common/releases: rewrite release version contract + use native dapps

common/versions/version.sol

@@ -1,152 +0,0 @@
-// Copyright 2015 The go-ethereum Authors
-// This file is part of the go-ethereum library.
-//
-// The go-ethereum library is free software: you can redistribute it and/or modify
-// it under the terms of the GNU Lesser General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-//
-// The go-ethereum library is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-// GNU Lesser General Public License for more details.
-//
-// You should have received a copy of the GNU Lesser General Public License
-// along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>.
-
-// WARNING: WORK IN PROGRESS & UNTESTED
-// 
-// contract tracking versions added by designated signers.
-// designed to track versions of geth (go-ethereum) recommended by the
-// go-ethereum team. geth client interfaces with contract through ABI by simply
-// reading the full state and then deciding on recommended version based on
-// some logic (e.g. version date & number of signers).
-//
-// to keep things simple, the contract does not use FSM for multisig
-// but rather allows any designated signer to add a version or vote for an
-// existing version. this avoids need to track voting-in-progress states and
-// also provides history of all past versions.
-//
-
-contract Versions {
-    struct V {
-        bytes32 v;
-        uint64 ts;
-        address[] signers;
-    }
-
-    address[] public parties; // owners/signers
-    address[] public deleteAcks; // votes to suicide contract
-    uint public deleteAcksReq; // number of votes needed
-    V[] public versions;
- 
-    modifier canAccess(address addr) {
-        bool access = false;
-        for (uint i = 0; i < parties.length; i++) {
-            if (parties[i] == addr) {
-                access = true;
-                break;
-            }
-        }
-        if (access == false) {
-            throw;
-        }
-        _
-    }
-	
-	function Versions(address[] addrs) {
-        if (addrs.length < 2) {
-            throw;
-        }
-        
-        parties = addrs;
-        deleteAcksReq = (addrs.length / 2) + 1;
-    }
-
-    // TODO: use dynamic array when solidity adds proper support for returning them
-    function GetVersions() returns (bytes32[10], uint64[10], uint[10]) {
-        bytes32[10] memory vs;
-        uint64[10] memory ts;
-        uint[10] memory ss;
-        for (uint i = 0; i < versions.length; i++) {
-            vs[i] = versions[i].v;
-            ts[i] = versions[i].ts;
-            ss[i] = versions[i].signers.length;
-        }
-        return (vs, ts, ss);
-    }
-
-    // either submit a new version or acknowledge an existing one
-    function AckVersion(bytes32 ver)
-        canAccess(msg.sender)
-    {
-        for (uint i = 0; i < versions.length; i++) {
-            if (versions[i].v == ver) {
-                for (uint j = 0; j < versions[i].signers.length; j++) {
-                    if (versions[i].signers[j] == msg.sender) {
-                        // already signed
-                        throw;
-                    }
-                }
-                // add sender as signer of existing version
-                versions[i].signers.push(msg.sender);
-                return;
-            }
-        }
-     
-        // version is new, add it
-        // due to dynamic array, push it first then set values
-        V memory v;
-        versions.push(v);
-        versions[versions.length - 1].v = ver;
-        // signers is dynamic array; have to extend size manually
-        versions[versions.length - 1].signers.length++;
-        versions[versions.length - 1].signers[0] = msg.sender;
-        versions[versions.length - 1].ts = uint64(block.timestamp);
-    }
-    
-     // remove vote for a version, if present
-    function NackVersion(bytes32 ver)
-        canAccess(msg.sender)
-    {
-        for (uint i = 0; i < versions.length; i++) {
-            if (versions[i].v == ver) {
-                for (uint j = 0; j < versions[i].signers.length; j++) {
-                    if (versions[i].signers[j] == msg.sender) {
-                        delete versions[i].signers[j];
-                    }
-                }
-            }
-        }
-    }
-    
-    // delete-this-contract vote, suicide if enough votes
-    function AckDelete()
-        canAccess(msg.sender)
-    {
-        for (uint i = 0; i < deleteAcks.length; i++) {
-            if (deleteAcks[i] == msg.sender) {
-                throw; // already acked delete
-            }
-        }
-        deleteAcks.push(msg.sender);
-        if (deleteAcks.length >= deleteAcksReq) {
-            suicide(msg.sender);
-        }
-    }
-    
-    // remove sender's delete-this-contract vote, if present
-    function NackDelete()
-        canAccess(msg.sender)
-    {
-        uint len = deleteAcks.length;
-        for (uint i = 0; i < len; i++) {
-            if (deleteAcks[i] == msg.sender) {
-                if (len > 1) {
-                    deleteAcks[i] = deleteAcks[len-1];
-                }
-                deleteAcks.length -= 1;
-            }
-        }
-    }
-}

