Merge pull request #1461 from balena-io/add-scoped-api-keys

Implement scoped Supervisor API keys

package-lock.json

@@ -2910,12 +2910,13 @@
       "dev": true
     },
     "d": {
-      "version": "1.0.0",
+      "version": "1.0.1",
-      "resolved": "http://registry.npmjs.org/d/-/d-1.0.0.tgz",
+      "resolved": "https://registry.npmjs.org/d/-/d-1.0.1.tgz",
-      "integrity": "sha1-dUu1v+VUUdpppYuU1F9MWwRi1Y8=",
+      "integrity": "sha512-m62ShEObQ39CfralilEQRjH6oAMtNCV1xJyEx5LpRYUVN+EviphDgUc/F3hnYbADmkiNs67Y+3ylmlG7Lnu+FA==",
       "dev": true,
       "requires": {
-        "es5-ext": "^0.10.9"
+        "es5-ext": "^0.10.50",
+        "type": "^1.0.1"
       }
     },
     "dashdash": {
@@ -3613,14 +3614,22 @@
       }
     },
     "es5-ext": {
-      "version": "0.10.46",
+      "version": "0.10.53",
-      "resolved": "https://registry.npmjs.org/es5-ext/-/es5-ext-0.10.46.tgz",
+      "resolved": "https://registry.npmjs.org/es5-ext/-/es5-ext-0.10.53.tgz",
-      "integrity": "sha512-24XxRvJXNFwEMpJb3nOkiRJKRoupmjYmOPVlI65Qy2SrtxwOTB+g6ODjBKOtwEHbYrhWRty9xxOWLNdClT2djw==",
+      "integrity": "sha512-Xs2Stw6NiNHWypzRTY1MtaG/uJlwCk8kH81920ma8mvN8Xq1gsfhZvpkImLQArw8AHnv8MT2I45J3c0R8slE+Q==",
       "dev": true,
       "requires": {
         "es6-iterator": "~2.0.3",
-        "es6-symbol": "~3.1.1",
+        "es6-symbol": "~3.1.3",
-        "next-tick": "1"
+        "next-tick": "~1.0.0"
+      },
+      "dependencies": {
+        "next-tick": {
+          "version": "1.0.0",
+          "resolved": "https://registry.npmjs.org/next-tick/-/next-tick-1.0.0.tgz",
+          "integrity": "sha1-yobR/ogoFpsBICCOPchCS524NCw=",
+          "dev": true
+        }
       }
     },
     "es6-iterator": {
@@ -3650,24 +3659,24 @@
       }
     },
     "es6-symbol": {
-      "version": "3.1.1",
+      "version": "3.1.3",
-      "resolved": "https://registry.npmjs.org/es6-symbol/-/es6-symbol-3.1.1.tgz",
+      "resolved": "https://registry.npmjs.org/es6-symbol/-/es6-symbol-3.1.3.tgz",
-      "integrity": "sha1-vwDvT9q2uhtG7Le2KbTH7VcVzHc=",
+      "integrity": "sha512-NJ6Yn3FuDinBaBRWl/q5X/s4koRHBrgKAu+yGI6JCBeiu3qrcbJhwT2GeR/EXVfylRk8dpQVJoLEFhK+Mu31NA==",
       "dev": true,
       "requires": {
-        "d": "1",
+        "d": "^1.0.1",
-        "es5-ext": "~0.10.14"
+        "ext": "^1.1.2"
       }
     },
     "es6-weak-map": {
-      "version": "2.0.2",
+      "version": "2.0.3",
-      "resolved": "https://registry.npmjs.org/es6-weak-map/-/es6-weak-map-2.0.2.tgz",
+      "resolved": "https://registry.npmjs.org/es6-weak-map/-/es6-weak-map-2.0.3.tgz",
-      "integrity": "sha1-XjqzIlH/0VOKH45f+hNXdy+S2W8=",
+      "integrity": "sha512-p5um32HOTO1kP+w7PRnB+5lQ43Z6muuMuIMffvDN8ZB4GcnjLBV6zGStpbASIMk4DCAvEaamhe2zhyCb/QXXsA==",
       "dev": true,
       "requires": {
         "d": "1",
-        "es5-ext": "^0.10.14",
+        "es5-ext": "^0.10.46",
-        "es6-iterator": "^2.0.1",
+        "es6-iterator": "^2.0.3",
         "es6-symbol": "^3.1.1"
       }
     },
@@ -3911,6 +3920,23 @@
         }
       }
     },
+    "ext": {
+      "version": "1.4.0",
+      "resolved": "https://registry.npmjs.org/ext/-/ext-1.4.0.tgz",
+      "integrity": "sha512-Key5NIsUxdqKg3vIsdw9dSuXpPCQ297y6wBjL30edxwPgt2E44WcWBZey/ZvUc6sERLTxKdyCu4gZFmUbk1Q7A==",
+      "dev": true,
+      "requires": {
+        "type": "^2.0.0"
+      },
+      "dependencies": {
+        "type": {
+          "version": "2.1.0",
+          "resolved": "https://registry.npmjs.org/type/-/type-2.1.0.tgz",
+          "integrity": "sha512-G9absDWvhAWCV2gmF1zKud3OyC61nZDwWvBL2DApaVFogI07CprggiQAOOjvp2NRjYWFzPyu7vwtDrQFq8jeSA==",
+          "dev": true
+        }
+      }
+    },
     "extend": {
       "version": "3.0.2",
       "resolved": "https://registry.npmjs.org/extend/-/extend-3.0.2.tgz",
@@ -5363,9 +5389,9 @@
       }
     },
     "is-promise": {
-      "version": "2.1.0",
+      "version": "2.2.2",
-      "resolved": "https://registry.npmjs.org/is-promise/-/is-promise-2.1.0.tgz",
+      "resolved": "https://registry.npmjs.org/is-promise/-/is-promise-2.2.2.tgz",
-      "integrity": "sha1-eaKp7OfwlugPNtKy87wWwf9L8/o=",
+      "integrity": "sha512-+lP4/6lKUBfQjZ2pdxThZvLUAafmZb8OAxFb8XXtiQmS35INgr85hdOGoEs124ez1FCnZJt6jau/T+alh58QFQ==",
       "dev": true
     },
     "is-regexp": {
@@ -6750,9 +6776,9 @@
       }
     },
     "next-tick": {
-      "version": "1.0.0",
+      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/next-tick/-/next-tick-1.0.0.tgz",
+      "resolved": "https://registry.npmjs.org/next-tick/-/next-tick-1.1.0.tgz",
-      "integrity": "sha1-yobR/ogoFpsBICCOPchCS524NCw=",
+      "integrity": "sha512-CXdUiJembsNjuToQvxayPZF9Vqht7hewsvy2sOWafLvi2awflj9mOC6bHIg50orX8IJvWKY9wYQ/zB2kogPslQ==",
       "dev": true
     },
     "nice-try": {
@@ -9463,6 +9489,12 @@
       "resolved": "https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz",
       "integrity": "sha1-WuaBd/GS1EViadEIr6k/+HQ/T2Q="
     },
+    "type": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/type/-/type-1.2.0.tgz",
+      "integrity": "sha512-+5nt5AAniqsCnu2cEQQdpzCAh33kVx8n0VoFidKpB1dVVLAN/F+bgVOqOJqOnEnrhp222clB5p3vUlD+1QAnfg==",
+      "dev": true
+    },
     "type-detect": {
       "version": "1.0.0",
       "resolved": "https://registry.npmjs.org/type-detect/-/type-detect-1.0.0.tgz",

src/compose/app.ts

@@ -775,8 +775,9 @@ export class App {
 						imageInfo,
 						serviceName: svc.serviceName,
 					};
+
 					// FIXME: Typings for DeviceMetadata
-					return Service.fromComposeObject(
+					return await Service.fromComposeObject(
 						svc,
 						(thisSvcOpts as unknown) as DeviceMetadata,
 					);

src/compose/service.ts

@@ -100,10 +100,10 @@ export class Service {
 
 	// The type here is actually ServiceComposeConfig, except that the
 	// keys must be camelCase'd first
-	public static fromComposeObject(
+	public static async fromComposeObject(
 		appConfig: ConfigMap,
 		options: DeviceMetadata,
-	): Service {
+	): Promise<Service> {
 		const service = new Service();
 
 		appConfig = ComposeUtils.camelCaseConfig(appConfig);
@@ -443,7 +443,7 @@ export class Service {
 		}
 
 		// Mutate service with extra features
-		ComposeUtils.addFeaturesFromLabels(service, options);
+		await ComposeUtils.addFeaturesFromLabels(service, options);
 
 		return service;
 	}

src/compose/utils.ts

@@ -18,6 +18,8 @@ import {
 
 import log from '../lib/supervisor-console';
 
+import * as apiKeys from '../lib/api-keys';
+
 export function camelCaseConfig(
 	literalConfig: ConfigMap,
 ): ServiceComposeConfig {
@@ -316,10 +318,10 @@ export function dockerDeviceToStr(device: DockerDevice): string {
 // TODO: Export these strings to a constant lib, to
 // enable changing them easily
 // Mutates service
-export function addFeaturesFromLabels(
+export async function addFeaturesFromLabels(
 	service: Service,
 	options: DeviceMetadata,
-): void {
+): Promise<void> {
 	const setEnvVariables = function (key: string, val: string) {
 		service.config.environment[`RESIN_${key}`] = val;
 		service.config.environment[`BALENA_${key}`] = val;
@@ -356,18 +358,24 @@ export function addFeaturesFromLabels(
 			setEnvVariables('API_KEY', options.deviceApiKey);
 			setEnvVariables('API_URL', options.apiEndpoint);
 		},
-		'io.balena.features.supervisor-api': () => {
+		'io.balena.features.supervisor-api': async () => {
+			// create a app/service specific API secret
+			const apiSecret = await apiKeys.generateScopedKey(
+				service.appId,
+				service.serviceId,
+			);
+
+			const host = (() => {
+				if (service.config.networkMode === 'host') {
+					return '127.0.0.1';
+				} else {
+					service.config.networks[constants.supervisorNetworkInterface] = {};
+					return options.supervisorApiHost;
+				}
+			})();
+
+			setEnvVariables('SUPERVISOR_API_KEY', apiSecret);
 			setEnvVariables('SUPERVISOR_PORT', options.listenPort.toString());
-			setEnvVariables('SUPERVISOR_API_KEY', options.apiSecret);
-
-			let host: string;
-
-			if (service.config.networkMode === 'host') {
-				host = '127.0.0.1';
-			} else {
-				host = options.supervisorApiHost;
-				service.config.networks[constants.supervisorNetworkInterface] = {};
-			}
 			setEnvVariables('SUPERVISOR_HOST', host);
 			setEnvVariables(
 				'SUPERVISOR_ADDRESS',
@@ -388,11 +396,12 @@ export function addFeaturesFromLabels(
 			} as Dockerode.DeviceRequest),
 	};
 
-	_.each(features, (fn, label) => {
+	for (const feature of Object.keys(features) as [keyof typeof features]) {
-		if (checkTruthy(service.config.labels[label])) {
+		const fn = features[feature];
-			fn();
+		if (checkTruthy(service.config.labels[feature])) {
+			await fn();
 		}
-	});
+	}
 
 	// This is a special case, and folding it into the
 	// structure above would unnecessarily complicate things.

