oxidecomputer · plotnick · Mar 6, 2025 · Jan 15, 2025 · Jan 20, 2025 · Jan 22, 2025
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/common/src/api/external/mod.rs b/common/src/api/external/mod.rs
@@ -3091,10 +3091,10 @@ pub enum BfdMode {
 /// A description of an uploaded TUF repository.
 #[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize, JsonSchema)]
 pub struct TufRepoDescription {
-    // Information about the repository.
+    /// Information about the repository.
     pub repo: TufRepoMeta,
 
-    // Information about the artifacts present in the repository.
+    /// Information about the artifacts present in the repository.
     pub artifacts: Vec<TufArtifactMeta>,
 }
 
@@ -3107,7 +3107,7 @@ impl TufRepoDescription {
 
 /// Metadata about a TUF repository.
 ///
-/// Found within a [`TufRepoDescription`].
+/// Found within a `TufRepoDescription`.
 #[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize, JsonSchema)]
 pub struct TufRepoMeta {
     /// The hash of the repository.
@@ -3136,7 +3136,7 @@ pub struct TufRepoMeta {
 
 /// Metadata about an individual TUF artifact.
 ///
-/// Found within a [`TufRepoDescription`].
+/// Found within a `TufRepoDescription`.
 #[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize, JsonSchema)]
 pub struct TufArtifactMeta {
     /// The artifact ID.
@@ -3162,7 +3162,7 @@ pub struct TufRepoInsertResponse {
 
 /// Status of a TUF repo import.
 ///
-/// Part of [`TufRepoInsertResponse`].
+/// Part of `TufRepoInsertResponse`.
 #[derive(
     Debug, Clone, Copy, PartialEq, Eq, Deserialize, Serialize, JsonSchema,
 )]

diff --git a/nexus/auth/src/authz/api_resources.rs b/nexus/auth/src/authz/api_resources.rs
@@ -668,6 +668,49 @@ impl AuthorizedResource for SiloUserList {
     }
 }
 
+/// System software target version configuration
+#[derive(Clone, Copy, Debug, PartialEq, Eq)]
+pub struct TargetReleaseConfig;
+
+pub const TARGET_RELEASE_CONFIG: TargetReleaseConfig = TargetReleaseConfig;
+
+impl oso::PolarClass for TargetReleaseConfig {
+    fn get_polar_class_builder() -> oso::ClassBuilder<Self> {
+        oso::Class::builder()
+            .with_equality_check()
+            .add_attribute_getter("fleet", |_: &TargetReleaseConfig| FLEET)
+    }
+}
+
+impl AuthorizedResource for TargetReleaseConfig {
+    fn load_roles<'fut>(
+        &'fut self,
+        opctx: &'fut OpContext,
+        authn: &'fut authn::Context,
+        roleset: &'fut mut RoleSet,
+    ) -> futures::future::BoxFuture<'fut, Result<(), Error>> {
+        // There are no roles on the TargetReleaseConfig, only permissions. But we
+        // still need to load the Fleet-related roles to verify that the actor
+        // has the "admin" role on the Fleet (possibly conferred from a Silo
+        // role).
+        load_roles_for_resource_tree(&FLEET, opctx, authn, roleset).boxed()
+    }
+
+    fn on_unauthorized(
+        &self,
+        _: &Authz,
+        error: Error,
+        _: AnyActor,
+        _: Action,
+    ) -> Error {
+        error
+    }
+
+    fn polar_class(&self) -> oso::Class {
+        Self::get_polar_class()
+    }
+}
+
 // Main resource hierarchy: Projects and their resources
 
 authz_resource! {

diff --git a/nexus/auth/src/authz/omicron.polar b/nexus/auth/src/authz/omicron.polar
@@ -383,6 +383,20 @@ resource BlueprintConfig {
 has_relation(fleet: Fleet, "parent_fleet", list: BlueprintConfig)
 	if list.fleet = fleet;
 
+# Describes the policy for accessing blueprints
+resource TargetReleaseConfig {
+	permissions = [
+	    "read",          # read the current target release
+	    "modify",        # change the current target release
+	];
+
+	relations = { parent_fleet: Fleet };
+	"read" if "viewer" on "parent_fleet";
+	"modify" if "admin" on "parent_fleet";
+}
+has_relation(fleet: Fleet, "parent_fleet", resource: TargetReleaseConfig)
+	if resource.fleet = fleet;
+
 # Describes the policy for reading and modifying low-level inventory
 resource Inventory {
 	permissions = [ "read", "modify" ];

diff --git a/nexus/auth/src/authz/oso_generic.rs b/nexus/auth/src/authz/oso_generic.rs
@@ -114,6 +114,7 @@ pub fn make_omicron_oso(log: &slog::Logger) -> Result<OsoInit, anyhow::Error> {
         SiloCertificateList::get_polar_class(),
         SiloIdentityProviderList::get_polar_class(),
         SiloUserList::get_polar_class(),
+        TargetReleaseConfig::get_polar_class(),
     ];
     for c in classes {
         oso_builder = oso_builder.register_class(c)?;

diff --git a/nexus/db-model/src/lib.rs b/nexus/db-model/src/lib.rs
@@ -63,6 +63,7 @@ mod rendezvous_debug_dataset;
 mod semver_version;
 mod switch_interface;
 mod switch_port;
+mod target_release;
 mod v2p_mapping;
 mod vmm_state;
 // These actually represent subqueries, not real table.
@@ -211,6 +212,7 @@ pub use support_bundle::*;
 pub use switch::*;
 pub use switch_interface::*;
 pub use switch_port::*;
+pub use target_release::*;
 pub use tuf_repo::*;
 pub use typed_uuid::to_db_typed_uuid;
 pub use upstairs_repair::*;

diff --git a/nexus/db-model/src/schema.rs b/nexus/db-model/src/schema.rs
@@ -1411,6 +1411,15 @@ allow_tables_to_appear_in_same_query!(
 joinable!(tuf_repo_artifact -> tuf_repo (tuf_repo_id));
 joinable!(tuf_repo_artifact -> tuf_artifact (tuf_artifact_id));
 
