merge pull request #23 from https-richardy/feature/22-per-realm-secret-rotation

[#22] - implement per-realm JWT secret rotation with lifecycle management

Author: https-richardy

Applications/Backend/Source/HttpsRichardy.Federation.Application/Handlers/Connect/FetchJsonWebKeysHandler.cs

@@ -1,13 +1,30 @@
 namespace HttpsRichardy.Federation.Application.Handlers.Connect;
 
-public sealed class FetchJsonWebKeysHandler(ISecretCollection collection) :
+public sealed class FetchJsonWebKeysHandler(ISecretCollection collection, IRealmCollection realmCollection) :
     IDispatchHandler<FetchJsonWebKeysParameters, Result<JsonWebKeySetScheme>>
 {
     public async Task<Result<JsonWebKeySetScheme>> HandleAsync(
         FetchJsonWebKeysParameters parameters, CancellationToken cancellation = default)
     {
-        var secret = await collection.GetSecretAsync(cancellation: cancellation);
-        var jwks = JsonWebKeysMapper.AsJsonWebKeySetScheme(secret);
+        var realmFilters = RealmFilters.WithSpecifications()
+            .WithName(parameters.Realm)
+            .Build();
+
+        var realms = await realmCollection.GetRealmsAsync(realmFilters, cancellation);
+        var realm = realms.FirstOrDefault();
+
+        if (realm is null)
+        {
+            return Result<JsonWebKeySetScheme>.Failure(RealmErrors.RealmDoesNotExist);
+        }
+
+        var filters = SecretFilters.WithSpecifications()
+            .WithCanValidate()
+            .WithRealm(realm.Id)
+            .Build();
+
+        var secrets = await collection.GetSecretsAsync(filters, cancellation);
+        var jwks = JsonWebKeysMapper.AsJsonWebKeySetScheme(secrets);
 
         return Result<JsonWebKeySetScheme>.Success(jwks);
     }

Applications/Backend/Source/HttpsRichardy.Federation.Application/Handlers/Connect/FetchOpenIDConfigurationsHandler.cs

@@ -1,13 +1,25 @@
 namespace HttpsRichardy.Federation.Application.Handlers.Connect;
 
-public sealed class FetchOpenIDConfigurationHandler(IHostInformationProvider host) :
+public sealed class FetchOpenIDConfigurationHandler(IHostInformationProvider host, IRealmCollection realmCollection) :
     IDispatchHandler<FetchOpenIDConfigurationParameters, Result<OpenIDConfigurationScheme>>
 {
-    public Task<Result<OpenIDConfigurationScheme>> HandleAsync(
+    public async Task<Result<OpenIDConfigurationScheme>> HandleAsync(
         FetchOpenIDConfigurationParameters parameters, CancellationToken cancellation = default)
     {
-        var configuration = ConnectMapper.AsConfiguration(host.Address);
+        var realmFilters = RealmFilters.WithSpecifications()
+            .WithName(parameters.Realm)
+            .Build();
 
-        return Task.FromResult(Result<OpenIDConfigurationScheme>.Success(configuration));
+        var realms = await realmCollection.GetRealmsAsync(realmFilters, cancellation);
+        var realm = realms.FirstOrDefault();
+
+        if (realm is null)
+        {
+            return Result<OpenIDConfigurationScheme>.Failure(RealmErrors.RealmDoesNotExist);
+        }
+
+        var configuration = ConnectMapper.AsConfiguration(host.Address, parameters.Realm);
+
+        return Result<OpenIDConfigurationScheme>.Success(configuration);
     }
 }

Applications/Backend/Source/HttpsRichardy.Federation.Application/Handlers/Realm/RealmCreationHandler.cs

@@ -1,6 +1,9 @@
 namespace HttpsRichardy.Federation.Application.Handlers.Realm;
 
-public sealed class RealmCreationHandler(IRealmCollection collection, IClientCredentialsGenerator credentialsGenerator) :
+public sealed class RealmCreationHandler(
+    IRealmCollection collection,
+    IClientCredentialsGenerator credentialsGenerator,
+    ISecretRotationService secretRotationService) :
     IDispatchHandler<RealmCreationScheme, Result<RealmDetailsScheme>>
 {
     public async Task<Result<RealmDetailsScheme>> HandleAsync(
@@ -31,6 +34,7 @@ public async Task<Result<RealmDetailsScheme>> HandleAsync(
             .ToList();
 
         await collection.InsertAsync(realm, cancellation: cancellation);
+        await secretRotationService.EnsureSecretExistsAsync(realm, cancellation);
 
         return Result<RealmDetailsScheme>.Success(RealmMapper.AsResponse(realm));
     }

Applications/Backend/Source/HttpsRichardy.Federation.Application/Handlers/Secret/FetchRealmSecretsHandler.cs