src/config/functions.ts

@@ -97,7 +97,6 @@ export const fnSchema = {
 			'uuid',
 			'listenPort',
 			'name',
-			'apiSecret',
 			'apiEndpoint',
 			'deviceApiKey',
 			'version',

src/config/index.ts

@@ -281,14 +281,13 @@ function validateConfigMap<T extends SchemaTypeKey>(
 }
 
 export async function generateRequiredFields() {
-	return getMany(['uuid', 'deviceApiKey', 'apiSecret', 'unmanaged']).then(
+	return getMany(['uuid', 'deviceApiKey', 'unmanaged']).then(
-		({ uuid, deviceApiKey, apiSecret, unmanaged }) => {
+		({ uuid, deviceApiKey, unmanaged }) => {
 			// These fields need to be set regardless
-			if (uuid == null || apiSecret == null) {
+			if (uuid == null) {
 				uuid = uuid || newUniqueKey();
-				apiSecret = apiSecret || newUniqueKey();
 			}
-			return set({ uuid, apiSecret }).then(() => {
+			return set({ uuid }).then(() => {
 				if (unmanaged) {
 					return;
 				}

src/config/schema-type.ts

@@ -88,10 +88,6 @@ export const schemaTypes = {
 	},
 
 	// Database types
-	apiSecret: {
-		type: t.string,
-		default: NullOrUndefined,
-	},
 	name: {
 		type: t.string,
 		default: 'local',
@@ -231,7 +227,6 @@ export const schemaTypes = {
 			uuid: t.union([t.string, NullOrUndefined]),
 			listenPort: PermissiveNumber,
 			name: t.string,
-			apiSecret: t.union([t.string, NullOrUndefined]),
 			deviceApiKey: t.string,
 			apiEndpoint: t.string,
 			version: t.string,

src/config/schema.ts

@@ -85,11 +85,6 @@ export const schema = {
 		removeIfNull: false,
 	},
 
-	apiSecret: {
-		source: 'db',
-		mutable: true,
-		removeIfNull: false,
-	},
 	name: {
 		source: 'db',
 		mutable: true,

src/device-api/v1.ts

@@ -1,4 +1,5 @@
 import * as Promise from 'bluebird';
+import * as express from 'express';
 import * as _ from 'lodash';
 
 import * as eventTracker from '../event-tracker';
@@ -8,21 +9,37 @@ import { doRestart, doPurge } from './common';
 
 import * as applicationManager from '../compose/application-manager';
 import { generateStep } from '../compose/composition-steps';
+import { AuthorizedRequest } from '../lib/api-keys';
 
-export const createV1Api = function (router) {
+export function createV1Api(router: express.Router) {
-	router.post('/v1/restart', function (req, res, next) {
+	router.post('/v1/restart', (req: AuthorizedRequest, res, next) => {
 		const appId = checkInt(req.body.appId);
 		const force = checkTruthy(req.body.force) ?? false;
 		eventTracker.track('Restart container (v1)', { appId });
 		if (appId == null) {
 			return res.status(400).send('Missing app id');
 		}
+
+		// handle the case where the appId is out of scope
+		if (!req.auth.isScoped({ apps: [appId] })) {
+			res.status(401).json({
+				status: 'failed',
+				message: 'Application is not available',
+			});
+			return;
+		}
+
 		return doRestart(appId, force)
 			.then(() => res.status(200).send('OK'))
 			.catch(next);
 	});
 
-	const v1StopOrStart = function (req, res, next, action) {
+	const v1StopOrStart = (
+		req: AuthorizedRequest,
+		res: express.Response,
+		next: express.NextFunction,
+		action: 'start' | 'stop',
+	) => {
 		const appId = checkInt(req.params.appId);
 		const force = checkTruthy(req.body.force) ?? false;
 		if (appId == null) {
@@ -47,13 +64,21 @@ export const createV1Api = function (router) {
 							'Some v1 endpoints are only allowed on single-container apps',
 						);
 				}
+
+				// check that the request is scoped to cover this application
+				if (!req.auth.isScoped({ apps: [app.appId] })) {
+					return res.status(401).send('Unauthorized');
+				}
+
 				applicationManager.setTargetVolatileForService(service.imageId, {
 					running: action !== 'stop',
 				});
+
+				const stopOpts = { wait: true };
+				const step = generateStep(action, { current: service, ...stopOpts });
+
 				return applicationManager
-					.executeStep(generateStep(action, { current: service, wait: true }), {
+					.executeStep(step, { force })
-						force,
-					})
 					.then(function () {
 						if (action === 'stop') {
 							return service;
@@ -75,13 +100,13 @@ export const createV1Api = function (router) {
 			.catch(next);
 	};
 
-	const createV1StopOrStartHandler = (action) =>
+	const createV1StopOrStartHandler = (action: 'start' | 'stop') =>
 		_.partial(v1StopOrStart, _, _, _, action);
 
 	router.post('/v1/apps/:appId/stop', createV1StopOrStartHandler('stop'));
 	router.post('/v1/apps/:appId/start', createV1StopOrStartHandler('start'));
 
-	router.get('/v1/apps/:appId', function (req, res, next) {
+	router.get('/v1/apps/:appId', (req: AuthorizedRequest, res, next) => {
 		const appId = checkInt(req.params.appId);
 		eventTracker.track('GET app (v1)', { appId });
 		if (appId == null) {
@@ -96,6 +121,7 @@ export const createV1Api = function (router) {
 				if (service == null) {
 					return res.status(400).send('App not found');
 				}
+
 				if (app.services.length > 1) {
 					return res
 						.status(400)
@@ -103,31 +129,50 @@ export const createV1Api = function (router) {
 							'Some v1 endpoints are only allowed on single-container apps',
 						);
 				}
+
+				// handle the case where the appId is out of scope
+				if (!req.auth.isScoped({ apps: [app.appId] })) {
+					res.status(401).json({
+						status: 'failed',
+						message: 'Application is not available',
+					});
+					return;
+				}
+
 				// Don't return data that will be of no use to the user
 				const appToSend = {
 					appId,
+					commit: status.commit!,
 					containerId: service.containerId,
 					env: _.omit(service.config.environment, constants.privateAppEnvVars),
-					releaseId: service.releaseId,
 					imageId: service.config.image,
+					releaseId: service.releaseId,
 				};
-				if (status.commit != null) {
+
-					appToSend.commit = status.commit;
-				}
 				return res.json(appToSend);
 			},
 		).catch(next);
 	});
 
-	router.post('/v1/purge', function (req, res, next) {
+	router.post('/v1/purge', (req: AuthorizedRequest, res, next) => {
 		const appId = checkInt(req.body.appId);
 		const force = checkTruthy(req.body.force) ?? false;
 		if (appId == null) {
 			const errMsg = 'Invalid or missing appId';
 			return res.status(400).send(errMsg);
 		}
+
+		// handle the case where the appId is out of scope
+		if (!req.auth.isScoped({ apps: [appId] })) {
+			res.status(401).json({
+				status: 'failed',
+				message: 'Application is not available',
+			});
+			return;
+		}
+
 		return doPurge(appId, force)
 			.then(() => res.status(200).json({ Data: 'OK', Error: '' }))
 			.catch(next);
 	});
-};
+}

src/device-api/v2.ts

@@ -1,5 +1,5 @@
 import * as Bluebird from 'bluebird';
-import { NextFunction, Request, Response, Router } from 'express';
+import { NextFunction, Response, Router } from 'express';
 import * as _ from 'lodash';
 
 import * as deviceState from '../device-state';
@@ -30,10 +30,11 @@ import supervisorVersion = require('../lib/supervisor-version');
 import { checkInt, checkTruthy } from '../lib/validation';
 import { isVPNActive } from '../network';
 import { doPurge, doRestart, safeStateClone } from './common';
+import { AuthorizedRequest } from '../lib/api-keys';
 
 export function createV2Api(router: Router) {
 	const handleServiceAction = (
-		req: Request,
+		req: AuthorizedRequest,
 		res: Response,
 		next: NextFunction,
 		action: CompositionStepAction,
@@ -48,6 +49,15 @@ export function createV2Api(router: Router) {
 			return;
 		}
 
+		// handle the case where the appId is out of scope
+		if (!req.auth.isScoped({ apps: [appId] })) {
+			res.status(401).json({
+				status: 'failed',
+				message: 'Application is not available',
+			});
+			return;
+		}
+
 		return applicationManager.lockingIfNecessary(appId, { force }, () => {
 			return Promise.all([applicationManager.getCurrentApps(), getApp(appId)])
 				.then(([apps, targetApp]) => {
@@ -115,7 +125,7 @@ export function createV2Api(router: Router) {
 
 	router.post(
 		'/v2/applications/:appId/purge',
-		(req: Request, res: Response, next: NextFunction) => {
+		(req: AuthorizedRequest, res: Response, next: NextFunction) => {
 			const { force } = req.body;
 			const appId = checkInt(req.params.appId);
 			if (!appId) {
@@ -125,6 +135,15 @@ export function createV2Api(router: Router) {
 				});
 			}
 
+			// handle the case where the application is out of scope
+			if (!req.auth.isScoped({ apps: [appId] })) {
+				res.status(401).json({
+					status: 'failed',
+					message: 'Application is not available',
+				});
+				return;
+			}
+
 			return doPurge(appId, force)
 				.then(() => {
 					res.status(200).send('OK');
@@ -150,7 +169,7 @@ export function createV2Api(router: Router) {
 
 	router.post(
 		'/v2/applications/:appId/restart',
-		(req: Request, res: Response, next: NextFunction) => {
+		(req: AuthorizedRequest, res: Response, next: NextFunction) => {
 			const { force } = req.body;
 			const appId = checkInt(req.params.appId);
 			if (!appId) {
@@ -160,6 +179,15 @@ export function createV2Api(router: Router) {
 				});
 			}
 
+			// handle the case where the appId is out of scope
+			if (!req.auth.isScoped({ apps: [appId] })) {
+				res.status(401).json({
+					status: 'failed',
+					message: 'Application is not available',
+				});
+				return;
+			}
+
 			return doRestart(appId, force)
 				.then(() => {
 					res.status(200).send('OK');
@@ -171,7 +199,7 @@ export function createV2Api(router: Router) {
 	// TODO: Support dependent applications when this feature is complete
 	router.get(
 		'/v2/applications/state',
-		async (_req: Request, res: Response, next: NextFunction) => {
+		async (req: AuthorizedRequest, res: Response, next: NextFunction) => {
 			// It's kinda hacky to access the services and db via the application manager
 			// maybe refactor this code
 			Bluebird.join(
@@ -200,44 +228,52 @@ export function createV2Api(router: Router) {
 
 					const appNameById: { [id: number]: string } = {};
 
-					apps.forEach((app) => {
+					// only access scoped apps
-						const appId = parseInt(app.appId, 10);
+					apps
-						response[app.name] = {
+						.filter((app) =>
-							appId,
+							req.auth.isScoped({ apps: [parseInt(app.appId, 10)] }),
-							commit: app.commit,
+						)
-							services: {},
+						.forEach((app) => {
-						};
+							const appId = parseInt(app.appId, 10);
+							response[app.name] = {
+								appId,
+								commit: app.commit,
+								services: {},
+							};
 
-						appNameById[appId] = app.name;
+							appNameById[appId] = app.name;
-					});
-
-					imgs.forEach((img) => {
-						const appName = appNameById[img.appId];
-						if (appName == null) {
-							log.warn(
-								`Image found for unknown application!\nImage: ${JSON.stringify(
-									img,
-								)}`,
-							);
-							return;
-						}
-
-						const svc = _.find(services, (service: Service) => {
-							return service.imageId === img.imageId;
 						});
 
