From 7229840bed39351fbb9fad188484629db4faaca1 Mon Sep 17 00:00:00 2001
From: Anton Belodedenko <2033996+ab77@users.noreply.github.com>
Date: Thu, 23 May 2024 12:36:26 -0700
Subject: [PATCH] add release asset test

---
 .github/workflows/tests.yml |  13 +++++
 docker-compose.yml          |   3 +-
 docs/getting-started.md     |   7 +--
 src/balena-tests/Dockerfile |   2 +-
 src/balena-tests/balena.sh  | 105 ++++++++++++++++++++----------------
 5 files changed, 79 insertions(+), 51 deletions(-)

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 94981aaaae..667efa473b 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -242,6 +242,9 @@ jobs:
         with_backoff balena env add REGISTRY2_S3_REGION_ENDPOINT 's3.${{ env.SUBDOMAIN }}.${{ inputs.dns_tld }}' \
           --device '${{ steps.register-test-device.outputs.balena_device_uuid }}'
 
+        with_backoff balena env add WEBRESOURCES_S3_HOST 's3.${{ env.SUBDOMAIN }}.${{ inputs.dns_tld }}' \
+          --device '${{ steps.register-test-device.outputs.balena_device_uuid }}'
+
         # https://github.com/balena-io/cert-manager/blob/master/entry.sh#L255-L278
         # cert-manager will restore the last wildcard certificate from AWS/S3 to avoid
         # being rate limited by LetsEncrypt/ACME
@@ -259,6 +262,16 @@ jobs:
         with_backoff balena env add ORG_UNIT openBalena \
           --device '${{ steps.register-test-device.outputs.balena_device_uuid }}'
 
+
+        # unstable/unsupported functionality
+        with_backoff balena env add HIDE_UNVERSIONED_ENDPOINT 'false' \
+          --service api \
+          --device '${{ steps.register-test-device.outputs.balena_device_uuid }}'
+
+        with_backoff balena env add RELEASE_ASSETS_TEST 'true' \
+          --service sut \
+          --device '${{ steps.register-test-device.outputs.balena_device_uuid }}'
+
     - name: configure test device secrets
       if: ${{ github.event_name == 'pull_request' && github.event.action != 'closed'}}
       run: |
diff --git a/docker-compose.yml b/docker-compose.yml
index 0071389906..b7396896d6 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -79,7 +79,7 @@ services:
       *with-default-privileges,
       *with-default-volumes,
     ]
-    image: balena/open-balena-api:v22.2.0
+    image: balena/open-balena-api:v22.2.2
     depends_on:
       - db
       - redis
@@ -111,7 +111,6 @@ services:
       VPN_PORT: 443
       WEBRESOURCES_S3_BUCKET: web-resources
       WEBRESOURCES_S3_REGION: "us-east-1"  # this is required for minio
-      HIDE_UNVERSIONED_ENDPOINT: "false"
 
   # https://github.com/balena-io/open-balena-registry
   registry:
diff --git a/docs/getting-started.md b/docs/getting-started.md
index 4d5e68fd08..9cbf94f93a 100644
--- a/docs/getting-started.md
+++ b/docs/getting-started.md
@@ -186,8 +186,8 @@ Start-Service -Name Docker
 
 ### SSL Configuration
 
-opeBalena server supports automatic SSL configuration via ACME protocol using **one** of
-the following DNS providers:
+opeBalena server now uses automatic SSL configuration via ACME [DNS-01] challenge. Support
+for the following DNS providers is currently implemented:
 
 * Cloudflare
 * Gandi
@@ -221,7 +221,7 @@ make verify
 
 openBalena server also supports custom/manual TLS configuration. You must supply your own
 SSL certificate, private key and a full certificate signing chain. A wildcard SSL
-certificate covering the while domain is recommended.
+certificate covering the whole domain is recommended.
 
 1. After obtaining your certificate, run the following commands on openBalena server:
 
@@ -476,3 +476,4 @@ Enjoy Balenafying All the Things!
 [Docker Engine]: https://docs.docker.com/engine/install
 [Change cgroup version]: https://docs.docker.com/config/containers/runmetrics/#changing-cgroup-version
 [composition]: https://github.com/balena-io/open-balena/blob/master/docker-compose.yml
+[DNS-01]: https://letsencrypt.org/docs/challenge-types/#dns-01-challenge
diff --git a/src/balena-tests/Dockerfile b/src/balena-tests/Dockerfile
index 84bf60e2da..c1308ac082 100644
--- a/src/balena-tests/Dockerfile
+++ b/src/balena-tests/Dockerfile
@@ -1,7 +1,7 @@
 FROM ubuntu:22.04
 
