build(docker): init openbao (#1844)

it is now possible to select the authentication mechanism for openbao
(for now only token is supported)

when using a token as authentication method with openbao, this token is
added by default to client requests, unless another token is specified

Signed-off-by: Francesco Noacco <francesco.noacco@secomind.com>

Author: noaccOS

.env

@@ -19,3 +19,6 @@ VERNEMQ_ENABLE_SSL_LISTENER=true
 
 CLUSTERING_STRATEGY=docker-compose
 RELEASE_COOKIE=astarte-docker-compose
+
+ASTARTE_OPENBAO_AUTHENTICATION_MECHANISM="token"
+ASTARTE_OPENBAO_TOKEN="astarte_token"

apps/astarte_pairing/config/test.exs

@@ -103,5 +103,7 @@ config :astarte_pairing, :base_url_port, 4003
 config :astarte_pairing, :base_url_protocol, :http
 config :astarte_pairing, :enable_credential_reuse, true
 
+config :astarte_pairing, bao_authentication_mechanism: :token, bao_token: ""
+
 config :bcrypt_elixir,
   log_rounds: 4

apps/astarte_pairing/lib/astarte_pairing/config.ex

@@ -27,6 +27,7 @@ defmodule Astarte.Pairing.Config do
   alias Astarte.Pairing.Config
   alias Astarte.Pairing.Config.BaseURLProtocol
   alias Astarte.Pairing.Config.CQExNodes
+  alias Astarte.Pairing.Config.OpenBaoAuthenticationMechanism
 
   @envdoc "The external broker URL which should be used by devices."
   app_env :broker_url, :astarte_pairing, :broker_url,
@@ -81,12 +82,26 @@ defmodule Astarte.Pairing.Config do
     type: :binary,
     default: "http://rendezvous:8041"
 
-  # TODO: properly set default value once available in docker-compose
   @envdoc "The URL to access OpenBao."
   app_env :bao_url, :astarte_pairing, :bao_url,
     os_env: "ASTARTE_OPENBAO_URL",
     type: :binary,
-    default: ""
+    default: "http://localhost:8200"
+
+  @envdoc "Internal variable used to store bao authentication"
+  app_env :bao_authentication, :astarte_pairing, :bao_authentication,
+    binding_skip: [:system],
+    type: :any
+
+  @envdoc "The mechanism to use for authenticating with OpenBao"
+  app_env :bao_authentication_mechanism, :astarte_pairing, :bao_authentication_mechanism,
+    os_env: "ASTARTE_OPENBAO_AUTHENTICATION_MECHANISM",
+    type: OpenBaoAuthenticationMechanism
+
+  @envdoc "Token to authenticate with OpenBao"
+  app_env :bao_token, :astarte_pairing, :bao_token,
+    os_env: "ASTARTE_OPENBAO_TOKEN",
+    type: :binary
 
   @envdoc "Enable SSL for the OpenBao connection. If not specified, SSL is disabled."
   app_env :bao_ssl_enabled, :astarte_housekeeping, :bao_ssl_enabled,
@@ -169,6 +184,9 @@ defmodule Astarte.Pairing.Config do
       if !Enum.all?(variables_to_check, &variable_set?(&1)) do
         raise "FDO feature is enabled but not all its parameters are configured"
       end
+
+      parse_bao_authentication!()
+      |> put_bao_authentication()
     end
   end
 
@@ -226,4 +244,17 @@ defmodule Astarte.Pairing.Config do
         false
     end
   end
+
+  defp parse_bao_authentication! do
+    case Config.bao_authentication_mechanism!() do
+      nil ->
+        raise "OpenBao authentication method not set"
+
+      :token ->
+        case Config.bao_token!() do
+          nil -> raise "OpenBao token not set"
+          token -> {:token, token}
+        end
+    end
+  end
 end

apps/astarte_pairing/lib/astarte_pairing/config/openbao_authentication_mechanism.ex

