Adds support for BYOK end-points

auth0 · Nov 7, 2024 · 9ca3f20 · 9ca3f20
1 parent 9aee384
commit 9ca3f20
Show file tree

Hide file tree

Showing 17 changed files with 452 additions and 4 deletions.
diff --git a/src/Auth0.ManagementApi/Clients/IKeysClient.cs b/src/Auth0.ManagementApi/Clients/IKeysClient.cs
@@ -4,6 +4,7 @@ namespace Auth0.ManagementApi.Clients
   using System.Threading;
   using System.Threading.Tasks;
   using Models.Keys;
+  using Paging;
 
   public interface IKeysClient
   {
@@ -36,5 +37,50 @@ public interface IKeysClient
     /// <param name="cancellationToken">The cancellation token to cancel operation.</param>
     /// <returns>The revoked key's cert and kid.</returns>
     Task<RevokeSigningKeyResponse> RevokeSigningKeyAsync(string kid, CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Retrieve details of all the encryption keys associated with your tenant.
+    /// </summary>
+    /// <param name="pagination"><see cref="PaginationInfo"/></param>
+    /// <param name="cancellationToken">The cancellation token to cancel operation.</param>
+    /// <returns>Retrieve details of all the encryption keys associated with your tenant. <see cref="Auth0.ManagementApi.Models.EncryptionKey" />.</returns>
+    Task<IPagedList<EncryptionKey>> GetAllEncryptionKeysAsync(PaginationInfo pagination, CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Create the new, pre-activated encryption key, without the key material.
+    /// </summary>
+    /// <param name="request"><see cref="EncryptionKeyCreateRequest"/></param>
+    /// <param name="cancellationToken">The cancellation token to cancel operation.</param>
+    /// <returns>Newly created pre-activated encryption key <see cref="Auth0.ManagementApi.Models.EncryptionKey" />.</returns>
+    Task<EncryptionKey> CreateEncryptionKeyAsync(EncryptionKeyCreateRequest request, CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Retrieve details of the encryption key with the given ID.
+    /// </summary>
+    /// <param name="request"><see cref="EncryptionKeyGetRequest"/></param>
+    /// <param name="cancellationToken">The cancellation token to cancel operation.</param>
+    /// <returns>Retrieve details of the encryption key associated with the id. <see cref="Auth0.ManagementApi.Models.EncryptionKey" />.</returns>
+    Task<EncryptionKey> GetEncryptionKeyAsync(EncryptionKeyGetRequest request, CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Delete the custom provided encryption key with the given ID and move back to using native encryption key.
+    /// </summary>
+    /// <param name="kid">Encryption key ID</param>
+    /// <param name="cancellationToken">The cancellation token to cancel operation.</param>
+    Task DeleteEncryptionKeyAsync(string kid, CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Import wrapped key material and activate encryption key.
+    /// </summary>
+    /// <param name="request"><see cref="EncryptionKeyImportRequest"/></param>
+    /// <param name="cancellationToken">The cancellation token to cancel operation.</param>
+    Task<EncryptionKey> ImportEncryptionKeyAsync(EncryptionKeyImportRequest request, CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Create the public wrapping key to wrap your own encryption key material.
+    /// </summary>
+    /// <param name="request"><see cref="WrappingKeyCreateRequest"/></param>
+    /// <param name="cancellationToken">The cancellation token to cancel operation.</param>
+    Task<WrappingKey> CreatePublicWrappingKeyAsync(WrappingKeyCreateRequest request, CancellationToken cancellationToken = default);
   }
 }
diff --git a/src/Auth0.ManagementApi/Clients/KeysClient.cs b/src/Auth0.ManagementApi/Clients/KeysClient.cs
@@ -5,6 +5,9 @@
 using System.Threading;
 using System.Threading.Tasks;
 using Auth0.ManagementApi.Models.Keys;
+using Auth0.ManagementApi.Paging;
+using Newtonsoft.Json;
+using EncryptionKey = Auth0.ManagementApi.Models.Keys.EncryptionKey;
 
 namespace Auth0.ManagementApi.Clients
 {
@@ -13,6 +16,7 @@ namespace Auth0.ManagementApi.Clients
     /// </summary>
     public class KeysClient : BaseClient, IKeysClient
     {
+        readonly JsonConverter[] converters = new JsonConverter[] { new PagedListConverter<EncryptionKey>("keys") };
         /// <summary>
         /// Initializes a new instance of the <see cref="KeysClient"/> class.
