chore(secrets): init

move openbao to its own library.
needed in preparation of the TO2 rework, where astarte_fdo will need
access to openbao's key

Signed-off-by: Francesco Noacco <francesco.noacco@secomind.com>

Author: noaccOS

.github/codecov.yml

@@ -23,6 +23,7 @@ coverage:
           - astarte_rpc
           - astarte_fdo
           - astarte_fdo_core
+          - astarte_secrets
 
 ignore:
   - "apps/*/test"
@@ -93,3 +94,7 @@ flags:
     carryforward: true
     paths:
       - libs/astarte_fdo_core
+  astarte_secrets:
+    carryforward: true
+    paths:
+      - libs/astarte_secrets

.github/workflows/astarte-libs-workflow.yml

@@ -57,3 +57,8 @@ jobs:
     with:
       lib: "astarte_rpc"
     secrets: inherit
+  astarte_secrets:
+    uses: ./.github/workflows/astarte-libs-build-workflow.yaml
+    with:
+      lib: "astarte_secrets"
+    secrets: inherit

Dockerfile

@@ -30,6 +30,14 @@ COPY libs/astarte_events/mix.exs libraries/astarte_events/mix.exs
 COPY libs/astarte_events/mix.lock libraries/astarte_events/mix.lock
 COPY libs/astarte_rpc/mix.exs libraries/astarte_rpc/mix.exs
 COPY libs/astarte_rpc/mix.lock libraries/astarte_rpc/mix.lock
+COPY libs/astarte_fdo_core/mix.exs libraries/astarte_fdo_core/mix.exs
+COPY libs/astarte_fdo_core/mix.lock libraries/astarte_fdo_core/mix.lock
+COPY libs/astarte_fdo/mix.exs libraries/astarte_fdo/mix.exs
+COPY libs/astarte_fdo/mix.lock libraries/astarte_fdo/mix.lock
+COPY libs/astarte_generators/mix.exs libraries/astarte_generators/mix.exs
+COPY libs/astarte_generators/mix.lock libraries/astarte_generators/mix.lock
+COPY libs/astarte_secrets/mix.exs libraries/astarte_secrets/mix.exs
+COPY libs/astarte_secrets/mix.lock libraries/astarte_secrets/mix.lock
 RUN mix do deps.get, deps.compile --skip-local-deps
 
 COPY libs ./libraries

apps/astarte_pairing/config/test.exs

@@ -106,9 +106,9 @@ config :astarte_fdo, :base_url_port, 4003
 config :astarte_fdo, :base_url_protocol, :http
 config :astarte_pairing, :enable_credential_reuse, true
 
-config :astarte_pairing, bao_authentication_mechanism: :token
-config :astarte_pairing, bao_token: "astarte_token"
-config :astarte_pairing, bao_url: "http://localhost:8200"
+config :astarte_secrets, bao_authentication_mechanism: :token
+config :astarte_secrets, bao_token: "astarte_token"
+config :astarte_secrets, bao_url: "http://localhost:8200"
 
 config :bcrypt_elixir,
   log_rounds: 4

apps/astarte_pairing/lib/astarte_pairing/config.ex

@@ -24,10 +24,9 @@ defmodule Astarte.Pairing.Config do
   use Skogsra
 
   alias Astarte.Pairing.CFSSLCredentials
-  alias Astarte.Pairing.Config
   alias Astarte.Pairing.Config.BaseURLProtocol
   alias Astarte.Pairing.Config.CQExNodes
-  alias Astarte.Pairing.Config.OpenBaoAuthenticationMechanism
+  alias Astarte.Secrets.Config, as: SecretsConfig
 
   @envdoc "The external broker URL which should be used by devices."
   app_env :broker_url, :astarte_pairing, :broker_url,
@@ -147,90 +146,6 @@ defmodule Astarte.Pairing.Config do
     end
   end
 
