mizzet1
diff --git a/‎.github/workflows/astarte-end-to-end-test-workflow.yaml‎
Lines changed: 137 additions & 0 deletions b/‎.github/workflows/astarte-end-to-end-test-workflow.yaml‎
Lines changed: 137 additions & 0 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 9 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎apps/astarte_appengine_api/test/support/helpers/database.ex‎
Lines changed: 11 additions & 0 deletions b/‎apps/astarte_appengine_api/test/support/helpers/database.ex‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎apps/astarte_appengine_api/test/support/helpers/database_v2.ex‎
Lines changed: 10 additions & 0 deletions b/‎apps/astarte_appengine_api/test/support/helpers/database_v2.ex‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎apps/astarte_data_updater_plant/test/support/database_test_helper.ex‎
Lines changed: 10 additions & 0 deletions b/‎apps/astarte_data_updater_plant/test/support/database_test_helper.ex‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎apps/astarte_data_updater_plant/test/support/helpers/database.ex‎
Lines changed: 22 additions & 1 deletion b/‎apps/astarte_data_updater_plant/test/support/helpers/database.ex‎
Lines changed: 22 additions & 1 deletion
diff --git a/‎apps/astarte_housekeeping/lib/astarte_housekeeping/realms/queries.ex‎
Lines changed: 54 additions & 0 deletions b/‎apps/astarte_housekeeping/lib/astarte_housekeeping/realms/queries.ex‎
Lines changed: 54 additions & 0 deletions
diff --git a/‎apps/astarte_housekeeping/priv/migrations/realm/0009_create_ownership_vouchers_table.sql‎
Lines changed: 6 additions & 0 deletions b/‎apps/astarte_housekeeping/priv/migrations/realm/0009_create_ownership_vouchers_table.sql‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎apps/astarte_housekeeping/priv/migrations/realm/0010_create_device_session_table.sql‎
Lines changed: 28 additions & 0 deletions b/‎apps/astarte_housekeeping/priv/migrations/realm/0010_create_device_session_table.sql‎
Lines changed: 28 additions & 0 deletions
@@ -24,10 +24,15 @@ on:
 env:
   elixir_version: "1.15"
   otp_version: "26.1"
+  CLEA_DEV_BASE: ""
+  CLEA_DEV_REALM: ""
+  CLEA_DEV_REALM_TOKEN: ""
+  BOARD_BASE_URL: ""
 
 jobs:
   e2e-build:
     uses: ./.github/workflows/astarte-e2e-build-workflow.yaml
+
   astarte-build:
     uses: ./.github/workflows/astarte-build-workflow.yaml
 
