eelke/IdentityShroud
1
0
Fork 0
Code Issues 4 Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: eelke:client-service-and-api
Branches Tags
eelke:main
eelke:5-improve-encrypted-storage
eelke:client-service-and-api
eelke:validation
..
compare: eelke:main
Branches Tags
eelke:main
eelke:5-improve-encrypted-storage
eelke:client-service-and-api
eelke:validation

1 commit
client-ser ... main

Author SHA1 Message Date
eelke
07393f57fc 5-improve-encrypted-storage (#6) 
Added the use of DEK's for encryption of secrets. Both the KEK's and DEK's are stored in a way that you can have multiple key of which one is active. But the others are still available for decrypting. This allows for implementing key rotation.

Co-authored-by: eelke <eelke@eelkeklein.nl>
Co-authored-by: Eelke76 <31384324+Eelke76@users.noreply.github.com>
Reviewed-on: #6
 2026-02-27 17:57:42 +00:00
72 changed files with 1095 additions and 356 deletions
Download patch file Download diff file Expand all files Collapse all files

179
IdentityShroud.Api.Tests/Apis/ClientApiTests.cs Normal file
View file

@ -0,0 +1,179 @@
using System.Net;
using System.Net.Http.Json;
using IdentityShroud.Core;
using IdentityShroud.Core.Model;
using IdentityShroud.Core.Tests.Fixtures;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;
namespace IdentityShroud.Api.Tests.Apis;
public class ClientApiTests : IClassFixture<ApplicationFactory>
{
private readonly ApplicationFactory _factory;
public ClientApiTests(ApplicationFactory factory)
{
_factory = factory;
using var scope = _factory.Services.CreateScope();
var db = scope.ServiceProvider.GetRequiredService<Db>();
if (!db.Database.EnsureCreated())
{
db.Database.ExecuteSqlRaw("TRUNCATE realm CASCADE;");
}
}
[Theory]
[InlineData(null, false, "ClientId")]
[InlineData("", false, "ClientId")]
[InlineData("my-client", true, "")]
public async Task Create_Validation(string? clientId, bool succeeds, string fieldName)
{
// setup
Realm realm = await CreateRealmAsync("test-realm", "Test Realm");
var client = _factory.CreateClient();
// act
var response = await client.PostAsync(
$"/api/v1/realms/{realm.Id}/clients",
JsonContent.Create(new { ClientId = clientId }),
TestContext.Current.CancellationToken);
#if DEBUG
string contents = await response.Content.ReadAsStringAsync(TestContext.Current.CancellationToken);
#endif
if (succeeds)
{
Assert.Equal(HttpStatusCode.Created, response.StatusCode);
}
else
{
Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
var problemDetails =
await response.Content.ReadFromJsonAsync<ValidationProblemDetails>(
TestContext.Current.CancellationToken);
Assert.Contains(problemDetails!.Errors, e => e.Key == fieldName);
}
}
[Fact]
public async Task Create_Success_ReturnsCreatedWithLocation()
{
// setup
Realm realm = await CreateRealmAsync("create-realm", "Create Realm");
var client = _factory.CreateClient();
// act
var response = await client.PostAsync(
$"/api/v1/realms/{realm.Id}/clients",
JsonContent.Create(new { ClientId = "new-client", Name = "New Client" }),
TestContext.Current.CancellationToken);
#if DEBUG
string contents = await response.Content.ReadAsStringAsync(TestContext.Current.CancellationToken);
#endif
// verify
Assert.Equal(HttpStatusCode.Created, response.StatusCode);
var body = await response.Content.ReadFromJsonAsync<ClientCreateReponse>(
TestContext.Current.CancellationToken);
Assert.NotNull(body);
Assert.Equal("new-client", body.ClientId);
Assert.True(body.Id > 0);
}
[Fact]
public async Task Create_UnknownRealm_ReturnsNotFound()
{
var client = _factory.CreateClient();
var response = await client.PostAsync(
$"/api/v1/realms/{Guid.NewGuid()}/clients",
JsonContent.Create(new { ClientId = "some-client" }),
TestContext.Current.CancellationToken);
Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
}
[Fact]
public async Task Get_Success()
{
// setup
Realm realm = await CreateRealmAsync("get-realm", "Get Realm");
Client dbClient = await CreateClientAsync(realm, "get-client", "Get Client");
var httpClient = _factory.CreateClient();
// act
var response = await httpClient.GetAsync(
$"/api/v1/realms/{realm.Id}/clients/{dbClient.Id}",
TestContext.Current.CancellationToken);
#if DEBUG
string contents = await response.Content.ReadAsStringAsync(TestContext.Current.CancellationToken);
#endif
// verify
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
var body = await response.Content.ReadFromJsonAsync<ClientRepresentation>(
TestContext.Current.CancellationToken);
Assert.NotNull(body);
Assert.Equal(dbClient.Id, body.Id);
Assert.Equal("get-client", body.ClientId);
Assert.Equal("Get Client", body.Name);
Assert.Equal(realm.Id, body.RealmId);
}
[Fact]
public async Task Get_UnknownClient_ReturnsNotFound()
{
// setup
Realm realm = await CreateRealmAsync("notfound-realm", "NotFound Realm");
var httpClient = _factory.CreateClient();
// act
var response = await httpClient.GetAsync(
$"/api/v1/realms/{realm.Id}/clients/99999",
TestContext.Current.CancellationToken);
// verify
Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
}
private async Task<Realm> CreateRealmAsync(string slug, string name)
{
using var scope = _factory.Services.CreateScope();
var db = scope.ServiceProvider.GetRequiredService<Db>();
var realm = new Realm { Slug = slug, Name = name };
db.Realms.Add(realm);
await db.SaveChangesAsync(TestContext.Current.CancellationToken);
return realm;
}
private async Task<Client> CreateClientAsync(Realm realm, string clientId, string? name = null)
{
using var scope = _factory.Services.CreateScope();
var db = scope.ServiceProvider.GetRequiredService<Db>();
var client = new Client
{
RealmId = realm.Id,
ClientId = clientId,
Name = name,
CreatedAt = DateTime.UtcNow,
};
db.Clients.Add(client);
await db.SaveChangesAsync(TestContext.Current.CancellationToken);
return client;
}
}

16
IdentityShroud.Api.Tests/Apis/RealmApisTests.cs
View file

@ -114,7 +114,7 @@ public class RealmApisTests : IClassFixture<ApplicationFactory>
{
// act
var client = _factory.CreateClient();
var response = await client.GetAsync("/realms/bar/.well-known/openid-configuration",
var response = await client.GetAsync($"/realms/{slug}/.well-known/openid-configuration",
TestContext.Current.CancellationToken);
// verify
@ -125,16 +125,18 @@ public class RealmApisTests : IClassFixture<ApplicationFactory>
public async Task GetJwks()
{
// setup
IEncryptionService encryptionService = _factory.Services.GetRequiredService<IEncryptionService>();
IDekEncryptionService dekEncryptionService = _factory.Services.GetRequiredService<IDekEncryptionService>();
using var rsa = RSA.Create(2048);
RSAParameters parameters = rsa.ExportParameters(includePrivateParameters: false);
RealmKey realmKey = new(
Guid.NewGuid(),
"RSA",
encryptionService.Encrypt(rsa.ExportPkcs8PrivateKey()),
DateTime.UtcNow);
RealmKey realmKey = new()
{
Id = Guid.NewGuid(),
KeyType = "RSA",
Key = dekEncryptionService.Encrypt(rsa.ExportPkcs8PrivateKey()),
CreatedAt = DateTime.UtcNow,
};
await ScopedContextAsync(async db =>
{

10
IdentityShroud.Api.Tests/Fixtures/ApplicationFactory.cs
View file

@ -1,11 +1,6 @@
using IdentityShroud.Core.Services;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc.Testing;
using Microsoft.EntityFrameworkCore.Infrastructure;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.VisualStudio.TestPlatform.TestHost;
using Npgsql;
using Testcontainers.PostgreSql;
namespace IdentityShroud.Core.Tests.Fixtures;
@ -33,7 +28,10 @@ public class ApplicationFactory : WebApplicationFactory<Program>, IAsyncLifetime
new Dictionary<string, string?>
{
["Db:ConnectionString"] = _postgresqlServer.GetConnectionString(),
["Encryption:Master"] = "GVd07qW0frRX9quPX/X62L88BeRR7+IzgRJHtG7ZzHw=",
["secrets:master:0:Id"] = "94970f27-3d88-4223-9940-7dd57548f5b5",
["secrets:master:0:Active"] = "true",
["secrets:master:0:Algorithm"] = "AES",
["secrets:master:0:Key"] = "GVd07qW0frRX9quPX/X62L88BeRR7+IzgRJHtG7ZzHw=",
});
});

17
IdentityShroud.Api.Tests/Mappers/KeyMapperTests.cs
View file

@ -1,17 +0,0 @@
using IdentityShroud.Api.Mappers;
using IdentityShroud.Core.Contracts;
using IdentityShroud.Core.Messages;
using IdentityShroud.TestUtils.Substitutes;
using Microsoft.AspNetCore.WebUtilities;
namespace IdentityShroud.Api.Tests.Mappers;
// public class KeyMapperTests
// {
// private readonly IEncryptionService _encryptionService = EncryptionServiceSubstitute.CreatePassthrough();
//
// [Fact]
// public void Test()
// {
// }
// }