@@ -0,0 +1,34 @@
+namespace HttpsRichardy.Federation.Application.Handlers.Secret;
+
+public sealed class FetchRealmSecretsHandler(ISecretCollection collection, IRealmCollection realmCollection) :
+    IDispatchHandler<FetchRealmSecretsParameters, Result<IReadOnlyCollection<SecretScheme>>>
+{
+    public async Task<Result<IReadOnlyCollection<SecretScheme>>> HandleAsync(
+        FetchRealmSecretsParameters parameters, CancellationToken cancellation = default)
+    {
+        var realmFilters = RealmFilters.WithSpecifications()
+            .WithIdentifier(parameters.RealmId)
+            .Build();
+
+        var realms = await realmCollection.GetRealmsAsync(realmFilters, cancellation);
+        var realm = realms.FirstOrDefault();
+
+        if (realm is null)
+        {
+            return Result<IReadOnlyCollection<SecretScheme>>.Failure(RealmErrors.RealmDoesNotExist);
+        }
+
+        var filters = SecretFilters.WithSpecifications()
+            .WithRealm(parameters.RealmId)
+            .Build();
+
+        var secrets = await collection.GetSecretsAsync(filters, cancellation);
+        var schemes = secrets
+            .OrderByDescending(secret => secret.CreatedAt)
+            .Select(secret => secret.AsResponse())
+            .ToList()
+            .AsReadOnly();
+
+        return Result<IReadOnlyCollection<SecretScheme>>.Success(schemes);
+    }
+}

Applications/Backend/Source/HttpsRichardy.Federation.Application/Handlers/Secret/RotateRealmSecretsHandler.cs

@@ -0,0 +1,25 @@
+namespace HttpsRichardy.Federation.Application.Handlers.Secret;
+
+public sealed class RotateRealmSecretsHandler(ISecretRotationService rotationService, IRealmCollection realmCollection) :
+    IDispatchHandler<RotateRealmSecretsParameters, Result>
+{
+    public async Task<Result> HandleAsync(
+        RotateRealmSecretsParameters parameters, CancellationToken cancellation = default)
+    {
+        var realmFilters = RealmFilters.WithSpecifications()
+            .WithIdentifier(parameters.RealmId)
+            .Build();
+
+        var realms = await realmCollection.GetRealmsAsync(realmFilters, cancellation);
+        var realm = realms.FirstOrDefault();
+
+        if (realm is null)
+        {
+            return Result.Failure(RealmErrors.RealmDoesNotExist);
+        }
+
+        await rotationService.RotateSecretAsync(realm, cancellation);
+
+        return Result.Success();
+    }
+}

Applications/Backend/Source/HttpsRichardy.Federation.Application/Mappers/JsonWebKeysMapper.cs

@@ -15,11 +15,11 @@ public static JsonWebKeyScheme AsJsonWebKeys(Secret secret)
         };
     }
 
-    public static JsonWebKeySetScheme AsJsonWebKeySetScheme(Secret secret)
+    public static JsonWebKeySetScheme AsJsonWebKeySetScheme(IReadOnlyCollection<Secret> secrets)
     {
         return new JsonWebKeySetScheme
         {
-            Keys = [JsonWebKeysMapper.AsJsonWebKeys(secret)]
+            Keys = [.. secrets.Select(secret => JsonWebKeysMapper.AsJsonWebKeys(secret))]
         };
     }
 }

Applications/Backend/Source/HttpsRichardy.Federation.Application/Mappers/OpenIDMapper.cs

@@ -2,13 +2,13 @@ namespace HttpsRichardy.Federation.Application.Mappers;
 
 public static class ConnectMapper
 {
-    public static OpenIDConfigurationScheme AsConfiguration(Uri baseUri)
+    public static OpenIDConfigurationScheme AsConfiguration(Uri baseUri, string realm)
     {
         var issuer = baseUri.GetLeftPart(UriPartial.Authority);
         var authorizeUri = new Uri(baseUri, OpenIDEndpoints.Authorize);
         var tokenUri = new Uri(baseUri, OpenIDEndpoints.Token);
         var userInfoUri = new Uri(baseUri, OpenIDEndpoints.UserInfo);
-        var jwksUri = new Uri(baseUri, OpenIDEndpoints.Jwks);
+        var jwksUri = new Uri(baseUri, $"{realm}/{OpenIDEndpoints.Jwks}");
 
         var configuration = new OpenIDConfigurationScheme
         {

Applications/Backend/Source/HttpsRichardy.Federation.Application/Mappers/SecretMapper.cs

@@ -0,0 +1,12 @@
+namespace HttpsRichardy.Federation.Application.Mappers;
+
+public static class SecretMapper
+{
+    public static SecretScheme AsResponse(this Secret secret) => new()
+    {
+        Id = secret.Id,
+        CreatedAt = secret.CreatedAt,
+        ExpiresAt = secret.ExpiresAt,
+        GracePeriodEndsAt = secret.GracePeriodEndsAt
+    };
+}

Applications/Backend/Source/HttpsRichardy.Federation.Application/Payloads/Connect/FetchJsonWebKeysParameters.cs

@@ -1,3 +1,6 @@
 namespace HttpsRichardy.Federation.Application.Payloads.Connect;
 
-public sealed record FetchJsonWebKeysParameters : IDispatchable<Result<JsonWebKeySetScheme>>;
+public sealed record FetchJsonWebKeysParameters : IDispatchable<Result<JsonWebKeySetScheme>>
+{
+    public string Realm { get; init; } = default!;
+}

Applications/Backend/Source/HttpsRichardy.Federation.Application/Payloads/Connect/FetchOpenIDConfigurationParameters.cs

@@ -1,4 +1,7 @@
 namespace HttpsRichardy.Federation.Application.Payloads.Connect;
 
 public sealed record FetchOpenIDConfigurationParameters :
-    IDispatchable<Result<OpenIDConfigurationScheme>>;
+    IDispatchable<Result<OpenIDConfigurationScheme>>
+{
+    public string Realm { get; init; } = default!;
+}