[#22] - implement per-realm JWT secret rotation with lifecycle management

Applications/Backend/Source/HttpsRichardy.Federation.Application/Handlers/Connect/FetchJsonWebKeysHandler.cs

@@ -1,13 +1,30 @@
 namespace HttpsRichardy.Federation.Application.Handlers.Connect;
 
-public sealed class FetchJsonWebKeysHandler(ISecretCollection collection) :
+public sealed class FetchJsonWebKeysHandler(ISecretCollection collection, IRealmCollection realmCollection) :
     IDispatchHandler<FetchJsonWebKeysParameters, Result<JsonWebKeySetScheme>>
 {
     public async Task<Result<JsonWebKeySetScheme>> HandleAsync(
         FetchJsonWebKeysParameters parameters, CancellationToken cancellation = default)
     {
-        var secret = await collection.GetSecretAsync(cancellation: cancellation);
-        var jwks = JsonWebKeysMapper.AsJsonWebKeySetScheme(secret);
+        var realmFilters = RealmFilters.WithSpecifications()
+            .WithName(parameters.Realm)
+            .Build();
+
+        var realms = await realmCollection.GetRealmsAsync(realmFilters, cancellation);
+        var realm = realms.FirstOrDefault();
+
+        if (realm is null)
+        {
+            return Result<JsonWebKeySetScheme>.Failure(RealmErrors.RealmDoesNotExist);
+        }
+
+        var filters = SecretFilters.WithSpecifications()
+            .WithCanValidate()
+            .WithRealm(realm.Id)
+            .Build();
+
+        var secrets = await collection.GetSecretsAsync(filters, cancellation);
+        var jwks = JsonWebKeysMapper.AsJsonWebKeySetScheme(secrets);
 
         return Result<JsonWebKeySetScheme>.Success(jwks);
     }

Applications/Backend/Source/HttpsRichardy.Federation.Application/Handlers/Connect/FetchOpenIDConfigurationsHandler.cs

@@ -1,13 +1,25 @@
 namespace HttpsRichardy.Federation.Application.Handlers.Connect;
 
-public sealed class FetchOpenIDConfigurationHandler(IHostInformationProvider host) :
+public sealed class FetchOpenIDConfigurationHandler(IHostInformationProvider host, IRealmCollection realmCollection) :
     IDispatchHandler<FetchOpenIDConfigurationParameters, Result<OpenIDConfigurationScheme>>
 {
-    public Task<Result<OpenIDConfigurationScheme>> HandleAsync(
+    public async Task<Result<OpenIDConfigurationScheme>> HandleAsync(
         FetchOpenIDConfigurationParameters parameters, CancellationToken cancellation = default)
     {
-        var configuration = ConnectMapper.AsConfiguration(host.Address);
+        var realmFilters = RealmFilters.WithSpecifications()
+            .WithName(parameters.Realm)
+            .Build();
 
-        return Task.FromResult(Result<OpenIDConfigurationScheme>.Success(configuration));
+        var realms = await realmCollection.GetRealmsAsync(realmFilters, cancellation);
+        var realm = realms.FirstOrDefault();
+
+        if (realm is null)
+        {
+            return Result<OpenIDConfigurationScheme>.Failure(RealmErrors.RealmDoesNotExist);
+        }
+
+        var configuration = ConnectMapper.AsConfiguration(host.Address, parameters.Realm);
+
+        return Result<OpenIDConfigurationScheme>.Success(configuration);
     }
 }

Applications/Backend/Source/HttpsRichardy.Federation.Application/Handlers/Realm/RealmCreationHandler.cs

@@ -1,6 +1,9 @@
 namespace HttpsRichardy.Federation.Application.Handlers.Realm;
 
-public sealed class RealmCreationHandler(IRealmCollection collection, IClientCredentialsGenerator credentialsGenerator) :
+public sealed class RealmCreationHandler(
+    IRealmCollection collection,
+    IClientCredentialsGenerator credentialsGenerator,
+    ISecretRotationService secretRotationService) :
     IDispatchHandler<RealmCreationScheme, Result<RealmDetailsScheme>>
 {
     public async Task<Result<RealmDetailsScheme>> HandleAsync(
@@ -31,6 +34,7 @@ public async Task<Result<RealmDetailsScheme>> HandleAsync(
             .ToList();
 
         await collection.InsertAsync(realm, cancellation: cancellation);
+        await secretRotationService.EnsureSecretExistsAsync(realm, cancellation);
 
         return Result<RealmDetailsScheme>.Success(RealmMapper.AsResponse(realm));
     }

Applications/Backend/Source/HttpsRichardy.Federation.Application/Handlers/Secret/FetchRealmSecretsHandler.cs