+table! {
+    target_release (generation) {
+        generation -> Int8,
+        time_requested -> Timestamptz,
+        release_source -> crate::TargetReleaseSourceEnum,
+        tuf_repo_id -> Nullable<Uuid>,
+    }
+}
+
 table! {
     support_bundle {
         id -> Uuid,

diff --git a/nexus/db-model/src/schema_versions.rs b/nexus/db-model/src/schema_versions.rs
@@ -16,7 +16,7 @@ use std::{collections::BTreeMap, sync::LazyLock};
 ///
 /// This must be updated when you change the database schema.  Refer to
 /// schema/crdb/README.adoc in the root of this repository for details.
-pub const SCHEMA_VERSION: Version = Version::new(128, 0, 0);
+pub const SCHEMA_VERSION: Version = Version::new(129, 0, 0);
 
 /// List of all past database schema versions, in *reverse* order
 ///
@@ -28,6 +28,7 @@ static KNOWN_VERSIONS: LazyLock<Vec<KnownVersion>> = LazyLock::new(|| {
         // |  leaving the first copy as an example for the next person.
         // v
         // KnownVersion::new(next_int, "unique-dirname-with-the-sql-files"),
+        KnownVersion::new(129, "create-target-release"),
         KnownVersion::new(128, "sled-resource-for-vmm"),
         KnownVersion::new(127, "bp-disk-disposition-expunged-cleanup"),
         KnownVersion::new(126, "affinity"),

diff --git a/nexus/db-model/src/target_release.rs b/nexus/db-model/src/target_release.rs
@@ -0,0 +1,77 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+use super::{Generation, impl_enum_type};
+use crate::schema::target_release;
+use crate::typed_uuid::DbTypedUuid;
+use chrono::{DateTime, Utc};
+use nexus_types::external_api::views;
+use omicron_uuid_kinds::TufRepoKind;
+
+impl_enum_type!(
+    #[derive(SqlType, Debug, QueryId)]
+    #[diesel(postgres_type(name = "target_release_source", schema = "public"))]
+    pub struct TargetReleaseSourceEnum;
+
+    /// The source of the software release that should be deployed to the rack.
+    #[derive(Copy, Clone, Debug, AsExpression, FromSqlRow, PartialEq, Eq, Hash)]
+    #[diesel(sql_type = TargetReleaseSourceEnum)]
+    pub enum TargetReleaseSource;
+
+    Unspecified => b"unspecified"
+    SystemVersion => b"system_version"
+);
+
+/// Specify the target system software release.
+#[derive(Clone, Debug, Insertable, Queryable, Selectable)]
+#[diesel(table_name = target_release)]
+pub struct TargetRelease {
+    /// Each change to the target release is recorded as a row with
+    /// a monotonically increasing generation number. The row with
+    /// the largest generation is the current target release.
+    pub generation: Generation,
+
+    /// The time at which this target release was requested.
+    pub time_requested: DateTime<Utc>,
+
+    /// The source of the target release.
+    pub release_source: TargetReleaseSource,
+
+    /// The TUF repo containing the target release.
+    pub tuf_repo_id: Option<DbTypedUuid<TufRepoKind>>,
+}
+
+impl TargetRelease {
+    pub fn new_unspecified(prev: &TargetRelease) -> Self {
+        Self {
+            generation: Generation(prev.generation.next()),
+            time_requested: Utc::now(),
+            release_source: TargetReleaseSource::Unspecified,
+            tuf_repo_id: None,
+        }
+    }
+
+    pub fn new_system_version(
+        prev: &TargetRelease,
+        tuf_repo_id: DbTypedUuid<TufRepoKind>,
+    ) -> Self {
+        Self {
+            generation: Generation(prev.generation.next()),
+            time_requested: Utc::now(),
+            release_source: TargetReleaseSource::SystemVersion,
+            tuf_repo_id: Some(tuf_repo_id),
+        }
+    }
+
+    pub fn into_external(
+        &self,
+        release_source: views::TargetReleaseSource,
+    ) -> views::TargetRelease {
+        views::TargetRelease {
+            generation: (&self.generation.0).into(),
+            time_requested: self.time_requested,
+            release_source,
+        }
+    }
+}
diff --git a/nexus/db-queries/Cargo.toml b/nexus/db-queries/Cargo.toml
@@ -48,6 +48,7 @@ strum.workspace = true
 swrite.workspace = true
 thiserror.workspace = true
 tokio = { workspace = true, features = ["full"] }
+tufaceous-artifact.workspace = true
 url.workspace = true
 usdt.workspace = true
 uuid.workspace = true

diff --git a/nexus/db-queries/src/db/datastore/mod.rs b/nexus/db-queries/src/db/datastore/mod.rs
@@ -99,6 +99,7 @@ mod support_bundle;
 mod switch;
 mod switch_interface;
 mod switch_port;
+mod target_release;
 #[cfg(test)]
 pub(crate) mod test_utils;
 mod update;