Update Rust crate tough to 0.20.0 [SECURITY] (#7889)

Author: oxide-renovate[bot]

Cargo.lock

@@ -678,7 +678,7 @@ tokio-tungstenite = "0.23.1"
 tokio-util = { version = "0.7.13", features = ["io", "io-util"] }
 toml = "0.8.20"
 toml_edit = "0.22.24"
-tough = { version = "0.19.0", features = [ "http" ] }
+tough = { version = "0.20.0", features = [ "http" ] }
 transceiver-controller = { git = "https://github.com/oxidecomputer/transceiver-control", features = [ "api-traits" ] }
 trybuild = "1.0.103"
 tufaceous = { git = "https://github.com/oxidecomputer/tufaceous", branch = "main" }

Cargo.toml

@@ -21,4 +21,3 @@ uuid.workspace = true
 omicron-uuid-kinds.workspace = true
 omicron-workspace-hack.workspace = true
 oxnet.workspace = true
-semver.workspace = true

clients/bootstrap-agent-client/Cargo.toml

@@ -27,12 +27,6 @@ progenitor::generate_api!(
         TypedUuidForRackInitKind = omicron_uuid_kinds::RackInitUuid,
         TypedUuidForRackResetKind = omicron_uuid_kinds::RackResetUuid,
     },
-    convert = {
-        {
-            type = "string",
-            pattern = r"^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$",
-        } = semver::Version,
-    }
 );
 
 impl omicron_common::api::external::ClientError for types::Error {

clients/bootstrap-agent-client/src/lib.rs

@@ -203,6 +203,11 @@
           }
         ]
       },
+      "ArtifactVersion": {
+        "description": "An artifact version.\n\nThis is a freeform identifier with some basic validation. It may be the serialized form of a semver version, or a custom identifier that uses the same character set as a semver, plus `_`.\n\nThe exact pattern accepted is `^[a-zA-Z0-9._+-]{1,63}$`.\n\n# Ord implementation\n\n`ArtifactVersion`s are not intended to be sorted, just compared for equality. `ArtifactVersion` implements `Ord` only for storage within sorted collections.",
+        "type": "string",
+        "pattern": "^[a-zA-Z0-9._+-]{1,63}$"
+      },
       "Baseboard": {
         "description": "Describes properties that should uniquely identify a Gimlet.",
         "oneOf": [
@@ -559,8 +564,7 @@
             "type": "string"
           },
           "version": {
-            "type": "string",
-            "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$"
+            "$ref": "#/components/schemas/ArtifactVersion"
           }
         },
         "required": [

openapi/bootstrap-agent.json

@@ -74,7 +74,6 @@ repo-depot-api.workspace = true
 repo-depot-client.workspace = true
 reqwest = { workspace = true, features = ["rustls-tls", "stream"] }
 schemars = { workspace = true, features = ["chrono", "uuid1"] }
-semver.workspace = true
 serde.workspace = true
 serde_human_bytes.workspace = true
 serde_json = { workspace = true, features = ["raw_value"] }
@@ -101,6 +100,8 @@ tokio = { workspace = true, features = ["full"] }
 tokio-stream.workspace = true
 tokio-util.workspace = true
 toml.workspace = true
+tufaceous-artifact.workspace = true
+tufaceous-brand-metadata.workspace = true
 usdt.workspace = true
 uuid.workspace = true
 zeroize.workspace = true
@@ -110,7 +111,6 @@ omicron-workspace-hack.workspace = true
 slog-error-chain.workspace = true
 walkdir.workspace = true
 zip.workspace = true
-tufaceous-brand-metadata.workspace = true
 
