move the TUF trust store to the database (#8488)

Closes #3578
Depends on oxidecomputer/tufaceous#30

This removes the `[updates]` section of the Nexus config, instead opting
to allow operators to configure which TUF root roles they trust via the
API. See [RFD 447](https://rfd.shared.oxide.computer/rfd/447).

This deliberately punts on a few choices: any identifying information
about the roots themselves; which trusted root was used to verify a
repository is not recorded; deleting a trusted root does not impact any
uploaded repositories; synchronizing the Nexus trust store to Wicket;
whether to automatically add new versions of roots to the trust store
(or possibly replace the older version, to allow for a real key rotation
scenario). A future RFD and implementation PR should cover these.

Author: iliana

Cargo.lock

@@ -979,6 +979,7 @@ pub enum ResourceType {
     RoleBuiltin,
     TufRepo,
     TufArtifact,
+    TufTrustRoot,
     SwitchPort,
     UserBuiltin,
     Zpool,

common/src/api/external/mod.rs

@@ -66,7 +66,9 @@ use tufaceous_artifact::ArtifactHash;
 use tufaceous_artifact::ArtifactVersion;
 use tufaceous_artifact::ArtifactVersionError;
 use tufaceous_lib::assemble::ArtifactManifest;
-use update_common::artifacts::{ArtifactsWithPlan, ControlPlaneZonesMode};
+use update_common::artifacts::{
+    ArtifactsWithPlan, ControlPlaneZonesMode, VerificationMode,
+};
 
 mod log_capture;
 
@@ -2195,6 +2197,7 @@ fn extract_tuf_repo_description(
             None,
             repo_hash,
             ControlPlaneZonesMode::Split,
+            VerificationMode::BlindlyTrustAnything,
             log,
         )
         .await

dev-tools/reconfigurator-cli/src/lib.rs

@@ -238,12 +238,6 @@ pub struct ConsoleConfig {
     pub session_absolute_timeout_minutes: u32,
 }
 
-#[derive(Clone, Debug, Deserialize, PartialEq, Serialize)]
-pub struct UpdatesConfig {
-    /// Trusted root.json role for the TUF updates repository.
-    pub trusted_root: Utf8PathBuf,
-}
-
 /// Options to tweak database schema changes.
 #[derive(Clone, Debug, Deserialize, PartialEq, Serialize)]
 pub struct SchemaConfig {
@@ -841,10 +835,6 @@ pub struct PackageConfig {
     /// Timeseries database configuration.
     #[serde(default)]
     pub timeseries_db: TimeseriesDbConfig,
-    /// Updates-related configuration. Updates APIs return 400 Bad Request when
-    /// this is unconfigured.
-    #[serde(default)]
-    pub updates: Option<UpdatesConfig>,
     /// Describes how to handle and perform schema changes.
     #[serde(default)]
     pub schema: Option<SchemaConfig>,
@@ -1036,8 +1026,6 @@ mod test {
             if_exists = "fail"
             [timeseries_db]
             address = "[::1]:9000"
-            [updates]
-            trusted_root = "/path/to/root.json"
             [tunables]
             max_vpc_ipv4_subnet_prefix = 27
             [deployment]
@@ -1179,9 +1167,6 @@ mod test {
                             0,
                         ))),
                     },
-                    updates: Some(UpdatesConfig {
-                        trusted_root: Utf8PathBuf::from("/path/to/root.json"),
-                    }),
                     schema: None,
                     tunables: Tunables {
                         max_vpc_ipv4_subnet_prefix: 27,
@@ -1511,9 +1496,6 @@ mod test {
             if_exists = "fail"
             [timeseries_db]
             address = "[::1]:9000"
-            [updates]
-            trusted_root = "/path/to/root.json"
-            default_base_url = "http://example.invalid/"
             [tunables]
             max_vpc_ipv4_subnet_prefix = 100
             [deployment]

nexus-config/src/nexus_config.rs

@@ -668,6 +668,57 @@ impl AuthorizedResource for SiloUserList {
     }
 }
 
+#[derive(Clone, Copy, Debug)]
+pub struct UpdateTrustRootList;
+
+/// Singleton representing the [`UpdateTrustRootList`] itself for authz purposes
+pub const UPDATE_TRUST_ROOT_LIST: UpdateTrustRootList = UpdateTrustRootList;
+
+impl Eq for UpdateTrustRootList {}
+
+impl PartialEq for UpdateTrustRootList {
+    fn eq(&self, _: &Self) -> bool {
+        true
+    }
+}
+
+impl oso::PolarClass for UpdateTrustRootList {
+    fn get_polar_class_builder() -> oso::ClassBuilder<Self> {
+        oso::Class::builder()
+            .with_equality_check()
+            .add_attribute_getter("fleet", |_: &UpdateTrustRootList| FLEET)
+    }
+}
+
+impl AuthorizedResource for UpdateTrustRootList {
+    fn load_roles<'fut>(
+        &'fut self,
+        opctx: &'fut OpContext,
+        authn: &'fut authn::Context,
+        roleset: &'fut mut RoleSet,
+    ) -> futures::future::BoxFuture<'fut, Result<(), Error>> {
+        // There are no roles on the UpdateTrustRootList, only permissions.
+        // But we still need to load the Fleet-related roles to verify that the
+        // actor has the "admin" role on the Fleet (possibly conferred from a
+        // Silo role).
+        load_roles_for_resource_tree(&FLEET, opctx, authn, roleset).boxed()
+    }
+
+    fn on_unauthorized(
+        &self,
+        _: &Authz,
+        error: Error,
+        _: AnyActor,
+        _: Action,
+    ) -> Error {
+        error
+    }
+
+    fn polar_class(&self) -> oso::Class {
+        Self::get_polar_class()
+    }
+}
+
 /// System software target version configuration
 #[derive(Clone, Copy, Debug, PartialEq, Eq)]
 pub struct TargetReleaseConfig;
@@ -1117,6 +1168,14 @@ authz_resource! {
     polar_snippet = FleetChild,
 }
 