         /// </summary>
@@ -65,5 +69,104 @@ public Task<RevokeSigningKeyResponse> RevokeSigningKeyAsync(string kid, Cancella
         {
             return Connection.SendAsync<RevokeSigningKeyResponse>(HttpMethod.Put, BuildUri($"keys/signing/{EncodePath(kid)}/revoke"), null, DefaultHeaders, cancellationToken: cancellationToken);
         }
+
+        /// <inheritdoc cref="IKeysClient.GetAllEncryptionKeysAsync"/>
+        public Task<IPagedList<EncryptionKey>> GetAllEncryptionKeysAsync(
+            PaginationInfo pagination, CancellationToken cancellationToken = default)
+        {
+            var queryStrings = new Dictionary<string, string>();
+
+            if (pagination != null)
+            {
+                queryStrings["page"] = pagination.PageNo.ToString();
+                queryStrings["per_page"] = pagination.PerPage.ToString();
+                queryStrings["include_totals"] = pagination.IncludeTotals.ToString().ToLower();
+            }
+
+            return Connection.GetAsync<IPagedList<EncryptionKey>>(
+                BuildUri("keys/encryption", queryStrings), DefaultHeaders, converters, cancellationToken);
+        }
+
+        /// <inheritdoc cref="IKeysClient.CreateEncryptionKeyAsync"/>
+        public Task<EncryptionKey> CreateEncryptionKeyAsync(
+            EncryptionKeyCreateRequest request, CancellationToken cancellationToken = default)
+        {
+            if (request == null)
+                throw new ArgumentNullException(nameof(request));
+
+            if (string.IsNullOrEmpty(request.Type))
+                throw new ArgumentNullException(nameof(request.Type));
+
+            return Connection.SendAsync<EncryptionKey>(
+                HttpMethod.Post,
+                BuildUri("keys/encryption"),
+                request, 
+                DefaultHeaders,
+                cancellationToken: cancellationToken);
+        }
+
+        /// <inheritdoc cref="IKeysClient.GetEncryptionKeyAsync"/>
+        public Task<EncryptionKey> GetEncryptionKeyAsync(
+            EncryptionKeyGetRequest request, CancellationToken cancellationToken = default)
+        {
+            if (request == null)
+                throw new ArgumentNullException(nameof(request));
+
+            if (string.IsNullOrEmpty(request.Kid))
+                throw new ArgumentNullException(nameof(request.Kid));
+
+            return Connection.GetAsync<EncryptionKey>(
+                BuildUri($"keys/encryption/{EncodePath(request.Kid)}"), DefaultHeaders, null, cancellationToken);
+        }
+
+        /// <inheritdoc cref="IKeysClient.DeleteEncryptionKeyAsync"/>
+        public Task DeleteEncryptionKeyAsync(string kid, CancellationToken cancellationToken = default)
+        {
+            if (kid == null)
+                throw new ArgumentNullException(nameof(kid));
+
+            return Connection.SendAsync<object>(
+                HttpMethod.Delete,
+                BuildUri($"keys/encryption/{EncodePath(kid)}"),
+                null,
+                DefaultHeaders, 
+                cancellationToken: cancellationToken);
+        }
+
+        /// <inheritdoc cref="IKeysClient.ImportEncryptionKeyAsync"/>
+        public Task<EncryptionKey> ImportEncryptionKeyAsync(
+            EncryptionKeyImportRequest request, CancellationToken cancellationToken = default)
+        {
+            if (request == null)
+                throw new ArgumentNullException(nameof(request));
+
+            if (string.IsNullOrEmpty(request.Kid))
+                throw new ArgumentNullException(nameof(request.Kid));
+
+            return Connection.SendAsync<EncryptionKey>(
+                HttpMethod.Post,
+                BuildUri($"keys/encryption/{EncodePath(request.Kid)}"),
+                request,
+                DefaultHeaders,
+                cancellationToken: cancellationToken);
+        }
+
