From 0734e1a5d15453c48652e3f2f59823f678107025 Mon Sep 17 00:00:00 2001
From: Anton Belodedenko <2033996+ab77@users.noreply.github.com>
Date: Thu, 23 May 2024 07:12:30 -0700
Subject: [PATCH] remove unnecessary privileges (Redis)
* pin Redis to v7.2 (BSD license)
* enable release asset functionality
---
 Makefile | 2 +-
 docker-compose.yml | 10 ++++----
 src/balena-tests/balena.sh | 52 ++++++++++++++++++++++++++++----------
 3 files changed, 45 insertions(+), 19 deletions(-)
diff --git a/Makefile b/Makefile
index 9f59fd1132..f733dae1c7 100644
--- a/Makefile
+++ b/Makefile
@@ -87,7 +87,7 @@ restart: ## Restart all services
 .PHONY: update
 update: # Pull and deploy latest changes from git
 @git pull
- @(MAKE) up
+ @$(MAKE) up
 .PHONY: destroy ## Stop and remove any existing containers and volumes
 destroy:
diff --git a/docker-compose.yml b/docker-compose.yml
index c6d174c2b2..0071389906 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -79,7 +79,7 @@ services:
 *with-default-privileges,
 *with-default-volumes,
 ]
- image: balena/open-balena-api:v22.0.0
+ image: balena/open-balena-api:v22.2.0
 depends_on:
 - db
 - redis
@@ -110,6 +110,8 @@ services:
 TRUST_PROXY: 172.16.0.0/12
 VPN_PORT: 443
 WEBRESOURCES_S3_BUCKET: web-resources
+ WEBRESOURCES_S3_REGION: "us-east-1" # this is required for minio
+ HIDE_UNVERSIONED_ENDPOINT: "false"
 # https://github.com/balena-io/open-balena-registry
 registry:
@@ -187,10 +189,8 @@ services:
 # https://hub.docker.com/_/redis
 redis:
 <<: *base-service
- image: redis:alpine
- cap_add:
- - SYS_RESOURCE
- - SYS_ADMIN
+ # https://redis.io/blog/what-redis-license-change-means-for-our-managed-service-providers/
+ image: redis:7.2-alpine
 volumes:
 - redis-data:/data
 healthcheck:
diff --git a/src/balena-tests/balena.sh b/src/balena-tests/balena.sh
index 678291d453..29feffefaf 100755
--- a/src/balena-tests/balena.sh
+++ b/src/balena-tests/balena.sh
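Review bot: `HIDE_UNVERSIONED_ENDPOINT: "false"` in the api service environment has no comment, although the region line added next to it does. Going by the name alone, it keeps an unversioned endpoint exposed, which is a surface-area choice a later reader will want a reason for; the commit message does not mention it by name. A trailing comment such as `# keep the unversioned endpoint reachable for <consumer>; TODO confirm` would record the intent. The environment block starts above this hunk, so whether other settings depend on it is not visible here.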
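Review bot: `image: redis:7.2-alpine` is still a floating tag, so patch releases and Alpine base rebuilds arrive without any change to this file; if reproducible deployments matter here, add a digest, `image: redis:7.2-alpine@sha256:<digest>`. The comment above the image line is only a link, and a worded reason such as `# stay on 7.2 (BSD-licensed); see link below` would survive the link going stale. Dropping `SYS_RESOURCE` and `SYS_ADMIN` is the right direction for least privilege; it is worth confirming on a fresh start that the container log shows nothing worse than warnings about settings Redis can no longer adjust. The redis service definition continues below the hunk, so the healthcheck and anything inherited from `*base-service` are not visible here.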
@@ -52,7 +52,7 @@ function update_ca_certificates() {
 if [[ -e "${CERTS}/ca-bundle.pem" ]]; then
 if [[ "$(readlink -f "${CERTS}/${TLD}-chain.pem")" =~ \/private\/ ]]; then
 mkdir -p /usr/local/share/ca-certificates
- cat < "${CERTS}/ca-bundle.pem" > /usr/local/share/ca-certificates/balenaRootCA.crt
+ cat <"${CERTS}/ca-bundle.pem" > /usr/local/share/ca-certificates/balenaRootCA.crt
 # shellcheck disable=SC2034
 CURL_CA_BUNDLE=${CURL_CA_BUNDLE:-${CERTS}/ca-bundle.pem}
 NODE_EXTRA_CA_CERTS=${NODE_EXTRA_CA_CERTS:-${CURL_CA_BUNDLE}}
@@ -62,7 +62,7 @@ function update_ca_certificates() {
 # ... or
 # https://thomas-leister.de/en/how-to-import-ca-root-certificate/
 # https://github.com/puppeteer/puppeteer/issues/2377
- ROOT_CA=${ROOT_CA:-$(cat < "${NODE_EXTRA_CA_CERTS}" | openssl base64 -A)}
+ ROOT_CA=${ROOT_CA:-$(cat <"${NODE_EXTRA_CA_CERTS}" | openssl base64 -A)}
 else
 rm -f /usr/local/share/ca-certificates/balenaRootCA.crt
 unset NODE_EXTRA_CA_CERTS CURL_CA_BUNDLE ROOT_CA
@@ -140,7 +140,7 @@ function configure_virtual_device() {
 function check_device_status() {
 if [[ -e /balena/config.json ]]; then
- balena_device_uuid="$(cat < /balena/config.json | jq -r .uuid)"
+ balena_device_uuid="$(cat