-						let status: string | undefined;
+					// only access scoped images
-						if (svc == null) {
+					imgs
-							status = img.status;
+						.filter((img) => req.auth.isScoped({ apps: [img.appId] }))
-						} else {
+						.forEach((img) => {
-							status = svc.status || img.status;
+							const appName = appNameById[img.appId];
-						}
+							if (appName == null) {
-						response[appName].services[img.serviceName] = {
+								log.warn(
-							status,
+									`Image found for unknown application!\nImage: ${JSON.stringify(
-							releaseId: img.releaseId,
+										img,
-							downloadProgress: img.downloadProgress || null,
+									)}`,
-						};
+								);
-					});
+								return;
+							}
+
+							const svc = _.find(services, (service: Service) => {
+								return service.imageId === img.imageId;
+							});
+
+							let status: string | undefined;
+							if (svc == null) {
+								status = img.status;
+							} else {
+								status = svc.status || img.status;
+							}
+							response[appName].services[img.serviceName] = {
+								status,
+								releaseId: img.releaseId,
+								downloadProgress: img.downloadProgress || null,
+							};
+						});
 
 					res.status(200).json(response);
 				},
@@ -247,7 +283,7 @@ export function createV2Api(router: Router) {
 
 	router.get(
 		'/v2/applications/:appId/state',
-		async (req: Request, res: Response) => {
+		async (req: AuthorizedRequest, res: Response) => {
 			// Check application ID provided is valid
 			const appId = checkInt(req.params.appId);
 			if (!appId) {
@@ -256,6 +292,7 @@ export function createV2Api(router: Router) {
 					message: `Invalid application ID: ${req.params.appId}`,
 				});
 			}
+
 			// Query device for all applications
 			let apps: any;
 			try {
@@ -268,12 +305,22 @@ export function createV2Api(router: Router) {
 				});
 			}
 			// Check if the application exists
-			if (!(appId in apps.local)) {
+			if (!(appId in apps.local) || !req.auth.isScoped({ apps: [appId] })) {
 				return res.status(409).json({
 					status: 'failed',
 					message: `Application ID does not exist: ${appId}`,
 				});
 			}
+
+			// handle the case where the appId is out of scope
+			if (!req.auth.isScoped({ apps: [appId] })) {
+				res.status(401).json({
+					status: 'failed',
+					message: 'Application is not available',
+				});
+				return;
+			}
+
 			// Filter applications we do not want
 			for (const app in apps.local) {
 				if (app !== appId.toString()) {
@@ -380,8 +427,10 @@ export function createV2Api(router: Router) {
 		});
 	});
 
-	router.get('/v2/containerId', async (req, res) => {
+	router.get('/v2/containerId', async (req: AuthorizedRequest, res) => {
-		const services = await serviceManager.getAll();
+		const services = (await serviceManager.getAll()).filter((service) =>
+			req.auth.isScoped({ apps: [service.appId] }),
+		);
 
 		if (req.query.serviceName != null || req.query.service != null) {
 			const serviceName = req.query.serviceName || req.query.service;
@@ -411,41 +460,45 @@ export function createV2Api(router: Router) {
 		}
 	});
 
-	router.get('/v2/state/status', async (_req, res) => {
+	router.get('/v2/state/status', async (req: AuthorizedRequest, res) => {
 		const currentRelease = await config.get('currentCommit');
 
 		const pending = deviceState.isApplyInProgress();
-		const containerStates = (await serviceManager.getAll()).map((svc) =>
+		const containerStates = (await serviceManager.getAll())
-			_.pick(
+			.filter((service) => req.auth.isScoped({ apps: [service.appId] }))
-				svc,
+			.map((svc) =>
-				'status',
+				_.pick(
-				'serviceName',
+					svc,
-				'appId',
+					'status',
-				'imageId',
+					'serviceName',
-				'serviceId',
+					'appId',
-				'containerId',
+					'imageId',
-				'createdAt',
+					'serviceId',
-			),
+					'containerId',
-		);
+					'createdAt',
+				),
+			);
 
 		let downloadProgressTotal = 0;
 		let downloads = 0;
-		const imagesStates = (await images.getStatus()).map((img) => {
+		const imagesStates = (await images.getStatus())
-			if (img.downloadProgress != null) {
+			.filter((img) => req.auth.isScoped({ apps: [img.appId] }))
-				downloadProgressTotal += img.downloadProgress;
+			.map((img) => {
-				downloads += 1;
+				if (img.downloadProgress != null) {
-			}
+					downloadProgressTotal += img.downloadProgress;
-			return _.pick(
+					downloads += 1;
-				img,
+				}
-				'name',
+				return _.pick(
-				'appId',
+					img,
-				'serviceName',
+					'name',
-				'imageId',
+					'appId',
-				'dockerImageId',
+					'serviceName',
-				'status',
+					'imageId',
-				'downloadProgress',
+					'dockerImageId',
-			);
+					'status',
-		});
+					'downloadProgress',
+				);
+			});
 
 		let overallDownloadProgress: number | null = null;
 		if (downloads > 0) {
@@ -500,10 +553,15 @@ export function createV2Api(router: Router) {
 		});
 	});
 
-	router.get('/v2/cleanup-volumes', async (_req, res) => {
+	router.get('/v2/cleanup-volumes', async (req: AuthorizedRequest, res) => {
 		const targetState = await applicationManager.getTargetApps();
 		const referencedVolumes: string[] = [];
 		_.each(targetState, (app, appId) => {
+			// if this app isn't in scope of the request, do not cleanup it's volumes
+			if (!req.auth.isScoped({ apps: [parseInt(appId, 10)] })) {
+				return;
+			}
+
 			_.each(app.volumes, (_volume, volumeName) => {
 				referencedVolumes.push(
 					Volume.generateDockerName(parseInt(appId, 10), volumeName),

src/device-state.ts

@@ -38,6 +38,7 @@ import {
 	InstancedAppState,
 } from './types/state';
 import * as dbFormat from './device-state/db-format';
+import * as apiKeys from './lib/api-keys';
 
 function validateLocalState(state: any): asserts state is TargetState['local'] {
 	if (state.name != null) {
@@ -265,9 +266,7 @@ export const initialized = (async () => {
 		if (changedConfig.loggingEnabled != null) {
 			logger.enable(changedConfig.loggingEnabled);
 		}
-		if (changedConfig.apiSecret != null) {
+
-			reportCurrentState({ api_secret: changedConfig.apiSecret });
-		}
 		if (changedConfig.appUpdatePollInterval != null) {
 			maxPollTime = changedConfig.appUpdatePollInterval;
 		}
@@ -346,11 +345,11 @@ async function saveInitialConfig() {
 
 export async function loadInitialState() {
 	await applicationManager.initialized;
+	await apiKeys.initialized;
 
 	const conf = await config.getMany([
 		'initialConfigSaved',
 		'listenPort',
-		'apiSecret',
 		'osVersion',
 		'osVariant',
 		'macAddress',
@@ -374,7 +373,7 @@ export async function loadInitialState() {
 	log.info('Reporting initial state, supervisor version and API info');
 	reportCurrentState({
 		api_port: conf.listenPort,
-		api_secret: conf.apiSecret,
+		api_secret: apiKeys.cloudApiKey,
 		os_version: conf.osVersion,
 		os_variant: conf.osVariant,
 		mac_address: conf.macAddress,

src/lib/api-keys.ts

@@ -0,0 +1,359 @@
+import * as _ from 'lodash';
+import * as express from 'express';
+import * as memoizee from 'memoizee';
+
+import * as config from '../config';
+import * as db from '../db';
+
+import { generateUniqueKey } from './register-device';
+
+export class KeyNotFoundError extends Error {}
+
+/**
+ * The schema for the `apiSecret` table in the database
+ */
+interface DbApiSecret {
+	id: number;
+	appId: number;
+	serviceId: number;
+	scopes: string;
+	key: string;
+}
+
+export type Scope = SerializableScope<ScopeTypeKey>;
+type ScopeTypeKey = keyof ScopeTypes;
+type SerializableScope<T extends ScopeTypeKey> = {
+	type: T;
+} & ScopeTypes[T];
+type ScopeCheck<T extends ScopeTypeKey> = (
+	resources: Partial<ScopedResources>,
+	scope: ScopeTypes[T],
+) => Resolvable<boolean>;
+type ScopeCheckCollection = {
+	[K in ScopeTypeKey]: ScopeCheck<K>;
+};
+
+/**
+ * The scopes which a key can cover.
+ */
+type ScopeTypes = {
+	global: {};
+	app: {
+		appId: number;
+	};
+};
+
+/**
+ * The resources which can be protected with scopes.
+ */
+interface ScopedResources {
+	apps: number[];
+}
+
+/**
+ * The checks when determining if a key is scoped for a resource.
+ */
+const scopeChecks: ScopeCheckCollection = {
+	global: () => true,
+	app: (resources, { appId }) =>
+		resources.apps != null && resources.apps.includes(appId),
+};
+
+export function serialiseScopes(scopes: Scope[]): string {
+	return JSON.stringify(scopes);
+}
+
+export function deserialiseScopes(json: string): Scope[] {
+	return JSON.parse(json);
+}
+
+export const isScoped = (
+	resources: Partial<ScopedResources>,
+	scopes: Scope[],
+) =>
+	scopes.some((scope) =>
+		scopeChecks[scope.type](resources, (scope as unknown) as any),
+	);
+
+export type AuthorizedRequest = express.Request & {
+	auth: {
+		isScoped: (resources: Partial<ScopedResources>) => boolean;
+		apiKey: string;
+		scopes: Scope[];
+	};
+};
+export type AuthorizedRequestHandler = (
+	req: AuthorizedRequest,
+	res: express.Response,
+	next: express.NextFunction,
+) => void;
+
+// empty until populated in `initialized`
+export let cloudApiKey: string = '';
+
+// should be called before trying to use this singleton
+export const initialized = (async () => {
+	await db.initialized;
+
+	// make sure we have an API key which the cloud will use to call us
+	await generateCloudKey();
+})();
+
+/**
+ * This middleware will extract an API key used to make a call, and then expand it out to provide
+ * access to the scopes it has. The `req` will be updated to include this `auth` data.
+ *
+ * E.g. `req.auth.scopes: []`
+ *
+ * @param req
+ * @param res
+ * @param next
+ */
+export const authMiddleware: AuthorizedRequestHandler = async (
+	req,
+	res,
+	next,
+) => {
+	// grab the API key used for the request
+	const apiKey = getApiKeyFromRequest(req) ?? '';
+
+	// store the key in the request, and an empty scopes array to populate after resolving the key scopes
+	req.auth = {
+		apiKey,
+		scopes: [],
+		isScoped: () => false,
+	};
+
+	try {
+		const conf = await config.getMany(['localMode', 'unmanaged', 'osVariant']);
+
+		// we only need to check the API key if a) unmanaged and on a production image, or b) managed and not in local mode
+		const needsAuth = conf.unmanaged
+			? conf.osVariant === 'prod'
+			: !conf.localMode;
+
+		// no need to authenticate, shortcut
+		if (!needsAuth) {
+			return next();
+		}
+
+		// if we have a key, find the scopes and add them to the request
+		if (apiKey && apiKey !== '') {
+			await initialized;
+			const scopes = await getScopesForKey(apiKey);
+
+			if (scopes != null) {
+				// keep the scopes for later incase they're desired
+				req.auth.scopes.push(...scopes);
+
+				// which resources are scoped...
+				req.auth.isScoped = (resources) => isScoped(resources, req.auth.scopes);
+
+				return next();
+			}
+		}
+
+		// we do not have a valid key...
+		return res.sendStatus(401);
+	} catch (err) {
+		console.error(err);
+		res.status(503).send(`Unexpected error: ${err}`);
+	}
+};
+
+function isEqualScope(a: Scope, b: Scope): boolean {
+	return _.isEqual(a, b);
+}
+
+function getApiKeyFromRequest(req: express.Request): string | undefined {
+	// Check query for key
+	if (req.query.apikey) {
+		return req.query.apikey;
+	}
+
+	// Get Authorization header to search for key
+	const authHeader = req.get('Authorization');
+
+	// Check header for key
+	if (!authHeader) {
+		return undefined;
+	}
+
+	// Check authHeader with various schemes
+	const match = authHeader.match(/^(?:ApiKey|Bearer) (\w+)$/i);
+
+	// Return key from match or undefined
+	return match?.[1];
+}
+
+export type GenerateKeyOptions = { force: boolean; scopes: Scope[] };
+
+export async function getScopesForKey(key: string): Promise<Scope[] | null> {
+	const apiKey = await getApiKeyByKey(key);
+
+	// null means the key wasn't known...
+	if (apiKey == null) {
+		return null;
+	}
+
+	return deserialiseScopes(apiKey.scopes);
+}
+
+export async function generateScopedKey(
+	appId: number,
+	serviceId: number,
+	options?: Partial<GenerateKeyOptions>,
+): Promise<string> {
+	await initialized;
+	return await generateKey(appId, serviceId, options);
+}
+
+export async function generateCloudKey(
+	force: boolean = false,
+): Promise<string> {
+	cloudApiKey = await generateKey(0, 0, {
+		force,
+		scopes: [{ type: 'global' }],
+	});
+	return cloudApiKey;
+}
+
+export async function refreshKey(key: string): Promise<string> {
+	const apiKey = await getApiKeyByKey(key);
+
+	if (apiKey == null) {
+		throw new KeyNotFoundError();
+	}
+
+	const { appId, serviceId, scopes } = apiKey;
+
+	// if this is a cloud key that is being refreshed
+	if (appId === 0 && serviceId === 0) {
+		return await generateCloudKey(true);
+	}
+
+	// generate a new key, expiring the old one...
+	const newKey = await generateScopedKey(appId, serviceId, {
+		force: true,
+		scopes: deserialiseScopes(scopes),
+	});
+
+	// return the regenerated key
+	return newKey;
+}
+
+/**
+ * A cached lookup of the database key
+ */
+const getApiKeyForService = memoizee(
+	async (appId: number, serviceId: number): Promise<DbApiSecret[]> => {
+		await db.initialized;
+
+		return await db.models('apiSecret').where({ appId, serviceId }).select();
+	},
+	{
+		promise: true,
+		maxAge: 60000, // 1 minute
+		normalizer: ([appId, serviceId]) => `${appId}-${serviceId}`,
+	},
+);
+
+/**
+ * A cached lookup of the database key for a given application/service pair
+ */
+const getApiKeyByKey = memoizee(
+	async (key: string): Promise<DbApiSecret> => {
+		await db.initialized;
+
+		const [apiKey] = await db.models('apiSecret').where({ key }).select();
+		return apiKey;
+	},
+	{
+		promise: true,
+		maxAge: 60000, // 1 minute
+	},
+);
+
+/**
+ * All key generate logic should come though this method. It handles cache clearing.
+ *
+ * @param appId
+ * @param serviceId
+ * @param options
+ */
+async function generateKey(
+	appId: number,
+	serviceId: number,
+	options?: Partial<GenerateKeyOptions>,
+): Promise<string> {
+	// set default options
+	const { force, scopes }: GenerateKeyOptions = {
+		force: false,
+		scopes: [{ type: 'app', appId }],
+		...options,
+	};
+
+	// grab the existing API key info
+	const secrets = await getApiKeyForService(appId, serviceId);
+
+	// if we need a new key
+	if (secrets.length === 0 || force) {
+		// are forcing a new key?
+		if (force) {
+			await db.models('apiSecret').where({ appId, serviceId }).del();
+		}
+
+		// remove the cached lookup for the key
+		const [apiKey] = secrets;
+		if (apiKey != null) {
+			getApiKeyByKey.clear(apiKey.key);
+		}
+
+		// remove the cached value for this lookup
+		getApiKeyForService.clear(appId, serviceId);
+
+		// return a new API key
+		return await createNewKey(appId, serviceId, scopes);
+	}
+
+	// grab the current secret and scopes
+	const [currentSecret] = secrets;
+	const currentScopes: Scope[] = JSON.parse(currentSecret.scopes);
+
+	const scopesWeAlreadyHave = scopes.filter((desiredScope) =>
+		currentScopes.some((currentScope) =>
+			isEqualScope(desiredScope, currentScope),
+		),
+	);
+
+	// if we have the correct scopes, then return our existing key...
+	if (
+		scopes.length === currentScopes.length &&
+		scopesWeAlreadyHave.length === currentScopes.length
+	) {
+		return currentSecret.key;
+	}
+
+	// forcibly get a new key...
+	return await generateKey(appId, serviceId, { ...options, force: true });
+}
+
+/**
+ * Generates a new key value and inserts it into the DB.
+ *
+ * @param appId
+ * @param serviceId
+ * @param scopes
+ */
+async function createNewKey(appId: number, serviceId: number, scopes: Scope[]) {
+	const key = generateUniqueKey();
+	await db.models('apiSecret').insert({
+		appId,
+		serviceId,
+		key,
+		scopes: serialiseScopes(scopes),
+	});
+
+	// return the new key
+	return key;
+}