+authz_resource! {
+    name = "TufTrustRoot",
+    parent = "Fleet",
+    primary_key = { uuid_kind = TufTrustRootKind },
+    roles_allowed = false,
+    polar_snippet = FleetChild,
+}
+
 authz_resource! {
     name = "Certificate",
     parent = "Silo",

nexus/auth/src/authz/api_resources.rs

@@ -383,6 +383,16 @@ resource BlueprintConfig {
 has_relation(fleet: Fleet, "parent_fleet", list: BlueprintConfig)
 	if list.fleet = fleet;
 
+# Describes the policy for accessing "/v1/system/update/trust-roots" in the API
+resource UpdateTrustRootList {
+	permissions = [ "list_children", "create_child" ];
+	relations = { parent_fleet: Fleet };
+	"list_children" if "viewer" on "parent_fleet";
+	"create_child" if "admin" on "parent_fleet";
+}
+has_relation(fleet: Fleet, "parent_fleet", collection: UpdateTrustRootList)
+	if collection.fleet = fleet;
+
 # Describes the policy for accessing blueprints
 resource TargetReleaseConfig {
 	permissions = [

nexus/auth/src/authz/omicron.polar

@@ -114,6 +114,7 @@ pub fn make_omicron_oso(log: &slog::Logger) -> Result<OsoInit, anyhow::Error> {
         SiloCertificateList::get_polar_class(),
         SiloIdentityProviderList::get_polar_class(),
         SiloUserList::get_polar_class(),
+        UpdateTrustRootList::get_polar_class(),
         TargetReleaseConfig::get_polar_class(),
         AlertClassList::get_polar_class(),
     ];
@@ -163,6 +164,7 @@ pub fn make_omicron_oso(log: &slog::Logger) -> Result<OsoInit, anyhow::Error> {
         Sled::init(),
         TufRepo::init(),
         TufArtifact::init(),
+        TufTrustRoot::init(),
         Alert::init(),
         AlertReceiver::init(),
         WebhookSecret::init(),

nexus/auth/src/authz/oso_generic.rs

@@ -34,6 +34,7 @@ use omicron_uuid_kinds::PhysicalDiskUuid;
 use omicron_uuid_kinds::SupportBundleUuid;
 use omicron_uuid_kinds::TufArtifactKind;
 use omicron_uuid_kinds::TufRepoKind;
+use omicron_uuid_kinds::TufTrustRootUuid;
 use omicron_uuid_kinds::TypedUuid;
 use omicron_uuid_kinds::WebhookSecretUuid;
 use slog::{error, trace};
@@ -300,6 +301,10 @@ impl<'a> LookupPath<'a> {
         SupportBundle::PrimaryKey(Root { lookup_root: self }, id)
     }
 
+    pub fn tuf_trust_root(self, id: TufTrustRootUuid) -> TufTrustRoot<'a> {
+        TufTrustRoot::PrimaryKey(Root { lookup_root: self }, id)
+    }
+
     pub fn silo_image_id(self, id: Uuid) -> SiloImage<'a> {
         SiloImage::PrimaryKey(Root { lookup_root: self }, id)
     }
@@ -823,6 +828,14 @@ lookup_resource! {
     primary_key_columns = [ { column_name = "id", uuid_kind = TufArtifactKind } ]
 }
 
+lookup_resource! {
+    name = "TufTrustRoot",
+    ancestors = [],
+    lookup_by_name = false,
+    soft_deletes = true,
+    primary_key_columns = [ { column_name = "id", uuid_kind = TufTrustRootKind } ]
+}
+
 lookup_resource! {
     name = "UserBuiltin",
     ancestors = [],

nexus/db-lookup/src/lookup.rs

@@ -16,7 +16,7 @@ use std::{collections::BTreeMap, sync::LazyLock};
 ///
 /// This must be updated when you change the database schema.  Refer to
 /// schema/crdb/README.adoc in the root of this repository for details.
-pub const SCHEMA_VERSION: Version = Version::new(159, 0, 0);
+pub const SCHEMA_VERSION: Version = Version::new(160, 0, 0);
 
 /// List of all past database schema versions, in *reverse* order
 ///
@@ -28,6 +28,7 @@ static KNOWN_VERSIONS: LazyLock<Vec<KnownVersion>> = LazyLock::new(|| {
         // |  leaving the first copy as an example for the next person.
         // v
         // KnownVersion::new(next_int, "unique-dirname-with-the-sql-files"),
+        KnownVersion::new(160, "tuf-trust-root"),
         KnownVersion::new(159, "sled-config-desired-host-phase-2"),
         KnownVersion::new(158, "drop-builtin-roles"),
         KnownVersion::new(157, "user-data-export"),