@@ -0,0 +1,34 @@
+namespace HttpsRichardy.Federation.Application.Handlers.Secret;
+
+public sealed class FetchRealmSecretsHandler(ISecretCollection collection, IRealmCollection realmCollection) :
+    IDispatchHandler<FetchRealmSecretsParameters, Result<IReadOnlyCollection<SecretScheme>>>
+{
+    public async Task<Result<IReadOnlyCollection<SecretScheme>>> HandleAsync(
+        FetchRealmSecretsParameters parameters, CancellationToken cancellation = default)
+    {
+        var realmFilters = RealmFilters.WithSpecifications()
+            .WithIdentifier(parameters.RealmId)
+            .Build();
+
+        var realms = await realmCollection.GetRealmsAsync(realmFilters, cancellation);
+        var realm = realms.FirstOrDefault();
+
+        if (realm is null)
+        {
+            return Result<IReadOnlyCollection<SecretScheme>>.Failure(RealmErrors.RealmDoesNotExist);
+        }
+
+        var filters = SecretFilters.WithSpecifications()
+            .WithRealm(parameters.RealmId)
+            .Build();
+
+        var secrets = await collection.GetSecretsAsync(filters, cancellation);
+        var schemes = secrets
+            .OrderByDescending(secret => secret.CreatedAt)
+            .Select(secret => secret.AsResponse())
+            .ToList()
+            .AsReadOnly();
+
+        return Result<IReadOnlyCollection<SecretScheme>>.Success(schemes);
+    }
+}

Applications/Backend/Source/HttpsRichardy.Federation.Application/Handlers/Secret/RotateRealmSecretsHandler.cs

@@ -0,0 +1,25 @@
+namespace HttpsRichardy.Federation.Application.Handlers.Secret;
+
+public sealed class RotateRealmSecretsHandler(ISecretRotationService rotationService, IRealmCollection realmCollection) :
+    IDispatchHandler<RotateRealmSecretsParameters, Result>
+{
+    public async Task<Result> HandleAsync(
+        RotateRealmSecretsParameters parameters, CancellationToken cancellation = default)
+    {
+        var realmFilters = RealmFilters.WithSpecifications()
+            .WithIdentifier(parameters.RealmId)
+            .Build();
+
+        var realms = await realmCollection.GetRealmsAsync(realmFilters, cancellation);
+        var realm = realms.FirstOrDefault();
+
+        if (realm is null)
+        {
+            return Result.Failure(RealmErrors.RealmDoesNotExist);
+        }
+
+        await rotationService.RotateSecretAsync(realm, cancellation);
+
+        return Result.Success();
+    }
+}

Applications/Backend/Source/HttpsRichardy.Federation.Application/Mappers/JsonWebKeysMapper.cs

@@ -15,11 +15,11 @@ public static JsonWebKeyScheme AsJsonWebKeys(Secret secret)
         };
     }
 
-    public static JsonWebKeySetScheme AsJsonWebKeySetScheme(Secret secret)
+    public static JsonWebKeySetScheme AsJsonWebKeySetScheme(IReadOnlyCollection<Secret> secrets)
     {
         return new JsonWebKeySetScheme
         {
-            Keys = [JsonWebKeysMapper.AsJsonWebKeys(secret)]
+            Keys = [.. secrets.Select(secret => JsonWebKeysMapper.AsJsonWebKeys(secret))]
         };
     }
 }

Applications/Backend/Source/HttpsRichardy.Federation.Application/Mappers/OpenIDMapper.cs

@@ -2,13 +2,13 @@ namespace HttpsRichardy.Federation.Application.Mappers;
 
 public static class ConnectMapper
 {
-    public static OpenIDConfigurationScheme AsConfiguration(Uri baseUri)
+    public static OpenIDConfigurationScheme AsConfiguration(Uri baseUri, string realm)
     {
         var issuer = baseUri.GetLeftPart(UriPartial.Authority);
         var authorizeUri = new Uri(baseUri, OpenIDEndpoints.Authorize);
         var tokenUri = new Uri(baseUri, OpenIDEndpoints.Token);
         var userInfoUri = new Uri(baseUri, OpenIDEndpoints.UserInfo);
-        var jwksUri = new Uri(baseUri, OpenIDEndpoints.Jwks);
+        var jwksUri = new Uri(baseUri, $"{realm}/{OpenIDEndpoints.Jwks}");
 
         var configuration = new OpenIDConfigurationScheme
         {

Applications/Backend/Source/HttpsRichardy.Federation.Application/Mappers/SecretMapper.cs