 # renovate: datasource=github-releases depName=balena-io/balena-cli
-ARG BALENA_CLI_VERSION=v18.2.0
+ARG BALENA_CLI_VERSION=v18.2.2
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
 	bash \
diff --git a/src/balena-tests/balena.sh b/src/balena-tests/balena.sh
index 29feffefaf..815a4c06ed 100755
--- a/src/balena-tests/balena.sh
+++ b/src/balena-tests/balena.sh
@@ -3,7 +3,13 @@
 # shellcheck disable=SC2154,SC2034,SC1090
 set -ae
 
-[[ $VERBOSE =~ on|On|Yes|yes|true|True ]] && set -x
+curl_opts="--retry 3 --fail"
+if [[ $VERBOSE =~ on|On|Yes|yes|true|True ]]; then
+    set -x
+    curl_opts="${curl_opts} --verbose"
+else
+    curl_opts="${curl_opts} --silent"
+fi
 
 source /usr/sbin/functions
 
@@ -20,6 +26,7 @@ function remove_update_lock() {
 }
 
 function cleanup() {
+   shutdown_dut
    remove_test_assets
    remove_update_lock
 
@@ -28,14 +35,22 @@ function cleanup() {
 }
 trap 'cleanup' EXIT
 
+function shutdown_dut() {
+    local balena_device_uuid
+    balena_device_uuid="$(cat </balena/config.json | jq -r .uuid)"
+
+    if [[ -n $balena_device_uuid ]]; then
+        with_backoff balena device "${balena_device_uuid}"
+        balena device shutdown -f "${balena_device_uuid}" || true
+    fi
+}
+
 function set_update_lock {
     if [[ -n "$BALENA_SUPERVISOR_ADDRESS" ]] && [[ -n "$BALENA_SUPERVISOR_API_KEY" ]]; then
-        while [[ $(curl --silent --retry "${ATTEMPTS}" --fail \
-          "${BALENA_SUPERVISOR_ADDRESS}/v1/device?apikey=${BALENA_SUPERVISOR_API_KEY}" \
+        while [[ $(curl ${curl_opts} "${BALENA_SUPERVISOR_ADDRESS}/v1/device?apikey=${BALENA_SUPERVISOR_API_KEY}" \
           -H "Content-Type: application/json" | jq -r '.update_pending') == 'true' ]]; do
 
-            curl --silent --retry "${ATTEMPTS}" --fail \
-              "${BALENA_SUPERVISOR_ADDRESS}/v1/device?apikey=${BALENA_SUPERVISOR_API_KEY}" \
+            curl ${curl_opts} "${BALENA_SUPERVISOR_ADDRESS}/v1/device?apikey=${BALENA_SUPERVISOR_API_KEY}" \
               -H "Content-Type: application/json" | jq -r
 
             sleep "$(( (RANDOM % 3) + 3 ))s"
@@ -72,7 +87,7 @@ function update_ca_certificates() {
 }
 
 function wait_for_api() {
-    while ! curl --silent --fail "https://api.${DNS_TLD}/ping"; do
+    while ! curl ${curl_opts} "https://api.${DNS_TLD}/ping"; do
         sleep "$(( (RANDOM % 5) + 5 ))s"
     done
 }
@@ -139,20 +154,20 @@ function configure_virtual_device() {
 }
 
 function check_device_status() {
-	if [[ -e /balena/config.json ]]; then
-		balena_device_uuid="$(cat </balena/config.json | jq -r .uuid)"
-
-		if [[ -n $balena_device_uuid ]]; then
-			is_online="$(balena devices --json --fleet "${TEST_FLEET}" \
-			  | jq -r --arg uuid "${balena_device_uuid}" '.[] | select(.uuid==$uuid).is_online == true')"
-
-			if [[ $is_online =~ true ]]; then
-				return 0
-			else
-				return 1
-			fi
-		fi
-	fi
+    if [[ -e /balena/config.json ]]; then
+        balena_device_uuid="$(cat </balena/config.json | jq -r .uuid)"
+
+        if [[ -n $balena_device_uuid ]]; then
+            is_online="$(balena devices --json --fleet "${TEST_FLEET}" \
+              | jq -r --arg uuid "${balena_device_uuid}" '.[] | select(.uuid==$uuid).is_online == true')"
+
+            if [[ $is_online =~ true ]]; then
+                return 0
+            else
+                return 1
+            fi
+        fi
+    fi
 }
 
 function wait_for_device() {
@@ -206,14 +221,14 @@ function get_release_id() {
 }
 