@@ -60,6 +65,80 @@ jobs:
           wget https://github.com/astarte-platform/wait-for-astarte-docker-compose/releases/download/v1.1.0/wait-for-astarte-docker-compose_1.1.0_linux_amd64.tar.gz
           tar xf wait-for-astarte-docker-compose_1.1.0_linux_amd64.tar.gz
           ./wait-for-astarte-docker-compose
+    - uses: actions/checkout@v2
+    - name: Initialize docker compose files
+      run: docker run -v $(pwd)/compose:/compose astarte/docker-compose-initializer
+    - name: Restore astarte images
+      uses: actions/download-artifact@v4
+      with:
+        name: astarte-images
+        path: ${{ runner.temp }}
+    - name: Restore astarte e2e image
+      uses: actions/download-artifact@v4
+      with:
+        name: astarte-e2e-image
+        path: ${{ runner.temp }}
+    - name: Load astarte images
+      run: ls ${{ runner.temp }}/*.tar | xargs --max-args 1 docker load --input
+    - name: Start all Astarte services
+      run: docker compose up -d
+    - name: Wait for Astarte to come up
+      run: |
+        wget https://github.com/astarte-platform/wait-for-astarte-docker-compose/releases/download/v1.1.0/wait-for-astarte-docker-compose_1.1.0_linux_amd64.tar.gz
+        tar xf wait-for-astarte-docker-compose_1.1.0_linux_amd64.tar.gz
+        ./wait-for-astarte-docker-compose
+    - name: Install astartectl
+      run: |
+        wget https://github.com/astarte-platform/astartectl/releases/download/v22.11.02/astartectl_22.11.02_linux_x86_64.tar.gz
+        tar xf astartectl_22.11.02_linux_x86_64.tar.gz
+        chmod +x astartectl
+    - name: Generate realm keypair and JWT
+      run: |
+        ./astartectl utils gen-keypair test
+        E2E_HOUSEKEEPING_API_JWT=$(./astartectl utils gen-jwt housekeeping -k compose/astarte-keys/housekeeping_private.pem)
+        echo "E2E_HOUSEKEEPING_API_JWT=$E2E_HOUSEKEEPING_API_JWT" >> $GITHUB_ENV
+    - name: Generate JWT
+      run: |
+        JWT=$(./astartectl utils gen-jwt appengine channels pairing realm-management -k test_private.pem)
+        echo "E2E_JWT=$JWT" >> $GITHUB_ENV
+    - name: Run Astarte E2E
+      working-directory: tools/astarte_e2e
+      env:
+        E2E_HOST: "astarte-e2e"
+        E2E_PAIRING_URL: http://api.astarte.localhost/pairing
+        E2E_APPENGINE_URL: http://api.astarte.localhost/appengine
+        E2E_HOUSEKEEPING_URL: http://api.astarte.localhost/housekeeping
+        E2E_REALM_MANAGEMENT_URL: http://api.astarte.localhost/realmmanagement
+        E2E_AMQP_CONSUMER_HOST: rabbitmq
+        E2E_IGNORE_SSL_ERRORS: true
+        E2E_CHECK_INTERVAL_SECONDS: 5
+        E2E_CHECK_REPETITIONS: 5
+        E2E_MAILER_TO_ADDRESS: mail@example.com
+        E2E_MAIL_SUBJECT: "Subj: Astarte Notification"
+      run: |
+       docker run \
+        -e E2E_REALM_PUBLIC_KEY_PEM="$(cat ../../test_public.pem)" \
+        --env-file=<(env | grep '^E2E_' | grep -v '^E2E_REALM_PUBLIC_KEY_PEM=') \
+        --network astarte \
+        --hostname "$E2E_HOST" \
+        astarte-e2e
+    - name: Check Docker
+      if: ${{ failure() }}
+      run: docker compose logs
+    - name: Bring down Astarte docker-compose
+      run: docker compose down
+
+  fdo-end-to-end:
+    needs: [astarte-build]
+    name: FDO end-to-end Test
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout fdo e2e repo
+        uses: actions/checkout@v6
+        with:
+          repository: astarte-platform/astarte-device-fdo-rust
+          ref: dev
+      - uses: ./.github/actions/install-deps
       - name: Install astartectl
         run: |
           wget https://github.com/astarte-platform/astartectl/releases/download/v22.11.02/astartectl_22.11.02_linux_x86_64.tar.gz
@@ -100,3 +179,61 @@ jobs:
         run: docker compose logs
       - name: Bring down Astarte docker-compose
         run: docker compose down
+          mkdir -p ${{ runner.temp }}/bin
+          mv ./astartectl ${{ runner.temp }}/bin
+          echo ${{ runner.temp }}/bin >> "$GITHUB_PATH"
+      - name: Install additional dependencies
+        run: |
+          sudo apt-get install -y openssl jq
+      - uses: actions/checkout@v6
+        name: checkout astarte
+        with:
+          path: .tmp/repos/astarte
+      - name: Restore astarte images
+        uses: actions/download-artifact@v4
+        with:
+          name: astarte-images
+          path: ${{ runner.temp }}
+      - name: Initialize keys
+        working-directory: .tmp/repos/astarte
+        run: |
+          docker run -v $(pwd)/compose:/compose astarte/docker-compose-initializer
+          astartectl utils gen-keypair test
+      - name: Load astarte images
+        run: ls ${{ runner.temp }}/*.tar | xargs --max-args 1 docker load --input
+      - name: Enable FDO
+        run: echo "PAIRING_ENABLE_FDO=true" >> .tmp/repos/astarte/.env
+      - name: Start all Astarte services
+        working-directory: .tmp/repos/astarte
+        run: docker compose up -d
+      - uses: actions-rust-lang/setup-rust-toolchain@v1.15.2
+      - uses: mozilla-actions/sccache-action@v0.0.9
+      - name: Cache container build
+        id: cache-container
+        uses: actions/cache@v4.3.0
+        with:
+          path: .tmp/cache/containers
+          key: ${{ runner.os }}-${{ hashFiles('justfile', 'scripts/**/*.sh', 'containers/**') }}
+      - name: Install just
+        uses: taiki-e/install-action@v2.49.43
+        with:
+          tool: just
+      - run: just go-server-setup
+      - name: Wait for Astarte to come up
+        run: |
+          wget https://github.com/astarte-platform/wait-for-astarte-docker-compose/releases/download/v1.1.0/wait-for-astarte-docker-compose_1.1.0_linux_amd64.tar.gz
+          tar xf wait-for-astarte-docker-compose_1.1.0_linux_amd64.tar.gz
+          ./wait-for-astarte-docker-compose
+      - name: Create realm
+        working-directory: .tmp/repos/astarte
+        run: |
+          astartectl housekeeping realms create -y "test" \
+            --astarte-url "http://api.astarte.localhost" \
+            --realm-public-key "test_public.pem" \
+            -k compose/astarte-keys/housekeeping_private.pem
+      - name: Run FDO
+        run: just astarte-run
+      - name: Check Docker
+        working-directory: .tmp/repos/astarte
+        if: ${{ failure() }}
+        run: docker compose logs astarte-pairing
@@ -21,6 +21,15 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [1.3.0-rc.1] - 2026-01-26
 
