chore: add namespace functionality to openbao (astarte-platform#1856)

add two functions:
- create_namespace/3, which creates the nested key namespace
- list_namespaces/0, which lists all namespaces, and is used in tests

the client now always points to the "/v1" api

Signed-off-by: Francesco Noacco <francesco.noacco@secomind.com>

Author: noaccOS

apps/astarte_pairing/config/test.exs

@@ -102,8 +102,7 @@ config :astarte_pairing, :base_url_domain, "api.astarte.localhost"
 config :astarte_pairing, :base_url_port, 4003
 config :astarte_pairing, :base_url_protocol, :http
 config :astarte_pairing, :enable_credential_reuse, true
-
-config :astarte_pairing, bao_authentication_mechanism: :token, bao_token: ""
+config :astarte_pairing, bao_authentication_mechanism: :token, bao_token: "astarte_token"
 
 config :bcrypt_elixir,
   log_rounds: 4

apps/astarte_pairing/lib/astarte_pairing/fdo/open_bao/client.ex

@@ -24,10 +24,13 @@ defmodule Astarte.Pairing.FDO.OpenBao.Client do
   use HTTPoison.Base
 
   alias Astarte.Pairing.Config
+  alias HTTPoison.AsyncResponse
+  alias HTTPoison.Error
+  alias HTTPoison.Response
 
   @impl true
   def process_request_url(url) do
-    Config.bao_url!() <> url
+    Config.bao_url!() <> "/v1" <> url
   end
 
   @impl true
@@ -50,6 +53,35 @@ defmodule Astarte.Pairing.FDO.OpenBao.Client do
     end
   end
 
+  @doc """
+  Issues a LIST request to the given url.
+
+  Returns `{:ok, response}` if the request is successful, `{:error, reason}`
+  otherwise.
+
+  See `request/5` for more detailed information.
+  """
+  @spec list(binary, headers, Keyword.t()) ::
+          {:ok, Response.t() | AsyncResponse.t()} | {:error, Error.t()}
+  def list(url, headers \\ [], options \\ []) do
+    options = update_in(options, [:params], &[{"list", "true"} | &1 || []])
+    get(url, headers, options)
+  end
+
+  @doc """
+  Issues a LIST request to the given url, raising an exception in case of
+  failure.
+
+  If the request does not fail, the response is returned.
+
+  See `request!/5` for more detailed information.
+  """
+  @spec list!(binary, headers, Keyword.t()) :: Response.t() | AsyncResponse.t()
+  def list!(url, headers \\ [], options \\ []) do
+    options = update_in(options, [:params], &[{"list", "true"} | &1 || []])
+    get!(url, headers, options)
+  end
+
   defp maybe_add_default_token(headers, token) do
     # If the token is not already set, add the default token
     case Enum.find(headers, &authentication_header?/1) do