@@ -0,0 +1,12 @@
+namespace HttpsRichardy.Federation.Application.Mappers;
+
+public static class SecretMapper
+{
+    public static SecretScheme AsResponse(this Secret secret) => new()
+    {
+        Id = secret.Id,
+        CreatedAt = secret.CreatedAt,
+        ExpiresAt = secret.ExpiresAt,
+        GracePeriodEndsAt = secret.GracePeriodEndsAt
+    };
+}

Applications/Backend/Source/HttpsRichardy.Federation.Application/Payloads/Connect/FetchJsonWebKeysParameters.cs

@@ -1,3 +1,6 @@
 namespace HttpsRichardy.Federation.Application.Payloads.Connect;
 
-public sealed record FetchJsonWebKeysParameters : IDispatchable<Result<JsonWebKeySetScheme>>;
+public sealed record FetchJsonWebKeysParameters : IDispatchable<Result<JsonWebKeySetScheme>>
+{
+    public string Realm { get; init; } = default!;
+}

Applications/Backend/Source/HttpsRichardy.Federation.Application/Payloads/Connect/FetchOpenIDConfigurationParameters.cs

@@ -1,4 +1,7 @@
 namespace HttpsRichardy.Federation.Application.Payloads.Connect;
 
 public sealed record FetchOpenIDConfigurationParameters :
-    IDispatchable<Result<OpenIDConfigurationScheme>>;
+    IDispatchable<Result<OpenIDConfigurationScheme>>
+{
+    public string Realm { get; init; } = default!;
+}

Applications/Backend/Source/HttpsRichardy.Federation.Application/Payloads/Secret/FetchRealmSecretsParameters.cs

@@ -0,0 +1,7 @@
+namespace HttpsRichardy.Federation.Application.Payloads.Secret;
+
+public sealed record FetchRealmSecretsParameters :
+    IDispatchable<Result<IReadOnlyCollection<SecretScheme>>>
+{
+    public string RealmId { get; init; } = default!;
+}

Applications/Backend/Source/HttpsRichardy.Federation.Application/Payloads/Secret/RotateRealmSecretsParameters.cs

@@ -0,0 +1,7 @@
+namespace HttpsRichardy.Federation.Application.Payloads.Secret;
+
+public sealed record RotateRealmSecretsParameters :
+    IDispatchable<Result>
+{
+    public string RealmId { get; init; } = default!;
+}

Applications/Backend/Source/HttpsRichardy.Federation.Application/Payloads/Secret/SecretScheme.cs

@@ -0,0 +1,9 @@
+namespace HttpsRichardy.Federation.Application.Payloads.Secret;
+
+public sealed record SecretScheme
+{
+    public string Id { get; set; } = default!;
+    public DateTime CreatedAt { get; set; }
+    public DateTime? ExpiresAt { get; set; }
+    public DateTime? GracePeriodEndsAt { get; set; }
+}

Applications/Backend/Source/HttpsRichardy.Federation.Application/Services/ISecretRotationService.cs

@@ -0,0 +1,30 @@
+namespace HttpsRichardy.Federation.Application.Services;
+
+public interface ISecretRotationService
+{
+    public Task EnsureSecretExistsAsync(
+        Realm realm,
+        CancellationToken cancellation = default
+    );
+
+    public Task PruneSecretsAsync(
+        Realm realm,
+        CancellationToken cancellation = default
+    );
+
+    public Task CreateSecretAsync(
+        Realm realm,
+        CancellationToken cancellation = default
+    );
+
+    public Task RotateSecretAsync(
+        Realm realm,
+        CancellationToken cancellation = default
+    );
+
+    public Task DeleteSecretAsync(
+       Realm realm,
+       Secret secret,
+       CancellationToken cancellation = default
+   );
+}

Applications/Backend/Source/HttpsRichardy.Federation.Application/Usings.cs

@@ -20,6 +20,7 @@
 global using HttpsRichardy.Federation.Application.Payloads.Group;
 global using HttpsRichardy.Federation.Application.Payloads.Permission;
 global using HttpsRichardy.Federation.Application.Payloads.Realm;
+global using HttpsRichardy.Federation.Application.Payloads.Secret;
 global using HttpsRichardy.Federation.Application.Payloads.User;
 global using HttpsRichardy.Federation.Application.Payloads.Client;
 global using HttpsRichardy.Federation.Application.Payloads.Connect;

