
||||
|
||||
private AlgVersion[] _versions =
|
||||
[
|
||||
new(0, 0), // version 0 does not realy exist
|
||||
new (12, 16), // version 1
|
||||
];
|
||||
|
||||
// Note this array is expected to have one item in it most of the during key rotation it will have two
|
||||
// until it is ensured the old key can safely be removed. More then two will work but is not really expected.
|
||||
private readonly EncryptionKey[] _encryptionKeys;
|
||||
|
||||
private EncryptionKey ActiveKey => _encryptionKeys.Single(k => k.Active);
|
||||
private EncryptionKey GetKey(string keyId) => _encryptionKeys.Single(k => k.Id == keyId);
|
||||
private readonly byte[] encryptionKey;
|
||||
|
||||
public EncryptionService(ISecretProvider secretProvider)
|
||||
{
|
||||
_encryptionKeys = secretProvider.GetKeys("master");
|
||||
// if (_encryptionKey.Length != 32) // 256‑bit key
|
||||
// throw new Exception("Key must be 256 bits (32 bytes) for AES‑256‑GCM.");
|
||||
encryptionKey = Convert.FromBase64String(secretProvider.GetSecret("Master"));
|
||||
}
|
||||
|
||||
public EncryptedValue Encrypt(ReadOnlyMemory<byte> plaintext)
|
||||
public byte[] Encrypt(byte[] plain)
|
||||
{
|
||||
const int versionNumber = 1;
|
||||
AlgVersion versionParams = _versions[versionNumber];
|
||||
|
||||
int resultSize = 1 + versionParams.NonceSize + versionParams.TagSize + plaintext.Length;
|
||||
// allocate buffer for complete response
|
||||
var result = new byte[resultSize];
|
||||
|
||||
result[0] = (byte)versionNumber;
|
||||
|
||||
// make the spans that point to the parts of the result where their data is located
|
||||
var nonce = result.AsSpan(1, versionParams.NonceSize);
|
||||
var tag = result.AsSpan(1 + versionParams.NonceSize, versionParams.TagSize);
|
||||
var cipher = result.AsSpan(1 + versionParams.NonceSize + versionParams.TagSize);
|
||||
|
||||
// use the spans to place the data directly in its place
|
||||
RandomNumberGenerator.Fill(nonce);
|
||||
var encryptionKey = ActiveKey;
|
||||
using var aes = new AesGcm(encryptionKey.Key, versionParams.TagSize);
|
||||
aes.Encrypt(nonce, plaintext.Span, cipher, tag);
|
||||
|
||||
return new (encryptionKey.Id, result);
|
||||
return AesGcmHelper.EncryptAesGcm(plain, encryptionKey);
|
||||
}
|
||||
|
||||
public byte[] Decrypt(EncryptedValue input)
|
||||
public byte[] Decrypt(ReadOnlyMemory<byte> cipher)
|
||||
{
|
||||
var encryptionKey = GetKey(input.KeyId);
|
||||
|
||||
var payload = input.Value.AsSpan();
|
||||
int versionNumber = (int)payload[0];
|
||||
if (versionNumber != 1)
|
||||
throw new ArgumentException("Invalid payload");
|
||||
|
||||
AlgVersion versionParams = _versions[versionNumber];
|
||||
|
||||
|
||||
if (payload.Length < 1 + versionParams.NonceSize + versionParams.TagSize)
|
||||
throw new ArgumentException("Payload is too short to contain nonce, ciphertext, and tag.", nameof(payload));
|
||||
|
||||
ReadOnlySpan<byte> nonce = payload.Slice(1, versionParams.NonceSize);
|
||||
ReadOnlySpan<byte> tag = payload.Slice(1 + versionParams.NonceSize, versionParams.TagSize);
|
||||
ReadOnlySpan<byte> cipher = payload.Slice(1 + versionParams.NonceSize + versionParams.TagSize);
|
||||
|
||||
byte[] plaintext = new byte[cipher.Length];
|
||||
|
||||
using var aes = new AesGcm(encryptionKey.Key, versionParams.TagSize);
|
||||
try
|
||||
{
|
||||
aes.Decrypt(nonce, cipher, tag, plaintext);
|
||||
}
|
||||
catch (CryptographicException ex)
|
||||
{
|
||||
// Tag verification failed → tampering or wrong key/nonce.