19
IdentityShroud.Api.Tests/Mappers/KeyServiceTests.cs
View file

@ -2,6 +2,7 @@ using System.Buffers.Text;
using System.Security.Cryptography;
using IdentityShroud.Core.Contracts;
using IdentityShroud.Core.Model;
using IdentityShroud.Core.Security;
using IdentityShroud.Core.Security.Keys;
using IdentityShroud.Core.Services;
using IdentityShroud.TestUtils.Substitutes;
@ -10,8 +11,7 @@ namespace IdentityShroud.Api.Tests.Mappers;
public class KeyServiceTests
{
private readonly IEncryptionService _encryptionService = EncryptionServiceSubstitute.CreatePassthrough();
//private readonly IKeyProviderFactory _keyProviderFactory = Substitute.For<IKeyProviderFactory>();
private readonly NullDekEncryptionService _dekEncryptionService = new();
[Fact]
public void Test()
@ -21,19 +21,22 @@ public class KeyServiceTests
RSAParameters parameters = rsa.ExportParameters(includePrivateParameters: false);
RealmKey realmKey = new(
new("60bb79cf-4bac-4521-87f2-ac87cc15541f"),
"RSA",
rsa.ExportPkcs8PrivateKey(),
DateTime.UtcNow)
DekId kid = DekId.NewId();
RealmKey realmKey = new()
{
Id = new("60bb79cf-4bac-4521-87f2-ac87cc15541f"),
KeyType = "RSA",
Key = new(_dekEncryptionService.KeyId, rsa.ExportPkcs8PrivateKey()),
CreatedAt = DateTime.UtcNow,
Priority = 10,
};
// Act
KeyService sut = new(_encryptionService, new KeyProviderFactory(), new ClockService());
KeyService sut = new(_dekEncryptionService, new KeyProviderFactory(), new ClockService());
var jwk = sut.CreateJsonWebKey(realmKey);
Assert.NotNull(jwk);
Assert.Equal("RSA", jwk.KeyType);
Assert.Equal(realmKey.Id.ToString(), jwk.KeyId);
Assert.Equal("sig", jwk.Use);

14
IdentityShroud.Api/Apis/ClientApi.cs
View file

@ -1,14 +1,14 @@
using FluentResults;
using IdentityShroud.Api.Mappers;
using IdentityShroud.Core.Contracts;
using IdentityShroud.Core.Messages.Realm;
using IdentityShroud.Core.Model;
using IdentityShroud.Core.Services;
using Microsoft.AspNetCore.Http.HttpResults;
using Microsoft.AspNetCore.Mvc;
namespace IdentityShroud.Api;
public record ClientCreateReponse(int Id, string ClientId);
/// <summary>
@ -34,13 +34,18 @@ public static class ClientApi
.WithName(ClientGetRouteName);
}
private static Task ClientGet(HttpContext context)
private static Ok<ClientRepresentation> ClientGet(
Guid realmId,
int clientId,
HttpContext context)
{
throw new NotImplementedException();
Client client = (Client)context.Items["ClientEntity"]!;
return TypedResults.Ok(new ClientMapper().ToDto(client));
}
private static async Task<Results<CreatedAtRoute<ClientCreateReponse>, InternalServerError>>
ClientCreate(
Guid realmId,
ClientCreateRequest request,
[FromServices] IClientService service,
HttpContext context,
@ -64,6 +69,5 @@ public static class ClientApi
["realmId"] = realm.Id,
["clientId"] = client.Id,
});
throw new NotImplementedException();
}
}

16
IdentityShroud.Api/Apis/Dto/ClientRepresentation.cs Normal file
View file

@ -0,0 +1,16 @@
namespace IdentityShroud.Api;
public record ClientRepresentation
{
public int Id { get; set; }
public Guid RealmId { get; set; }
public required string ClientId { get; set; }
public string? Name { get; set; }
public string? Description { get; set; }
public string? SignatureAlgorithm { get; set; }
public bool AllowClientCredentialsFlow { get; set; } = false;
public required DateTime CreatedAt { get; set; }
}

3
IdentityShroud.Api/Apis/Filters/ClientIdValidationFilter.cs
View file

@ -7,8 +7,9 @@ public class ClientIdValidationFilter(IClientService clientService) : IEndpointF
{
public async ValueTask<object?> InvokeAsync(EndpointFilterInvocationContext context, EndpointFilterDelegate next)
{
Guid realmId = context.Arguments.OfType<Guid>().First();
int id = context.Arguments.OfType<int>().First();
Client? client = await clientService.FindById(id, context.HttpContext.RequestAborted);
Client? client = await clientService.FindById(realmId, id, context.HttpContext.RequestAborted);
if (client is null)
{
return Results.NotFound();

1
IdentityShroud.Api/Apis/Filters/RealmSlugValidationFilter.cs
View file

@ -1,6 +1,5 @@
using IdentityShroud.Core.Contracts;
using IdentityShroud.Core.Model;
using IdentityShroud.Core.Services;
namespace IdentityShroud.Api;

11
IdentityShroud.Api/Apis/Mappers/ClientMapper.cs Normal file
View file

@ -0,0 +1,11 @@
using IdentityShroud.Core.Model;
using Riok.Mapperly.Abstractions;
namespace IdentityShroud.Api.Mappers;
[Mapper]
public partial class ClientMapper
{
[MapperIgnoreSource(nameof(Client.Secrets))]
public partial ClientRepresentation ToDto(Client client);
}

3
IdentityShroud.Api/Apis/Mappers/KeyMapper.cs
View file

@ -1,9 +1,6 @@
using System.Security.Cryptography;
using IdentityShroud.Core.Contracts;
using IdentityShroud.Core.Messages;
using IdentityShroud.Core.Model;
using IdentityShroud.Core.Security;
using Microsoft.AspNetCore.WebUtilities;
namespace IdentityShroud.Api.Mappers;

22
IdentityShroud.Api/Apis/Validation/ClientCreateRequestValidator.cs Normal file
View file

@ -0,0 +1,22 @@
using FluentValidation;
using IdentityShroud.Core.Contracts;
namespace IdentityShroud.Api;
public class ClientCreateRequestValidator : AbstractValidator<ClientCreateRequest>
{
// most of standard ascii minus the control characters and space
private const string ClientIdPattern = "^[\x21-\x7E]+";
private string[] AllowedAlgorithms = [ "RS256", "ES256" ];
public ClientCreateRequestValidator()
{
RuleFor(e => e.ClientId).NotEmpty().MaximumLength(40).Matches(ClientIdPattern);
RuleFor(e => e.Name).MaximumLength(80);
RuleFor(e => e.Description).MaximumLength(2048);
RuleFor(e => e.SignatureAlgorithm)
.Must(v => v is null || AllowedAlgorithms.Contains(v))
.WithMessage($"SignatureAlgorithm must be one of {string.Join(", ", AllowedAlgorithms)} or null");
}
}

1
IdentityShroud.Api/AppJsonSerializerContext.cs
View file

@ -1,7 +1,6 @@
using System.Text.Json.Serialization;
using IdentityShroud.Core.Messages;
using IdentityShroud.Core.Messages.Realm;
using Microsoft.Extensions.Diagnostics.HealthChecks;
[JsonSerializable(typeof(OpenIdConfiguration))]
[JsonSerializable(typeof(RealmCreateRequest))]

2
IdentityShroud.Api/IdentityShroud.Api.csproj
View file

@ -17,7 +17,7 @@
<ItemGroup>
<PackageReference Include="FluentValidation.DependencyInjectionExtensions" Version="12.1.1" />
<PackageReference Include="Microsoft.AspNetCore.OpenApi" Version="10.0.0"/>
<PackageReference Include="Microsoft.Extensions.Configuration.Binder" Version="10.0.2" />
<PackageReference Include="Riok.Mapperly" Version="4.3.1" />
<PackageReference Include="Serilog" Version="4.3.0" />
<PackageReference Include="Serilog.AspNetCore" Version="10.0.0" />
<PackageReference Include="Serilog.Expressions" Version="5.0.0" />

6
IdentityShroud.Api/Program.cs
View file

@ -38,15 +38,19 @@ void ConfigureBuilder(WebApplicationBuilder builder)
services.AddScoped<Db>();
services.AddScoped<IClientService, ClientService>();
services.AddSingleton<IClock, ClockService>();
services.AddSingleton<IEncryptionService, EncryptionService>();
services.AddSingleton<IDekEncryptionService, DekEncryptionService>();
services.AddScoped<IDataEncryptionService, DataEncryptionService>();
services.AddScoped<IRealmContext, RealmContext>();
services.AddScoped<IKeyProviderFactory, KeyProviderFactory>();
services.AddScoped<IKeyService, KeyService>();
services.AddScoped<IRealmService, RealmService>();
services.AddOptions<DbConfiguration>().Bind(configuration.GetSection("db"));
services.AddSingleton<ISecretProvider, ConfigurationSecretProvider>();
services.AddScoped<KeyMapper>();
services.AddScoped<IRealmContext, RealmContext>();
services.AddValidatorsFromAssemblyContaining<RealmCreateRequestValidator>();
services.AddHttpContextAccessor();
builder.Host.UseSerilog((context, services, configuration) => configuration
.Enrich.FromLogContext()

3
IdentityShroud.Core.Tests/Fixtures/DbFixture.cs
View file

@ -1,5 +1,4 @@
using DotNet.Testcontainers.Containers;
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using Npgsql;
using Testcontainers.PostgreSql;

36
IdentityShroud.Core.Tests/Helpers/Base64UrlConverterTests.cs Normal file
View file

@ -0,0 +1,36 @@
using System.Text;
using System.Text.Json;
using System.Text.Json.Serialization;
using IdentityShroud.Core.Helpers;
namespace IdentityShroud.Core.Tests.Helpers;
public class Base64UrlConverterTests
{
internal class Data
{
[JsonConverter(typeof(Base64UrlConverter))]
public byte[]? X { get; set; }
}
[Fact]
public void Serialize()
{
Data d = new() { X = ">>>???"u8.ToArray() };
string s = JsonSerializer.Serialize(d);
Assert.Contains("\"Pj4-Pz8_\"", s);
}
[Fact]
public void Deerialize()
{
var jsonstring = """
{ "X": "Pj4-Pz8_" }
""";
var d = JsonSerializer.Deserialize<Data>(jsonstring);
Assert.Equal(">>>???", Encoding.UTF8.GetString(d.X));
}
}

4
IdentityShroud.Core.Tests/IdentityShroud.Core.Tests.csproj
View file

@ -30,8 +30,4 @@
<ProjectReference Include="..\IdentityShroud.TestUtils\IdentityShroud.TestUtils.csproj" />
</ItemGroup>
<ItemGroup>
<Folder Include="Model\" />
</ItemGroup>
</Project>