apps/astarte_pairing/lib/astarte_pairing/fdo/open_bao/core.ex

@@ -20,4 +20,116 @@ defmodule Astarte.Pairing.FDO.OpenBao.Core do
   @moduledoc """
   Implementation of function to interface with OpenBao.
   """
+
+  alias Astarte.DataAccess.Config, as: DataAccessConfig
+  alias Astarte.Pairing.FDO.OpenBao.Client
+  alias HTTPoison.Response
+
+  require Logger
+
+  @doc """
+  Returns the namespace name for the given params, represented as a list of tokens
+  """
+  def namespace_tokens(realm_name, user_id, key_algorithm) do
+    ["fdo_owner_keys", instance_tokens(), realm_name, user_tokens(user_id), key_algorithm]
+    |> List.flatten()
+  end
+
+  defp instance_tokens do
+    case DataAccessConfig.astarte_instance_id!() do
+      "" ->
+        "default_instance"
+
+      instance_id ->
+        ["instance", instance_id]
+    end
+  end
+
+  defp user_tokens(nil), do: "default_user"
+  defp user_tokens(user_id), do: ["user_id", user_id]
+
+  def create_nested_namespace(namespace_tokens) do
+    Enum.reduce_while(namespace_tokens, {:ok, ""}, fn new_namespace, {:ok, base_namespace} ->
+      headers = [{"X-Vault-Namespace", base_namespace}]
+
+      case Client.post("/sys/namespaces/#{new_namespace}", "", headers) do
+        {:ok, %HTTPoison.Response{status_code: 200}} ->
+          new_base_namespace = base_namespace <> "/" <> new_namespace
+          {:cont, {:ok, new_base_namespace}}
+
+        error ->
+          "Error creating new namespace #{new_namespace} on #{base_namespace}: #{inspect(error)}"
+          |> Logger.error()
+
+          {:halt, {:error, :namespace_creation_error}}
+      end
+    end)
+  end
+
+  defp parse_data_key(json_str, key) do
+    with {:ok, data} <- parse_json_data(json_str) do
+      fetch_data_key(data, key)
+    end
+  end
+
+  defp parse_json_data(json_str) do
+    with {:ok, map} when is_map(map) <- Jason.decode(json_str),
+         {:ok, data} <- Map.fetch(map, "data") do
+      {:ok, data}
+    else
+      _ -> {:error, {:invalid_response_body, json_str}}
+    end
+  end
+
+  defp fetch_data_key(data, key) do
+    with :error <- Map.fetch(data, key) do
+      {:error, {:unexpected_body_format, data}}
+    end
+  end
+
+  def list_namespaces(base_namespace \\ "", acc \\ MapSet.new()) do
+    with {:ok, children} <- list_relative_namespaces(base_namespace) do
+      child_namespaces = children |> Enum.map(&(base_namespace <> &1))
+      acc = child_namespaces |> MapSet.new() |> MapSet.union(acc)
+
+      Enum.reduce_while(children, {:ok, acc}, &do_list_namespaces(base_namespace, &1, &2))
+    end
+  end
+
+  defp list_relative_namespaces(base_namespace) do
+    headers = [{"X-Vault-Namespace", base_namespace}]
+
+    case Client.list("/sys/namespaces", headers) do
+      {:ok, %Response{status_code: 200, body: body}} ->
+        case parse_data_key(body, "keys") do
+          {:ok, _keys} = ok ->
+            ok
+
+          error ->
+            Logger.warning("Error while listing namespaces: #{inspect(error)}")
+            error
+        end
+
+      {:ok, %Response{status_code: 404}} ->
+        # Responds with 404 when there is no relative namespace
+        {:ok, []}
+
+      error ->
+        Logger.warning("Error while listing namespaces: #{inspect(error)}")
+        error
+    end
+  end
+
+  defp do_list_namespaces(base_namespace, child, {:ok, acc}) do
+    child_namespace = base_namespace <> child
+
+    case list_namespaces(child_namespace, acc) do
+      {:ok, child_branch} ->
+        acc = child_branch |> MapSet.new() |> MapSet.union(acc)
+        {:cont, {:ok, acc}}
+
+      error ->
+        {:halt, error}
+    end
+  end
 end

apps/astarte_pairing/lib/astarte_pairing/fdo/open_bao/open_bao.ex

@@ -20,4 +20,17 @@ defmodule Astarte.Pairing.FDO.OpenBao do
   @moduledoc """
   Functionality to interface with OpenBao.
   """
+
+  alias Astarte.Pairing.FDO.OpenBao.Core
+
+  def create_namespace(realm_name, user_id \\ nil, key_algorithm) do
+    Core.namespace_tokens(realm_name, user_id, key_algorithm)
+    |> Core.create_nested_namespace()
+  end
+
+  def list_namespaces do
+    with {:ok, namespaces} <- Core.list_namespaces() do
+      {:ok, Enum.to_list(namespaces)}
+    end
+  end
 end

apps/astarte_pairing/test/astarte_pairing/fdo/open_bao/client_test.exs

@@ -34,7 +34,7 @@ defmodule Astarte.Pairing.FDO.OpenBao.ClientTest do
 
   test "always performs requests on the open bao base url", %{bao_url: bao_url} do
     path = "/example"
-    expected_url = bao_url <> path
+    expected_url = bao_url <> "/v1" <> path
 
     validate_request(fn _method, url, _headers, _body, _opts ->
       assert url == expected_url