Applications/Backend/Source/HttpsRichardy.Federation.Domain/Aggregates/Secret.cs

@@ -4,4 +4,8 @@ public sealed class Secret : Aggregate
 {
     public string PrivateKey { get; set; } = default!;
     public string PublicKey { get; set; } = default!;
-}
+    public string RealmId { get; set; } = default!;
+
+    public DateTime? ExpiresAt { get; set; }
+    public DateTime? GracePeriodEndsAt { get; set; }
+}

Applications/Backend/Source/HttpsRichardy.Federation.Domain/Collections/ISecretCollection.cs

@@ -2,5 +2,13 @@ namespace HttpsRichardy.Federation.Domain.Collections;
 
 public interface ISecretCollection : IAggregateCollection<Secret>
 {
-    public Task<Secret> GetSecretAsync(CancellationToken cancellation = default);
+    public Task<IReadOnlyCollection<Secret>> GetSecretsAsync(
+        SecretFilters filters,
+        CancellationToken cancellation = default
+    );
+
+    public Task<System.Numerics.BigInteger> CountSecretsAsync(
+        SecretFilters filters,
+        CancellationToken cancellation = default
+    );
 }

Applications/Backend/Source/HttpsRichardy.Federation.Domain/Filtering/Builders/SecretFiltersBuilder.cs

@@ -0,0 +1,45 @@
+namespace HttpsRichardy.Federation.Domain.Filtering.Builders;
+
+public sealed class SecretFiltersBuilder :
+    FiltersBuilderBase<SecretFilters, SecretFiltersBuilder>
+{
+    public SecretFiltersBuilder WithRealm(string? realmId)
+    {
+        if (!string.IsNullOrWhiteSpace(realmId))
+            _filters.RealmId = realmId;
+
+        return this;
+    }
+
+    public SecretFiltersBuilder WithCanSign(DateTime? now = null)
+    {
+        _filters.CanSign = true;
+        _filters.Now = now;
+
+        return this;
+    }
+
+    public SecretFiltersBuilder WithCanValidate(DateTime? now = null)
+    {
+        _filters.CanValidate = true;
+        _filters.Now = now;
+
+        return this;
+    }
+
+    public SecretFiltersBuilder WithInGrace(DateTime? now = null)
+    {
+        _filters.InGracePeriod = true;
+        _filters.Now = now;
+
+        return this;
+    }
+
+    public SecretFiltersBuilder WithExpired(DateTime? now = null)
+    {
+        _filters.IsExpired = true;
+        _filters.Now = now;
+
+        return this;
+    }
+}

Applications/Backend/Source/HttpsRichardy.Federation.Domain/Filtering/RealmFilters.cs

@@ -4,5 +4,6 @@ public sealed class RealmFilters : Filters
 {
     public string? Name { get; set; }
 
+    public static RealmFilters WithoutFilters => new();
     public static RealmFiltersBuilder WithSpecifications() => new();
 }

Applications/Backend/Source/HttpsRichardy.Federation.Domain/Filtering/SecretFilters.cs

@@ -0,0 +1,14 @@
+namespace HttpsRichardy.Federation.Domain.Filtering;
+
+public sealed class SecretFilters : Filters
+{
+    public string? RealmId { get; set; }
+    public bool? CanSign { get; set; }
+    public bool? CanValidate { get; set; }
+    public bool? InGracePeriod { get; set; }
+    public bool? IsExpired { get; set; }
+    public DateTime? Now { get; set; }
+
+    public static SecretFilters WithoutFilters => new();
+    public static SecretFiltersBuilder WithSpecifications() => new();
+}

Applications/Backend/Source/HttpsRichardy.Federation.Infrastructure.IoC/Extensions/ApplicationServicesExtension.cs

@@ -8,6 +8,7 @@ public static void AddServices(this IServiceCollection services)
         services.AddTransient<IPasswordHasher, PasswordHasher>();
         services.AddTransient<IAuthenticationService, AuthenticationService>();
         services.AddTransient<ISecurityTokenService, JwtSecurityTokenService>();
+        services.AddTransient<ISecretRotationService, SecretRotationService>();
         services.AddTransient<IClientCredentialsGenerator, ClientCredentialsGenerator>();
 
         services.AddTransient<IRedirectUriPolicy, RedirectUriPolicy>();