 [target.'cfg(target_os = "illumos")'.dependencies]
 opte-ioctl.workspace = true
@@ -127,7 +127,6 @@ omicron-test-utils.workspace = true
 pretty_assertions.workspace = true
 rcgen.workspace = true
 reqwest = { workspace = true, features = ["blocking"] }
-semver.workspace = true
 subprocess.workspace = true
 slog-async.workspace = true
 slog-term.workspace = true

sled-agent/Cargo.toml

@@ -13,7 +13,7 @@ omicron-common.workspace = true
 omicron-uuid-kinds.workspace = true
 omicron-workspace-hack.workspace = true
 schemars.workspace = true
-semver.workspace = true
 serde.workspace = true
 sled-agent-types.workspace = true
 sled-hardware-types.workspace = true
+tufaceous-artifact.workspace = true

sled-agent/bootstrap-agent-api/Cargo.toml

@@ -13,12 +13,12 @@ use dropshot::{
 };
 use omicron_uuid_kinds::{RackInitUuid, RackResetUuid};
 use schemars::JsonSchema;
-use semver::Version;
 use serde::{Deserialize, Serialize};
 use sled_agent_types::{
     rack_init::RackInitializeRequest, rack_ops::RackOperationStatus,
 };
 use sled_hardware_types::Baseboard;
+use tufaceous_artifact::ArtifactVersion;
 
 #[dropshot::api_description]
 pub trait BootstrapAgentApi {
@@ -86,5 +86,5 @@ pub trait BootstrapAgentApi {
 #[derive(Clone, Debug, Deserialize, Serialize, JsonSchema, PartialEq)]
 pub struct Component {
     pub name: String,
-    pub version: Version,
+    pub version: ArtifactVersion,
 }

sled-agent/bootstrap-agent-api/src/lib.rs

@@ -7,6 +7,7 @@
 use bootstrap_agent_api::Component;
 use camino::{Utf8Path, Utf8PathBuf};
 use serde::{Deserialize, Serialize};
+use tufaceous_artifact::ArtifactVersionError;
 use tufaceous_brand_metadata::Metadata;
 
 #[derive(thiserror::Error, Debug)]
@@ -25,8 +26,12 @@ pub enum Error {
         err: std::io::Error,
     },
 
-    #[error("Cannot parse semver in {path}")]
-    Semver { path: Utf8PathBuf, err: semver::Error },
+    #[error("Cannot parse artifact version in {path}")]
+    ArtifactVersion {
+        path: Utf8PathBuf,
+        #[source]
+        err: ArtifactVersionError,
+    },
 }
 
 fn default_zone_artifact_path() -> Utf8PathBuf {
@@ -99,12 +104,13 @@ impl UpdateManager {
                     .await
                     .map_err(|err| io_err(&version_path, err))?;
 
-                // Extract the name and semver version
+                // Extract the name and artifact version
                 let name = "sled-agent".to_string();
-                let version = version.parse().map_err(|err| Error::Semver {
-                    path: version_path.to_path_buf(),
-                    err,
-                })?;
+                let version =
+                    version.parse().map_err(|err| Error::ArtifactVersion {
+                        path: version_path.to_path_buf(),
+                        err,
+                    })?;
 
                 components.push(crate::updates::Component { name, version });
             }
@@ -119,9 +125,9 @@ mod test {
     use super::*;
     use camino_tempfile::NamedUtf8TempFile;
     use flate2::write::GzEncoder;
-    use semver::Version;
     use std::io::Write;
     use tar::Builder;
+    use tufaceous_artifact::ArtifactVersion;
 
     #[tokio::test]
     async fn test_query_no_components() {
@@ -172,7 +178,7 @@ mod test {
             um.components_get().await.expect("Failed to get components");
         assert_eq!(components.len(), 1);
         assert_eq!(components[0].name, "test-pkg".to_string());
-        assert_eq!(components[0].version, Version::new(2, 0, 0));
+        assert_eq!(components[0].version, ArtifactVersion::new_const("2.0.0"));
     }
 
     #[tokio::test]
@@ -194,6 +200,6 @@ mod test {
             um.components_get().await.expect("Failed to get components");
         assert_eq!(components.len(), 1);
         assert_eq!(components[0].name, "sled-agent".to_string());
-        assert_eq!(components[0].version, Version::new(1, 2, 3));
+        assert_eq!(components[0].version, ArtifactVersion::new_const("1.2.3"));
     }
 }

sled-agent/src/updates.rs

@@ -214,7 +214,7 @@ impl ArtifactsWithPlan {
                 .repo()
                 .targets()
                 .signed
-                .find_target(&target_name)
+                .find_target(&target_name, false)
                 .map_err(|error| RepositoryError::TargetHashRead {
                     target: artifact.target.clone(),
                     error: Box::new(error),