4
IdentityShroud.Core.Tests/JwtSignatureGeneratorTests.cs
View file

@ -72,8 +72,8 @@ public class JwtSignatureGeneratorTests
var rsa = RSA.Create();
var parameters = new RSAParameters
{
Modulus = WebEncoders.Base64UrlDecode(jwk.Modulus),
Exponent = WebEncoders.Base64UrlDecode(jwk.Exponent)
Modulus = WebEncoders.Base64UrlDecode(jwk.Modulus!),
Exponent = WebEncoders.Base64UrlDecode(jwk.Exponent!)
};
rsa.ImportParameters(parameters);

21
IdentityShroud.Core.Tests/Security/AesGcmHelperTests.cs
View file

@ -1,21 +0,0 @@
using System.Security.Cryptography;
using System.Text;
using IdentityShroud.Core.Security;
namespace IdentityShroud.Core.Tests.Security;
public class AesGcmHelperTests
{
[Fact]
public void EncryptDecryptCycleWorks()
{
string input = "Hello, world!";
var encryptionKey = RandomNumberGenerator.GetBytes(32);
var cypher = AesGcmHelper.EncryptAesGcm(Encoding.UTF8.GetBytes(input), encryptionKey);
var output = AesGcmHelper.DecryptAesGcm(cypher, encryptionKey);
Assert.Equal(input, Encoding.UTF8.GetString(output));
}
}

63
IdentityShroud.Core.Tests/Security/ConfigurationSecretProviderTests.cs Normal file
View file

@ -0,0 +1,63 @@
using System.Text;
using IdentityShroud.Core.Security;
using Microsoft.Extensions.Configuration;
namespace IdentityShroud.Core.Tests.Security;
public class ConfigurationSecretProviderTests
{
private static IConfiguration BuildConfigFromJson(string json)
{
// Convert the JSON string into a stream that the config builder can read.
var jsonBytes = Encoding.UTF8.GetBytes(json);
using var stream = new MemoryStream(jsonBytes);
// Build the configuration just like the real app does, but from the stream.
var config = new ConfigurationBuilder()
.AddJsonStream(stream) // <-- reads from the inmemory JSON
.Build();
return config;
}
[Fact]
public void Test()
{
string jsonConfig = """
{
"secrets": {
"master": [
{
"Id": "5676d159-5495-4945-aa84-59ee694aa8a2",
"Active": true,
"Algorithm": "AES",
"Key": "yoQ4W7EaNjo7s3FBYkWo5BLyX1BnLyWd7BlSaDIrkzo="
},
{
"Id": "b82489e7-a05a-4d64-b9a5-58d2f2c0dc39",
"Active": false,
"Algorithm": "AES",
"Key": "YSWK6vTJXCJOGLpCo+TtZ6anKNzvA1VT2xXLHbmq4M0="
}
]
}
}
""";
ConfigurationSecretProvider sut = new(BuildConfigFromJson(jsonConfig));
// act
var keys = sut.GetKeys("master");
// verify
Assert.Equal(2, keys.Length);
var active = keys.Single(k => k.Active);
Assert.Equal(new Guid("5676d159-5495-4945-aa84-59ee694aa8a2"), active.Id.Id);
Assert.Equal("AES", active.Algorithm);
Assert.Equal(Convert.FromBase64String("yoQ4W7EaNjo7s3FBYkWo5BLyX1BnLyWd7BlSaDIrkzo="), active.Key);
var inactive = keys.Single(k => !k.Active);
Assert.Equal(new Guid("b82489e7-a05a-4d64-b9a5-58d2f2c0dc39"), inactive.Id.Id);
}
}

13
IdentityShroud.Core.Tests/Services/ClientServiceTests.cs
View file

@ -10,7 +10,8 @@ namespace IdentityShroud.Core.Tests.Services;
public class ClientServiceTests : IClassFixture<DbFixture>
{
private readonly DbFixture _dbFixture;
private readonly IEncryptionService _encryptionService = EncryptionServiceSubstitute.CreatePassthrough();
private readonly NullDataEncryptionService _dataEncryptionService = new();
private readonly IClock _clock = Substitute.For<IClock>();
private readonly Guid _realmId = new("a1b2c3d4-0000-0000-0000-000000000001");
@ -51,7 +52,7 @@ public class ClientServiceTests : IClassFixture<DbFixture>
await using (var db = _dbFixture.CreateDbContext())
{
// Act
ClientService sut = new(db, _encryptionService, _clock);
ClientService sut = new(db, _dataEncryptionService, _clock);
var response = await sut.Create(
_realmId,
new ClientCreateRequest
@ -107,8 +108,8 @@ public class ClientServiceTests : IClassFixture<DbFixture>
await using var actContext = _dbFixture.CreateDbContext();
// Act
ClientService sut = new(actContext, _encryptionService, _clock);
Client? result = await sut.GetByClientId(clientId, TestContext.Current.CancellationToken);
ClientService sut = new(actContext, _dataEncryptionService, _clock);
Client? result = await sut.GetByClientId(_realmId, clientId, TestContext.Current.CancellationToken);
// Verify
if (shouldFind)
@ -142,8 +143,8 @@ public class ClientServiceTests : IClassFixture<DbFixture>
await using var actContext = _dbFixture.CreateDbContext();
// Act
ClientService sut = new(actContext, _encryptionService, _clock);
Client? result = await sut.FindById(searchId, TestContext.Current.CancellationToken);
ClientService sut = new(actContext, _dataEncryptionService, _clock);
Client? result = await sut.FindById(_realmId, searchId, TestContext.Current.CancellationToken);
// Verify
if (shouldFind)

64
IdentityShroud.Core.Tests/Services/DataEncryptionServiceTests.cs Normal file
View file

@ -0,0 +1,64 @@
using System.Security.Cryptography;
using IdentityShroud.Core.Contracts;
using IdentityShroud.Core.Model;
using IdentityShroud.Core.Security;
using IdentityShroud.Core.Services;
using IdentityShroud.TestUtils.Substitutes;
namespace IdentityShroud.Core.Tests.Services;
public class DataEncryptionServiceTests
{
private readonly IRealmContext _realmContext = Substitute.For<IRealmContext>();
private readonly IDekEncryptionService _dekCryptor = new NullDekEncryptionService();// Substitute.For<IDekEncryptionService>();
private readonly DekId _activeDekId = DekId.NewId();
private readonly DekId _secondDekId = DekId.NewId();
private DataEncryptionService CreateSut()
=> new(_realmContext, _dekCryptor);
[Fact]
public void Encrypt_UsesActiveKey()
{
_realmContext.GetDeks(Arg.Any<CancellationToken>()).Returns([
CreateRealmDek(_secondDekId, false),
CreateRealmDek(_activeDekId, true),
]);
var cipher = CreateSut().Encrypt("Hello"u8);
Assert.Equal(_activeDekId, cipher.DekId);
}
[Fact]
public void Decrypt_UsesCorrectKey()
{
var first = CreateRealmDek(_activeDekId, true);
_realmContext.GetDeks(Arg.Any<CancellationToken>()).Returns([ first ]);
var sut = CreateSut();
var cipher = sut.Encrypt("Hello"u8);
// Deactivate original key
first.Active = false;
// Make new active
var second = CreateRealmDek(_secondDekId, true);
// Return both
_realmContext.GetDeks(Arg.Any<CancellationToken>()).Returns([ first, second ]);
var decoded = sut.Decrypt(cipher);
Assert.Equal("Hello"u8, decoded);
}
private RealmDek CreateRealmDek(DekId id, bool active)
=> new()
{
Id = id,
Active = active,
Algorithm = "AES",
KeyData = new(KekId.NewId(), RandomNumberGenerator.GetBytes(32)),
RealmId = default,
};
}