apps/astarte_pairing/test/astarte_pairing/fdo/open_bao/core_test.exs

@@ -0,0 +1,139 @@
+#
+# This file is part of Astarte.
+#
+# Copyright 2026 SECO Mind Srl
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+defmodule Astarte.Pairing.FDO.OpenBao.CoreTest do
+  use ExUnit.Case, async: true
+  use Mimic
+
+  alias Astarte.Pairing.FDO.OpenBao
+  alias Astarte.Pairing.FDO.OpenBao.Core
+
+  import Astarte.Helpers.OpenBao
+
+  describe "namespace_tokens/3" do
+    setup :namespace_tokens_setup
+
+    test "always starts with fdo_owner_keys", context do
+      %{realm_name: realm_name, user_id: user_id, key_algorithm: key_algorithm} = context
+
+      assert ["fdo_owner_keys" | _] =
+               Core.namespace_tokens(realm_name, user_id, key_algorithm)
+    end
+
+    test "uses default_instance for empty astarte_instance_id", context do
+      %{realm_name: realm_name, user_id: user_id, key_algorithm: key_algorithm} = context
+
+      assert [_, "default_instance" | _] =
+               Core.namespace_tokens(realm_name, user_id, key_algorithm)
+    end
+
+    @tag instance: "someinstance"
+    test "uses nested namespaces when instance id is set", context do
+      %{
+        realm_name: realm_name,
+        user_id: user_id,
+        key_algorithm: key_algorithm,
+        instance: instance
+      } = context
+
+      assert [_, "instance", ^instance | _] =
+               Core.namespace_tokens(realm_name, user_id, key_algorithm)
+    end
+
+    test "places realm name after instance", context do
+      %{realm_name: realm_name, user_id: user_id, key_algorithm: key_algorithm} = context
+
+      assert [_, _, ^realm_name | _] =
+               Core.namespace_tokens(realm_name, user_id, key_algorithm)
+    end
+
+    test "uses default_user for empty user id", context do
+      %{realm_name: realm_name, key_algorithm: key_algorithm} = context
+
+      assert [_, _, _, "default_user" | _] =
+               Core.namespace_tokens(realm_name, nil, key_algorithm)
+    end
+
+    @tag user_id: "userid"
+    test "uses nested namespaces when user id is set", context do
+      %{realm_name: realm_name, user_id: user_id, key_algorithm: key_algorithm} = context
+
+      assert [_, _, _, "user_id", ^user_id | _] =
+               Core.namespace_tokens(realm_name, user_id, key_algorithm)
+    end
+
+    test "ends with key algorithm", context do
+      %{realm_name: realm_name, user_id: user_id, key_algorithm: key_algorithm} = context
+
+      assert [_, _, _, _, ^key_algorithm] =
+               Core.namespace_tokens(realm_name, user_id, key_algorithm)
+    end
+
+    @tag instance: "someinstance"
+    @tag user_id: "user_id"
+    test "produces expected result", context do
+      %{
+        realm_name: realm_name,
+        user_id: user_id,
+        key_algorithm: key_algorithm,
+        instance: instance
+      } = context
+
+      assert [
+               "fdo_owner_keys",
+               "instance",
+               instance,
+               realm_name,
+               "user_id",
+               user_id,
+               key_algorithm
+             ] == Core.namespace_tokens(realm_name, user_id, key_algorithm)
+    end
+  end
+
+  describe "create_nested_namespace/1" do
+    @describetag skip: "needs openbao in ci"
+
+    setup :create_nested_namespace_setup
+
+    test "returns the final namespace created", context do
+      %{final_namespace: namespace, tokens: tokens} = context
+
+      assert {:ok, namespace} == Core.create_nested_namespace(tokens)
+    end
+
+    test "creates nested namespaces", context do
+      %{tokens: tokens, all_namespaces: namespaces} = context
+      namespaces = MapSet.new(namespaces)
+
+      {:ok, _} = Core.create_nested_namespace(tokens)
+      {:ok, fetched_namespaces} = OpenBao.list_namespaces()
+      fetched_namespaces = MapSet.new(fetched_namespaces)
+
+      assert MapSet.subset?(namespaces, fetched_namespaces)
+    end
+  end
+
+  defp create_nested_namespace_setup(_context) do
+    namespace = "/some/namespace/path"
+    tokens = namespace |> String.split("/", trim: true)
+    all_namespaces = ["some/", "some/namespace/", "some/namespace/path/"]
+
+    %{final_namespace: namespace, tokens: tokens, all_namespaces: all_namespaces}
+  end
+end

apps/astarte_pairing/test/astarte_pairing/fdo/open_bao/open_bao_test.exs

@@ -0,0 +1,43 @@
+#
+# This file is part of Astarte.
+#
+# Copyright 2026 SECO Mind Srl
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+defmodule Astarte.Pairing.FDO.OpenBaoTest do
+  use ExUnit.Case, async: true
+  use Mimic
+
+  alias Astarte.Pairing.FDO.OpenBao
+  alias Astarte.Pairing.FDO.OpenBao.Core
+
+  import Astarte.Helpers.OpenBao
+
+  describe "create_namespace/3" do
+    setup :namespace_tokens_setup
+
+    test "calls core functions", context do
+      %{realm_name: realm_name, user_id: user_id, key_algorithm: key_algorithm} = context
+
+      ref = System.unique_integer()
+
+      Core
+      |> expect(:namespace_tokens, fn ^realm_name, ^user_id, ^key_algorithm -> ref end)
+      |> expect(:create_nested_namespace, fn ^ref -> {:ok, ""} end)
+
+      assert {:ok, _} = OpenBao.create_namespace(realm_name, user_id, key_algorithm)
+    end
+  end
+end