Ignore build metadata when comparing system versions (#9072)

jgallagher · web-flow · commit 475353579115 · 2025-09-25T13:01:56.000Z
See #9071 for context; this is the short/medium-term fix proposed in that issue.
diff --git a/nexus/src/external_api/http_entrypoints.rs b/nexus/src/external_api/http_entrypoints.rs
@@ -6850,7 +6850,10 @@ impl NexusExternalApi for NexusExternalApiImpl {
                 .await?
                 .release_source
             {
-                if version > system_version {
+                if !is_new_target_release_version_allowed(
+                    &version,
+                    &system_version,
+                ) {
                     return Err(HttpError::for_bad_request(
                         None,
                         format!(
@@ -8814,3 +8817,61 @@ impl NexusExternalApi for NexusExternalApiImpl {
             .await
     }
 }
+
+fn is_new_target_release_version_allowed(
+    current_version: &semver::Version,
+    proposed_new_version: &semver::Version,
+) -> bool {
+    let mut current_version = current_version.clone();
+    let mut proposed_new_version = proposed_new_version.clone();
+
+    // Strip out the build metadata; this allows upgrading from one commit on
+    // the same major/minor/release/patch to another. This isn't always right -
+    // we shouldn't allow downgrading to an earlier commit - but we don't have
+    // enough information in the version strings today to determine that. See
+    // <https://github.com/oxidecomputer/omicron/issues/9071>.
+    current_version.build = semver::BuildMetadata::EMPTY;
+    proposed_new_version.build = semver::BuildMetadata::EMPTY;
+
+    proposed_new_version >= current_version
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_is_new_target_release_version_allowed() {
+        // Updating between versions that differ only in build metadata should
+        // be allowed in both directions.
+        let v1: semver::Version = "16.0.0-0.ci+git544f608e05a".parse().unwrap();
+        let v2: semver::Version = "16.0.0-0.ci+git8571be38c0b".parse().unwrap();
+        assert!(is_new_target_release_version_allowed(&v1, &v2));
+        assert!(is_new_target_release_version_allowed(&v2, &v1));
+
+        // Updating from a version to itself is always allowed. (This is
+        // important for clearing mupdate overrides.)
+        assert!(is_new_target_release_version_allowed(&v1, &v1));
+        assert!(is_new_target_release_version_allowed(&v2, &v2));
+
+        // We should be able to upgrade but not downgrade if the versions differ
+        // in major/minor/patch/prerelease.
+        for (v1, v2) in [
+            ("15.0.0-0.ci+git12345", "16.0.0-0.ci+git12345"),
+            ("16.0.0-0.ci+git12345", "16.1.0-0.ci+git12345"),
+            ("16.1.0-0.ci+git12345", "16.1.1-0.ci+git12345"),
+            ("16.1.1-0.ci+git12345", "16.1.1-1.ci+git12345"),
+        ] {
+            let v1: semver::Version = v1.parse().unwrap();
+            let v2: semver::Version = v2.parse().unwrap();
+            assert!(
+                is_new_target_release_version_allowed(&v1, &v2),
+                "should be allowed to upgrade from {v1} to {v2}"
+            );
+            assert!(
+                !is_new_target_release_version_allowed(&v2, &v1),
+                "should not be allowed to upgrade from {v1} to {v2}"
+            );
+        }
+    }
+}