common/versions/versions.go

@@ -1,215 +0,0 @@
-// Copyright 2015 The go-ethereum Authors
-// This file is part of the go-ethereum library.
-//
-// The go-ethereum library is free software: you can redistribute it and/or modify
-// it under the terms of the GNU Lesser General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-//
-// The go-ethereum library is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-// GNU Lesser General Public License for more details.
-//
-// You should have received a copy of the GNU Lesser General Public License
-// along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>.
-
-package versions
-
-import (
-	"fmt"
-	"math/big"
-	"strconv"
-	"time"
-
-	"github.com/ethereum/go-ethereum/common"
-	"github.com/ethereum/go-ethereum/core"
-	"github.com/ethereum/go-ethereum/core/state"
-	"github.com/ethereum/go-ethereum/crypto"
-	"github.com/ethereum/go-ethereum/eth"
-	"github.com/ethereum/go-ethereum/logger"
-	"github.com/ethereum/go-ethereum/logger/glog"
-	"github.com/ethereum/go-ethereum/node"
-	"github.com/ethereum/go-ethereum/p2p"
-	"github.com/ethereum/go-ethereum/rpc"
-)
-
-var (
-	jsonlogger = logger.NewJsonLogger()
-	// TODO: add Frontier address
-	GlobalVersionsAddr   = common.HexToAddress("0x40bebcadbb4456db23fda39f261f3b2509096e9e") // test
-	dummySender          = common.HexToAddress("0x16db48070243bc37a1c59cd5bb977ad7047618be") // test
-	getVersionsSignature = "GetVersions()"
-	firstCheckTime       = time.Second * 4
-	continousCheckTime   = time.Second * 600
-)
-
-type VersionCheck struct {
-	serverName string
-	timer      *time.Timer
-	e          *eth.Ethereum
-	stop       chan bool
-}
-
-// Boilerplate to satisfy node.Service interface
-func (v *VersionCheck) Protocols() []p2p.Protocol {
-	return []p2p.Protocol{}
-}
-
-func (v *VersionCheck) APIs() []rpc.API {
-	return []rpc.API{}
-}
-
-func (v *VersionCheck) Start(server *p2p.Server) error {
-	v.serverName = server.Name
-	// Check version first time after a few seconds so it shows after
-	// other startup messages
-	t := time.NewTimer(firstCheckTime)
-	v.timer = t
-	v.stop = make(chan bool)
-	versionCheck := func() {
-		for {
-			select {
-			case <-v.stop:
-				close(v.stop)
-				return
-			case <-v.timer.C:
-				_, err := get(v.e, v.serverName)
-				if err != nil {
-					glog.V(logger.Error).Infof("Could not query geth version contract: %s", err)
-				}
-				v.timer.Reset(continousCheckTime)
-			}
-		}
-	}
-	go versionCheck()
-	return nil
-}
-
-func (v *VersionCheck) Stop() error {
-	v.stop <- true
-	select {
-	case <-v.stop:
-	}
-	return nil
-}
-
-func NewVersionCheck(ctx *node.ServiceContext) (node.Service, error) {
-	var v VersionCheck
-	var e *eth.Ethereum
-	// sets e to the Ethereum instance previously started
-	// expects double pointer
-	ctx.Service(&e)
-	v.e = e
-	return &v, nil
-}
-
-// query versions list from the (custom) accessor in the versions contract
-func get(e *eth.Ethereum, clientVersion string) (string, error) {
-	// TODO: move common/registrar abiSignature to some util package
-	abi := crypto.Sha3([]byte(getVersionsSignature))[:4]
-	res, _, err := simulateCall(
-		e,
-		&dummySender,
-		&GlobalVersionsAddr,
-		big.NewInt(3000000), // gasLimit
-		big.NewInt(1),       // gasPrice
-		big.NewInt(0),       // value
-		abi)
-	if err != nil {
-		return "", err
-	}
-
-	// TODO: we use static arrays of size versionCount as workaround
-	// until solidity has proper support for returning dynamic arrays
-	versionCount := 10
-
-	if len(res) != 2+(64*versionCount*3) { // 0x + three 32-byte fields per version
-		return "", fmt.Errorf("unexpected result length from GetVersions")
-	}
-
-	// TODO: use ABI (after solidity supports returning arrays of arrays and/or structs)
-	var versions []string
-	var timestamps []uint64
-	var signerCounts []uint64
-
-	// trim 0x
-	res = res[2:]
-
-	// parse res
-	for i := 0; i < versionCount; i++ {
-		bytes := common.FromHex(res[:64])
-		versions = append(versions, string(bytes))
-		res = res[64:]
-	}
-
-	for i := 0; i < versionCount; i++ {
-		ts, err := strconv.ParseUint(res[:64], 16, 64)
-		if err != nil {
-			return "", err
-		}
-		timestamps = append(timestamps, ts)
-		res = res[64:]
-	}
-
-	for i := 0; i < versionCount; i++ {
-		sc, err := strconv.ParseUint(res[:64], 16, 64)
-		if err != nil {
-			return "", err
-		}
-		signerCounts = append(signerCounts, sc)
-		res = res[64:]
-	}
-
-	// TODO: version matching logic (e.g. most votes / most recent)
-	if versions[0] != clientVersion {
-		glog.V(logger.Info).Infof("geth version %s does not match recommended version %s", clientVersion, versions[0])
-	}
-
-	return res, nil
-}
-
-func simulateCall(e *eth.Ethereum, from0, to *common.Address, gas, gasPrice, value *big.Int, data []byte) (string, *big.Int, error) {
-	stateCopy, err := e.BlockChain().State()
-	if err != nil {
-		return "", nil, err
-	}
-	from := stateCopy.GetOrNewStateObject(*from0)
-	from.SetBalance(common.MaxBig)
-
-	msg := callmsg{
-		from:     from,
-		to:       to,
-		gas:      gas,
-		gasPrice: gasPrice,
-		value:    value,
-		data:     data,
-	}
-
-	// Execute the call and return
-	vmenv := core.NewEnv(stateCopy, e.BlockChain(), msg, e.BlockChain().CurrentHeader())
-	gp := new(core.GasPool).AddGas(common.MaxBig)
-
-	res, gas, err := core.ApplyMessage(vmenv, msg, gp)
-	return common.ToHex(res), gas, err
-
-}
-
-// TODO: consider moving to package common or accounts/abi as it's useful for anyone
-// simulating EVM CALL
-type callmsg struct {
-	from          *state.StateObject
-	to            *common.Address
-	gas, gasPrice *big.Int
-	value         *big.Int
-	data          []byte
-}
-
-// accessor boilerplate to implement core.Message
-func (m callmsg) From() (common.Address, error) { return m.from.Address(), nil }
-func (m callmsg) Nonce() uint64                 { return m.from.Nonce() }
-func (m callmsg) To() *common.Address           { return m.to }
-func (m callmsg) GasPrice() *big.Int            { return m.gasPrice }
-func (m callmsg) Gas() *big.Int                 { return m.gas }
-func (m callmsg) Value() *big.Int               { return m.value }
-func (m callmsg) Data() []byte                  { return m.data }