123
IdentityShroud.Core.Tests/Services/DekEncryptionServiceTests.cs Normal file
View file

@ -0,0 +1,123 @@
using IdentityShroud.Core.Contracts;
using IdentityShroud.Core.Security;
using IdentityShroud.Core.Services;
namespace IdentityShroud.Core.Tests.Services;
public class DekEncryptionServiceTests
{
[Fact]
public void RoundtripWorks()
{
// Note this code will tend to only test the latest verion.
// setup
byte[] keyValue = Convert.FromBase64String("IGd9yUMusjNW0ezv8ink3QWlAHKFH45d21LyrbJTokw=");
var secretProvider = Substitute.For<ISecretProvider>();
KeyEncryptionKey[] keys =
[
new KeyEncryptionKey(KekId.NewId(), true, "AES", keyValue)
];
secretProvider.GetKeys("master").Returns(keys);
ReadOnlySpan<byte> input = "Hello, World!"u8;
// act
DekEncryptionService sut = new(secretProvider);
EncryptedDek cipher = sut.Encrypt(input.ToArray());
byte[] result = sut.Decrypt(cipher);
// verify
Assert.Equal(input, result);
}
[Fact]
public void DetectsCorruptInput()
{
// When introducing a new version we need version specific tests to
// make sure decoding of legacy data still works.
KekId kid = KekId.NewId();
// setup
byte[] cipher = // NOTE INCORRECT CIPHER DO NOT USE IN OTHER TESTS
[
1, 198, 55, 58, 56, 110, 238, 59, 158, 214, 85, 241, 26, 44, 140, 229, 128, 111, 167, 154, 160, 177, 152,
193, 75, 4, 235, 82, 207, 87, 32, 10, 239, 4, 246, 25, 21, 249, 25, 59, 160, 101
];
EncryptedDek secret = new(kid, cipher);
byte[] keyValue = Convert.FromBase64String("IGd9yUMusjNW0ezv8ink3QWlAHKFH45d21LyrbJTokw=");
var secretProvider = Substitute.For<ISecretProvider>();
KeyEncryptionKey[] keys =
[
new KeyEncryptionKey(kid, true, "AES", keyValue)
];
secretProvider.GetKeys("master").Returns(keys);
// act
DekEncryptionService sut = new(secretProvider);
Assert.Throws<InvalidOperationException>(
() => sut.Decrypt(secret),
ex => ex.Message.Contains("Decryption failed") ? null : "Expected Decryption failed in message");
}
[Fact]
public void DecodeSelectsRightKey()
{
// The key is marked inactive also it is the second key
// setup
KekId kid1 = KekId.NewId();
KekId kid2 = KekId.NewId();
byte[] cipher =
[
1, 198, 55, 58, 56, 110, 238, 59, 158, 214, 85, 241, 26, 44, 140, 229, 128, 111, 167, 154, 160, 177, 152,
193, 74, 4, 235, 82, 207, 87, 32, 10, 239, 4, 246, 25, 21, 249, 25, 59, 160, 101
];
EncryptedDek secret = new(kid1, cipher);
byte[] keyValue1 = Convert.FromBase64String("IGd9yUMusjNW0ezv8ink3QWlAHKFH45d21LyrbJTokw=");
byte[] keyValue2 = Convert.FromBase64String("Dat1RwRvuLX3wdKMMP4NwHdBl8tJJsKfp01qikyo8aw=");
var secretProvider = Substitute.For<ISecretProvider>();
KeyEncryptionKey[] keys =
[
new KeyEncryptionKey(kid2, true, "AES", keyValue2),
new KeyEncryptionKey(kid1, false, "AES", keyValue1),
];
secretProvider.GetKeys("master").Returns(keys);
// act
DekEncryptionService sut = new(secretProvider);
byte[] result = sut.Decrypt(secret);
// verify
Assert.Equal("Hello, World!"u8, result);
}
[Fact]
public void EncryptionUsesActiveKey()
{
// setup
KekId kid1 = KekId.NewId();
KekId kid2 = KekId.NewId();
byte[] keyValue1 = Convert.FromBase64String("IGd9yUMusjNW0ezv8ink3QWlAHKFH45d21LyrbJTokw=");
byte[] keyValue2 = Convert.FromBase64String("Dat1RwRvuLX3wdKMMP4NwHdBl8tJJsKfp01qikyo8aw=");
var secretProvider = Substitute.For<ISecretProvider>();
KeyEncryptionKey[] keys =
[
new KeyEncryptionKey(kid1, false, "AES", keyValue1),
new KeyEncryptionKey(kid2, true, "AES", keyValue2),
];
secretProvider.GetKeys("master").Returns(keys);
ReadOnlySpan<byte> input = "Hello, World!"u8;
// act
DekEncryptionService sut = new(secretProvider);
EncryptedDek cipher = sut.Encrypt(input.ToArray());
// Verify
Assert.Equal(kid2, cipher.KekId);
}
}

26
IdentityShroud.Core.Tests/Services/EncryptionServiceTests.cs
View file

@ -1,26 +0,0 @@
using System.Security.Cryptography;
using IdentityShroud.Core.Contracts;
using IdentityShroud.Core.Services;
namespace IdentityShroud.Core.Tests.Services;
public class EncryptionServiceTests
{
[Fact]
public void RoundtripWorks()
{
// setup
string key = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
var secretProvider = Substitute.For<ISecretProvider>();
secretProvider.GetSecret("Master").Returns(key);
EncryptionService sut = new(secretProvider);
byte[] input = RandomNumberGenerator.GetBytes(16);
// act
var cipher = sut.Encrypt(input);
var result = sut.Decrypt(cipher);
Assert.Equal(input, result);
}
}

30
IdentityShroud.Core.Tests/Services/EncryptionTests.cs Normal file
View file

@ -0,0 +1,30 @@
using IdentityShroud.Core.Security;
using IdentityShroud.Core.Services;
namespace IdentityShroud.Core.Tests.Services;
public class EncryptionTests
{
[Fact]
public void DecodeV1_Success()
{
// When introducing a new version we need version specific tests to
// make sure decoding of legacy data still works.
// setup
byte[] cipher =
[
1, 198, 55, 58, 56, 110, 238, 59, 158, 214, 85, 241, 26, 44, 140, 229, 128, 111, 167, 154, 160, 177, 152,
193, 74, 4, 235, 82, 207, 87, 32, 10, 239, 4, 246, 25, 21, 249, 25, 59, 160, 101
];
byte[] keyValue = Convert.FromBase64String("IGd9yUMusjNW0ezv8ink3QWlAHKFH45d21LyrbJTokw=");
// act
byte[] result = Encryption.Decrypt(cipher, keyValue);
// verify
Assert.Equal("Hello, World!"u8, result);
}
}

10
IdentityShroud.Core.Tests/Services/RealmServiceTests.cs
View file

@ -1,9 +1,9 @@
using IdentityShroud.Core.Contracts;
using IdentityShroud.Core.Model;
using IdentityShroud.Core.Security;
using IdentityShroud.Core.Security.Keys;
using IdentityShroud.Core.Services;
using IdentityShroud.Core.Tests.Fixtures;
using IdentityShroud.TestUtils.Substitutes;
using Microsoft.EntityFrameworkCore;
namespace IdentityShroud.Core.Tests.Services;
@ -40,7 +40,13 @@ public class RealmServiceTests : IClassFixture<DbFixture>
await using (var db = _dbFixture.CreateDbContext())
{
_keyService.CreateKey(Arg.Any<KeyPolicy>())
.Returns(new RealmKey(Guid.NewGuid(), "TST", [21], DateTime.UtcNow));
.Returns(new RealmKey()
{
Id = Guid.NewGuid(),
KeyType = "TST",
Key = new(KekId.NewId(), [21]),
CreatedAt = DateTime.UtcNow
});
// Act
RealmService sut = new(db, _keyService);
var response = await sut.Create(

15
IdentityShroud.Core.Tests/UnitTest1.cs
View file

@ -2,7 +2,6 @@
using System.Text;
using System.Text.Json;
using IdentityShroud.Core.DTO;
using IdentityShroud.Core.Messages;
using Microsoft.AspNetCore.WebUtilities;
namespace IdentityShroud.Core.Tests;
@ -36,7 +35,6 @@ public class UnitTest1
// Option 3: Generate a new key for testing
rsa.KeySize = 2048;
// Your already encoded header and payload
string header = "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJybVZ3TU5rM0o1WHlmMWhyS3NVbEVYN1BNUm42dlZKY0h3U3FYMUVQRnFJIn0";
string payload = "eyJleHAiOjE3Njk5MzY5MDksImlhdCI6MTc2OTkzNjYwOSwianRpIjoiMjNiZDJmNjktODdhYi00YmM2LWE0MWQtZGZkNzkxNDc4ZDM0IiwiaXNzIjoiaHR0cHM6Ly9pYW0ua2Fzc2FjbG91ZC5ubC9hdXRoL3JlYWxtcy9tcGx1c2thc3NhIiwiYXVkIjpbImthc3NhLW1hbmFnZW1lbnQtc2VydmljZSIsImFwYWNoZTItaW50cmFuZXQtYXV0aCIsImFjY291bnQiXSwic3ViIjoiMDkzY2NmMTUtYzRhOS00YWI0LTk3MWYtZDVhMDIyMzZkODVhIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoibXBvYmFja2VuZCIsInNpZCI6IjI2NmUyNjJiLTU5NjMtNDUyZi04ZTI3LWIwZTkzMjBkNTZkNiIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLW1wbHVza2Fzc2EiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIiwiZGVhbGVyLW1lZGV3ZXJrZXItcm9sZSIsIm1wbHVza2Fzc2EtbWVkZXdlcmtlci1yb2xlIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYXBhY2hlMi1pbnRyYW5ldC1hdXRoIjp7InJvbGVzIjpbImludHJhbmV0IiwicmVsZWFzZW5vdGVzX3dyaXRlIl19LCJrYXNzYS1tYW5hZ2VtZW50LXNlcnZpY2UiOnsicm9sZXMiOlsicG9zYWNjb3VudF9wYXNzd29yZHJlc2V0IiwiZHJhZnRfbGljZW5zZV93cml0ZSIsImxpY2Vuc2VfcmVhZCIsImtub3dsZWRnZUl0ZW1fcmVhZCIsIm1haWxpbmdfcmVhZCIsIm1wbHVzYXBpX3JlYWQiLCJkYXRhYmFzZV91c2VyX3dyaXRlIiwiZW52aXJvbm1lbnRfd3JpdGUiLCJna3NfYXV0aGNvZGVfcmVhZCIsImVtcGxveWVlX3JlYWQiLCJkYXRhYmFzZV91c2VyX3JlYWQiLCJhcGlhY2NvdW50X3Bhc3N3b3JkcmVzZXQiLCJtcGx1c2FwaV93cml0ZSIsImVudmlyb25tZW50X3JlYWQiLCJrbm93bGVkZ2VJdGVtX3dyaXRlIiwiZGF0YWJhc2VfdXNlcl9wYXNzd29yZF9yZWFkIiwibGljZW5zZV93cml0ZSIsImN1c3RvbWVyX3dyaXRlIiwiZGVhbGVyX3JlYWQiLCJlbXBsb3llZV93cml0ZSIsImRhdGFiYXNlX2NvbmZpZ3VyYXRpb25fd3JpdGUiLCJyZWxhdGlvbnNfcmVhZCIsImRhdGFiYXNlX3VzZXJfcGFzc3dvcmRfbXBsdXNfZW5jcnlwdGVkX3JlYWQiLCJkcmFmdF9saWNlbnNlX3JlYWQiLCJkYXRhYmFzZV9jb25maWd1cmF0aW9uX3JlYWQiXX0sImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoia21zIGVtYWlsIHByb2ZpbGUiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiZGVhbGVySWQiOjEsIm5hbWUiOiJFZWxrZSBLbGVpbiIsInByZWZlcnJlZF91c2VybmFtZSI6ImVlbGtlQGJvbHQubmwiLCJsb2NhbGUiOiJlbiIsImdpdmVuX25hbWUiOiJFZWxrZSIsImZhbWlseV9uYW1lIjoiS2xlaW4iLCJlbWFpbCI6ImVlbGtlQGJvbHQubmwiLCJlbXBsb3llZU51bWJlciI6NTR9";
@ -52,6 +50,15 @@ public class UnitTest1
// Or generate complete JWT
// string completeJwt = JwtSignatureGenerator.GenerateCompleteJwt(header, payload, rsa);
// Console.WriteLine($"Complete JWT: {completeJwt}");
rsa.ExportRSAPublicKey(); // PKCS#1
}
using (ECDsa dsa = ECDsa.Create())
{
dsa.ExportPkcs8PrivateKey();
dsa.ExportSubjectPublicKeyInfo(); // x509
}
}
}
@ -67,9 +74,9 @@ public static class JwtReader
return new JsonWebToken()
{
Header = JsonSerializer.Deserialize<JsonWebTokenHeader>(
Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(jwt, 0, firstDot))),
Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(jwt, 0, firstDot)))!,
Payload = JsonSerializer.Deserialize<JsonWebTokenPayload>(
Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(jwt, firstDot + 1, secondDot - (firstDot + 1)))),
Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(jwt, firstDot + 1, secondDot - (firstDot + 1))))!,
Signature = WebEncoders.Base64UrlDecode(jwt, secondDot + 1, jwt.Length - (secondDot + 1))
};
}