+## [1.3.0] - Unreleased
+- [astarte_pairing] FDO authentication (EXPERIMENTAL feature, disabled by default). New environment variables are needed in order to use FDO:
+  - `PAIRING_ENABLE_FDO` - whether the FDO feature is enabled or not (default: false)
+  - `PAIRING_FDO_RENDEZVOUS_URL` - URL of the rendezvous server (default: "http://rendezvous:8041")
+  - `ASTARTE_BASE_URL_DOMAIN` - domain part of the base URL of astarte, used by devices to connect in TO2 phase (required if FDO enabled)
+  - `ASTARTE_BASE_URL_PORT` - port of the base URL of astarte (required if FDO enabled)
+  - `ASTARTE_BASE_URL_PROTOCOL` - protocol of the base URL of astarte (required if FDO enabled)
+
+## [1.3.0-rc.0] - 2025-11-21
 ### Added
 
 - New environment variables for trigger notifications between realm management replicas and realm management -> pairing. These variables are currently being used only by realm management
 
@@ -109,6 +109,15 @@ defmodule Astarte.Helpers.Database do
   );
   """
 
+  @create_ownership_vouchers_table """
+  CREATE TABLE #{Realm.keyspace_name(@test_realm)}.ownership_vouchers (
+     private_key blob,
+     voucher_data blob,
+     device_id uuid,
+     PRIMARY KEY (device_id, voucher_data)
+   );
+  """
+
   @create_devices_table """
       CREATE TABLE #{Realm.keyspace_name(@test_realm)}.devices (
         device_id uuid,
@@ -435,6 +444,8 @@ defmodule Astarte.Helpers.Database do
       {:ok, _} ->
         Repo.query!(@create_capabilities_type)
 