src/migrations/M00005.js

@@ -0,0 +1,32 @@
+import { generateScopedKey } from '../lib/api-keys';
+
+export async function up(knex) {
+	// Create a new table to hold the api keys
+	await knex.schema.createTable('apiSecret', (table) => {
+		table.increments('id').primary();
+		table.integer('appId');
+		table.integer('serviceId');
+		table.string('key');
+		table.string('scopes');
+		table.unique(['appId', 'serviceId']);
+	});
+
+	// Delete any existing API secrets
+	await knex('config').where({ key: 'apiSecret' }).del();
+
+	// Add an api secret per service in the db
+	const apps = await knex('app');
+
+	for (const app of apps) {
+		const appId = app.appId;
+		const services = JSON.parse(app.services);
+		for (const service of services) {
+			const serviceId = service.id;
+			await generateScopedKey(appId, serviceId);
+		}
+	}
+}
+
+export function down() {
+	return Promise.reject(new Error('Not Implemented'));
+}

src/supervisor-api.ts

@@ -4,59 +4,12 @@ import { Server } from 'http';
 import * as _ from 'lodash';
 import * as morgan from 'morgan';
 
-import * as config from './config';
 import * as eventTracker from './event-tracker';
 import blink = require('./lib/blink');
 
 import log from './lib/supervisor-console';
-
+import * as apiKeys from './lib/api-keys';
-function getKeyFromReq(req: express.Request): string | undefined {
+import * as deviceState from './device-state';
-	// Check query for key
-	if (req.query.apikey) {
-		return req.query.apikey;
-	}
-	// Get Authorization header to search for key
-	const authHeader = req.get('Authorization');
-	// Check header for key
-	if (!authHeader) {
-		return undefined;
-	}
-	// Check authHeader with various schemes
-	const match = authHeader.match(/^(?:ApiKey|Bearer) (\w+)$/i);
-	// Return key from match or undefined
-	return match?.[1];
-}
-
-function authenticate(): express.RequestHandler {
-	return async (req, res, next) => {
-		try {
-			const conf = await config.getMany([
-				'apiSecret',
-				'localMode',
-				'unmanaged',
-				'osVariant',
-			]);
-
-			const needsAuth = conf.unmanaged
-				? conf.osVariant === 'prod'
-				: !conf.localMode;
-
-			if (needsAuth) {
-				// Only get the key if we need it
-				const key = getKeyFromReq(req);
-				if (key && conf.apiSecret && key === conf.apiSecret) {
-					return next();
-				} else {
-					return res.sendStatus(401);
-				}
-			} else {
-				return next();
-			}
-		} catch (err) {
-			res.status(503).send(`Unexpected error: ${err}`);
-		}
-	};
-}
 
 const expressLogger = morgan(
 	(tokens, req, res) =>
@@ -112,7 +65,7 @@ export class SupervisorAPI {
 
 		this.api.get('/ping', (_req, res) => res.send('OK'));
 
-		this.api.use(authenticate());
+		this.api.use(apiKeys.authMiddleware);
 
 		this.api.post('/v1/blink', (_req, res) => {
 			eventTracker.track('Device blink');
@@ -123,11 +76,30 @@ export class SupervisorAPI {
 
 		// Expires the supervisor's API key and generates a new one.
 		// It also communicates the new key to the balena API.
-		this.api.post('/v1/regenerate-api-key', async (_req, res) => {
+		this.api.post(
-			const secret = config.newUniqueKey();
+			'/v1/regenerate-api-key',
-			await config.set({ apiSecret: secret });
+			async (req: apiKeys.AuthorizedRequest, res) => {
-			res.status(200).send(secret);
+				await deviceState.initialized;
-		});
+				await apiKeys.initialized;
+
+				// check if we're updating the cloud API key
+				const updateCloudKey = req.auth.apiKey === apiKeys.cloudApiKey;
+
+				// regenerate the key...
+				const newKey = await apiKeys.refreshKey(req.auth.apiKey);
+
+				// if we need to update the cloud API with our new key
+				if (updateCloudKey) {
+					// report the new key to the cloud API
+					deviceState.reportCurrentState({
+						api_secret: apiKeys.cloudApiKey,
+					});
+				}
+
+				// return the value of the new key to the caller
+				res.status(200).send(newKey);
+			},
+		);
 
 		// And assign all external routers
 		for (const router of this.routers) {
@@ -135,7 +107,6 @@ export class SupervisorAPI {
 		}
 
 		// Error handling.
-
 		const messageFromError = (err?: Error | string | null): string => {
 			let message = 'Unknown error';
 			if (err != null) {

src/supervisor.ts

@@ -19,7 +19,6 @@ const startupConfigFields: config.ConfigKey[] = [
 	'uuid',
 	'listenPort',
 	'apiEndpoint',
-	'apiSecret',
 	'apiTimeout',
 	'unmanaged',
 	'deviceApiKey',

test/03-config.spec.ts

@@ -64,12 +64,6 @@ describe('Config', () => {
 		});
 	});
 
-	it('allows removing a db key', async () => {
-		await conf.remove('apiSecret');
-		const secret = await conf.get('apiSecret');
-		return expect(secret).to.be.undefined;
-	});
-
 	it('allows deleting a config.json key and returns a default value if none is set', async () => {
 		await conf.remove('appUpdatePollInterval');
 		const poll = await conf.get('appUpdatePollInterval');

test/04-service.spec.ts

@@ -28,7 +28,7 @@ const configs = {
 };
 
 describe('compose/service', () => {
-	it('extends environment variables properly', () => {
+	it('extends environment variables properly', async () => {
 		const extendEnvVarsOpts = {
 			uuid: '1234',
 			appName: 'awesomeApp',
@@ -50,7 +50,10 @@ describe('compose/service', () => {
 				A_VARIABLE: 'ITS_VALUE',
 			},
 		};
-		const s = Service.fromComposeObject(service, extendEnvVarsOpts as any);
+		const s = await Service.fromComposeObject(
+			service,
+			extendEnvVarsOpts as any,
+		);
 
 		expect(s.config.environment).to.deep.equal({
 			FOO: 'bar',
@@ -81,8 +84,8 @@ describe('compose/service', () => {
 		});
 	});
 
-	it('returns the correct default bind mounts', () => {
+	it('returns the correct default bind mounts', async () => {
-		const s = Service.fromComposeObject(
+		const s = await Service.fromComposeObject(
 			{
 				appId: '1234',
 				serviceName: 'foo',
@@ -99,8 +102,8 @@ describe('compose/service', () => {
 		]);
 	});
 
-	it('produces the correct port bindings and exposed ports', () => {
+	it('produces the correct port bindings and exposed ports', async () => {
-		const s = Service.fromComposeObject(
+		const s = await Service.fromComposeObject(
 			{
 				appId: '1234',
 				serviceName: 'foo',
@@ -155,8 +158,8 @@ describe('compose/service', () => {
 		});
 	});
 
-	it('correctly handles port ranges', () => {
+	it('correctly handles port ranges', async () => {
-		const s = Service.fromComposeObject(
+		const s = await Service.fromComposeObject(
 			{
 				appId: '1234',
 				serviceName: 'foo',
@@ -207,9 +210,9 @@ describe('compose/service', () => {
 		});
 	});
 