16
IdentityShroud.Core/Contracts/IClientService.cs
View file

@ -2,18 +2,6 @@ using IdentityShroud.Core.Model;
namespace IdentityShroud.Core.Contracts;
//public record CreateClientRequest(Guid RealmId, string ClientId, string? Description);
public class ClientCreateRequest
{
public required string ClientId { get; set; }
public string? Name { get; set; }
public string? Description { get; set; }
public string? SignatureAlgorithm { get; set; }
public bool? AllowClientCredentialsFlow { get; set; }
}
public interface IClientService
{
Task<Result<Client>> Create(
@ -21,6 +9,6 @@ public interface IClientService
ClientCreateRequest request,
CancellationToken ct = default);
Task<Client?> GetByClientId(string clientId, CancellationToken ct = default);
Task<Client?> FindById(int id, CancellationToken ct = default);
Task<Client?> GetByClientId(Guid realmId, string clientId, CancellationToken ct = default);
Task<Client?> FindById(Guid realmId, int id, CancellationToken ct = default);
}

9
IdentityShroud.Core/Contracts/IDataEncryptionService.cs Normal file
View file

@ -0,0 +1,9 @@
using IdentityShroud.Core.Security;
namespace IdentityShroud.Core.Contracts;
public interface IDataEncryptionService
{
EncryptedValue Encrypt(ReadOnlySpan<byte> plain);
byte[] Decrypt(EncryptedValue input);
}

11
IdentityShroud.Core/Contracts/IDekEncryptionService.cs Normal file
View file

@ -0,0 +1,11 @@
using IdentityShroud.Core.Security;
namespace IdentityShroud.Core.Contracts;
public interface IDekEncryptionService
{
EncryptedDek Encrypt(ReadOnlySpan<byte> plain);
byte[] Decrypt(EncryptedDek input);
}

7
IdentityShroud.Core/Contracts/IEncryptionService.cs
View file

@ -1,7 +0,0 @@
namespace IdentityShroud.Core.Contracts;
public interface IEncryptionService
{
byte[] Encrypt(byte[] plain);
byte[] Decrypt(ReadOnlyMemory<byte> cipher);
}

9
IdentityShroud.Core/Contracts/IRealmContext.cs Normal file
View file

@ -0,0 +1,9 @@
using IdentityShroud.Core.Model;
namespace IdentityShroud.Core.Contracts;
public interface IRealmContext
{
public Realm GetRealm();
Task<IList<RealmDek>> GetDeks(CancellationToken ct = default);
}

1
IdentityShroud.Core/Contracts/IRealmService.cs
View file

@ -11,4 +11,5 @@ public interface IRealmService
Task<Result<RealmCreateResponse>> Create(RealmCreateRequest request, CancellationToken ct = default);
Task LoadActiveKeys(Realm realm);
Task LoadDeks(Realm realm);
}

8
IdentityShroud.Core/Contracts/ISecretProvider.cs
View file

@ -1,6 +1,14 @@
using IdentityShroud.Core.Security;
namespace IdentityShroud.Core.Contracts;
public interface ISecretProvider
{
string GetSecret(string name);
/// <summary>
/// Should return one active key, might return inactive keys.
/// </summary>
/// <returns></returns>
KeyEncryptionKey[] GetKeys(string name);
}

10
IdentityShroud.Core/DTO/Client/ClientCreateRequest.cs Normal file
View file

@ -0,0 +1,10 @@
namespace IdentityShroud.Core.Contracts;
public class ClientCreateRequest
{
public required string ClientId { get; set; }
public string? Name { get; set; }
public string? Description { get; set; }
public string? SignatureAlgorithm { get; set; }
public bool? AllowClientCredentialsFlow { get; set; }
}

26
IdentityShroud.Core/DTO/JsonWebKey.cs
View file

@ -1,7 +1,5 @@
using System.Buffers;
using System.Buffers.Text;
using System.Text.Json;
using System.Text.Json.Serialization;
using IdentityShroud.Core.Helpers;
namespace IdentityShroud.Core.Messages;
@ -49,25 +47,3 @@ public class JsonWebKey
// [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
// public string? X509CertificateThumbprint { get; set; }
}
public class Base64UrlConverter : JsonConverter<byte[]>
{
public override byte[] Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSerializerOptions options)
{
// GetValueSpan gives you the raw UTF-8 bytes of the JSON string value
if (reader.HasValueSequence)
{
var valueSequence = reader.ValueSequence.ToArray();
return Base64Url.DecodeFromUtf8(valueSequence);
}
return Base64Url.DecodeFromUtf8(reader.ValueSpan);
}
public override void Write(Utf8JsonWriter writer, byte[] value, JsonSerializerOptions options)
{
int encodedLength = Base64Url.GetEncodedLength(value.Length);
Span<byte> buffer = encodedLength <= 256 ? stackalloc byte[encodedLength] : new byte[encodedLength];
Base64Url.EncodeToUtf8(value, buffer);
writer.WriteStringValue(buffer);
}
}

36
IdentityShroud.Core/Db.cs
View file

@ -1,5 +1,7 @@
using IdentityShroud.Core.Model;
using IdentityShroud.Core.Security;
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
@ -19,6 +21,40 @@ public class Db(
public virtual DbSet<Client> Clients { get; set; }
public virtual DbSet<Realm> Realms { get; set; }
public virtual DbSet<RealmKey> Keys { get; set; }
public virtual DbSet<RealmDek> Deks { get; set; }
protected override void OnModelCreating(ModelBuilder modelBuilder)
{
var dekIdConverter = new ValueConverter<DekId, Guid>(
id => id.Id,
guid => new DekId(guid));
var kekIdConverter = new ValueConverter<KekId, Guid>(
id => id.Id,
guid => new KekId(guid));
modelBuilder.Entity<RealmDek>()
.Property(d => d.Id)
.HasConversion(dekIdConverter);
modelBuilder.Entity<RealmDek>()
.OwnsOne(d => d.KeyData, keyData =>
{
keyData.Property(k => k.KekId).HasConversion(kekIdConverter);
});
modelBuilder.Entity<RealmKey>()
.OwnsOne(k => k.Key, key =>
{
key.Property(k => k.KekId).HasConversion(kekIdConverter);
});
modelBuilder.Entity<ClientSecret>()
.OwnsOne(c => c.Secret, secret =>
{
secret.Property(s => s.DekId).HasConversion(dekIdConverter);
});
}
protected override void OnConfiguring(DbContextOptionsBuilder optionsBuilder)
{

28
IdentityShroud.Core/Helpers/Base64UrlConverter.cs Normal file
View file

@ -0,0 +1,28 @@
using System.Buffers;
using System.Buffers.Text;
using System.Text.Json;
using System.Text.Json.Serialization;
namespace IdentityShroud.Core.Helpers;
public class Base64UrlConverter : JsonConverter<byte[]>
{
public override byte[] Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSerializerOptions options)
{
// GetValueSpan gives you the raw UTF-8 bytes of the JSON string value
if (reader.HasValueSequence)
{
var valueSequence = reader.ValueSequence.ToArray();
return Base64Url.DecodeFromUtf8(valueSequence);
}
return Base64Url.DecodeFromUtf8(reader.ValueSpan);
}
public override void Write(Utf8JsonWriter writer, byte[] value, JsonSerializerOptions options)
{
int encodedLength = Base64Url.GetEncodedLength(value.Length);
Span<byte> buffer = encodedLength <= 256 ? stackalloc byte[encodedLength] : new byte[encodedLength];
Base64Url.EncodeToUtf8(value, buffer);
writer.WriteStringValue(buffer);
}
}

1
IdentityShroud.Core/Helpers/SlugHelper.cs
View file

@ -1,4 +1,3 @@
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

8
IdentityShroud.Core/IdentityShroud.Core.csproj
View file

@ -12,7 +12,9 @@
<PackageReference Include="FluentValidation" Version="12.1.1" />
<PackageReference Include="jose-jwt" Version="5.2.0" />
<PackageReference Include="LanguageExt.Core" Version="4.4.9" />
<PackageReference Include="Microsoft.AspNetCore.Http.Abstractions" Version="2.3.9" />
<PackageReference Include="Microsoft.Extensions.Configuration.Binder" Version="10.0.2" />
<PackageReference Include="Microsoft.AspNetCore.WebUtilities" Version="10.0.2" />
<PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="10.0.0" />
</ItemGroup>
@ -20,10 +22,4 @@
<Using Include="FluentResults" />
</ItemGroup>
<ItemGroup>
<Reference Include="Microsoft.AspNetCore.WebUtilities">
<HintPath>..\..\..\.nuget\packages\microsoft.aspnetcore.webutilities\10.0.2\lib\net10.0\Microsoft.AspNetCore.WebUtilities.dll</HintPath>
</Reference>
</ItemGroup>
</Project>

1
IdentityShroud.Core/Model/Client.cs
View file

@ -1,6 +1,5 @@
using System.ComponentModel.DataAnnotations;
using System.ComponentModel.DataAnnotations.Schema;
using IdentityShroud.Core.Security;
using Microsoft.EntityFrameworkCore;
namespace IdentityShroud.Core.Model;

