refactor(fdo): use openbao for key storage

.github/workflows/astarte-apps-build-workflow.yaml

@@ -117,6 +117,12 @@ jobs:
           --health-interval=2s
           --health-timeout=2s
           --health-retries=5
+      rendezvous:
+        image: astarte/go-fdo-server:ade68cda47-20251128
+        ports:
+          - 8041:8041
+        restart: on-failure
+        command: '--log-level=debug rendezvous 0.0.0.0:8041 --db-type sqlite --db-dsn "file:/var/lib/fdo/rendezvous.db"'
 
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

.github/workflows/astarte-end-to-end-test-workflow.yaml

@@ -112,8 +112,8 @@ jobs:
       - name: Checkout fdo e2e repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
-          repository: astarte-platform/astarte-device-fdo-rust
-          ref: dev
+          repository: noaccos/astarte-device-fdo-rust
+          ref: push-mzlxtwylktkr
       - uses: ./.github/actions/install-deps
       - name: Install astartectl
         run: |

apps/astarte_housekeeping/lib/astarte_housekeeping/realms/queries.ex

@@ -625,9 +625,15 @@ defmodule Astarte.Housekeeping.Realms.Queries do
   defp create_ownership_vouchers_table(keyspace_name) do
     query = """
     CREATE TABLE #{keyspace_name}.ownership_vouchers (
-      private_key blob,
-      voucher_data blob,
       guid blob,
+      voucher_data blob,
+      output_voucher blob,
+      replacement_guid blob,
+      replacement_rendezvous_info blob,
+      replacement_public_key blob,
+      key_name varchar,
+      key_algorithm int,
+      user_id blob,
       PRIMARY KEY (guid)
     );
     """
@@ -673,9 +679,6 @@ defmodule Astarte.Housekeeping.Realms.Queries do
       device_service_info map<tuple<text, text>, blob>,
       owner_service_info list<blob>,
       last_chunk_sent int,
-      replacement_guid blob,
-      replacement_rv_info blob,
-      replacement_pub_key blob,
       replacement_hmac blob,
       PRIMARY KEY (guid)
     )

apps/astarte_housekeeping/priv/migrations/realm/0015_drop_replacement_data.sql

@@ -0,0 +1,2 @@
+ALTER TABLE :keyspace.to2_sessions
+DROP (replacement_guid, replacement_rv_info, replacement_pub_key)

apps/astarte_housekeeping/priv/migrations/realm/0016_drop_private_key.sql

@@ -0,0 +1,2 @@
+ALTER TABLE :keyspace.ownership_vouchers
+DROP private_key

apps/astarte_housekeeping/priv/migrations/realm/0017_add_replacement_data_and_remote_key.sql

@@ -0,0 +1,10 @@
+ALTER TABLE :keyspace.ownership_vouchers
+ADD (
+  replacement_guid blob,
+  replacement_rendezvous_info blob,
+  replacement_public_key blob,
+  output_voucher blob,
+  key_name varchar,
+  key_algorithm int,
+  user_id blob
+);

