From 5343e07ec2d081e5e58c39a3e1d4f3c5825df61d Mon Sep 17 00:00:00 2001
From: nnandigam <nnandigam@microsoft.com>
Date: Thu, 20 Jul 2023 13:56:52 -0700
Subject: [PATCH 1/4] don't allow downgrades for self-update

---
 azurelinuxagent/ga/agent_update_handler.py | 16 ++++++++++++++++
 tests/ga/test_agent_update_handler.py      |  8 ++++++++
 2 files changed, 24 insertions(+)

diff --git a/azurelinuxagent/ga/agent_update_handler.py b/azurelinuxagent/ga/agent_update_handler.py
index 47a8fa27dd..61893b9906 100644
--- a/azurelinuxagent/ga/agent_update_handler.py
+++ b/azurelinuxagent/ga/agent_update_handler.py
@@ -261,6 +261,19 @@ def __get_all_agents_on_disk():
         path = os.path.join(conf.get_lib_dir(), "{0}-*".format(AGENT_NAME))
         return [GuestAgent.from_installed_agent(path=agent_dir) for agent_dir in glob.iglob(path) if os.path.isdir(agent_dir)]
 
+    def __check_if_downgrade_is_requested_and_allowed(self, requested_version):
+        """
+        Don't allow downgrades for self-update version
+        Note: The intention of this check is to keep the original behavior of self-update as it is.
+        """
+        if not self._is_requested_version_update:
+            if requested_version < CURRENT_VERSION:
+                msg = "Downgrade requested in the GoalState, but the self-update is not configured to allow downgrades, " \
+                      "skipping agent update"
+                logger.verbose(msg)
+                return False
+        return True
+
     @staticmethod
     def __log_event(level, msg, success=True):
         if level == LogLevel.INFO:
@@ -303,6 +316,9 @@ def run(self, goal_state):
             if requested_version == CURRENT_VERSION:
                 return
 
+            if not self.__check_if_downgrade_is_requested_and_allowed(requested_version):
+                return
+
             # Check if an update is allowed
             if not self.__should_update_agent(requested_version):
                 return
diff --git a/tests/ga/test_agent_update_handler.py b/tests/ga/test_agent_update_handler.py
index 62dfd6488d..35ec714264 100644
--- a/tests/ga/test_agent_update_handler.py
+++ b/tests/ga/test_agent_update_handler.py
@@ -148,6 +148,14 @@ def test_it_should_update_to_largest_version_if_time_window_elapsed(self):
                         self.__assert_agent_directories_exist_and_others_dont_exist(versions=[str(CURRENT_VERSION), "99999.0.0.0"])
                         self.assertIn("Agent update found, exiting current process", ustr(context.exception.reason))
 
+    def test_it_should_not_allow_update_if_largest_version_below_current_version(self):
+        self.prepare_agents(count=1)
+        data_file = DATA_FILE.copy()
+        data_file["ga_manifest"] = "wire/ga_manifest_no_upgrade.xml"
+        with self.__get_agent_update_handler(test_data=data_file) as (agent_update_handler, _):
+            agent_update_handler.run(agent_update_handler._protocol.get_goal_state())
+            self.__assert_agent_directories_exist_and_others_dont_exist(versions=[str(CURRENT_VERSION)])
+
     def test_it_should_not_agent_update_if_last_attempted_update_time_not_elapsed(self):
         self.prepare_agents(count=1)
         data_file = DATA_FILE.copy()

From e7ad3949eeccedb39cc0523fdaa520baf1b068bf Mon Sep 17 00:00:00 2001
From: Nageswara Nandigam <nnandigam@microsoft.com>
Date: Mon, 24 Jul 2023 18:02:09 -0700
Subject: [PATCH 2/4] address comments

---
 azurelinuxagent/ga/agent_update_handler.py | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/azurelinuxagent/ga/agent_update_handler.py b/azurelinuxagent/ga/agent_update_handler.py
index 61893b9906..2267fe620f 100644
--- a/azurelinuxagent/ga/agent_update_handler.py
+++ b/azurelinuxagent/ga/agent_update_handler.py
@@ -58,7 +58,12 @@ def __should_update_agent(self, requested_version):
         largest version update(self-update):
             update is allowed once per (as specified in the conf.get_hotfix_upgrade_frequency() or conf.get_normal_upgrade_frequency())
             return false when we don't allow updates.
+        Note: Downgrades are not allowed for self-update.
         """
+
+        if not self.__check_if_downgrade_is_requested_and_allowed(requested_version):
+            return False
+
         now = datetime.datetime.now()
 
         if self._is_requested_version_update:
@@ -268,7 +273,7 @@ def __check_if_downgrade_is_requested_and_allowed(self, requested_version):
         """
         if not self._is_requested_version_update:
             if requested_version < CURRENT_VERSION:
-                msg = "Downgrade requested in the GoalState, but the self-update is not configured to allow downgrades, " \
+                msg = "Downgrade requested in the GoalState, but downgrades not supported for self-update version, " \
                       "skipping agent update"
                 logger.verbose(msg)
                 return False
@@ -316,9 +321,6 @@ def run(self, goal_state):
             if requested_version == CURRENT_VERSION:
                 return
 
-            if not self.__check_if_downgrade_is_requested_and_allowed(requested_version):
-                return
-
             # Check if an update is allowed
             if not self.__should_update_agent(requested_version):
                 return

From 9cbd68ddde9fcad8bfdd327a138da97f97df5ee1 Mon Sep 17 00:00:00 2001
From: Nageswara Nandigam <nnandigam@microsoft.com>
Date: Tue, 25 Jul 2023 16:08:34 -0700
Subject: [PATCH 3/4] update comment

---
 azurelinuxagent/ga/agent_update_handler.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/azurelinuxagent/ga/agent_update_handler.py b/azurelinuxagent/ga/agent_update_handler.py
index 2267fe620f..cfb6ce2154 100644
--- a/azurelinuxagent/ga/agent_update_handler.py
+++ b/azurelinuxagent/ga/agent_update_handler.py
@@ -273,8 +273,8 @@ def __check_if_downgrade_is_requested_and_allowed(self, requested_version):
         """
         if not self._is_requested_version_update:
             if requested_version < CURRENT_VERSION:
-                msg = "Downgrade requested in the GoalState, but downgrades not supported for self-update version, " \
-                      "skipping agent update"
+                msg = "Downgrade requested in the GoalState, but downgrades are not supported for self-update version:{0}, " \
+                      "skipping agent update".format(requested_version)
                 logger.verbose(msg)
                 return False
         return True

From fbac0a7bda2399b04413ebfdf51fe5e78f9a1f93 Mon Sep 17 00:00:00 2001
From: Nageswara Nandigam <nnandigam@microsoft.com>
Date: Wed, 26 Jul 2023 11:18:28 -0700
Subject: [PATCH 4/4] add logger

---
 azurelinuxagent/ga/agent_update_handler.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/azurelinuxagent/ga/agent_update_handler.py b/azurelinuxagent/ga/agent_update_handler.py
index cfb6ce2154..212ca1f945 100644
--- a/azurelinuxagent/ga/agent_update_handler.py
+++ b/azurelinuxagent/ga/agent_update_handler.py
@@ -275,7 +275,7 @@ def __check_if_downgrade_is_requested_and_allowed(self, requested_version):
             if requested_version < CURRENT_VERSION:
                 msg = "Downgrade requested in the GoalState, but downgrades are not supported for self-update version:{0}, " \
                       "skipping agent update".format(requested_version)
-                logger.verbose(msg)
+                self.__log_event(LogLevel.INFO, msg)
                 return False
         return True