4
IdentityShroud.Core/Model/ClientSecret.cs
View file

@ -1,5 +1,7 @@
using System.ComponentModel.DataAnnotations;
using System.ComponentModel.DataAnnotations.Schema;
using IdentityShroud.Core.Contracts;
using IdentityShroud.Core.Security;
namespace IdentityShroud.Core.Model;
@ -11,5 +13,5 @@ public class ClientSecret
public Guid ClientId { get; set; }
public DateTime CreatedAt { get; set; }
public DateTime? RevokedAt { get; set; }
public required byte[] SecretEncrypted { get; set; }
public required EncryptedValue Secret { get; set; }
}

14
IdentityShroud.Core/Model/Realm.cs
View file

@ -1,7 +1,6 @@
using System.ComponentModel.DataAnnotations;
using System.ComponentModel.DataAnnotations.Schema;
using IdentityShroud.Core.Security;
using Microsoft.EntityFrameworkCore;
namespace IdentityShroud.Core.Model;
@ -22,9 +21,20 @@ public class Realm
public List<RealmKey> Keys { get; init; } = [];
public List<RealmDek> Deks { get; init; } = [];
/// <summary>
/// Can be overriden per client
/// </summary>
public string DefaultSignatureAlgorithm { get; set; } = JsonWebAlgorithm.RS256;
}
[Table("realm_dek")]
public record RealmDek
{
public required DekId Id { get; init; }
public required bool Active { get; set; }
public required string Algorithm { get; init; }
public required EncryptedDek KeyData { get; init; }
public required Guid RealmId { get; init; }
}

15
IdentityShroud.Core/Model/RealmKey.cs
View file

@ -1,15 +1,20 @@
using System.ComponentModel.DataAnnotations.Schema;
using IdentityShroud.Core.Contracts;
using IdentityShroud.Core.Security;
using Microsoft.EntityFrameworkCore;
namespace IdentityShroud.Core.Model;
[Table("realm_key")]
public record RealmKey(Guid Id, string KeyType, byte[] KeyDataEncrypted, DateTime CreatedAt)
public record RealmKey
{
public Guid Id { get; private set; } = Id;
public string KeyType { get; private set; } = KeyType;
public byte[] KeyDataEncrypted { get; private set; } = KeyDataEncrypted;
public DateTime CreatedAt { get; private set; } = CreatedAt;
public required Guid Id { get; init; }
public required string KeyType { get; init; }
public required EncryptedDek Key { get; init; }
public required DateTime CreatedAt { get; init; }
public DateTime? RevokedAt { get; set; }
/// <summary>

70
IdentityShroud.Core/Security/AesGcmHelper.cs
View file

@ -1,70 +0,0 @@
using System.Security.Cryptography;
namespace IdentityShroud.Core.Security;
public static class AesGcmHelper
{
public static byte[] EncryptAesGcm(byte[] plaintext, byte[] key)
{
int tagSize = AesGcm.TagByteSizes.MaxSize;
using var aes = new AesGcm(key, tagSize);
Span<byte> nonce = stackalloc byte[AesGcm.NonceByteSizes.MaxSize];
RandomNumberGenerator.Fill(nonce);
Span<byte> ciphertext = stackalloc byte[plaintext.Length];
Span<byte> tag = stackalloc byte[tagSize];
aes.Encrypt(nonce, plaintext, ciphertext, tag);
// Return concatenated nonce|ciphertext|tag
var result = new byte[nonce.Length + ciphertext.Length + tag.Length];
nonce.CopyTo(result.AsSpan(0, nonce.Length));
ciphertext.CopyTo(result.AsSpan(nonce.Length, ciphertext.Length));
tag.CopyTo(result.AsSpan(nonce.Length + ciphertext.Length, tag.Length));
return result;
}
// --------------------------------------------------------------------
// DecryptAesGcm
// • key 32byte (256bit) secret key (same key used for encryption)
// • payload byte[] containing nonce‖ciphertext‖tag
// • returns the original plaintext bytes
// --------------------------------------------------------------------
public static byte[] DecryptAesGcm(ReadOnlyMemory<byte> payload, byte[] key)
{
if (key == null) throw new ArgumentNullException(nameof(key));
if (key.Length != 32) // 256bit key
throw new ArgumentException("Key must be 256bits (32 bytes) for AES256GCM.", nameof(key));
// ----------------------------------------------------------------
// 1⃣ Extract the three components.
// ----------------------------------------------------------------
// AesGcm.NonceByteSizes.MaxSize = 12 bytes (standard GCM nonce length)
// AesGcm.TagByteSizes.MaxSize = 16 bytes (128bit authentication tag)
int nonceSize = AesGcm.NonceByteSizes.MaxSize; // 12
int tagSize = AesGcm.TagByteSizes.MaxSize; // 16
if (payload.Length < nonceSize + tagSize)
throw new ArgumentException("Payload is too short to contain nonce, ciphertext, and tag.", nameof(payload));
ReadOnlySpan<byte> nonce = payload.Span[..nonceSize];
ReadOnlySpan<byte> ciphertext = payload.Span.Slice(nonceSize, payload.Length - nonceSize - tagSize);
ReadOnlySpan<byte> tag = payload.Span.Slice(payload.Length - tagSize, tagSize);
byte[] plaintext = new byte[ciphertext.Length];
using var aes = new AesGcm(key, tagSize);
try
{
aes.Decrypt(nonce, ciphertext, tag, plaintext);
}
catch (CryptographicException ex)
{
// Tag verification failed → tampering or wrong key/nonce.
throw new InvalidOperationException("Decryption failed authentication tag mismatch.", ex);
}
return plaintext;
}
}

5
IdentityShroud.Core/Security/ConfigurationSecretProvider.cs
View file

@ -14,4 +14,9 @@ public class ConfigurationSecretProvider(IConfiguration configuration) : ISecret
{
return secrets.GetValue<string>(name) ?? "";
}
public KeyEncryptionKey[] GetKeys(string name)
{
return secrets.GetSection(name).Get<KeyEncryptionKey[]>() ?? [];
}
}

6
IdentityShroud.Core/Security/DekId.cs Normal file
View file

@ -0,0 +1,6 @@
namespace IdentityShroud.Core.Security;
public record struct DekId(Guid Id)
{
public static DekId NewId() => new(Guid.NewGuid());
}

6
IdentityShroud.Core/Security/EncryptedDek.cs Normal file
View file

@ -0,0 +1,6 @@
using Microsoft.EntityFrameworkCore;
namespace IdentityShroud.Core.Security;
[Owned]
public record EncryptedDek(KekId KekId, byte[] Value);

8
IdentityShroud.Core/Security/EncryptedValue.cs Normal file
View file

@ -0,0 +1,8 @@
using Microsoft.EntityFrameworkCore;
namespace IdentityShroud.Core.Security;
[Owned]
public record EncryptedValue(DekId DekId, byte[] Value);

70
IdentityShroud.Core/Security/Encryption.cs Normal file
View file

@ -0,0 +1,70 @@
using System.Security.Cryptography;
namespace IdentityShroud.Core.Security;
public static class Encryption
{
private record struct AlgVersion(int Version, int NonceSize, int TagSize);
private static AlgVersion[] _versions =
[
new(0, 0, 0), // version 0 does not realy exist
new(1, 12, 16), // version 1
];
public static byte[] Encrypt(ReadOnlySpan<byte> plaintext, ReadOnlySpan<byte> key)
{
const int versionNumber = 1;
AlgVersion versionParams = _versions[versionNumber];
int resultSize = 1 + versionParams.NonceSize + versionParams.TagSize + plaintext.Length;
// allocate buffer for complete response
var result = new byte[resultSize];
result[0] = (byte)versionParams.Version;
// make the spans that point to the parts of the result where their data is located
var nonce = result.AsSpan(1, versionParams.NonceSize);
var tag = result.AsSpan(1 + versionParams.NonceSize, versionParams.TagSize);
var cipher = result.AsSpan(1 + versionParams.NonceSize + versionParams.TagSize);
// use the spans to place the data directly in its place
RandomNumberGenerator.Fill(nonce);
using var aes = new AesGcm(key, versionParams.TagSize);
aes.Encrypt(nonce, plaintext, cipher, tag);
return result;
}
public static byte[] Decrypt(ReadOnlyMemory<byte> input, ReadOnlySpan<byte> key)
{
var payload = input.Span;
int versionNumber = (int)payload[0];
if (versionNumber != 1)
throw new ArgumentException("Invalid payload");
AlgVersion versionParams = _versions[versionNumber];
if (payload.Length < 1 + versionParams.NonceSize + versionParams.TagSize)
throw new ArgumentException("Payload is too short to contain nonce, ciphertext, and tag.", nameof(payload));
ReadOnlySpan<byte> nonce = payload.Slice(1, versionParams.NonceSize);
ReadOnlySpan<byte> tag = payload.Slice(1 + versionParams.NonceSize, versionParams.TagSize);
ReadOnlySpan<byte> cipher = payload.Slice(1 + versionParams.NonceSize + versionParams.TagSize);
byte[] plaintext = new byte[cipher.Length];
using var aes = new AesGcm(key, versionParams.TagSize);
try
{
aes.Decrypt(nonce, cipher, tag, plaintext);
}
catch (CryptographicException ex)
{
// Tag verification failed → tampering or wrong key/nonce.
throw new InvalidOperationException("Decryption failed authentication tag mismatch.", ex);
}
return plaintext;
}
}

2
IdentityShroud.Core/Security/JsonWebAlgorithm.cs
View file

@ -1,5 +1,3 @@
using System.Security.Cryptography;
namespace IdentityShroud.Core.Security;
public static class JsonWebAlgorithm

