eelke
07393f57fc
Added the use of DEK's for encryption of secrets. Both the KEK's and DEK's are stored in a way that you can have multiple key of which one is active. But the others are still available for decrypting. This allows for implementing key rotation. Co-authored-by: eelke <eelke@eelkeklein.nl> Co-authored-by: Eelke76 <31384324+Eelke76@users.noreply.github.com> Reviewed-on: #6
40 lines
1.1 KiB
C#
40 lines
1.1 KiB
C#
using System.ComponentModel.DataAnnotations;
|
|
using System.ComponentModel.DataAnnotations.Schema;
|
|
using IdentityShroud.Core.Security;
|
|
|
|
namespace IdentityShroud.Core.Model;
|
|
|
|
[Table("realm")]
|
|
public class Realm
|
|
{
|
|
|
|
public Guid Id { get; set; }
|
|
/// <summary>
|
|
/// Note this is part of the url we should encourage users to keep it short but we do not want to limit them too much
|
|
/// </summary>
|
|
[MaxLength(40)]
|
|
public string Slug { get; set; } = "";
|
|
|
|
[MaxLength(128)]
|
|
public string Name { get; set; } = "";
|
|
public List<Client> Clients { get; init; } = [];
|
|
|
|
public List<RealmKey> Keys { get; init; } = [];
|
|
|
|
public List<RealmDek> Deks { get; init; } = [];
|
|
|
|
/// <summary>
|
|
/// Can be overriden per client
|
|
/// </summary>
|
|
public string DefaultSignatureAlgorithm { get; set; } = JsonWebAlgorithm.RS256;
|
|
}
|
|
|
|
[Table("realm_dek")]
|
|
public record RealmDek
|
|
{
|
|
public required DekId Id { get; init; }
|
|
public required bool Active { get; set; }
|
|
public required string Algorithm { get; init; }
|
|
public required EncryptedDek KeyData { get; init; }
|
|
public required Guid RealmId { get; init; }
|
|
}
|