-	it('should correctly handle large port ranges', function () {
+	it('should correctly handle large port ranges', async function () {
 		this.timeout(60000);
-		const s = Service.fromComposeObject(
+		const s = await Service.fromComposeObject(
 			{
 				appId: '1234',
 				serviceName: 'foo',
@@ -224,8 +227,8 @@ describe('compose/service', () => {
 		expect((s as any).generateExposeAndPorts()).to.not.throw;
 	});
 
-	it('should correctly report implied exposed ports from portMappings', () => {
+	it('should correctly report implied exposed ports from portMappings', async () => {
-		const service = Service.fromComposeObject(
+		const service = await Service.fromComposeObject(
 			{
 				appId: 123456,
 				serviceId: 123456,
@@ -240,8 +243,8 @@ describe('compose/service', () => {
 			.that.deep.equals(['80/tcp', '100/tcp']);
 	});
 
-	it('should correctly handle spaces in volume definitions', () => {
+	it('should correctly handle spaces in volume definitions', async () => {
-		const service = Service.fromComposeObject(
+		const service = await Service.fromComposeObject(
 			{
 				appId: 123,
 				serviceId: 123,
@@ -270,8 +273,8 @@ describe('compose/service', () => {
 	});
 
 	describe('Ordered array parameters', () => {
-		it('Should correctly compare ordered array parameters', () => {
+		it('Should correctly compare ordered array parameters', async () => {
-			const svc1 = Service.fromComposeObject(
+			const svc1 = await Service.fromComposeObject(
 				{
 					appId: 1,
 					serviceId: 1,
@@ -280,7 +283,7 @@ describe('compose/service', () => {
 				},
 				{ appName: 'test' } as any,
 			);
-			let svc2 = Service.fromComposeObject(
+			let svc2 = await Service.fromComposeObject(
 				{
 					appId: 1,
 					serviceId: 1,
@@ -291,7 +294,7 @@ describe('compose/service', () => {
 			);
 			assert(svc1.isEqualConfig(svc2, {}));
 
-			svc2 = Service.fromComposeObject(
+			svc2 = await Service.fromComposeObject(
 				{
 					appId: 1,
 					serviceId: 1,
@@ -303,8 +306,8 @@ describe('compose/service', () => {
 			assert(!svc1.isEqualConfig(svc2, {}));
 		});
 
-		it('should correctly compare non-ordered array parameters', () => {
+		it('should correctly compare non-ordered array parameters', async () => {
-			const svc1 = Service.fromComposeObject(
+			const svc1 = await Service.fromComposeObject(
 				{
 					appId: 1,
 					serviceId: 1,
@@ -313,7 +316,7 @@ describe('compose/service', () => {
 				},
 				{ appName: 'test' } as any,
 			);
-			let svc2 = Service.fromComposeObject(
+			let svc2 = await Service.fromComposeObject(
 				{
 					appId: 1,
 					serviceId: 1,
@@ -324,7 +327,7 @@ describe('compose/service', () => {
 			);
 			assert(svc1.isEqualConfig(svc2, {}));
 
-			svc2 = Service.fromComposeObject(
+			svc2 = await Service.fromComposeObject(
 				{
 					appId: 1,
 					serviceId: 1,
@@ -336,8 +339,8 @@ describe('compose/service', () => {
 			assert(svc1.isEqualConfig(svc2, {}));
 		});
 
-		it('should correctly compare both ordered and non-ordered array parameters', () => {
+		it('should correctly compare both ordered and non-ordered array parameters', async () => {
-			const svc1 = Service.fromComposeObject(
+			const svc1 = await Service.fromComposeObject(
 				{
 					appId: 1,
 					serviceId: 1,
@@ -347,7 +350,7 @@ describe('compose/service', () => {
 				},
 				{ appName: 'test' } as any,
 			);
-			const svc2 = Service.fromComposeObject(
+			const svc2 = await Service.fromComposeObject(
 				{
 					appId: 1,
 					serviceId: 1,
@@ -362,8 +365,8 @@ describe('compose/service', () => {
 	});
 
 	describe('parseMemoryNumber()', () => {
-		const makeComposeServiceWithLimit = (memLimit?: string | number) =>
+		const makeComposeServiceWithLimit = async (memLimit?: string | number) =>
-			Service.fromComposeObject(
+			await Service.fromComposeObject(
 				{
 					appId: 123456,
 					serviceId: 123456,
@@ -373,74 +376,82 @@ describe('compose/service', () => {
 				{ appName: 'test' } as any,
 			);
 
-		it('should correctly parse memory number strings without a unit', () =>
+		it('should correctly parse memory number strings without a unit', async () =>
-			expect(makeComposeServiceWithLimit('64').config.memLimit).to.equal(64));
+			expect(
+				(await makeComposeServiceWithLimit('64')).config.memLimit,
+			).to.equal(64));
 
-		it('should correctly apply the default value', () =>
+		it('should correctly apply the default value', async () =>
-			expect(makeComposeServiceWithLimit(undefined).config.memLimit).to.equal(
+			expect(
-				0,
+				(await makeComposeServiceWithLimit(undefined)).config.memLimit,
+			).to.equal(0));
+
+		it('should correctly support parsing numbers as memory limits', async () =>
+			expect((await makeComposeServiceWithLimit(64)).config.memLimit).to.equal(
+				64,
 			));
 
-		it('should correctly support parsing numbers as memory limits', () =>
+		it('should correctly parse memory number strings that use a byte unit', async () => {
-			expect(makeComposeServiceWithLimit(64).config.memLimit).to.equal(64));
+			expect(
-
+				(await makeComposeServiceWithLimit('64b')).config.memLimit,
-		it('should correctly parse memory number strings that use a byte unit', () => {
+			).to.equal(64);
-			expect(makeComposeServiceWithLimit('64b').config.memLimit).to.equal(64);
+			expect(
-			expect(makeComposeServiceWithLimit('64B').config.memLimit).to.equal(64);
+				(await makeComposeServiceWithLimit('64B')).config.memLimit,
+			).to.equal(64);
 		});
 
-		it('should correctly parse memory number strings that use a kilobyte unit', () => {
+		it('should correctly parse memory number strings that use a kilobyte unit', async () => {
-			expect(makeComposeServiceWithLimit('64k').config.memLimit).to.equal(
+			expect(
-				65536,
+				(await makeComposeServiceWithLimit('64k')).config.memLimit,
-			);
+			).to.equal(65536);
-			expect(makeComposeServiceWithLimit('64K').config.memLimit).to.equal(
+			expect(
-				65536,
+				(await makeComposeServiceWithLimit('64K')).config.memLimit,
-			);
+			).to.equal(65536);
 
-			expect(makeComposeServiceWithLimit('64kb').config.memLimit).to.equal(
+			expect(
-				65536,
+				(await makeComposeServiceWithLimit('64kb')).config.memLimit,
-			);
+			).to.equal(65536);
-			expect(makeComposeServiceWithLimit('64Kb').config.memLimit).to.equal(
+			expect(
-				65536,
+				(await makeComposeServiceWithLimit('64Kb')).config.memLimit,
-			);
+			).to.equal(65536);
 		});
 
-		it('should correctly parse memory number strings that use a megabyte unit', () => {
+		it('should correctly parse memory number strings that use a megabyte unit', async () => {
-			expect(makeComposeServiceWithLimit('64m').config.memLimit).to.equal(
+			expect(
-				67108864,
+				(await makeComposeServiceWithLimit('64m')).config.memLimit,
-			);
+			).to.equal(67108864);
-			expect(makeComposeServiceWithLimit('64M').config.memLimit).to.equal(
+			expect(
-				67108864,
+				(await makeComposeServiceWithLimit('64M')).config.memLimit,
-			);
+			).to.equal(67108864);
 
-			expect(makeComposeServiceWithLimit('64mb').config.memLimit).to.equal(
+			expect(
-				67108864,
+				(await makeComposeServiceWithLimit('64mb')).config.memLimit,
-			);
+			).to.equal(67108864);
-			expect(makeComposeServiceWithLimit('64Mb').config.memLimit).to.equal(
+			expect(
-				67108864,
+				(await makeComposeServiceWithLimit('64Mb')).config.memLimit,
-			);
+			).to.equal(67108864);
 		});
 
-		it('should correctly parse memory number strings that use a gigabyte unit', () => {
+		it('should correctly parse memory number strings that use a gigabyte unit', async () => {
-			expect(makeComposeServiceWithLimit('64g').config.memLimit).to.equal(
+			expect(
-				68719476736,
+				(await makeComposeServiceWithLimit('64g')).config.memLimit,
-			);
+			).to.equal(68719476736);
-			expect(makeComposeServiceWithLimit('64G').config.memLimit).to.equal(
+			expect(
-				68719476736,
+				(await makeComposeServiceWithLimit('64G')).config.memLimit,
-			);
+			).to.equal(68719476736);
 
-			expect(makeComposeServiceWithLimit('64gb').config.memLimit).to.equal(
+			expect(
-				68719476736,
+				(await makeComposeServiceWithLimit('64gb')).config.memLimit,
-			);
+			).to.equal(68719476736);
-			expect(makeComposeServiceWithLimit('64Gb').config.memLimit).to.equal(
+			expect(
-				68719476736,
+				(await makeComposeServiceWithLimit('64Gb')).config.memLimit,
-			);
+			).to.equal(68719476736);
 		});
 	});
 
 	describe('getWorkingDir', () => {
-		const makeComposeServiceWithWorkdir = (workdir?: string) =>
+		const makeComposeServiceWithWorkdir = async (workdir?: string) =>
-			Service.fromComposeObject(
+			await Service.fromComposeObject(
 				{
 					appId: 123456,
 					serviceId: 123456,
@@ -450,17 +461,20 @@ describe('compose/service', () => {
 				{ appName: 'test' } as any,
 			);
 
-		it('should remove a trailing slash', () => {
+		it('should remove a trailing slash', async () => {
 			expect(
-				makeComposeServiceWithWorkdir('/usr/src/app/').config.workingDir,
+				(await makeComposeServiceWithWorkdir('/usr/src/app/')).config
+					.workingDir,
 			).to.equal('/usr/src/app');
-			expect(makeComposeServiceWithWorkdir('/').config.workingDir).to.equal(
-				'/',
-			);
 			expect(
-				makeComposeServiceWithWorkdir('/usr/src/app').config.workingDir,
+				(await makeComposeServiceWithWorkdir('/')).config.workingDir,
+			).to.equal('/');
+			expect(
+				(await makeComposeServiceWithWorkdir('/usr/src/app')).config.workingDir,
 			).to.equal('/usr/src/app');
-			expect(makeComposeServiceWithWorkdir('').config.workingDir).to.equal('');
+			expect(
+				(await makeComposeServiceWithWorkdir('')).config.workingDir,
+			).to.equal('');
 		});
 	});
 
@@ -469,8 +483,8 @@ describe('compose/service', () => {
 			Count: 1,
 			Capabilities: [['gpu']],
 		};
-		it('should succeed from compose object', () => {
+		it('should succeed from compose object', async () => {
-			const s = Service.fromComposeObject(
+			const s = await Service.fromComposeObject(
 				{
 					appId: 123,
 					serviceId: 123,
@@ -504,8 +518,8 @@ describe('compose/service', () => {
 		const omitConfigForComparison = (config: ServiceConfig) =>
 			_.omit(config, ['running', 'networks']);
 
-		it('should be identical when converting a simple service', () => {
+		it('should be identical when converting a simple service', async () => {
-			const composeSvc = Service.fromComposeObject(
+			const composeSvc = await Service.fromComposeObject(
 				configs.simple.compose,
 				configs.simple.imageInfo,
 			);
@@ -518,8 +532,8 @@ describe('compose/service', () => {
 			expect(dockerSvc.isEqualConfig(composeSvc, {})).to.be.true;
 		});
 