41
IdentityShroud.Core/Security/KekId.cs Normal file
View file

@ -0,0 +1,41 @@
using System.ComponentModel;
using System.Globalization;
using System.Text.Json;
using System.Text.Json.Serialization;
namespace IdentityShroud.Core.Security;
[JsonConverter(typeof(KekIdJsonConverter))]
[TypeConverter(typeof(KekIdTypeConverter))]
public readonly record struct KekId
{
public Guid Id { get; }
public KekId(Guid id)
{
Id = id;
}
public static KekId NewId()
{
return new KekId(Guid.NewGuid());
}
}
public class KekIdJsonConverter : JsonConverter<KekId>
{
public override KekId Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSerializerOptions options)
=> new KekId(reader.GetGuid());
public override void Write(Utf8JsonWriter writer, KekId value, JsonSerializerOptions options)
=> writer.WriteStringValue(value.Id);
}
public class KekIdTypeConverter : TypeConverter
{
public override bool CanConvertFrom(ITypeDescriptorContext? context, Type sourceType)
=> sourceType == typeof(string) || base.CanConvertFrom(context, sourceType);
public override object? ConvertFrom(ITypeDescriptorContext? context, CultureInfo? culture, object value)
=> value is string s ? new KekId(Guid.Parse(s)) : base.ConvertFrom(context, culture, value);
}

10
IdentityShroud.Core/Security/KeyEncryptionKey.cs Normal file
View file

@ -0,0 +1,10 @@
namespace IdentityShroud.Core.Security;
/// <summary>
/// Contains a KEK and associated relevant data. This structure
/// </summary>
/// <param name="Id"></param>
/// <param name="Active"></param>
/// <param name="Algorithm"></param>
/// <param name="Key"></param>
public record KeyEncryptionKey(KekId Id, bool Active, string Algorithm, byte[] Key);

1
IdentityShroud.Core/Security/Keys/IKeyProvider.cs
View file

@ -1,5 +1,4 @@
using IdentityShroud.Core.Messages;
using IdentityShroud.Core.Model;
namespace IdentityShroud.Core.Security.Keys;

2
IdentityShroud.Core/Security/Keys/Rsa/RsaProvider.cs
View file

@ -1,8 +1,6 @@
using System.Buffers.Text;
using System.Security.Cryptography;
using IdentityShroud.Core.Contracts;
using IdentityShroud.Core.Messages;
using IdentityShroud.Core.Model;
namespace IdentityShroud.Core.Security.Keys.Rsa;

16
IdentityShroud.Core/Security/RsaHelper.cs
View file

@ -1,16 +0,0 @@
using System.Security.Cryptography;
namespace IdentityShroud.Core.Security;
public static class RsaHelper
{
/// <summary>
/// Load RSA private key from PKCS#8 format
/// </summary>
public static RSA LoadFromPkcs8(byte[] pkcs8Key)
{
var rsa = RSA.Create();
rsa.ImportPkcs8PrivateKey(pkcs8Key, out _);
return rsa;
}
}

21
IdentityShroud.Core/Services/ClientService.cs
View file

@ -7,7 +7,7 @@ namespace IdentityShroud.Core.Services;
public class ClientService(
Db db,
IEncryptionService cryptor,
IDataEncryptionService cryptor,
IClock clock) : IClientService
{
public async Task<Result<Client>> Create(Guid realmId, ClientCreateRequest request, CancellationToken ct = default)
@ -34,24 +34,31 @@ public class ClientService(
return client;
}
public async Task<Client?> GetByClientId(string clientId, CancellationToken ct = default)
public async Task<Client?> GetByClientId(
Guid realmId,
string clientId,
CancellationToken ct = default)
{
return await db.Clients.FirstOrDefaultAsync(c => c.ClientId == clientId, ct);
return await db.Clients.FirstOrDefaultAsync(c => c.ClientId == clientId && c.RealmId == realmId, ct);
}
public async Task<Client?> FindById(int id, CancellationToken ct = default)
public async Task<Client?> FindById(
Guid realmId,
int id,
CancellationToken ct = default)
{
return await db.Clients.FirstOrDefaultAsync(c => c.Id == id, ct);
return await db.Clients.FirstOrDefaultAsync(c => c.Id == id && c.RealmId == realmId, ct);
}
private ClientSecret CreateSecret()
{
byte[] secret = RandomNumberGenerator.GetBytes(24);
Span<byte> secret = stackalloc byte[24];
RandomNumberGenerator.Fill(secret);
return new ClientSecret()
{
CreatedAt = clock.UtcNow(),
SecretEncrypted = cryptor.Encrypt(secret),
Secret = cryptor.Encrypt(secret.ToArray()),
};
}

41
IdentityShroud.Core/Services/DataEncryptionService.cs Normal file
View file

@ -0,0 +1,41 @@
using IdentityShroud.Core.Contracts;
using IdentityShroud.Core.Model;
using IdentityShroud.Core.Security;
namespace IdentityShroud.Core.Services;
public class DataEncryptionService(
IRealmContext realmContext,
IDekEncryptionService dekCryptor) : IDataEncryptionService
{
// Note this array is expected to have one item in it most of the during key rotation it will have two
// until it is ensured the old key can safely be removed. More then two will work but is not really expected.
private IList<RealmDek>? _deks = null;
private IList<RealmDek> GetDeks()
{
if (_deks is null)
_deks = realmContext.GetDeks().Result;
return _deks;
}
private RealmDek GetActiveDek() => GetDeks().Single(d => d.Active);
private RealmDek GetKey(DekId id) => GetDeks().Single(d => d.Id == id);
public byte[] Decrypt(EncryptedValue input)
{
var dek = GetKey(input.DekId);
var key = dekCryptor.Decrypt(dek.KeyData);
return Encryption.Decrypt(input.Value, key);
}
public EncryptedValue Encrypt(ReadOnlySpan<byte> plain)
{
var dek = GetActiveDek();
var key = dekCryptor.Decrypt(dek.KeyData);
byte[] cipher = Encryption.Encrypt(plain, key);
return new (dek.Id, cipher);
}
}

38
IdentityShroud.Core/Services/DekEncryptionService.cs Normal file
View file

@ -0,0 +1,38 @@
using IdentityShroud.Core.Contracts;
using IdentityShroud.Core.Security;
namespace IdentityShroud.Core.Services;
/// <summary>
///
/// </summary>
public class DekEncryptionService : IDekEncryptionService
{
// Note this array is expected to have one item in it most of the during key rotation it will have two
// until it is ensured the old key can safely be removed. More then two will work but is not really expected.
private readonly KeyEncryptionKey[] _encryptionKeys;
private KeyEncryptionKey ActiveKey => _encryptionKeys.Single(k => k.Active);
private KeyEncryptionKey GetKey(KekId keyId) => _encryptionKeys.Single(k => k.Id == keyId);
public DekEncryptionService(ISecretProvider secretProvider)
{
_encryptionKeys = secretProvider.GetKeys("master");
// if (_encryptionKey.Length != 32) // 256bit key
// throw new Exception("Key must be 256bits (32 bytes) for AES256GCM.");
}
public EncryptedDek Encrypt(ReadOnlySpan<byte> plaintext)
{
var encryptionKey = ActiveKey;
byte[] cipher = Encryption.Encrypt(plaintext, encryptionKey.Key);
return new (encryptionKey.Id, cipher);
}
public byte[] Decrypt(EncryptedDek input)
{
var encryptionKey = GetKey(input.KekId);
return Encryption.Decrypt(input.Value, encryptionKey.Key);
}
}

27
IdentityShroud.Core/Services/EncryptionService.cs
View file

@ -1,27 +0,0 @@
using IdentityShroud.Core.Contracts;
using IdentityShroud.Core.Security;
namespace IdentityShroud.Core.Services;
/// <summary>
///
/// </summary>
public class EncryptionService : IEncryptionService
{
private readonly byte[] encryptionKey;
public EncryptionService(ISecretProvider secretProvider)
{
encryptionKey = Convert.FromBase64String(secretProvider.GetSecret("Master"));
}
public byte[] Encrypt(byte[] plain)
{
return AesGcmHelper.EncryptAesGcm(plain, encryptionKey);
}
public byte[] Decrypt(ReadOnlyMemory<byte> cipher)
{
return AesGcmHelper.DecryptAesGcm(cipher, encryptionKey);
}
}

24
IdentityShroud.Core/Services/KeyService.cs
View file

@ -1,4 +1,3 @@
using System.Security.Cryptography;
using IdentityShroud.Core.Contracts;
using IdentityShroud.Core.Messages;
using IdentityShroud.Core.Model;
@ -7,7 +6,7 @@ using IdentityShroud.Core.Security.Keys;
namespace IdentityShroud.Core.Services;
public class KeyService(
IEncryptionService cryptor,
IDekEncryptionService cryptor,
IKeyProviderFactory keyProviderFactory,
IClock clock) : IKeyService
{
@ -30,23 +29,18 @@ public class KeyService(
IKeyProvider provider = keyProviderFactory.CreateProvider(realmKey.KeyType);
provider.SetJwkParameters(
cryptor.Decrypt(realmKey.KeyDataEncrypted),
cryptor.Decrypt(realmKey.Key),
jwk);
return jwk;
}
private RealmKey CreateKey(string keyType, byte[] plainKey) =>
new RealmKey(
Guid.NewGuid(),
keyType,
cryptor.Encrypt(plainKey),
clock.UtcNow());
// public byte[] GetPrivateKey(IEncryptionService encryptionService)
// {
// if (_privateKeyDecrypted.Length == 0 && PrivateKeyEncrypted.Length > 0)
// _privateKeyDecrypted = encryptionService.Decrypt(PrivateKeyEncrypted);
// return _privateKeyDecrypted;
// }
new RealmKey()
{
Id = Guid.NewGuid(),
KeyType = keyType,
Key = cryptor.Encrypt(plainKey),
CreatedAt = clock.UtcNow(),
};
}

26
IdentityShroud.Core/Services/RealmContext.cs Normal file
View file

@ -0,0 +1,26 @@
using IdentityShroud.Core.Contracts;
using IdentityShroud.Core.Model;
using Microsoft.AspNetCore.Http;
namespace IdentityShroud.Core.Services;
public class RealmContext(
IHttpContextAccessor accessor,
IRealmService realmService) : IRealmContext
{
public Realm GetRealm()
{
return (Realm)accessor.HttpContext.Items["RealmEntity"];
}
public async Task<IList<RealmDek>> GetDeks(CancellationToken ct = default)
{
Realm realm = GetRealm();
if (realm.Deks.Count == 0)
{
await realmService.LoadDeks(realm);
}
return realm.Deks;
}
}