 function supervisor_update_target_state() {
+    local balena_device_uuid
     balena_device_uuid="$(cat </balena/config.json | jq -r .uuid)"
 
     if [[ -n $balena_device_uuid ]]; then
-        while ! curl -X POST --silent --fail \
+        while ! curl ${curl_opts} "https://api.${DNS_TLD}/supervisor/v1/update" \
           --header "Content-Type: application/json" \
           --header "Authorization: Bearer $(cat <~/.balena/token)" \
-          --data "{\"uuid\": \"${balena_device_uuid}\", \"data\": {\"force\": true}}" \
-          "https://api.${DNS_TLD}/supervisor/v1/update"; do
+          --data "{\"uuid\": \"${balena_device_uuid}\", \"data\": {\"force\": true}}"; do
 
             sleep "$(( (RANDOM % 5) + 5 ))s"
         done
@@ -221,10 +236,15 @@ function supervisor_update_target_state() {
 }
 
 function check_running_release() {
+    local balena_device_uuid
     balena_device_uuid="$(cat </balena/config.json | jq -r .uuid)"
 
-    if [[ -n $balena_device_uuid ]] && [[ -n $1 ]]; then
-        while ! [[ $(balena device "${balena_device_uuid}" | grep -E ^COMMIT | awk '{print $2}') =~ ${should_be_running_release_id} ]]; do
+    local should_be_running_release
+    should_be_running_release="$(get_release_commit)"
+    [[ -z $should_be_running_release ]] && false
+
+    if [[ -n $balena_device_uuid ]]; then
+        while ! [[ $(balena device "${balena_device_uuid}" | grep -E ^COMMIT | awk '{print $2}') =~ ${should_be_running_release} ]]; do
             running_release_id="$(balena device "${balena_device_uuid}" | grep -E ^COMMIT | awk '{print $2}')"
             printf 'please wait, device %s should be running %s, but is still running %s...\n' \
               "${balena_device_uuid}" \
@@ -233,9 +253,6 @@ function check_running_release() {
 
             sleep "$(( (RANDOM % 5) + 5 ))s"
         done
-
-        with_backoff balena device "${balena_device_uuid}"
-        with_backoff balena device shutdown -f "${balena_device_uuid}"
     fi
 }
 
@@ -249,15 +266,19 @@ function get_os_version() {
 }
 
 function upload_release_asset() {
-    local release_id
-    release_id=${1:-}
-
-	curl --silent --retry ${{ env.RETRY }} --fail "https://api.$DNS_TLD/resin/release_asset" \
-	  --header "Authorization: Bearer $(cat <~/.balena/token)" \
-	  --form 'asset=@logo.png' \
-	  --form "release=${release_id}" \
-	  --form "asset_key=logo-$((RANDOM)).png" | jq -re .asset.href \
-	  | xargs curl --retry ${{ env.RETRY }} -sfivo /tmp/logo-$((RANDOM)).png
+    if [[ "$RELEASE_ASSETS_TEST" =~ true ]]; then
+        local release_id
+        release_id=${1:-1}
+        release_asset="$(find / -type f -name '*.png' | head -n 1)"
+
+        curl ${curl_opts} "https://api.${DNS_TLD}/resin/release_asset" \
+          --header "Authorization: Bearer $(cat <~/.balena/token)" \
+          --form "asset=@${release_asset}" \
+          --form "release=${release_id}" \
+          --form "asset_key=$((RANDOM))-$(basename ${release_asset})" \
+          | jq -re .asset.href \
+          | xargs curl ${curl_opts} -o "/tmp/$((RANDOM))-$(basename ${release_asset})"
+    fi
 }
 
 # --- main
@@ -272,7 +293,6 @@ else
     TLD="${DNS_TLD}"
 fi
 
-ATTEMPTS=${ATTEMPTS:-3}
 BALENA_API_URL=${BALENA_API_URL:-https://api.balena-cloud.com}
 BALENARC_BALENA_URL="${DNS_TLD}"
 CERTS=${CERTS:-/certs}
@@ -300,14 +320,9 @@ set_update_lock
 download_os_image
 configure_virtual_device
 deploy_release
+upload_release_asset "$(get_release_id)"  # upload an additional asset to a release
 remove_update_lock
 # .. end
 
 wait_for_device  # spin here until test-device comes online
-
-# .. and ensure the device is running our release
-should_be_running_release_id="$(get_release_commit)"
-check_running_release "${should_be_running_release_id}"
-
-# finally see if we can upload an additional asset to a release
-upload_release_asset "$(get_release_id)"
+check_running_release  # .. and ensure the device is running our release