-		it('should correctly convert formats with a null entrypoint', () => {
+		it('should correctly convert formats with a null entrypoint', async () => {
-			const composeSvc = Service.fromComposeObject(
+			const composeSvc = await Service.fromComposeObject(
 				configs.entrypoint.compose,
 				configs.entrypoint.imageInfo,
 			);
@@ -533,11 +547,11 @@ describe('compose/service', () => {
 		});
 
 		describe('Networks', () => {
-			it('should correctly convert networks from compose to docker format', () => {
+			it('should correctly convert networks from compose to docker format', async () => {
-				const makeComposeServiceWithNetwork = (
+				const makeComposeServiceWithNetwork = async (
 					networks: ServiceComposeConfig['networks'],
 				) =>
-					Service.fromComposeObject(
+					await Service.fromComposeObject(
 						{
 							appId: 123456,
 							serviceId: 123456,
@@ -548,11 +562,13 @@ describe('compose/service', () => {
 					);
 
 				expect(
-					makeComposeServiceWithNetwork({
+					(
-						balena: {
+						await makeComposeServiceWithNetwork({
-							ipv4Address: '1.2.3.4',
+							balena: {
-						},
+								ipv4Address: '1.2.3.4',
-					}).toDockerContainer({ deviceName: 'foo' } as any).NetworkingConfig,
+							},
+						})
+					).toDockerContainer({ deviceName: 'foo' } as any).NetworkingConfig,
 				).to.deep.equal({
 					EndpointsConfig: {
 						'123456_balena': {
@@ -565,14 +581,16 @@ describe('compose/service', () => {
 				});
 
 				expect(
-					makeComposeServiceWithNetwork({
+					(
-						balena: {
+						await makeComposeServiceWithNetwork({
-							aliases: ['test', '1123'],
+							balena: {
-							ipv4Address: '1.2.3.4',
+								aliases: ['test', '1123'],
-							ipv6Address: '5.6.7.8',
+								ipv4Address: '1.2.3.4',
-							linkLocalIps: ['123.123.123'],
+								ipv6Address: '5.6.7.8',
-						},
+								linkLocalIps: ['123.123.123'],
-					}).toDockerContainer({ deviceName: 'foo' } as any).NetworkingConfig,
+							},
+						})
+					).toDockerContainer({ deviceName: 'foo' } as any).NetworkingConfig,
 				).to.deep.equal({
 					EndpointsConfig: {
 						'123456_balena': {
@@ -638,8 +656,8 @@ describe('compose/service', () => {
 		});
 
 		return describe('Network mode=service:', () => {
-			it('should correctly add a depends_on entry for the service', () => {
+			it('should correctly add a depends_on entry for the service', async () => {
-				let s = Service.fromComposeObject(
+				let s = await Service.fromComposeObject(
 					{
 						appId: '1234',
 						serviceName: 'foo',
@@ -653,7 +671,7 @@ describe('compose/service', () => {
 
 				expect(s.dependsOn).to.deep.equal(['test']);
 
-				s = Service.fromComposeObject(
+				s = await Service.fromComposeObject(
 					{
 						appId: '1234',
 						serviceName: 'foo',
@@ -669,8 +687,8 @@ describe('compose/service', () => {
 				expect(s.dependsOn).to.deep.equal(['another_service', 'test']);
 			});
 
-			it('should correctly convert a network_mode service: to a container:', () => {
+			it('should correctly convert a network_mode service: to a container:', async () => {
-				const s = Service.fromComposeObject(
+				const s = await Service.fromComposeObject(
 					{
 						appId: '1234',
 						serviceName: 'foo',
@@ -692,8 +710,8 @@ describe('compose/service', () => {
 					.that.equals('container:abcdef');
 			});
 
-			it('should not cause a container restart if a service: container has not changed', () => {
+			it('should not cause a container restart if a service: container has not changed', async () => {
-				const composeSvc = Service.fromComposeObject(
+				const composeSvc = await Service.fromComposeObject(
 					configs.networkModeService.compose,
 					configs.networkModeService.imageInfo,
 				);
@@ -709,8 +727,8 @@ describe('compose/service', () => {
 					.true;
 			});
 
-			it('should restart a container when its dependent network mode container changes', () => {
+			it('should restart a container when its dependent network mode container changes', async () => {
-				const composeSvc = Service.fromComposeObject(
+				const composeSvc = await Service.fromComposeObject(
 					configs.networkModeService.compose,
 					configs.networkModeService.imageInfo,
 				);

test/05-device-state.spec.ts

@@ -313,7 +313,9 @@ describe('deviceState', () => {
 			service.image = imageName;
 			(service as any).imageName = imageName;
 			services.push(
-				Service.fromComposeObject(service, { appName: 'supertest' } as any),
+				await Service.fromComposeObject(service, {
+					appName: 'supertest',
+				} as any),
 			);
 		}
 

test/21-supervisor-api.spec.ts

@@ -12,13 +12,14 @@ import mockedAPI = require('./lib/mocked-device-api');
 import * as applicationManager from '../src/compose/application-manager';
 import { InstancedAppState } from '../src/types/state';
 
+import * as apiKeys from '../src/lib/api-keys';
+import * as db from '../src/db';
+
 const mockedOptions = {
 	listenPort: 54321,
 	timeout: 30000,
 };
 
-const VALID_SECRET = mockedAPI.STUBBED_VALUES.config.apiSecret;
-
 describe('SupervisorAPI', () => {
 	let api: SupervisorAPI;
 	let healthCheckStubs: SinonStub[];
@@ -40,6 +41,10 @@ describe('SupervisorAPI', () => {
 
 		// Start test API
 		await api.listen(mockedOptions.listenPort, mockedOptions.timeout);
+
+		// Create a scoped key
+		await apiKeys.initialized;
+		await apiKeys.generateCloudKey();
 	});
 
 	after(async () => {
@@ -56,6 +61,104 @@ describe('SupervisorAPI', () => {
 		await mockedAPI.cleanUp();
 	});
 
+	describe('API Key Scope', () => {
+		it('should generate a key which is scoped for a single application', async () => {
+			// single app scoped key...
+			const appScopedKey = await apiKeys.generateScopedKey(1, 1);
+
+			await request
+				.get('/v2/applications/1/state')
+				.set('Accept', 'application/json')
+				.set('Authorization', `Bearer ${appScopedKey}`)
+				.expect(200);
+		});
+		it('should generate a key which is scoped for multiple applications', async () => {
+			// multi-app scoped key...
+			const multiAppScopedKey = await apiKeys.generateScopedKey(1, 2, {
+				scopes: [1, 2].map((appId) => {
+					return { type: 'app', appId };
+				}),
+			});
+
+			await request
+				.get('/v2/applications/1/state')
+				.set('Accept', 'application/json')
+				.set('Authorization', `Bearer ${multiAppScopedKey}`)
+				.expect(200);
+
+			await request
+				.get('/v2/applications/2/state')
+				.set('Accept', 'application/json')
+				.set('Authorization', `Bearer ${multiAppScopedKey}`)
+				.expect(200);
+		});
+		it('should generate a key which is scoped for all applications', async () => {
+			await request
+				.get('/v2/applications/1/state')
+				.set('Accept', 'application/json')
+				.set('Authorization', `Bearer ${apiKeys.cloudApiKey}`)
+				.expect(200);
+
+			await request
+				.get('/v2/applications/2/state')
+				.set('Accept', 'application/json')
+				.set('Authorization', `Bearer ${apiKeys.cloudApiKey}`)
+				.expect(200);
+		});
+		it('should have a cached lookup of the key scopes to save DB loading', async () => {
+			const scopes = await apiKeys.getScopesForKey(apiKeys.cloudApiKey);
+
+			const key = 'not-a-normal-key';
+			await db.initialized;
+			await db
+				.models('apiSecret')
+				.update({
+					key,
+				})
+				.where({
+					key: apiKeys.cloudApiKey,
+				});
+
+			// the key we had is now gone, but the cache should return values
+			const cachedScopes = await apiKeys.getScopesForKey(apiKeys.cloudApiKey);
+			expect(cachedScopes).to.deep.equal(scopes);
+
+			// this should bust the cache...
+			await apiKeys.generateCloudKey(true);
+
+			// the key we changed should be gone now, and the new key should have the cloud scopes
+			const missingScopes = await apiKeys.getScopesForKey(key);
+			const freshScopes = await apiKeys.getScopesForKey(apiKeys.cloudApiKey);
+
+			expect(missingScopes).to.be.null;
+			expect(freshScopes).to.deep.equal(scopes);
+		});
+		it('should regenerate a key and invalidate the old one', async () => {
+			// single app scoped key...
+			const appScopedKey = await apiKeys.generateScopedKey(1, 1);
+
+			await request
+				.get('/v2/applications/1/state')
+				.set('Accept', 'application/json')
+				.set('Authorization', `Bearer ${appScopedKey}`)
+				.expect(200);
+
+			const newScopedKey = await apiKeys.refreshKey(appScopedKey);
+
+			await request
+				.get('/v2/applications/1/state')
+				.set('Accept', 'application/json')
+				.set('Authorization', `Bearer ${appScopedKey}`)
+				.expect(401);
+
+			await request
+				.get('/v2/applications/1/state')
+				.set('Accept', 'application/json')
+				.set('Authorization', `Bearer ${newScopedKey}`)
+				.expect(200);
+		});
+	});
+
 	describe('/ping', () => {
 		it('responds with OK (without auth)', async () => {
 			await request.get('/ping').set('Accept', 'application/json').expect(200);
@@ -64,7 +167,7 @@ describe('SupervisorAPI', () => {
 			await request
 				.get('/ping')
 				.set('Accept', 'application/json')
-				.set('Authorization', `Bearer ${VALID_SECRET}`)
+				.set('Authorization', `Bearer ${apiKeys.cloudApiKey}`)
 				.expect(200);
 		});
 	});
@@ -77,7 +180,7 @@ describe('SupervisorAPI', () => {
 				await request
 					.get('/v1/healthy')
 					.set('Accept', 'application/json')
-					.set('Authorization', `Bearer ${VALID_SECRET}`)
+					.set('Authorization', `Bearer ${apiKeys.cloudApiKey}`)
 					.expect(sampleResponses.V1.GET['/healthy'].statusCode)
 					.then((response) => {
 						expect(response.body).to.deep.equal(
@@ -138,7 +241,7 @@ describe('SupervisorAPI', () => {
 				await request
 					.get('/v1/apps/2')
 					.set('Accept', 'application/json')
-					.set('Authorization', `Bearer ${VALID_SECRET}`)
+					.set('Authorization', `Bearer ${apiKeys.cloudApiKey}`)
 					.expect(sampleResponses.V1.GET['/apps/2'].statusCode)
 					.expect('Content-Type', /json/)
 					.then((response) => {
@@ -154,7 +257,7 @@ describe('SupervisorAPI', () => {
 				await request
 					.post('/v1/apps/2/stop')
 					.set('Accept', 'application/json')
-					.set('Authorization', `Bearer ${VALID_SECRET}`)
+					.set('Authorization', `Bearer ${apiKeys.cloudApiKey}`)
 					.expect(sampleResponses.V1.GET['/apps/2/stop'].statusCode)
 					.expect('Content-Type', /json/)
 					.then((response) => {
@@ -170,7 +273,7 @@ describe('SupervisorAPI', () => {
 				const response = await request
 					.get('/v1/device')
 					.set('Accept', 'application/json')
-					.set('Authorization', `Bearer ${VALID_SECRET}`)
+					.set('Authorization', `Bearer ${apiKeys.cloudApiKey}`)
 					.expect(200);
 