+        /// <inheritdoc cref="IKeysClient.CreatePublicWrappingKeyAsync"/>
+        public Task<WrappingKey> CreatePublicWrappingKeyAsync(
+            WrappingKeyCreateRequest request, CancellationToken cancellationToken = default)
+        {
+            if (request == null)
+                throw new ArgumentNullException(nameof(request));
+
+            if (string.IsNullOrEmpty(request.Kid))
+                throw new ArgumentNullException(nameof(request.Kid));
+
+            return Connection.SendAsync<WrappingKey>(
+                HttpMethod.Post,
+                BuildUri($"keys/encryption/{EncodePath(request.Kid)}/wrapping-key"),
+                body: null,
+                headers: DefaultHeaders,
+                cancellationToken: cancellationToken);
+        }
     }
 }
diff --git a/src/Auth0.ManagementApi/Models/Keys/EncryptionKey.cs b/src/Auth0.ManagementApi/Models/Keys/EncryptionKey.cs
@@ -0,0 +1,53 @@
+using System;
+using System.Net.Security;
+using Newtonsoft.Json;
+using Newtonsoft.Json.Converters;
+
+namespace Auth0.ManagementApi.Models.Keys
+{
+    /// <summary>
+    /// Represents and Encryption Key
+    /// </summary>
+    public class EncryptionKey
+    {
+        /// <summary>
+        /// Key ID
+        /// </summary>
+        [JsonProperty("kid")]
+        public string Kid { get; set; }
+
+        /// <inheritdoc cref="EncryptionKeyType"/>
+        [JsonProperty("type")]
+        [JsonConverter(typeof(StringEnumConverter))]
+        public EncryptionKeyType Type { get; set; }
+
+        /// <inheritdoc cref="EncryptionKeyState"/>
+        [JsonProperty("state")]
+        [JsonConverter(typeof(StringEnumConverter))]
+        public EncryptionKeyState State { get; set; }
+
+        /// <summary>
+        /// Key creation timestamp
+        /// </summary>
+        [JsonProperty("created_at")]
+        public DateTime CreatedAt { get; set; }
+
+        /// <summary>
+        /// Key update timestamp
+        /// </summary>
+        [JsonProperty("updated_at")]
+        public DateTime UpdatedAt { get; set; }
+
+        /// <summary>
+        /// ID of the parent wrapping key.
+        /// </summary>
+        [JsonProperty("parent_kid")]
+        public string ParentKid { get; set; }
+
+        /// <summary>
+        /// Public key in PEM format
+        /// </summary>
+        [JsonProperty("public_key")]
+        public string PublicKey { get; set; }
+    }
+}
diff --git a/src/Auth0.ManagementApi/Models/Keys/EncryptionKeyCreateRequest.cs b/src/Auth0.ManagementApi/Models/Keys/EncryptionKeyCreateRequest.cs
@@ -0,0 +1,17 @@
+using Newtonsoft.Json;
+
+namespace Auth0.ManagementApi.Models.Keys
+{
+    /// <summary>
+    /// Contains information required for creating an encryption key.
+    /// </summary>
+    public class EncryptionKeyCreateRequest
+    {
+        /// <summary>
+        /// Type of the encryption key to be created.
+        /// Possible values: [customer-provided-root-key, tenant-encryption-key]
+        /// </summary>
+        [JsonProperty("type")]
+        public string Type { get; set; }
+    }
+}
diff --git a/src/Auth0.ManagementApi/Models/Keys/EncryptionKeyGetRequest.cs b/src/Auth0.ManagementApi/Models/Keys/EncryptionKeyGetRequest.cs
@@ -0,0 +1,13 @@
+namespace Auth0.ManagementApi.Models.Keys
+{
+    /// <summary>
+    /// Contains information required for getting an encryption key.
+    /// </summary>
+    public class EncryptionKeyGetRequest
+    {
+        /// <summary>
+        /// Encryption key ID.
+        /// </summary>
+        public string Kid { get; set; }
+    }
+}
diff --git a/src/Auth0.ManagementApi/Models/Keys/EncryptionKeyImportRequest.cs b/src/Auth0.ManagementApi/Models/Keys/EncryptionKeyImportRequest.cs
@@ -0,0 +1,21 @@
+using Newtonsoft.Json;
+
+namespace Auth0.ManagementApi.Models.Keys
+{
+    /// <summary>
+    /// Contains information required for importing an encryption key.