-  @envdoc "The URL to access OpenBao."
-  app_env :bao_url, :astarte_pairing, :bao_url,
-    os_env: "ASTARTE_OPENBAO_URL",
-    type: :binary,
-    default: "http://localhost:8200"
-
-  @envdoc "Internal variable used to store bao authentication"
-  app_env :bao_authentication, :astarte_pairing, :bao_authentication,
-    binding_skip: [:system],
-    type: :any
-
-  @envdoc "The mechanism to use for authenticating with OpenBao"
-  app_env :bao_authentication_mechanism, :astarte_pairing, :bao_authentication_mechanism,
-    os_env: "ASTARTE_OPENBAO_AUTHENTICATION_MECHANISM",
-    type: OpenBaoAuthenticationMechanism
-
-  @envdoc "Token to authenticate with OpenBao"
-  app_env :bao_token, :astarte_pairing, :bao_token,
-    os_env: "ASTARTE_OPENBAO_TOKEN",
-    type: :binary
-
-  @envdoc "Enable SSL for the OpenBao connection. If not specified, SSL is disabled."
-  app_env :bao_ssl_enabled, :astarte_housekeeping, :bao_ssl_enabled,
-    os_env: "ASTARTE_OPENBAO_SSL_ENABLED",
-    type: :boolean,
-    default: false
-
-  @envdoc """
-  Specifies the certificates of the root Certificate Authorities to be trusted for the OpenBao connection. When not specified, the bundled cURL certificate bundle will be used.
-  """
-  app_env :bao_ssl_ca_file, :astarte_housekeeping, :bao_ssl_ca_file,
-    os_env: "ASTARTE_OPENBAO_SSL_CA_FILE",
-    type: :binary,
-    default: CAStore.file_path()
-
-  @envdoc "Disable Server Name Indication. Defaults to false."
-  app_env :bao_ssl_disable_sni,
-          :astarte_housekeeping,
-          :bao_ssl_disable_sni,
-          os_env: "ASTARTE_OPENBAO_SSL_DISABLE_SNI",
-          type: :boolean,
-          default: false
-
-  @envdoc "Specify the hostname to be used in TLS Server Name Indication extension. If not specified, the amqp consumer host will be used. This value is used only if Server Name Indication is enabled."
-  app_env :bao_ssl_custom_sni, :astarte_housekeeping, :bao_ssl_custom_sni,
-    os_env: "ASTARTE_OPENBAO_SSL_CUSTOM_SNI",
-    type: :binary
-
-  def bao_ssl_options! do
-    if Config.bao_ssl_enabled!() do
-      build_bao_ssl_options()
-    else
-      []
-    end
-  end
-
-  defp build_bao_ssl_options do
-    [
-      cacertfile: bao_ssl_ca_file!(),
-      verify: :verify_peer,
-      depth: 10
-    ]
-    |> populate_bao_sni()
-  end
-
-  defp populate_bao_sni(ssl_options) do
-    if Config.bao_ssl_disable_sni!() do
-      Keyword.put(ssl_options, :server_name_indication, :disable)
-    else
-      server_name =
-        case Config.bao_ssl_custom_sni!() do
-          nil ->
-            Config.bao_url!()
-            |> URI.parse()
-            |> Map.fetch!(:host)
-
-          custom_sni ->
-            custom_sni
-        end
-
-      Keyword.put(ssl_options, :server_name_indication, to_charlist(server_name))
-    end
-  end
-
   def init! do
     if {:ok, nil} == ca_cert() do
       case CFSSLCredentials.ca_cert() do
@@ -250,8 +165,7 @@ defmodule Astarte.Pairing.Config do
         raise "FDO feature is enabled but not all its parameters are configured"
       end
 
-      parse_bao_authentication!()
-      |> put_bao_authentication()
+      SecretsConfig.init()
     end
   end
 
@@ -309,17 +223,4 @@ defmodule Astarte.Pairing.Config do
         false
     end
   end
-
-  defp parse_bao_authentication! do
-    case Config.bao_authentication_mechanism!() do
-      nil ->
-        raise "OpenBao authentication method not set"
-
-      :token ->
-        case Config.bao_token!() do
-          nil -> raise "OpenBao token not set"
-          token -> {:token, token}
-        end
-    end
-  end
 end

apps/astarte_pairing/mix.exs

@@ -97,11 +97,11 @@ defmodule Astarte.Pairing.Mixfile do
       {:cfxxl, github: "ispirata/cfxxl"},
       {:astarte_data_access, path: astarte_lib("astarte_data_access")},
       {:astarte_generators, path: astarte_lib("astarte_generators"), only: [:dev, :test]},
+      {:astarte_secrets, path: astarte_lib("astarte_secrets")},
       {:bcrypt_elixir, "~> 2.2"},
       {:xandra, "~> 0.19"},
       {:ecto, "~> 3.12"},
       {:exandra, "~> 0.13"},
-      {:typed_ecto_schema, "~> 0.4"},
       {:mimic, "~> 1.11", only: :test},
       {:credo, "~> 1.7", only: [:dev, :test], runtime: false},
       {:con_cache, "~> 1.1"},
@@ -110,8 +110,7 @@ defmodule Astarte.Pairing.Mixfile do
       {:astarte_fdo_core, path: astarte_lib("astarte_fdo_core")},
       {:astarte_rpc, path: astarte_lib("astarte_rpc")},
       # HTTP client needed by some tests, override to avoid conflicts with cfxxl
-      {:httpoison, "~> 2.2", override: true},
-      {:x509, "~> 0.8"}
+      {:httpoison, "~> 2.2", override: true}
     ]
   end
 

apps/astarte_pairing/test/test_helper.exs

@@ -16,7 +16,6 @@
 # limitations under the License.
 #
 
-Mimic.copy(:hackney)
 Mimic.copy(Astarte.DataAccess.Config)
 Mimic.copy(Astarte.DataAccess.Health.Health)
 Mimic.copy(Astarte.Events.TriggersHandler)
@@ -31,9 +30,6 @@ Mimic.copy(Astarte.FDO.Rendezvous)
 Mimic.copy(Astarte.FDO.Rendezvous.Client)
 Mimic.copy(Astarte.FDO.ServiceInfo)
 Mimic.copy(Astarte.Pairing.Config)
-Mimic.copy(Astarte.Pairing.FDO.OpenBao)
-Mimic.copy(Astarte.Pairing.FDO.OpenBao.Client)
-Mimic.copy(Astarte.Pairing.FDO.OpenBao.Core)
 Mimic.copy(Astarte.Pairing.Queries)
 Mimic.copy(DateTime)
 Mimic.copy(HTTPoison)

committed.toml

@@ -35,6 +35,7 @@ allowed_scopes = [
   "fdo",
   "fdo_core",
   "generators",
+  "secrets",
   # tools
   "e2e",
   "import",

libs/astarte_secrets/.formatter.exs

@@ -0,0 +1,4 @@
+[
+  inputs: ["{mix,.formatter}.exs", "{config,lib,test}/**/*.{ex,exs}"],
+  import_deps: [:ecto, :skogsra]
+]

libs/astarte_secrets/README.md

@@ -0,0 +1,3 @@
+# Astarte Secrets
+
+Secret management for Astarte Services using OpenBao