auth0 · kailash-b · Nov 7, 2024 · Nov 4, 2024
@@ -82,5 +82,11 @@ public interface IKeysClient
     /// <param name="request"><see cref="WrappingKeyCreateRequest"/></param>
     /// <param name="cancellationToken">The cancellation token to cancel operation.</param>
     Task<WrappingKey> CreatePublicWrappingKeyAsync(WrappingKeyCreateRequest request, CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Perform rekeying operation on the key hierarchy.
+    /// </summary>
+    /// <param name="cancellationToken">The cancellation token to cancel operation.</param>
+    Task RekeyAsync(CancellationToken cancellationToken = default);
   }
 }
@@ -160,13 +160,24 @@ public Task<WrappingKey> CreatePublicWrappingKeyAsync(
 
             if (string.IsNullOrEmpty(request.Kid))
                 throw new ArgumentNullException(nameof(request.Kid));
-            
+
             return Connection.SendAsync<WrappingKey>(
                 HttpMethod.Post,
                 BuildUri($"keys/encryption/{EncodePath(request.Kid)}/wrapping-key"),
                 body: null,
                 headers: DefaultHeaders,
                 cancellationToken: cancellationToken);
         }
+
+        /// <inheritdoc cref="IKeysClient.RekeyAsync"/>
+        public Task RekeyAsync(CancellationToken cancellationToken = default)
+        {
+            return Connection.SendAsync<object>(
+                HttpMethod.Post,
+                BuildUri("keys/encryption/rekey"),
+                body: null,
+                headers: DefaultHeaders,
+                cancellationToken: cancellationToken);
+        }
     }
 }
@@ -155,5 +155,41 @@ public async void Test_import_encrypted_keys()
             importedKeys.Type.Should().Be(EncryptionKeyType.CustomerProvidedRootKey);
             importedKeys.ParentKid.Should().Be("a20128c5-9bf5-4209-8c43-b6dfcee60e9b");
         }
+
+        [Fact]
+        public async void Test_rekey_encrypted_keys()
+        {
+            // Get the existing Tenant Master Key
+            var existingTenantMasterKey = await GetExistingTenantMasterKey();
+
+            await fixture.ApiClient.Keys.RekeyAsync();
+
+            var newTenantMasterKey = await GetExistingTenantMasterKey();
+
+            // After rekey operation, a new Tenant Master Key should be generated
+            existingTenantMasterKey.Should().NotBeEquivalentTo(newTenantMasterKey);
+
+            var existingTenantMasterKeyAfterRekey = 
+                await fixture.ApiClient.Keys.GetEncryptionKeyAsync(
+                    new EncryptionKeyGetRequest() 
+                        {
+                            Kid = existingTenantMasterKey.Kid
+                        }
+                    );
+
+            // Confirming that the old master key is destroyed
+            existingTenantMasterKeyAfterRekey.State.Should().Be(EncryptionKeyState.Destroyed);
+        }
+
+        private async Task<EncryptionKey> GetExistingTenantMasterKey()
+        {
+            var existingEncryptionKeys = await fixture.ApiClient.Keys.GetAllEncryptionKeysAsync(new PaginationInfo());
+
+            // Get the existing Tenant Master Key
+            var existingTenantMasterKey = 
+                existingEncryptionKeys.FirstOrDefault(x => x.State == EncryptionKeyState.Active &&
+                                                           x.Type == EncryptionKeyType.TenantMasterKey);
+            return existingTenantMasterKey;
+        }
     }
 }