7
IdentityShroud.Core/Services/RealmService.cs
View file

@ -1,4 +1,3 @@
using System.Security.Cryptography;
using IdentityShroud.Core.Contracts;
using IdentityShroud.Core.Helpers;
using IdentityShroud.Core.Messages.Realm;
@ -59,6 +58,12 @@ public class RealmService(
.Query()
.Where(k => k.RevokedAt == null)
.LoadAsync();
}
public async Task LoadDeks(Realm realm)
{
await db.Entry(realm).Collection(r => r.Deks)
.Query()
.LoadAsync();
}
}

1
IdentityShroud.TestUtils/Asserts/JsonObjectAssert.cs
View file

@ -1,6 +1,5 @@
using System.Text.Json.Nodes;
using System.Text.RegularExpressions;
using Xunit;
namespace IdentityShroud.TestUtils.Asserts;

1
IdentityShroud.TestUtils/Asserts/ResultAssert.cs
View file

@ -1,5 +1,4 @@
using FluentResults;
using Xunit;
namespace IdentityShroud.Core.Tests;

7
IdentityShroud.TestUtils/IdentityShroud.TestUtils.csproj
View file

@ -10,6 +10,7 @@
<ItemGroup>
<PackageReference Include="FluentResults" Version="4.0.0" />
<PackageReference Include="xunit.v3.assert" Version="3.2.2" />
<PackageReference Include="NSubstitute" Version="5.3.0" />
</ItemGroup>
<ItemGroup>
@ -21,10 +22,4 @@
<Using Include="NSubstitute"/>
</ItemGroup>
<ItemGroup>
<Reference Include="NSubstitute">
<HintPath>..\..\..\.nuget\packages\nsubstitute\5.3.0\lib\net6.0\NSubstitute.dll</HintPath>
</Reference>
</ItemGroup>
</Project>

18
IdentityShroud.TestUtils/Substitutes/EncryptionServiceSubstitute.cs
View file

@ -1,18 +0,0 @@
using IdentityShroud.Core.Contracts;
namespace IdentityShroud.TestUtils.Substitutes;
public static class EncryptionServiceSubstitute
{
public static IEncryptionService CreatePassthrough()
{
var encryptionService = Substitute.For<IEncryptionService>();
encryptionService
.Encrypt(Arg.Any<byte[]>())
.Returns(x => x.ArgAt<byte[]>(0));
encryptionService
.Decrypt(Arg.Any<ReadOnlyMemory<byte>>())
.Returns(x => x.ArgAt<ReadOnlyMemory<byte>>(0).ToArray());
return encryptionService;
}
}

18
IdentityShroud.TestUtils/Substitutes/NullDataEncryptionService.cs Normal file
View file

@ -0,0 +1,18 @@
using IdentityShroud.Core.Contracts;
using IdentityShroud.Core.Security;
namespace IdentityShroud.TestUtils.Substitutes;
public class NullDataEncryptionService : IDataEncryptionService
{
public DekId KeyId { get; } = DekId.NewId();
public EncryptedValue Encrypt(ReadOnlySpan<byte> plain)
{
return new(KeyId, plain.ToArray());
}
public byte[] Decrypt(EncryptedValue input)
{
return input.Value;
}
}

18
IdentityShroud.TestUtils/Substitutes/NullDekEncryptionService.cs Normal file
View file

@ -0,0 +1,18 @@
using IdentityShroud.Core.Contracts;
using IdentityShroud.Core.Security;
namespace IdentityShroud.TestUtils.Substitutes;
public class NullDekEncryptionService : IDekEncryptionService
{
public KekId KeyId { get; } = KekId.NewId();
public EncryptedDek Encrypt(ReadOnlySpan<byte> plain)
{
return new(KeyId, plain.ToArray());
}
public byte[] Decrypt(EncryptedDek input)
{
return input.Value;
}
}

17
IdentityShroud.sln.DotSettings.user
View file

@ -2,8 +2,10 @@
<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AAesGcm_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003F26fbd7ed219da834e9eaf78ad486d552132eb3c92bbfccff8c27249cdf5f6722_003FAesGcm_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AAesGcm_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003F2baadb96535b9acc4cb6c54e5379b87513f15ea119f8b153ed795a99ea3d340_003FAesGcm_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003ACallInfo_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FDecompilerCache_003Fdecompiler_003F402b2077f38742cb9b381ab9e79e493229c00_003F81_003F75c3679f_003FCallInfo_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AConfigurationSection_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003F55e3307e9c416bdbce02cdd9eabe8ac72fe3b3d981f3b2220e31ff9c916653c_003FConfigurationSection_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003ADebugger_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Ff9d2f95d72fa884d8b6ddefc717c56da3657fbb2d5fb683656c3589eb6587_003FDebugger_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003ADeveloperExceptionPageMiddlewareImpl_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003F2b5a64a615692cae2c8f378e99676581abe4bc355bb3844bfc6c6db3d576853_003FDeveloperExceptionPageMiddlewareImpl_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AECDsa_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fb69681dc22e362c8b157b358e58abc4b44cb12b573c82fa37c483ad8807c8f_003FECDsa_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AGeneratedRouteBuilderExtensions_002Eg_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003F698a85dfa04f73158f8da37069798c22c467dfc_003FGeneratedRouteBuilderExtensions_002Eg_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AGeneratedRouteBuilderExtensions_002Eg_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003F9f95c1d38311d5248a1d1324797b98c2e56789a_003FGeneratedRouteBuilderExtensions_002Eg_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AHealthCheckEndpointRouteBuilderExtensions_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FDecompilerCache_003Fdecompiler_003F6d0f079e13da4e98881aa3e6e169c6d34f08_003F0e_003Fc2b30661_003FHealthCheckEndpointRouteBuilderExtensions_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
@ -14,20 +16,27 @@
<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AOkOfT_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fe2a19de442f561af862af2dcad0852b7e62707a5cf194d266d1656f92bbb6d2_003FOkOfT_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003APostgreSqlBuilder_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fcdd0beaf7beaf8366c0862f34fe40da30911084d957625ab31577851ee8cae7_003FPostgreSqlBuilder_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003APostgreSqlContainer_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fc82112acf224de1d157da0309437b227be6c1ef877865c23872f49eaf9d73c_003FPostgreSqlContainer_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AReadOnlyMemory_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fc19b2538fdfabf70658aed8979dd83e9ca11e27f5b3df68950e8ecb4d879e_003FReadOnlyMemory_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AResultsOfT_002EGenerated_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fff2e2c5ca93c7786ef8425ca6caf751702328924211687ce72e74fd1265e8_003FResultsOfT_002EGenerated_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003ARouteGroupBuilder_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fd42b8f8feda3bfb3dc17f133a52ce45931ed5066c46a4d834c8ed46e0a6_003FRouteGroupBuilder_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AThrowHelper_002ESerialization_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003F8433b9271c0f176fb5ceb7b1c3d62e1318fe8e62b4e5d7e882952dc543fec_003FThrowHelper_002ESerialization_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003ATypedResults_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fcea118513a410f660e578fe32bed95cf86457dd135e4b4632ca91eb4f7b_003FTypedResults_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AWebEncoders_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002Econfig_003FJetBrains_003FRider2025_002E3_003Fresharper_002Dhost_003FSourcesCache_003Fce6b69dd397f614758bc5821136ec8af3fa22563dd657769e231f51be1fbbc_003FWebEncoders_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
<s:String x:Key="/Default/dotCover/Editor/HighlightingSourceSnapshotLocation/@EntryValue">/home/eelke/.cache/JetBrains/Rider2025.3/resharper-host/temp/Rider/vAny/CoverageData/_IdentityShroud.-1277985570/Snapshot/snapshot.utdcvr</s:String>
<s:String x:Key="/Default/Environment/Hierarchy/Build/BuildTool/DotNetCliExePath/@EntryValue">/home/eelke/.dotnet/dotnet</s:String>
<s:String x:Key="/Default/Environment/Hierarchy/Build/BuildTool/CustomBuildToolPath/@EntryValue">/home/eelke/.dotnet/sdk/10.0.102/MSBuild.dll</s:String>
<s:String x:Key="/Default/Environment/UnitTesting/UnitTestSessionStore/Sessions/=4bf578c0_002Dc8f9_002D46e4_002D9bdc_002D38da0a3f253a/@EntryIndexedValue">&lt;SessionState ContinuousTestingMode="0" Name="All tests from Solution" xmlns="urn:schemas-jetbrains-com:jetbrains-ut-session"&gt;
<s:String x:Key="/Default/Environment/UnitTesting/UnitTestSessionStore/Sessions/=ead9ca22_002Dfc70_002D4ddf_002Db4c7_002D534498815537/@EntryIndexedValue">&lt;SessionState ContinuousTestingMode="0" IsActive="True" Name="All tests from Solution" xmlns="urn:schemas-jetbrains-com:jetbrains-ut-session"&gt;
&lt;Solution /&gt;
&lt;/SessionState&gt;</s:String>
<s:String x:Key="/Default/Environment/UnitTesting/UnitTestSessionStore/Sessions/=7ce84f90_002D6ae2_002D4e9e_002D860e_002Deb90f45871f3/@EntryIndexedValue">&lt;SessionState ContinuousTestingMode="0" IsActive="True" Name="Junie Session" xmlns="urn:schemas-jetbrains-com:jetbrains-ut-session"&gt;
&lt;ProjectFile&gt;DC887623-8680-4D3B-B23A-D54F7DA91891/d:Services/f:ClientServiceTests.cs&lt;/ProjectFile&gt;
&lt;/SessionState&gt;</s:String>

4
README.md Normal file
View file

@ -0,0 +1,4 @@
# IdentityShroud
IdentityShroud is a .NET project for identity management and protection.