apps/astarte_pairing/README.md

@@ -34,6 +34,7 @@ docker run --rm -d -p 9042:9042 --name scylla scylladb/scylla
 docker run --rm  -d -p 5672:5672 -p 15672:15672 --name rabbit rabbitmq:3.12.0-management
 docker run --rm -d --net=host -p 8080/tcp ispirata/docker-alpine-cfssl-autotest:astarte
 docker run --rm -d -p 8200:8200 --name openbao openbao/openbao:latest server -dev -dev-root-token-id=astarte_token
+docker run -rm -d -p 8041:8041 --name rendezvous astarte/go-fdo-server:ade68cda47-20251128 --log-level=debug rendezvous 0.0.0.0:8041 --db-type sqlite --db-dsn "file:/var/lib/fdo/rendezvous.db"
 ```
 
 by default `CASSANDRA_NODES` and `CFSSL_API_URL` environment variables map to localhost, so that

apps/astarte_pairing/config/test.exs

@@ -108,7 +108,8 @@ config :astarte_pairing, :enable_credential_reuse, true
 
 config :astarte_secrets, bao_authentication_mechanism: :token
 config :astarte_secrets, bao_token: "astarte_token"
-config :astarte_secrets, bao_url: "http://localhost:8200"
+
+config :astarte_fdo, fdo_rendezvous_url: "http://localhost:8041"
 
 config :bcrypt_elixir,
   log_rounds: 4

apps/astarte_pairing/lib/astarte_pairing/queries.ex

@@ -207,7 +207,7 @@ defmodule Astarte.Pairing.Queries do
     query =
       from o in OwnershipVoucher,
         prefix: ^keyspace_name,
-        select: o.private_key
+        select: o.key_name
 
     consistency = Consistency.domain_model(:read)
 
@@ -218,7 +218,7 @@ defmodule Astarte.Pairing.Queries do
         realm_name,
         guid,
         cbor_ownership_voucher,
-        owner_private_key,
+        key_name,
         ttl
       ) do
     keyspace_name = Realm.keyspace_name(realm_name)
@@ -227,7 +227,7 @@ defmodule Astarte.Pairing.Queries do
 
     %OwnershipVoucher{
       voucher_data: cbor_ownership_voucher,
-      private_key: owner_private_key,
+      key_name: key_name,
       guid: guid
     }
     |> Repo.insert(opts)
@@ -245,13 +245,15 @@ defmodule Astarte.Pairing.Queries do
   def replace_ownership_voucher(
         realm_name,
         guid,
-        new_voucher,
-        owner_private_key,
-        ttl
+        new_voucher
       ) do
-    with {:ok, _} <- delete_ownership_voucher(realm_name, guid) do
-      create_ownership_voucher(realm_name, guid, new_voucher, owner_private_key, ttl)
-    end
+    keyspace = Realm.keyspace_name(realm_name)
+    consistency = Consistency.device_info(:write)
+    opts = [prefix: keyspace, consistency: consistency]
+
+    %OwnershipVoucher{guid: guid}
+    |> Ecto.Changeset.change(output_voucher: new_voucher)
+    |> Repo.update(opts)
   end
 
   def store_session(realm_name, guid, session) do

apps/astarte_pairing/lib/astarte_pairing_web/controllers/owner_key_controller.ex

@@ -55,26 +55,37 @@ defmodule Astarte.PairingWeb.OwnerKeyController do
         }
       ) do
     with {:ok, keys} <-
-           Secrets.Core.get_keys_from_algorithm(realm_name, @supported_key_algorithms) do
+           Secrets.Core.get_keys(realm_name, @supported_key_algorithms) do
       send_resp(conn, 200, Jason.encode!(keys))
     end
   end
 
+  def get_keys_for_algorithm(conn, %{
+        "realm_name" => realm_name,
+        "key_algorithm" => key_algorithm
+      }) do
+    with {:ok, algorithm} <- Secrets.Core.string_to_key_type(key_algorithm),
+         {:ok, keys} <- Secrets.Core.get_keys(realm_name, [algorithm]) do
+      json(conn, %{data: keys})
+    end
+  end
+
   def get_key(conn, %{
         "realm_name" => realm_name,
         "key_algorithm" => key_algorithm,
         "key_name" => key_name
       }) do
-    with {:ok, algorithm_atom} <- Secrets.Core.string_to_key_type(key_algorithm) do
-      case Secrets.Core.find_key(realm_name, algorithm_atom, key_name) do
-        {:ok, key} ->
-          json(conn, %{data: %{key_name: key.name, public_key: key.public_pem}})
+    with {:ok, algorithm_atom} <- Secrets.Core.string_to_key_type(key_algorithm),
+         {:ok, key} <- Secrets.Core.find_key(realm_name, key_name, algorithm_atom) do
+      json(conn, %{data: %{key_name: key.name, public_key: key.public_pem}})
+    else
+      :error ->
+        {:error, :unprocessable_key}
 
-        :not_found ->
-          conn
-          |> put_status(:not_found)
-          |> json(%{errors: %{detail: "Key not found"}})
-      end
+      :not_found ->
+        conn
+        |> put_status(:not_found)
+        |> json(%{errors: %{detail: "Key not found"}})
     end
   end
 end

apps/astarte_pairing/lib/astarte_pairing_web/controllers/ownership_voucher_controller.ex

@@ -19,54 +19,38 @@
 defmodule Astarte.PairingWeb.OwnershipVoucherController do
   use Astarte.PairingWeb, :controller
 
-  alias Astarte.DataAccess.FDO.OwnershipVoucher.CreateRequest
   alias Astarte.FDO.OwnershipVoucher
   alias Astarte.FDO.OwnershipVoucher.LoadRequest
   alias Astarte.FDO.TO0
   alias Astarte.Secrets.Core, as: SecretsCore
 
   action_fallback Astarte.PairingWeb.FallbackController
 
-  def create(conn, %{
-        "data" => data,
-        "realm_name" => realm_name
-      }) do
-    create = CreateRequest.changeset(%CreateRequest{}, data)
-
-    with {:ok, create} <- Ecto.Changeset.apply_action(create, :insert),