@@ -0,0 +1,41 @@
+#
+# This file is part of Astarte.
+#
+# Copyright 2026 SECO Mind Srl
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+defmodule Astarte.Pairing.Config.OpenBaoAuthenticationMechanism do
+  @moduledoc """
+  The mechanism to use to authenticate with OpenBao
+  """
+
+  use Skogsra.Type
+
+  @methods [:token]
+  @methods_map Map.new(@methods, &{Atom.to_string(&1), &1})
+
+  @impl Skogsra.Type
+  def cast(value) when is_binary(value) do
+    Map.fetch(@methods_map, value)
+  end
+
+  @impl Skogsra.Type
+  def cast(value) when value in @methods, do: {:ok, value}
+
+  @impl Skogsra.Type
+  def cast(_), do: :error
+end

apps/astarte_pairing/lib/astarte_pairing/fdo/open_bao/client.ex

@@ -38,4 +38,26 @@ defmodule Astarte.Pairing.FDO.OpenBao.Client do
 
     Keyword.merge(auth_opts, options)
   end
+
+  @impl true
+  def process_request_headers(headers) do
+    case Config.bao_authentication() do
+      {:ok, {:token, token}} ->
+        maybe_add_default_token(headers, token)
+
+      _ ->
+        headers
+    end
+  end
+
+  defp maybe_add_default_token(headers, token) do
+    # If the token is not already set, add the default token
+    case Enum.find(headers, &authentication_header?/1) do
+      nil -> [{"X-Vault-Token", token} | headers]
+      _ -> headers
+    end
+  end
+
+  defp authentication_header?({header, _value}),
+    do: String.downcase(header, :ascii) in ["x-vault-token", "authorization"]
 end

apps/astarte_pairing/test/astarte_pairing/fdo/open_bao/client_test.exs

@@ -95,6 +95,54 @@ defmodule Astarte.Pairing.FDO.OpenBao.ClientTest do
     end
   end
 
+  describe "using token authentication" do
+    setup :token_authentication
+
+    test "the token header is not added if the 'Authorization' header exists" do
+      path = "/example"
+      new_token = UUID.uuid4()
+      bearer = "Bearer " <> new_token
+
+      validate_request(fn _method, _url, headers, _body, _opts ->
+        assert [bearer] == get_header(headers, "authorization")
+        assert [] == get_header(headers, "x-vault-token")
+      end)
+
+      Client.get(path, [{"Authorization", bearer}])
+    end
+
+    test "the token header is not added if the 'X-Vault-Token' header exists" do
+      path = "/example"
+      new_token = UUID.uuid4()
+
+      validate_request(fn _method, _url, headers, _body, _opts ->
+        assert [] == get_header(headers, "authorization")
+        assert [new_token] == get_header(headers, "x-vault-token")
+      end)
+
+      Client.get(path, [{"X-Vault-Token", new_token}])
+    end
+
+    test "adds the vault token if no other token is specified", %{token: token} do
+      path = "/example"
+
+      validate_request(fn _method, _url, headers, _body, _opts ->
+        assert [] == get_header(headers, "authorization")
+        assert [token] == get_header(headers, "x-vault-token")
+      end)
+
+      Client.get(path)
+    end
+  end
+
+  defp token_authentication(_context) do
+    token = UUID.uuid4()
+    stub(Config, :bao_authentication, fn -> {:ok, {:token, token}} end)
+    stub(Config, :bao_authentication!, fn -> {:token, token} end)
+
+    %{token: token}
+  end
+
   defp enable_ssl(_context) do
     stub(Config, :bao_ssl_enabled!, fn -> true end)
     :ok
@@ -106,4 +154,11 @@ defmodule Astarte.Pairing.FDO.OpenBao.ClientTest do
       {:ok, 200, []}
     end)
   end
+
+  defp get_header(headers, header) do
+    Enum.filter(headers, fn {header_name, _} ->
+      String.downcase(header_name) == header
+    end)
+    |> Enum.map(fn {_header, value} -> value end)
+  end
 end

docker-compose.yml

@@ -68,6 +68,7 @@ services:
       ASTARTE_BASE_URL_PROTOCOL: "http"
       PAIRING_FDO_RENDEZVOUS_URL: "http://rendezvous:8041"
       PAIRING_FDO_ENABLE_CREDENTIAL_REUSE: true
+      ASTARTE_OPENBAO_URL: "http://openbao:8200"
     restart: on-failure
     depends_on:
       - "rabbitmq"
@@ -216,6 +217,10 @@ services:
           - broker.${DOCKER_COMPOSE_ASTARTE_BASE_DOMAIN}
           - ${FDO_REALM:-test}.api.${DOCKER_COMPOSE_ASTARTE_BASE_DOMAIN}
 
+  openbao:
+    image: openbao/openbao:2
+    command: server -dev -dev-root-token-id="${ASTARTE_OPENBAO_TOKEN}"
+
   rendezvous:
     image: astarte/go-fdo-server:ade68cda47-20251128
     restart: on-failure