 				expect(response.body).to.have.property('mac_address').that.is.not.empty;
@@ -184,7 +287,7 @@ describe('SupervisorAPI', () => {
 				await request
 					.get('/v2/device/vpn')
 					.set('Accept', 'application/json')
-					.set('Authorization', `Bearer ${VALID_SECRET}`)
+					.set('Authorization', `Bearer ${apiKeys.cloudApiKey}`)
 					.expect('Content-Type', /json/)
 					.expect(sampleResponses.V2.GET['/device/vpn'].statusCode)
 					.then((response) => {
@@ -200,9 +303,9 @@ describe('SupervisorAPI', () => {
 				await request
 					.get('/v2/applications/1/state')
 					.set('Accept', 'application/json')
-					.set('Authorization', `Bearer ${VALID_SECRET}`)
+					.set('Authorization', `Bearer ${apiKeys.cloudApiKey}`)
-					.expect('Content-Type', /json/)
 					.expect(sampleResponses.V2.GET['/applications/1/state'].statusCode)
+					.expect('Content-Type', /json/)
 					.then((response) => {
 						expect(response.body).to.deep.equal(
 							sampleResponses.V2.GET['/applications/1/state'].body,
@@ -214,7 +317,7 @@ describe('SupervisorAPI', () => {
 				await request
 					.get('/v2/applications/123invalid/state')
 					.set('Accept', 'application/json')
-					.set('Authorization', `Bearer ${VALID_SECRET}`)
+					.set('Authorization', `Bearer ${apiKeys.cloudApiKey}`)
 					.expect('Content-Type', /json/)
 					.expect(
 						sampleResponses.V2.GET['/applications/123invalid/state'].statusCode,
@@ -230,8 +333,7 @@ describe('SupervisorAPI', () => {
 				await request
 					.get('/v2/applications/9000/state')
 					.set('Accept', 'application/json')
-					.set('Authorization', `Bearer ${VALID_SECRET}`)
+					.set('Authorization', `Bearer ${apiKeys.cloudApiKey}`)
-					.expect('Content-Type', /json/)
 					.expect(sampleResponses.V2.GET['/applications/9000/state'].statusCode)
 					.then((response) => {
 						expect(response.body).to.deep.equal(
@@ -239,6 +341,17 @@ describe('SupervisorAPI', () => {
 						);
 					});
 			});
+
+			describe('Scoped API Keys', () => {
+				it('returns 409 because app is out of scope of the key', async () => {
+					const apiKey = await apiKeys.generateScopedKey(3, 1);
+					await request
+						.get('/v2/applications/2/state')
+						.set('Accept', 'application/json')
+						.set('Authorization', `Bearer ${apiKey}`)
+						.expect(409);
+				});
+			});
 		});
 
 		// TODO: add tests for rest of V2 endpoints

test/26-supervisor-api-auth.spec.ts

@@ -2,13 +2,13 @@ import * as supertest from 'supertest';
 
 import SupervisorAPI from '../src/supervisor-api';
 import mockedAPI = require('./lib/mocked-device-api');
+import { cloudApiKey } from '../src/lib/api-keys';
 
 const mockedOptions = {
 	listenPort: 12345,
 	timeout: 30000,
 };
 
-const VALID_SECRET = mockedAPI.STUBBED_VALUES.config.apiSecret;
 const INVALID_SECRET = 'bad_api_secret';
 
 describe('SupervisorAPI authentication', () => {
@@ -39,20 +39,20 @@ describe('SupervisorAPI authentication', () => {
 	});
 
 	it('finds apiKey from query', async () => {
-		return request.post(`/v1/blink?apikey=${VALID_SECRET}`).expect(200);
+		return request.post(`/v1/blink?apikey=${cloudApiKey}`).expect(200);
 	});
 
 	it('finds apiKey from Authorization header (ApiKey scheme)', async () => {
 		return request
 			.post('/v1/blink')
-			.set('Authorization', `ApiKey ${VALID_SECRET}`)
+			.set('Authorization', `ApiKey ${cloudApiKey}`)
 			.expect(200);
 	});
 
 	it('finds apiKey from Authorization header (Bearer scheme)', async () => {
 		return request
 			.post('/v1/blink')
-			.set('Authorization', `Bearer ${VALID_SECRET}`)
+			.set('Authorization', `Bearer ${cloudApiKey}`)
 			.expect(200);
 	});
 
@@ -70,7 +70,7 @@ describe('SupervisorAPI authentication', () => {
 		for (const scheme of randomCases) {
 			return request
 				.post('/v1/blink')
-				.set('Authorization', `${scheme} ${VALID_SECRET}`)
+				.set('Authorization', `${scheme} ${cloudApiKey}`)
 				.expect(200);
 		}
 	});

test/34-compose-app.ts

@@ -45,7 +45,7 @@ function createApp(
 	);
 }
 
-function createService(
+async function createService(
 	conf: Partial<ServiceComposeConfig>,
 	appId = 1,
 	serviceName = 'test',
@@ -54,7 +54,7 @@ function createService(
 	imageId = 4,
 	extraState?: Partial<Service>,
 ) {
-	const svc = Service.fromComposeObject(
+	const svc = await Service.fromComposeObject(
 		{
 			appId,
 			serviceName,
@@ -265,15 +265,15 @@ describe('compose/app', () => {
 			.that.deep.equals({ 'io.balena.supervised': 'true', test: 'test' });
 	});
 
-	it('should kill dependencies of a volume before changing config', () => {
+	it('should kill dependencies of a volume before changing config', async () => {
 		const current = createApp(
-			[createService({ volumes: ['test-volume'] })],
+			[await createService({ volumes: ['test-volume'] })],
 			[],
 			[Volume.fromComposeObject('test-volume', 1, {})],
 			false,
 		);
 		const target = createApp(
-			[createService({ volumes: ['test-volume'] })],
+			[await createService({ volumes: ['test-volume'] })],
 			[],
 			[
 				Volume.fromComposeObject('test-volume', 1, {
@@ -381,14 +381,14 @@ describe('compose/app', () => {
 			.that.equals('test-network');
 	});
 
-	it('should kill dependencies of networks before removing', () => {
+	it('should kill dependencies of networks before removing', async () => {
 		const current = createApp(
-			[createService({ networks: { 'test-network': {} } })],
+			[await createService({ networks: { 'test-network': {} } })],
 			[Network.fromComposeObject('test-network', 1, {})],
 			[],
 			false,
 		);
-		const target = createApp([createService({})], [], [], true);
+		const target = createApp([await createService({})], [], [], true);
 
 		const steps = current.nextStepsForAppUpdate(defaultContext, target);
 		const idx = expectStep('kill', steps);
@@ -398,15 +398,15 @@ describe('compose/app', () => {
 			.that.equals('test');
 	});
 
-	it('should kill dependencies of networks before changing config', () => {
+	it('should kill dependencies of networks before changing config', async () => {
 		const current = createApp(
-			[createService({ networks: { 'test-network': {} } })],
+			[await createService({ networks: { 'test-network': {} } })],
 			[Network.fromComposeObject('test-network', 1, {})],
 			[],
 			false,
 		);
 		const target = createApp(
-			[createService({ networks: { 'test-network': {} } })],
+			[await createService({ networks: { 'test-network': {} } })],
 			[
 				Network.fromComposeObject('test-network', 1, {
 					labels: { test: 'test' },
@@ -426,8 +426,8 @@ describe('compose/app', () => {
 		expect(() => expectStep('removeNetwork', steps)).to.throw();
 	});
 
-	it('should not output a kill step for a service which is already stopping when changing a volume', () => {
+	it('should not output a kill step for a service which is already stopping when changing a volume', async () => {
-		const service = createService({ volumes: ['test-volume'] });
+		const service = await createService({ volumes: ['test-volume'] });
 		service.status = 'Stopping';
 		const current = createApp(
 			[service],
@@ -464,13 +464,16 @@ describe('compose/app', () => {
 
 	it('should create a kill step for service which is no longer referenced', async () => {
 		const current = createApp(
-			[createService({}, 1, 'main', 1, 1), createService({}, 1, 'aux', 1, 2)],
+			[
+				await createService({}, 1, 'main', 1, 1),
+				await createService({}, 1, 'aux', 1, 2),
+			],
 			[Network.fromComposeObject('test-network', 1, {})],
 			[],
 			false,
 		);
 		const target = createApp(
-			[createService({}, 1, 'main', 2, 1)],
+			[await createService({}, 1, 'main', 2, 1)],
 			[Network.fromComposeObject('test-network', 1, {})],
 			[],
 			true,
@@ -486,7 +489,7 @@ describe('compose/app', () => {
 
 	it('should emit a noop when a service which is no longer referenced is already stopping', async () => {
 		const current = createApp(
-			[createService({}, 1, 'main', 1, 1, 1, { status: 'Stopping' })],
+			[await createService({}, 1, 'main', 1, 1, 1, { status: 'Stopping' })],
 			[],
 			[],
 			false,
@@ -497,15 +500,15 @@ describe('compose/app', () => {
 		expectStep('noop', steps);
 	});
 
-	it('should remove a dead container that is still referenced in the target state', () => {
+	it('should remove a dead container that is still referenced in the target state', async () => {
 		const current = createApp(
-			[createService({}, 1, 'main', 1, 1, 1, { status: 'Dead' })],
+			[await createService({}, 1, 'main', 1, 1, 1, { status: 'Dead' })],
 			[],
 			[],
 			false,
 		);
 		const target = createApp(
-			[createService({}, 1, 'main', 1, 1, 1)],
+			[await createService({}, 1, 'main', 1, 1, 1)],
 			[],
 			[],
 			true,
@@ -515,9 +518,9 @@ describe('compose/app', () => {
 		expectStep('remove', steps);
 	});
 
-	it('should remove a dead container that is not referenced in the target state', () => {
+	it('should remove a dead container that is not referenced in the target state', async () => {
 		const current = createApp(
-			[createService({}, 1, 'main', 1, 1, 1, { status: 'Dead' })],
+			[await createService({}, 1, 'main', 1, 1, 1, { status: 'Dead' })],
 			[],
 			[],
 			false,
@@ -528,10 +531,10 @@ describe('compose/app', () => {
 		expectStep('remove', steps);
 	});
 
-	it('should emit a noop when a service has an image downloading', () => {
+	it('should emit a noop when a service has an image downloading', async () => {
 		const current = createApp([], [], [], false);
 		const target = createApp(
-			[createService({}, 1, 'main', 1, 1, 1)],
+			[await createService({}, 1, 'main', 1, 1, 1)],
 			[],
 			[],
 			true,
@@ -544,15 +547,15 @@ describe('compose/app', () => {
 		expectStep('noop', steps);
 	});
 
-	it('should emit an updateMetadata step when a service has not changed but the release has', () => {
+	it('should emit an updateMetadata step when a service has not changed but the release has', async () => {
 		const current = createApp(
-			[createService({}, 1, 'main', 1, 1, 1)],
+			[await createService({}, 1, 'main', 1, 1, 1)],
 			[],
 			[],
 			false,
 		);
 		const target = createApp(
-			[createService({}, 1, 'main', 2, 1, 1)],
+			[await createService({}, 1, 'main', 2, 1, 1)],
 			[],
 			[],
 			true,
@@ -562,15 +565,15 @@ describe('compose/app', () => {
 		expectStep('updateMetadata', steps);
 	});
 
-	it('should stop a container which has stoppped as its target', () => {
+	it('should stop a container which has stoppped as its target', async () => {
 		const current = createApp(
-			[createService({}, 1, 'main', 1, 1, 1)],
+			[await createService({}, 1, 'main', 1, 1, 1)],
 			[],
 			[],
 			false,
 		);
 		const target = createApp(
-			[createService({ running: false }, 1, 'main', 1, 1, 1)],
+			[await createService({ running: false }, 1, 'main', 1, 1, 1)],
 			[],
 			[],
 			true,
@@ -580,7 +583,7 @@ describe('compose/app', () => {
 		expectStep('stop', steps);
 	});
 