-         %CreateRequest{
-           decoded_ownership_voucher: decoded_ownership_voucher,
-           cbor_ownership_voucher: cbor_ownership_voucher,
-           private_key: private_key,
-           extracted_private_key: extracted_private_key,
-           device_guid: device_guid
-         } = create,
-         :ok <-
-           OwnershipVoucher.save_voucher(
-             realm_name,
-             cbor_ownership_voucher,
-             device_guid,
-             private_key
-           ),
-         :ok <-
-           TO0.claim_ownership_voucher(
-             realm_name,
-             decoded_ownership_voucher,
-             extracted_private_key
-           ) do
-      send_resp(conn, 200, "")
-    end
-  end
-
   @doc """
-  Validates an FDO Ownership Voucher load request.
+  Validates an FDO Ownership Voucher load request and register the OV in the database.
 
   Returns `200 OK` with the owner public key PEM on success.
   """
   def register(conn, %{"data" => data, "realm_name" => realm_name}) do
     with {:ok, req} <-
            LoadRequest.changeset(%LoadRequest{}, Map.put(data, "realm_name", realm_name))
-           |> Ecto.Changeset.apply_action(:insert) do
+           |> Ecto.Changeset.apply_action(:insert),
+         :ok <-
+           OwnershipVoucher.save_voucher(realm_name, %{
+             voucher_data: req.cbor_ownership_voucher,
+             guid: req.device_guid,
+             key_name: req.key_name,
+             key_algorithm: req.key_algorithm,
+             replacement_guid: req.replacement_guid,
+             replacement_rendezvous_info: req.decoded_replacement_rendezvous_info,
+             replacement_public_key: req.decoded_replacement_public_key
+           }),
+         :ok <-
+           TO0.claim_ownership_voucher(
+             realm_name,
+             req.decoded_ownership_voucher,
+             req.extracted_owner_key
+           ) do
       json(conn, %{
         data: %{
           public_key: req.extracted_owner_key.public_pem,
@@ -86,7 +70,7 @@ defmodule Astarte.PairingWeb.OwnershipVoucherController do
     with {:ok, pem} <- ensure_ownership_voucher_parameter(data),
          {:ok, voucher} <- OwnershipVoucher.decode_binary_voucher(pem),
          key_algorithm = OwnershipVoucher.key_algorithm(voucher),
-         {:ok, keys_map} <- SecretsCore.get_keys_from_algorithm(realm_name, key_algorithm) do
+         {:ok, keys_map} <- SecretsCore.get_keys(realm_name, key_algorithm) do
       json(conn, %{data: keys_map})
     end
   end

apps/astarte_pairing/lib/astarte_pairing_web/plug/setup_fdo.ex

@@ -43,6 +43,7 @@ defmodule Astarte.PairingWeb.Plug.SetupFDO do
     case read_body(conn) do
       {:ok, body, conn} ->
         conn
+        |> put_resp_header("content-type", "application/cbor")
         |> put_resp_header("message-type", to_string(next_message_id))
         |> assign(:message_id, message_id)
         |> assign(:cbor_body, body)

apps/astarte_pairing/lib/astarte_pairing_web/router.ex

@@ -104,6 +104,7 @@ defmodule Astarte.PairingWeb.Router do
 
       post "/owner_keys", OwnerKeyController, :create_or_upload_key
       get "/owner_keys", OwnerKeyController, :list_keys
+      get "/owner_keys/:key_algorithm", OwnerKeyController, :get_keys_for_algorithm
       get "/owner_keys/:key_algorithm/:key_name", OwnerKeyController, :get_key
       post "/owner_keys_for_voucher", OwnershipVoucherController, :owner_keys_for_voucher
       post "/ownership_vouchers", OwnershipVoucherController, :register

apps/astarte_pairing/test/astarte_pairing_web/controllers/fdo_onboarding_controller_test.exs

@@ -156,13 +156,8 @@ defmodule Astarte.PairingWeb.FDOOnboardingControllerTest do
            conn: conn,
            create_path: path,
            message_id: id,
-           session: session,
-           realm_name: realm,
-           owner_key_pem: owner_key_pem,
-           cbor_ownership_voucher: cbor_ownership_voucher
+           session: session
          } do
-      insert_voucher(realm, owner_key_pem, cbor_ownership_voucher, session.guid)
-
       request_body = Session.encrypt_and_sign(session, CBOR.encode(%{prove: "device"}))
       conn = post(conn, path, request_body)
       assert {100, id} == assert_cbor_error(conn)

apps/astarte_pairing/test/astarte_pairing_web/controllers/owner_key_controller_test.exs

@@ -206,19 +206,17 @@ defmodule Astarte.PairingWeb.Controllers.OwnerKeyControllerTest do
 
       keys = Jason.decode!(keys)
 
-      assert keys == [
-               %{
-                 "es256" => [
-                   "key_to_create",
-                   "key_to_create1",
-                   "key_to_create2",
-                   "key_to_create3"
-                 ]
-               },
-               %{"es384" => []},
-               %{"rs256" => []},
-               %{"rs384" => []}
-             ]
+      assert keys == %{
+               "es256" => [
+                 "key_to_create",
+                 "key_to_create1",
+                 "key_to_create2",
+                 "key_to_create3"
+               ],
+               "es384" => [],
+               "rs256" => [],
+               "rs384" => []
+             }
     end
   end