+        Repo.query!(@create_ownership_vouchers_table)
+
         Repo.query!(@create_devices_table)
 
         Repo.query!(@create_deletion_in_progress_table)
 
@@ -69,6 +69,15 @@ defmodule Astarte.Helpers.DatabaseV2 do
   );
   """
 
+  @create_ownership_vouchers_table """
+  CREATE TABLE :keyspace.ownership_vouchers (
+      private_key blob,
+      voucher_data blob,
+      device_id uuid,
+      PRIMARY KEY (device_id, voucher_data)
+   );
+  """
+
   @create_devices_table """
   CREATE TABLE :keyspace.devices (
     device_id uuid,
@@ -249,6 +258,7 @@ defmodule Astarte.Helpers.DatabaseV2 do
     realm_keyspace = Realm.keyspace_name(realm_name)
     execute!(realm_keyspace, @create_keyspace)
     execute!(realm_keyspace, @create_capabilities_type)
+    execute!(realm_keyspace, @create_ownership_vouchers_table)
     execute!(realm_keyspace, @create_devices_table)
     execute!(realm_keyspace, @create_groups_table)
     execute!(realm_keyspace, @create_names_table)
 
@@ -53,6 +53,15 @@ defmodule Astarte.DataUpdaterPlant.DatabaseTestHelper do
     );
   """
 
+  @create_ownership_vouchers_table """
+  CREATE TABLE :keyspace.ownership_vouchers (
+      private_key blob,
+      voucher_data blob,
+      device_id uuid,
+     PRIMARY KEY (device_id, voucher_data)
+   );
+  """
+
   @create_devices_table """
       CREATE TABLE :keyspace.devices (
         device_id uuid,
@@ -369,6 +378,7 @@ defmodule Astarte.DataUpdaterPlant.DatabaseTestHelper do
     case execute(keyspace_name, @create_autotestrealm) do
       {:ok, _} ->
         execute!(keyspace_name, @create_capabilities_type)
+        execute!(keyspace_name, @create_ownership_vouchers_table)
         execute!(keyspace_name, @create_devices_table)
         execute!(keyspace_name, @create_endpoints_table)
 
 
@@ -75,6 +75,15 @@ defmodule Astarte.Helpers.Database do
   );
   """
 
+  @create_ownership_vouchers_table """
+  CREATE TABLE :keyspace.ownership_vouchers (
+      private_key blob,
+      voucher_data blob,
+      device_id uuid,
+     PRIMARY KEY (device_id, voucher_data)
+   );
+  """
+
   @create_devices_table """
   CREATE TABLE :keyspace.devices (
     device_id uuid,
@@ -101,7 +110,6 @@ defmodule Astarte.Helpers.Database do
     last_seen_ip inet,
     attributes map<varchar, varchar>,
     capabilities capabilities,
-
     groups map<text, timeuuid>,
 
     PRIMARY KEY (device_id)
@@ -319,6 +327,19 @@ defmodule Astarte.Helpers.Database do
     execute!(realm_keyspace, @create_individual_datastreams_table, [], timeout: 60_000)
     execute!(realm_keyspace, @create_interfaces_table, [], timeout: 60_000)
     execute!(realm_keyspace, @create_deletion_in_progress_table, [], timeout: 60_000)
+    execute!(realm_keyspace, @create_keyspace)
+    execute!(realm_keyspace, @create_capabilities_type)
+    execute!(realm_keyspace, @create_ownership_vouchers_table)
+    execute!(realm_keyspace, @create_devices_table)
+    execute!(realm_keyspace, @create_groups_table)
+    execute!(realm_keyspace, @create_names_table)
+    execute!(realm_keyspace, @create_kv_store)
+    execute!(realm_keyspace, @create_endpoints_table)
+    execute!(realm_keyspace, @create_simple_triggers_table)
+    execute!(realm_keyspace, @create_individual_properties_table)
+    execute!(realm_keyspace, @create_individual_datastreams_table)
+    execute!(realm_keyspace, @create_interfaces_table)
+    execute!(realm_keyspace, @create_deletion_in_progress_table)
 