-	it('should recreate a container if the target configuration changes', () => {
+	it('should recreate a container if the target configuration changes', async () => {
 		const contextWithImages = {
 			...defaultContext,
 			...{
@@ -598,13 +601,13 @@ describe('compose/app', () => {
 			},
 		};
 		let current = createApp(
-			[createService({}, 1, 'main', 1, 1, 1, {})],
+			[await createService({}, 1, 'main', 1, 1, 1, {})],
 			[defaultNetwork],
 			[],
 			false,
 		);
 		const target = createApp(
-			[createService({ privileged: true }, 1, 'main', 1, 1, 1, {})],
+			[await createService({ privileged: true }, 1, 'main', 1, 1, 1, {})],
 			[defaultNetwork],
 			[],
 			true,
@@ -624,7 +627,7 @@ describe('compose/app', () => {
 			.forTarget((t) => t.serviceName === 'main').to.exist;
 	});
 
-	it('should not start a container when it depends on a service which is being installed', () => {
+	it('should not start a container when it depends on a service which is being installed', async () => {
 		const mainImage: Image = {
 			appId: 1,
 			dependent: 0,
@@ -651,7 +654,7 @@ describe('compose/app', () => {
 		try {
 			let current = createApp(
 				[
-					createService({ running: false }, 1, 'dep', 1, 2, 2, {
+					await createService({ running: false }, 1, 'dep', 1, 2, 2, {
 						status: 'Installing',
 						containerId: 'id',
 					}),
@@ -662,8 +665,8 @@ describe('compose/app', () => {
 			);
 			const target = createApp(
 				[
-					createService({}, 1, 'main', 1, 1, 1, { dependsOn: ['dep'] }),
+					await createService({}, 1, 'main', 1, 1, 1, { dependsOn: ['dep'] }),
-					createService({}, 1, 'dep', 1, 2, 2),
+					await createService({}, 1, 'dep', 1, 2, 2),
 				],
 				[defaultNetwork],
 				[],
@@ -681,7 +684,7 @@ describe('compose/app', () => {
 
 			// we now make our current state have the 'dep' service as started...
 			current = createApp(
-				[createService({}, 1, 'dep', 1, 2, 2, { containerId: 'id' })],
+				[await createService({}, 1, 'dep', 1, 2, 2, { containerId: 'id' })],
 				[defaultNetwork],
 				[],
 				false,
@@ -704,10 +707,10 @@ describe('compose/app', () => {
 		}
 	});
 
-	it('should emit a fetch step when an image has not been downloaded for a service', () => {
+	it('should emit a fetch step when an image has not been downloaded for a service', async () => {
 		const current = createApp([], [], [], false);
 		const target = createApp(
-			[createService({}, 1, 'main', 1, 1, 1)],
+			[await createService({}, 1, 'main', 1, 1, 1)],
 			[],
 			[],
 			true,
@@ -717,15 +720,15 @@ describe('compose/app', () => {
 		withSteps(steps).expectStep('fetch').to.exist;
 	});
 
-	it('should stop a container which has stoppped as its target', () => {
+	it('should stop a container which has stoppped as its target', async () => {
 		const current = createApp(
-			[createService({}, 1, 'main', 1, 1, 1)],
+			[await createService({}, 1, 'main', 1, 1, 1)],
 			[],
 			[],
 			false,
 		);
 		const target = createApp(
-			[createService({ running: false }, 1, 'main', 1, 1, 1)],
+			[await createService({ running: false }, 1, 'main', 1, 1, 1)],
 			[],
 			[],
 			true,
@@ -735,7 +738,7 @@ describe('compose/app', () => {
 		withSteps(steps).expectStep('stop');
 	});
 
-	it('should create a start step when all that changes is a running state', () => {
+	it('should create a start step when all that changes is a running state', async () => {
 		const contextWithImages = {
 			...defaultContext,
 			...{
@@ -753,13 +756,13 @@ describe('compose/app', () => {
 			},
 		};
 		const current = createApp(
-			[createService({ running: false }, 1, 'main', 1, 1, 1, {})],
+			[await createService({ running: false }, 1, 'main', 1, 1, 1, {})],
 			[defaultNetwork],
 			[],
 			false,
 		);
 		const target = createApp(
-			[createService({}, 1, 'main', 1, 1, 1, {})],
+			[await createService({}, 1, 'main', 1, 1, 1, {})],
 			[defaultNetwork],
 			[],
 			true,
@@ -772,7 +775,7 @@ describe('compose/app', () => {
 			.forTarget((t) => t.serviceName === 'main').to.exist;
 	});
 
-	it('should not infer a fetch step when the download is already in progress', () => {
+	it('should not infer a fetch step when the download is already in progress', async () => {
 		const contextWithDownloading = {
 			...defaultContext,
 			...{
@@ -781,7 +784,7 @@ describe('compose/app', () => {
 		};
 		const current = createApp([], [], [], false);
 		const target = createApp(
-			[createService({}, 1, 'main', 1, 1, 1)],
+			[await createService({}, 1, 'main', 1, 1, 1)],
 			[],
 			[],
 			true,
@@ -791,7 +794,7 @@ describe('compose/app', () => {
 		withSteps(steps).expectStep('fetch').forTarget('main').to.not.exist;
 	});
 
-	it('should create a kill step when a service has to be updated but the strategy is kill-then-download', () => {
+	it('should create a kill step when a service has to be updated but the strategy is kill-then-download', async () => {
 		const contextWithImages = {
 			...defaultContext,
 			...{
@@ -814,14 +817,24 @@ describe('compose/app', () => {
 		};
 
 		const current = createApp(
-			[createService({ labels, image: 'main-image' }, 1, 'main', 1, 1, 1, {})],
+			[
+				await createService(
+					{ labels, image: 'main-image' },
+					1,
+					'main',
+					1,
+					1,
+					1,
+					{},
+				),
+			],
 			[defaultNetwork],
 			[],
 			false,
 		);
 		const target = createApp(
 			[
-				createService(
+				await createService(
 					{ labels, image: 'main-image-2' },
 					1,
 					'main',
@@ -854,7 +867,7 @@ describe('compose/app', () => {
 			.that.equals('main-image-2');
 	});
 
-	it('should not infer a kill step with the default strategy if a dependency is not downloaded', () => {
+	it('should not infer a kill step with the default strategy if a dependency is not downloaded', async () => {
 		const contextWithImages = {
 			...defaultContext,
 			...{
@@ -893,10 +906,10 @@ describe('compose/app', () => {
 
 		const current = createApp(
 			[
-				createService({ image: 'main-image' }, 1, 'main', 1, 1, 1, {
+				await createService({ image: 'main-image' }, 1, 'main', 1, 1, 1, {
 					dependsOn: ['dep'],
 				}),
-				createService({ image: 'dep-image' }, 1, 'dep', 1, 2, 2, {}),
+				await createService({ image: 'dep-image' }, 1, 'dep', 1, 2, 2, {}),
 			],
 			[defaultNetwork],
 			[],
@@ -904,10 +917,10 @@ describe('compose/app', () => {
 		);
 		const target = createApp(
 			[
-				createService({ image: 'main-image-2' }, 1, 'main', 2, 1, 3, {
+				await createService({ image: 'main-image-2' }, 1, 'main', 2, 1, 3, {
 					dependsOn: ['dep'],
 				}),
-				createService({ image: 'dep-image-2' }, 1, 'dep', 2, 2, 4, {}),
+				await createService({ image: 'dep-image-2' }, 1, 'dep', 2, 2, 4, {}),
 			],
 			[defaultNetwork],
 			[],
@@ -918,7 +931,7 @@ describe('compose/app', () => {
 		withSteps(steps).expectStep('kill').forCurrent('main').to.not.exist;
 	});
 
-	it('should create several kill steps as long as there is no unmet dependencies', () => {
+	it('should create several kill steps as long as there is no unmet dependencies', async () => {
 		const contextWithImages = {
 			...defaultContext,
 			...{
@@ -946,13 +959,13 @@ describe('compose/app', () => {
 		};
 
 		const current = createApp(
-			[createService({ image: 'main-image' }, 1, 'main', 1, 1, 1, {})],
+			[await createService({ image: 'main-image' }, 1, 'main', 1, 1, 1, {})],
 			[defaultNetwork],
 			[],
 			false,
 		);
 		const target = createApp(
-			[createService({ image: 'main-image-2' }, 1, 'main', 2, 1, 2)],
+			[await createService({ image: 'main-image-2' }, 1, 'main', 2, 1, 2)],
 			[defaultNetwork],
 			[],
 			true,
@@ -966,14 +979,14 @@ describe('compose/app', () => {
 		withSteps(steps).expectStep('kill').forCurrent('main').to.exist;
 	});
 
-	it('should create a kill step when a service has to be updated but the strategy is kill-then-download', () => {
+	it('should create a kill step when a service has to be updated but the strategy is kill-then-download', async () => {
 		const labels = {
 			'io.balena.update.strategy': 'kill-then-download',
 		};
 
-		const current = createApp([createService({ labels })], [], [], false);
+		const current = createApp([await createService({ labels })], [], [], false);
 		const target = createApp(
-			[createService({ privileged: true })],
+			[await createService({ privileged: true })],
 			[],
 			[],
 			true,
@@ -983,15 +996,15 @@ describe('compose/app', () => {
 		withSteps(steps).expectStep('kill').forCurrent('main');
 	});
 
-	it('should not infer a kill step with the default strategy if a dependency is not downloaded', () => {
+	it('should not infer a kill step with the default strategy if a dependency is not downloaded', async () => {
 		const current = createApp(
-			[createService({ image: 'image1' })],
+			[await createService({ image: 'image1' })],
 			[],
 			[],
 			false,
 		);
 		const target = createApp(
-			[createService({ image: 'image2' })],
+			[await createService({ image: 'image2' })],
 			[],
 			[],
 			true,
@@ -1002,19 +1015,19 @@ describe('compose/app', () => {
 		withSteps(steps).rejectStep('kill');
 	});
 
-	it('should create several kill steps as long as there is no unmet dependencies', () => {
+	it('should create several kill steps as long as there is no unmet dependencies', async () => {
 		const current = createApp(
 			[
-				createService({}, 1, 'one', 1, 2),
+				await createService({}, 1, 'one', 1, 2),
-				createService({}, 1, 'two', 1, 3),
+				await createService({}, 1, 'two', 1, 3),
-				createService({}, 1, 'three', 1, 4),
+				await createService({}, 1, 'three', 1, 4),
 			],
 			[],
 			[],
 			false,
 		);
 		const target = createApp(
-			[createService({}, 1, 'three', 1, 4)],
+			[await createService({}, 1, 'three', 1, 4)],
 			[],
 			[],
 			true,
@@ -1023,10 +1036,10 @@ describe('compose/app', () => {
 		const steps = current.nextStepsForAppUpdate(defaultContext, target);
 		withSteps(steps).expectStep('kill').to.have.length(2);
 	});
-	it('should not create a service when a network it depends on is not ready', () => {
+	it('should not create a service when a network it depends on is not ready', async () => {
 		const current = createApp([], [defaultNetwork], [], false);
 		const target = createApp(
-			[createService({ networks: ['test'] }, 1)],
+			[await createService({ networks: ['test'] }, 1)],
 			[defaultNetwork, Network.fromComposeObject('test', 1, {})],
 			[],
 			true,

test/lib/mocked-device-api.ts

@@ -18,7 +18,6 @@ const DB_PATH = './test/data/supervisor-api.sqlite';
 // Holds all values used for stubbing
 const STUBBED_VALUES = {
 	config: {
-		apiSecret: 'secure_api_secret',
 		currentCommit: '7fc9c5bea8e361acd49886fe6cc1e1cd',
 	},
 	services: [
@@ -109,10 +108,7 @@ async function createAPIOpts(): Promise<void> {
 async function initConfig(): Promise<void> {
 	// Initialize this config
 	await config.initialized;
-	// Set testing secret
+
-	await config.set({
-		apiSecret: STUBBED_VALUES.config.apiSecret,
-	});
 	// Set a currentCommit
 	await config.set({
 		currentCommit: STUBBED_VALUES.config.currentCommit,