feature(#22): enhance key rotation logic to ensure valid signing keys and prune outdated secrets

https-richardy · https-richardy · commit d71cdf7d9b96 · 2026-04-22T16:41:07.000-03:00
diff --git a/Applications/Backend/Source/HttpsRichardy.Federation.WebApi/Workers/KeyRotationBackgroundService.cs b/Applications/Backend/Source/HttpsRichardy.Federation.WebApi/Workers/KeyRotationBackgroundService.cs
@@ -2,6 +2,8 @@ namespace HttpsRichardy.Federation.WebApi.Workers;
 
 public sealed class KeyRotationBackgroundService(IServiceScopeFactory scopeFactory, ILogger<KeyRotationBackgroundService> logger) : BackgroundService
 {
+    private static readonly TimeSpan _rotationInterval = TimeSpan.FromHours(24);
+
     protected override async Task ExecuteAsync(CancellationToken stoppingToken)
     {
         while (!stoppingToken.IsCancellationRequested)
@@ -10,6 +12,7 @@ protected override async Task ExecuteAsync(CancellationToken stoppingToken)
 
             var rotationService = scope.ServiceProvider.GetRequiredService<ISecretRotationService>();
             var realmCollection = scope.ServiceProvider.GetRequiredService<IRealmCollection>();
+            var secretCollection = scope.ServiceProvider.GetRequiredService<ISecretCollection>();
 
             var realms = await realmCollection.GetRealmsAsync(RealmFilters.WithoutFilters, stoppingToken);
 
@@ -19,10 +22,24 @@ await Parallel.ForEachAsync(realms, stoppingToken, async (realm, cancellation) =
                 {
                     logger.LogInformation("rotating keys for realm {realm}", realm.Name);
 
-                    /* !important: ensures the realm has at least one valid signing key before rotation */
                     await rotationService.EnsureSecretExistsAsync(realm, cancellation);
 
-                    await rotationService.RotateSecretAsync(realm, cancellation);
+                    var now = DateTime.UtcNow;
+                    var filters = SecretFilters.WithSpecifications()
+                        .WithRealm(realm.Id)
+                        .WithCanSign(now)
+                        .Build();
+
+                    var secrets = await secretCollection.GetSecretsAsync(filters, cancellation);
+                    var current = secrets
+                        .OrderByDescending(secret => secret.CreatedAt)
+                        .FirstOrDefault();
+
+                    if (current is not null && now - current.CreatedAt >= _rotationInterval)
+                    {
+                        await rotationService.RotateSecretAsync(realm, cancellation);
+                    }
+
                     await rotationService.PruneSecretsAsync(realm, cancellation);
                 }
                 catch (Exception exception)
@@ -31,7 +48,7 @@ await Parallel.ForEachAsync(realms, stoppingToken, async (realm, cancellation) =
                 }
             });
 
-            await Task.Delay(TimeSpan.FromHours(24), stoppingToken);
+            await Task.Delay(_rotationInterval, stoppingToken);
         }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,8 @@ namespace HttpsRichardy.Federation.WebApi.Workers;`
`2`	`2`
`3`	`3`	`public sealed class KeyRotationBackgroundService(IServiceScopeFactory scopeFactory, ILogger<KeyRotationBackgroundService> logger) : BackgroundService`
`4`	`4`	`{`
	`5`	`+ private static readonly TimeSpan _rotationInterval = TimeSpan.FromHours(24);`
	`6`	`+`
`5`	`7`	`protected override async Task ExecuteAsync(CancellationToken stoppingToken)`
`6`	`8`	`{`
`7`	`9`	`while (!stoppingToken.IsCancellationRequested)`
`@@ -10,6 +12,7 @@ protected override async Task ExecuteAsync(CancellationToken stoppingToken)`
`10`	`12`
`11`	`13`	`var rotationService = scope.ServiceProvider.GetRequiredService<ISecretRotationService>();`
`12`	`14`	`var realmCollection = scope.ServiceProvider.GetRequiredService<IRealmCollection>();`
	`15`	`+ var secretCollection = scope.ServiceProvider.GetRequiredService<ISecretCollection>();`
`13`	`16`
`14`	`17`	`var realms = await realmCollection.GetRealmsAsync(RealmFilters.WithoutFilters, stoppingToken);`
`15`	`18`
`@@ -19,10 +22,24 @@ await Parallel.ForEachAsync(realms, stoppingToken, async (realm, cancellation) =`
`19`	`22`	`{`
`20`	`23`	`logger.LogInformation("rotating keys for realm {realm}", realm.Name);`
`21`	`24`
`22`		`- /* !important: ensures the realm has at least one valid signing key before rotation */`
`23`	`25`	`await rotationService.EnsureSecretExistsAsync(realm, cancellation);`
`24`	`26`
`25`		`- await rotationService.RotateSecretAsync(realm, cancellation);`
	`27`	`+ var now = DateTime.UtcNow;`
	`28`	`+ var filters = SecretFilters.WithSpecifications()`
	`29`	`+ .WithRealm(realm.Id)`
	`30`	`+ .WithCanSign(now)`
	`31`	`+ .Build();`
	`32`	`+`
	`33`	`+ var secrets = await secretCollection.GetSecretsAsync(filters, cancellation);`
	`34`	`+ var current = secrets`
	`35`	`+ .OrderByDescending(secret => secret.CreatedAt)`
	`36`	`+ .FirstOrDefault();`
	`37`	`+`
	`38`	`+ if (current is not null && now - current.CreatedAt >= _rotationInterval)`
	`39`	`+ {`
	`40`	`+ await rotationService.RotateSecretAsync(realm, cancellation);`
	`41`	`+ }`
	`42`	`+`
`26`	`43`	`await rotationService.PruneSecretsAsync(realm, cancellation);`
`27`	`44`	`}`
`28`	`45`	`catch (Exception exception)`
`@@ -31,7 +48,7 @@ await Parallel.ForEachAsync(realms, stoppingToken, async (realm, cancellation) =`
`31`	`48`	`}`
`32`	`49`	`});`
`33`	`50`
`34`		`- await Task.Delay(TimeSpan.FromHours(24), stoppingToken);`
	`51`	`+ await Task.Delay(_rotationInterval, stoppingToken);`
`35`	`52`	`}`
`36`	`53`	`}`
`37`	`54`	`}`