[v2] TUF integration in Nexus + update artifact fetching by sled-agent

.gitignore

@@ -8,3 +8,4 @@ tools/clickhouse*
 tools/cockroach*
 clickhouse/
 cockroachdb/
+smf/nexus/root.json

common/src/api/internal/nexus.rs

@@ -8,6 +8,7 @@ use crate::api::external::{
     ByteCount, DiskState, Generation, InstanceCpuCount, InstanceState,
 };
 use chrono::{DateTime, Utc};
+use parse_display::Display;
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 use std::net::SocketAddr;
@@ -77,3 +78,22 @@ impl ProducerEndpoint {
         format!("{}/{}", &self.base_route, &self.id)
     }
 }
+
+/// Description of a single update artifact.
+#[derive(Clone, Debug, Deserialize, Serialize, JsonSchema)]
+pub struct UpdateArtifact {
+    pub name: String,
+    pub version: i64,
+    pub kind: UpdateArtifactKind,
+}
+
+/// Kinds of update artifacts, as used by Nexus to determine what updates are available and by
+/// sled-agent to determine how to apply an update when asked.
+#[derive(
+    Clone, Copy, Debug, PartialEq, Display, Deserialize, Serialize, JsonSchema,
+)]
+#[display(style = "kebab-case")]
+#[serde(rename_all = "kebab-case")]
+pub enum UpdateArtifactKind {
+    Zone,
+}

common/src/sql/dbinit.sql

@@ -46,7 +46,10 @@ CREATE TABLE omicron.public.rack (
     /* Identity metadata (asset) */
     id UUID PRIMARY KEY,
     time_created TIMESTAMPTZ NOT NULL,
-    time_modified TIMESTAMPTZ NOT NULL
+    time_modified TIMESTAMPTZ NOT NULL,
+
+    /* Used to configure the updates service URL */
+    tuf_base_url STRING(512)
 );
 
 /*
@@ -692,6 +695,31 @@ CREATE INDEX ON omicron.public.console_session (
 
 /*******************************************************************/
 
+CREATE TYPE omicron.public.update_artifact_kind AS ENUM (
+    'zone'
+);
+
+CREATE TABLE omicron.public.update_available_artifact (
+    name STRING(40) NOT NULL,
+    version INT NOT NULL,
+    kind omicron.public.update_artifact_kind NOT NULL,
+
+    /* the version of the targets.json role this came from */
+    targets_role_version INT NOT NULL,
+
+    /* when the metadata this artifact was cached from expires */
+    valid_until TIMESTAMPTZ NOT NULL,
+
+    /* data about the target from the targets.json role */
+    target_name STRING(512) NOT NULL,
+    target_sha256 STRING(64) NOT NULL,
+    target_length INT NOT NULL,
+
+    PRIMARY KEY (name, version, kind)
+);
+
+/*******************************************************************/
+
 /*
  * Identity and Access Management (IAM)
  *

nexus-client/src/lib.rs

@@ -227,6 +227,20 @@ impl From<&omicron_common::api::internal::nexus::ProducerEndpoint>
     }
 }
 
+impl From<omicron_common::api::internal::nexus::UpdateArtifactKind>
+    for types::UpdateArtifactKind
+{
+    fn from(
+        s: omicron_common::api::internal::nexus::UpdateArtifactKind,
+    ) -> Self {
+        use omicron_common::api::internal::nexus::UpdateArtifactKind;
+
+        match s {
+            UpdateArtifactKind::Zone => types::UpdateArtifactKind::Zone,
+        }
+    }
+}
+
 impl From<std::time::Duration> for types::Duration {
     fn from(s: std::time::Duration) -> Self {
         Self { secs: s.as_secs(), nanos: s.subsec_nanos() }

nexus/Cargo.toml

@@ -37,14 +37,17 @@ pq-sys = "*"
 rand = "0.8.5"
 ref-cast = "1.0"
 reqwest = { version = "0.11.8", features = [ "json" ] }
+ring = "0.16"
 serde_json = "1.0"
 serde_urlencoded = "0.7.1"
 serde_with = "1.12.0"
 sled-agent-client = { path = "../sled-agent-client" }
 slog-dtrace = "0.2"
 structopt = "0.3"
+tempfile = "3.3"
 thiserror = "1.0"
 toml = "0.5.6"
+tough = { version = "0.12", features = [ "http" ] }
 usdt = "0.3.1"
 
 [dependencies.api_identity]

nexus/src/config.rs

@@ -41,6 +41,14 @@ pub struct ConsoleConfig {
     pub session_absolute_timeout_minutes: u32,
 }
 
+#[derive(Clone, Debug, Deserialize, PartialEq, Serialize)]
+pub struct UpdatesConfig {
+    /** Trusted root.json role for the TUF updates repository. */
+    pub trusted_root: PathBuf,
+    /** Default base URLs for the TUF repository. */
+    pub default_base_url: String,
+}
+
 /**
  * Configuration for the timeseries database.
  */
@@ -70,6 +78,10 @@ pub struct Config {
     pub authn: AuthnConfig,
     /** Timeseries database configuration. */
     pub timeseries_db: TimeseriesDbConfig,
+    /// Updates-related configuration. Updates APIs return 400 Bad Request when this is
+    /// unconfigured.
+    #[serde(default)]
+    pub updates: Option<UpdatesConfig>,
 }
 
 #[derive(Debug)]
@@ -175,7 +187,7 @@ impl Config {
 mod test {
     use super::{
         AuthnConfig, Config, ConsoleConfig, LoadError, LoadErrorKind,
-        SchemeName, TimeseriesDbConfig,
+        SchemeName, TimeseriesDbConfig, UpdatesConfig,
     };
     use crate::db;
     use dropshot::ConfigDropshot;
@@ -306,6 +318,9 @@ mod test {
             if_exists = "fail"
             [timeseries_db]
             address = "[::1]:8123"
+            [updates]
+            trusted_root = "/path/to/root.json"
+            default_base_url = "http://example.invalid/"
             "##,
         )
         .unwrap();
@@ -346,6 +361,10 @@ mod test {
                 timeseries_db: TimeseriesDbConfig {
                     address: "[::1]:8123".parse().unwrap()
                 },
+                updates: Some(UpdatesConfig {
+                    trusted_root: PathBuf::from("/path/to/root.json"),
+                    default_base_url: "http://example.invalid/".into(),
+                }),
             }
         );
 

nexus/src/context.rs

@@ -75,7 +75,7 @@ impl ServerContext {
      * underlying nexus as well.
      */
     pub fn new(
-        rack_id: &Uuid,
+        rack_id: Uuid,
         log: Logger,
         pool: db::Pool,
         config: &config::Config,