Add queries for getting and setting the current blueprint target

nexus/db-model/src/deployment.rs

@@ -9,11 +9,12 @@ use crate::inventory::ZoneType;
 use crate::omicron_zone_config::{OmicronZone, OmicronZoneNic};
 use crate::schema::{
     blueprint, bp_omicron_zone, bp_omicron_zone_nic,
-    bp_omicron_zones_not_in_service, bp_sled_omicron_zones,
+    bp_omicron_zones_not_in_service, bp_sled_omicron_zones, bp_target,
 };
 use crate::{ipv6, Generation, MacAddr, Name, SqlU16, SqlU32, SqlU8};
 use chrono::{DateTime, Utc};
 use ipnetwork::IpNetwork;
+use nexus_types::deployment::BlueprintTarget;
 use uuid::Uuid;
 
 /// See [`nexus_types::deployment::Blueprint`].
@@ -39,6 +40,37 @@ impl From<&'_ nexus_types::deployment::Blueprint> for Blueprint {
     }
 }
 
+/// See [`nexus_types::deployment::BlueprintTarget`].
+#[derive(Queryable, Clone, Debug, Selectable, Insertable)]
+#[diesel(table_name = bp_target)]
+pub struct BpTarget {
+    pub version: i64, // i64 only for db serialization; should never be negative
+    pub blueprint_id: Uuid,
+    pub enabled: bool,
+    pub time_made_target: DateTime<Utc>,
+}
+
+impl BpTarget {
+    pub fn new(version: i64, target: BlueprintTarget) -> Self {
+        Self {
+            version,
+            blueprint_id: target.target_id,
+            enabled: target.enabled,
+            time_made_target: target.time_set,
+        }
+    }
+}
+
+impl From<BpTarget> for nexus_types::deployment::BlueprintTarget {
+    fn from(value: BpTarget) -> Self {
+        Self {
+            target_id: value.blueprint_id,
+            enabled: value.enabled,
+            time_set: value.time_made_target,
+        }
+    }
+}
+
 /// See [`nexus_types::deployment::OmicronZonesConfig`].
 #[derive(Queryable, Clone, Debug, Selectable, Insertable)]
 #[diesel(table_name = bp_sled_omicron_zones)]

nexus/db-model/src/schema.rs

@@ -1428,6 +1428,17 @@ table! {
     }
 }
 
+table! {
+    bp_target (version) {
+        version -> Int8,
+
+        blueprint_id -> Uuid,
+
+        enabled -> Bool,
+        time_made_target -> Timestamptz,
+    }
+}
+
 table! {
     bp_sled_omicron_zones (blueprint_id, sled_id) {
         blueprint_id -> Uuid,

nexus/db-queries/src/authz/api_resources.rs

@@ -578,61 +578,6 @@ impl AuthorizedResource for Inventory {
     }
 }
 
-/// Synthetic resource used for modeling access to deployment configuration
-/// data (e.g., blueprints and policy)
-#[derive(Clone, Copy, Debug, Eq, PartialEq)]
-pub struct DeploymentConfig;
-pub const DEPLOYMENT_CONFIG: DeploymentConfig = DeploymentConfig {};
-
-impl oso::PolarClass for DeploymentConfig {
-    fn get_polar_class_builder() -> oso::ClassBuilder<Self> {
-        // Roles are not directly attached to DeploymentConfig
-        oso::Class::builder()
-            .with_equality_check()
-            .add_method(
-                "has_role",
-                |_: &DeploymentConfig,
-                 _actor: AuthenticatedActor,
-                 _role: String| { false },
-            )
-            .add_attribute_getter("fleet", |_| FLEET)
-    }
-}
-
-impl AuthorizedResource for DeploymentConfig {
-    fn load_roles<'a, 'b, 'c, 'd, 'e, 'f>(
-        &'a self,
-        opctx: &'b OpContext,
-        datastore: &'c DataStore,
-        authn: &'d authn::Context,
-        roleset: &'e mut RoleSet,
-    ) -> futures::future::BoxFuture<'f, Result<(), Error>>
-    where
-        'a: 'f,
-        'b: 'f,
-        'c: 'f,
-        'd: 'f,
-        'e: 'f,
-    {
-        load_roles_for_resource_tree(&FLEET, opctx, datastore, authn, roleset)
-            .boxed()
-    }
-
-    fn on_unauthorized(
-        &self,
-        _: &Authz,
-        error: Error,
-        _: AnyActor,
-        _: Action,
-    ) -> Error {
-        error
-    }
-
-    fn polar_class(&self) -> oso::Class {
-        Self::get_polar_class()
-    }
-}
-
 /// Synthetic resource describing the list of Certificates associated with a
 /// Silo
 #[derive(Clone, Debug, Eq, PartialEq)]

nexus/db-queries/src/authz/omicron.polar

@@ -393,17 +393,6 @@ resource Inventory {
 has_relation(fleet: Fleet, "parent_fleet", inventory: Inventory)
 	if inventory.fleet = fleet;
 
-# Describes the policy for reading and modifying deployment configuration and
-# policy
-resource DeploymentConfig {
-	permissions = [ "read", "modify" ];
-	relations = { parent_fleet: Fleet };
-	"read" if "viewer" on "parent_fleet";
-	"modify" if "admin" on "parent_fleet";
-}
-has_relation(fleet: Fleet, "parent_fleet", deployment_config: DeploymentConfig)
-	if deployment_config.fleet = fleet;
-
 # Describes the policy for accessing "/v1/system/ip-pools" in the API
 resource IpPoolList {
 	permissions = [

nexus/db-queries/src/authz/oso_generic.rs

@@ -105,7 +105,6 @@ pub fn make_omicron_oso(log: &slog::Logger) -> Result<OsoInit, anyhow::Error> {
         AuthenticatedActor::get_polar_class(),
         BlueprintConfig::get_polar_class(),
         Database::get_polar_class(),
-        DeploymentConfig::get_polar_class(),
         DnsConfig::get_polar_class(),
         Fleet::get_polar_class(),
         Inventory::get_polar_class(),

nexus/db-queries/src/authz/policy_test/resource_builder.rs

@@ -245,7 +245,6 @@ macro_rules! impl_dyn_authorized_resource_for_global {
 impl_dyn_authorized_resource_for_global!(authz::oso_generic::Database);
 impl_dyn_authorized_resource_for_global!(authz::BlueprintConfig);
 impl_dyn_authorized_resource_for_global!(authz::ConsoleSessionList);
-impl_dyn_authorized_resource_for_global!(authz::DeploymentConfig);
 impl_dyn_authorized_resource_for_global!(authz::DeviceAuthRequestList);
 impl_dyn_authorized_resource_for_global!(authz::DnsConfig);
 impl_dyn_authorized_resource_for_global!(authz::IpPoolList);

nexus/db-queries/src/authz/policy_test/resources.rs

@@ -66,9 +66,8 @@ pub async fn make_resources(
     builder.new_resource_with_users(authz::FLEET).await;
     builder.new_resource(authz::BLUEPRINT_CONFIG);
     builder.new_resource(authz::CONSOLE_SESSION_LIST);
-    builder.new_resource(authz::DEPLOYMENT_CONFIG);
-    builder.new_resource(authz::DEVICE_AUTH_REQUEST_LIST);
     builder.new_resource(authz::DNS_CONFIG);
+    builder.new_resource(authz::DEVICE_AUTH_REQUEST_LIST);
     builder.new_resource(authz::INVENTORY);
     builder.new_resource(authz::IP_POOL_LIST);