|
||||
throw new InvalidOperationException("Decryption failed – authentication tag mismatch.", ex);
|
||||
}
|
||||
|
||||
return plaintext;
|
||||
return AesGcmHelper.DecryptAesGcm(cipher, encryptionKey);
|
||||
}
|
||||
}
|
||||
|
|
@ -1,3 +1,4 @@
|
|||
using System.Security.Cryptography;
|
||||
using IdentityShroud.Core.Contracts;
|
||||
using IdentityShroud.Core.Messages;
|
||||
using IdentityShroud.Core.Model;
|
||||
|
|
@ -29,18 +30,23 @@ public class KeyService(
|
|||
|
||||
IKeyProvider provider = keyProviderFactory.CreateProvider(realmKey.KeyType);
|
||||
provider.SetJwkParameters(
|
||||
cryptor.Decrypt(realmKey.Key),
|
||||
cryptor.Decrypt(realmKey.KeyDataEncrypted),
|
||||
jwk);
|
||||
|
||||
return jwk;
|
||||
}
|
||||
|
||||
private RealmKey CreateKey(string keyType, byte[] plainKey) =>
|
||||
new RealmKey()
|
||||
{
|
||||
Id = Guid.NewGuid(),
|
||||
KeyType = keyType,
|
||||
Key = cryptor.Encrypt(plainKey),
|
||||
CreatedAt = clock.UtcNow(),
|
||||
};
|
||||
new RealmKey(
|
||||
Guid.NewGuid(),
|
||||
keyType,
|
||||
cryptor.Encrypt(plainKey),
|
||||
clock.UtcNow());
|
||||
|
||||
// public byte[] GetPrivateKey(IEncryptionService encryptionService)
|
||||
// {
|
||||
// if (_privateKeyDecrypted.Length == 0 && PrivateKeyEncrypted.Length > 0)
|
||||
// _privateKeyDecrypted = encryptionService.Decrypt(PrivateKeyEncrypted);
|
||||
// return _privateKeyDecrypted;
|
||||
// }
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,3 +1,4 @@
|
|||
using System.Security.Cryptography;
|
||||
using IdentityShroud.Core.Contracts;
|
||||
using IdentityShroud.Core.Helpers;
|
||||
using IdentityShroud.Core.Messages.Realm;
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
using System.Text.Json.Nodes;
|
||||
using System.Text.RegularExpressions;
|
||||
using Xunit;
|
||||
|
||||
namespace IdentityShroud.TestUtils.Asserts;
|
||||
|
||||
|
|
|
|||
|
|
@ -1,4 +1,5 @@
|
|||
using FluentResults;
|
||||
using Xunit;
|
||||
|
||||
namespace IdentityShroud.Core.Tests;
|
||||
|
||||
|
|
|
|||
|
|
@ -10,7 +10,6 @@
|
|||
<ItemGroup>
|
||||
<PackageReference Include="FluentResults" Version="4.0.0" />
|
||||
<PackageReference Include="xunit.v3.assert" Version="3.2.2" />
|
||||
<PackageReference Include="NSubstitute" Version="5.3.0" />
|
||||
</ItemGroup>
|
||||
|
||||
<ItemGroup>
|
||||
|
|
@ -22,4 +21,10 @@
|
|||
<Using Include="NSubstitute"/>
|
||||
</ItemGroup>
|
||||
|
||||
<ItemGroup>
|
||||
<Reference Include="NSubstitute">
|
||||
<HintPath>..\..\..\.nuget\packages\nsubstitute\5.3.0\lib\net6.0\NSubstitute.dll</HintPath>
|
||||
</Reference>
|
||||
</ItemGroup>
|
||||
|
||||
</Project>
|
||||
|
|
|
|||
|
|
@ -8,11 +8,11 @@ public static class EncryptionServiceSubstitute
|
|||
{
|
||||
var encryptionService = Substitute.For<IEncryptionService>();
|
||||
encryptionService
|
||||
.Encrypt(Arg.Any<ReadOnlyMemory<byte>>())
|
||||
.Returns(x => new EncryptedValue("kid", x.ArgAt<ReadOnlyMemory<byte>>(0).ToArray()));
|
||||
.Encrypt(Arg.Any<byte[]>())
|
||||
.Returns(x => x.ArgAt<byte[]>(0));
|
||||
encryptionService
|
||||
.Decrypt(Arg.Any<EncryptedValue>())
|
||||
.Returns(x => x.ArgAt<EncryptedValue>(0).Value);
|
||||
.Decrypt(Arg.Any<ReadOnlyMemory<byte>>())
|
||||
.Returns(x => x.ArgAt<ReadOnlyMemory<byte>>(0).ToArray());
|
||||
return encryptionService;
|
||||
}
|
||||
}
|
||||
|
|
@ -14,18 +14,20 @@
|
|||
<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AOkOfT_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fe2a19de442f561af862af2dcad0852b7e62707a5cf194d266d1656f92bbb6d2_003FOkOfT_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
|
||||
<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003APostgreSqlBuilder_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fcdd0beaf7beaf8366c0862f34fe40da30911084d957625ab31577851ee8cae7_003FPostgreSqlBuilder_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
|
||||
<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003APostgreSqlContainer_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fc82112acf224de1d157da0309437b227be6c1ef877865c23872f49eaf9d73c_003FPostgreSqlContainer_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