     Enum.each(@insert_endpoints, fn query ->
       execute!(realm_keyspace, query, [], timeout: 60_000)
 
@@ -260,6 +260,8 @@ defmodule Astarte.Housekeeping.Realms.Queries do
          :ok <- create_simple_triggers_table(keyspace_name),
          :ok <- create_grouped_devices_table(keyspace_name),
          :ok <- create_deletion_in_progress_table(keyspace_name),
+         :ok <- create_ownership_vouchers_table(keyspace_name),
+         :ok <- create_to2_sessions_table(keyspace_name),
          :ok <- insert_realm_public_key(keyspace_name, public_key_pem),
          :ok <- insert_realm_astarte_schema_version(keyspace_name),
          :ok <- insert_realm(realm_name, device_limit),
@@ -599,6 +601,58 @@ defmodule Astarte.Housekeeping.Realms.Queries do
     end
   end
 
+  defp create_ownership_vouchers_table(keyspace_name) do
+    query = """
+    CREATE TABLE #{keyspace_name}.ownership_vouchers (
+      private_key blob,
+      voucher_data blob,
+      guid blob,
+      PRIMARY KEY (guid)
+    );
+    """
+
+    with {:ok, %{rows: nil, num_rows: 1}} <- CSystem.execute_schema_change(query) do
+      :ok
+    end
+  end
+
+  defp create_to2_sessions_table(keyspace_name) do
+    query = """
+    CREATE TABLE #{keyspace_name}.to2_sessions (
+      guid blob,
+      device_id uuid,
+      hmac blob,
+      nonce blob,
+      sig_type int,
+      epid_group blob,
+      device_public_key blob,
+      prove_dv_nonce blob,
+      setup_dv_nonce blob,
+      kex_suite_name ascii,
+      cipher_suite_name int,
+      max_owner_service_info_size int,
+      owner_random blob,
+      secret blob,
+      sevk blob,
+      svk blob,
+      sek blob,
+      device_service_info map<tuple<text, text>, blob>,
+      owner_service_info list<blob>,
+      last_chunk_sent int,
+      replacement_guid blob,
+      replacement_rv_info blob,
+      replacement_pub_key blob,
+      replacement_hmac blob,
+      PRIMARY KEY (guid)
+    )
+    WITH default_time_to_live = 7200;
+    """
+
+    with {:ok, %{rows: nil, num_rows: 1}} <- CSystem.execute_schema_change(query) do
+      :ok
+    end
+  end
+
   defp create_grouped_devices_table(keyspace_name) do
     query = """
     CREATE TABLE #{keyspace_name}.grouped_devices (
 
@@ -0,0 +1,6 @@
+CREATE TABLE :keyspace.ownership_vouchers (
+  private_key blob,
+  voucher_data blob,
+  guid blob,
+  PRIMARY KEY (guid)
+);
@@ -0,0 +1,28 @@
+CREATE TABLE :keyspace.to2_sessions (
+  guid blob,
+  device_id uuid,
+  hmac blob,
+  nonce blob,
+  sig_type int,
+  epid_group blob,
+  device_public_key blob,
+  prove_dv_nonce blob,
+  setup_dv_nonce blob,
+  kex_suite_name ascii,
+  cipher_suite_name int,
+  max_owner_service_info_size int,
+  owner_random blob,
+  secret blob,
+  sevk blob,
+  svk blob,
+  sek blob,
+  device_service_info map<tuple<text, text>, blob>,
+  owner_service_info list<blob>,
+  last_chunk_sent int,
+  replacement_guid blob,
+  replacement_rv_info blob,
+  replacement_pub_key blob,
+  replacement_hmac blob,
+  PRIMARY KEY (guid)
+)
+WITH default_time_to_live = 7200;