+    /// </summary>
+    public class EncryptionKeyImportRequest
+    {
+        /// <summary>
+        /// Encryption key ID
+        /// </summary>
+        public string Kid { get; set; }
+
+        /// <summary>
+        /// Base64 encoded ciphertext of key material wrapped by public wrapping key.
+        /// </summary>
+        [JsonProperty("wrapped_key")]
+        public string WrappedKey { get; set; }
+    }
+}
diff --git a/src/Auth0.ManagementApi/Models/Keys/EncryptionKeyState.cs b/src/Auth0.ManagementApi/Models/Keys/EncryptionKeyState.cs
@@ -0,0 +1,22 @@
+using System.Runtime.Serialization;
+
+namespace Auth0.ManagementApi.Models.Keys
+{
+    /// <summary>
+    /// Encryption Key State
+    /// </summary>
+    public enum EncryptionKeyState
+    {
+        [EnumMember(Value = "pre-activation")]
+        PreActivation,
+
+        [EnumMember(Value = "active")]
+        Active,
+
+        [EnumMember(Value = "deactivated")]
+        Deactivated,
+
+        [EnumMember(Value = "destroyed")]
+        Destroyed,
+    }
+}
diff --git a/src/Auth0.ManagementApi/Models/Keys/EncryptionKeyType.cs b/src/Auth0.ManagementApi/Models/Keys/EncryptionKeyType.cs
@@ -0,0 +1,22 @@
+using System.Runtime.Serialization;
+
+namespace Auth0.ManagementApi.Models.Keys
+{
+    /// <summary>
+    /// Encryption Key Type
+    /// </summary>
+    public enum EncryptionKeyType
+    {
+        [EnumMember(Value = "customer-provided-root-key")]
+        CustomerProvidedRootKey,
+
+        [EnumMember(Value = "environment-root-key")]
+        EnvironmentRootKey,
+
+        [EnumMember(Value = "tenant-master-key")]
+        TenantMasterKey,
+
+        [EnumMember(Value = "tenant-encryption-key")]
+        TenantEncryptionKey,
+    }
+}
diff --git a/src/Auth0.ManagementApi/Models/Keys/WrappingKey.cs b/src/Auth0.ManagementApi/Models/Keys/WrappingKey.cs
@@ -0,0 +1,22 @@
+using Newtonsoft.Json;
+
+namespace Auth0.ManagementApi.Models.Keys
+{
+    /// <summary>
+    /// Represents the WrappingKey
+    /// </summary>
+    public class WrappingKey
+    {
+        /// <summary>
+        /// Public wrapping key in PEM format
+        /// </summary>
+        [JsonProperty("public_key")]
+        public string PublicKey { get; set; }
+
+        /// <summary>
+        /// Encryption Algorithm that shall be used to wrap your key material
+        /// </summary>
+        [JsonProperty("algorithm")]
+        public string Algorithm { get; set; }
+    }
+}
diff --git a/src/Auth0.ManagementApi/Models/Keys/WrappingKeyCreateRequest.cs b/src/Auth0.ManagementApi/Models/Keys/WrappingKeyCreateRequest.cs
@@ -0,0 +1,13 @@
+namespace Auth0.ManagementApi.Models.Keys
+{
+    /// <summary>
+    /// Contains information required for creating a wrapping key.
+    /// </summary>
+    public class WrappingKeyCreateRequest
+    {
+        /// <summary>
+        /// Encryption key ID
+        /// </summary>
+        public string Kid { get; set; }
+    }
+}
diff --git a/tests/Auth0.AuthenticationApi.IntegrationTests/Testing/ManagementTestBaseUtils.cs b/tests/Auth0.AuthenticationApi.IntegrationTests/Testing/ManagementTestBaseUtils.cs
@@ -22,7 +22,8 @@ public static async Task CleanupAsync(ManagementApiClient client, CleanUpType ty
                 new UsersCleanUpStrategy(client),
                 new RulesCleanUpStrategy(client),
                 new LogStreamsCleanUpStrategy(client),
-                new RolesCleanUpStrategy(client)
+                new RolesCleanUpStrategy(client),
+                new EncryptionKeysCleanupStrategy(client)
             };
 
             var cleanUpStrategy = strategies.Single(s => s.Type == type);