|
||||
<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AReadOnlyMemory_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fc19b2538fdfabf70658aed8979dd83e9ca11e27f5b3df68950e8ecb4d879e_003FReadOnlyMemory_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
|
||||
<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AResultsOfT_002EGenerated_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fff2e2c5ca93c7786ef8425ca6caf751702328924211687ce72e74fd1265e8_003FResultsOfT_002EGenerated_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
|
||||
<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003ARouteGroupBuilder_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fd42b8f8feda3bfb3dc17f133a52ce45931ed5066c46a4d834c8ed46e0a6_003FRouteGroupBuilder_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
|
||||
<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AThrowHelper_002ESerialization_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003F8433b9271c0f176fb5ceb7b1c3d62e1318fe8e62b4e5d7e882952dc543fec_003FThrowHelper_002ESerialization_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
|
||||
<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003ATypedResults_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fcea118513a410f660e578fe32bed95cf86457dd135e4b4632ca91eb4f7b_003FTypedResults_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
|
||||
<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AWebEncoders_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fce6b69dd397f614758bc5821136ec8af3fa22563dd657769e231f51be1fbbc_003FWebEncoders_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
|
||||
|
||||
<s:String x:Key="/Default/dotCover/Editor/HighlightingSourceSnapshotLocation/@EntryValue">/home/eelke/.cache/JetBrains/Rider2025.3/resharper-host/temp/Rider/vAny/CoverageData/_IdentityShroud.-1277985570/Snapshot/snapshot.utdcvr</s:String>
|
||||
<s:String x:Key="/Default/Environment/Hierarchy/Build/BuildTool/DotNetCliExePath/@EntryValue">/home/eelke/.dotnet/dotnet</s:String>
|
||||
<s:String x:Key="/Default/Environment/Hierarchy/Build/BuildTool/CustomBuildToolPath/@EntryValue">/home/eelke/.dotnet/sdk/10.0.102/MSBuild.dll</s:String>
|
||||
<s:String x:Key="/Default/Environment/UnitTesting/UnitTestSessionStore/Sessions/=b20a3316_002Db435_002D49e2_002Dbeaf_002De4cd62c44994/@EntryIndexedValue"><SessionState ContinuousTestingMode="0" IsActive="True" Name="All tests from Solution" xmlns="urn:schemas-jetbrains-com:jetbrains-ut-session">
|
||||
<s:String x:Key="/Default/Environment/UnitTesting/UnitTestSessionStore/Sessions/=4bf578c0_002Dc8f9_002D46e4_002D9bdc_002D38da0a3f253a/@EntryIndexedValue"><SessionState ContinuousTestingMode="0" Name="All tests from Solution" xmlns="urn:schemas-jetbrains-com:jetbrains-ut-session">
|
||||
<Solution />
|
||||
</SessionState></s:String>
|
||||
<s:String x:Key="/Default/Environment/UnitTesting/UnitTestSessionStore/Sessions/=7ce84f90_002D6ae2_002D4e9e_002D860e_002Deb90f45871f3/@EntryIndexedValue"><SessionState ContinuousTestingMode="0" IsActive="True" Name="Junie Session" xmlns="urn:schemas-jetbrains-com:jetbrains-ut-session">
|
||||
<ProjectFile>DC887623-8680-4D3B-B23A-D54F7DA91891/d:Services/f:ClientServiceTests.cs</ProjectFile>
|
||||
</SessionState></s:String>
|
||||
|
||||
|
||||
|
||||
|
|
@ -34,7 +36,4 @@
|
|||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</wpf:ResourceDictionary>
|
||||
15
README.md
15
README.md
|
|
@ -1,15 +0,0 @@
|
|||
# IdentityShroud
|
||||
|
||||
IdentityShroud is a .NET project for identity management and protection.
|
||||
|
||||
## Build and Test
|
||||
|
||||
```bash
|
||||
dotnet restore
|
||||
dotnet build
|
||||
dotnet test
|
||||
```
|
||||
|
||||
## Coverage
|
||||
|
||||
Coverage reports are generated automatically in CI and displayed in pull request comments.
|
||||
Loading…
Add table
Add a link
Reference in a new issue