contracts/release/contract.sol

@@ -0,0 +1,240 @@
+// Copyright 2016 The go-ethereum Authors
+// This file is part of the go-ethereum library.
+//
+// The go-ethereum library is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Lesser General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// The go-ethereum library is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Lesser General Public License for more details.
+//
+// You should have received a copy of the GNU Lesser General Public License
+// along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>.
+
+// ReleaseOracle is an Ethereum contract to store the current and previous
+// versions of the go-ethereum implementation. Its goal is to allow Geth to
+// check for new releases automatically without the need to consult a central
+// repository.
+//
+// The contract takes a vote based approach on both assigning authorized signers
+// as well as signing off on new Geth releases.
+//
+// Note, when a signer is demoted, the currently pending release is auto-nuked.
+// The reason is to prevent suprises where a demotion actually tilts the votes
+// in favor of one voter party and pushing out a new release as a consequence of
+// a simple demotion.
+contract ReleaseOracle {
+  // Votes is an internal data structure to count votes on a specific proposal
+  struct Votes {
+    address[] pass; // List of signers voting to pass a proposal
+    address[] fail; // List of signers voting to fail a proposal
+  }
+
+  // Version is the version details of a particular Geth release
+  struct Version {
+    uint32  major;  // Major version component of the release
+    uint32  minor;  // Minor version component of the release
+    uint32  patch;  // Patch version component of the release
+    bytes20 commit; // Git SHA1 commit hash of the release
+
+    uint64  time;  // Timestamp of the release approval
+    Votes   votes; // Votes that passed this release
+  }
+
+  // Oracle authorization details
+  mapping(address => bool) authorized; // Set of accounts allowed to vote on updating the contract
+  address[]                signers;    // List of addresses currently accepted as signers
+
+  // Various proposals being voted on
+  mapping(address => Votes) authProps; // Currently running user authorization proposals
+  address[]                 authPend;  // List of addresses being voted on (map indexes)
+
+  Version   verProp;  // Currently proposed release being voted on
+  Version[] releases; // All the positively voted releases
+
+  // isSigner is a modifier to authorize contract transactions.
+  modifier isSigner() {
+    if (authorized[msg.sender]) {
+      _
+    }
+  }
+
+  // Constructor to assign the creator as the sole valid signer.
+  function ReleaseOracle() {
+    authorized[msg.sender] = true;
+    signers.push(msg.sender);
+  }
+
+  // Signers is an accessor method to retrieve all te signers (public accessor
+  // generates an indexed one, not a retreive-all version).
+  function Signers() constant returns(address[]) {
+    return signers;
+  }
+
+  // AuthProposals retrieves the list of addresses that authorization proposals
+  // are currently being voted on.
+  function AuthProposals() constant returns(address[]) {
+    return authPend;
+  }
+
+  // AuthVotes retrieves the current authorization votes for a particular user
+  // to promote him into the list of signers, or demote him from there.
+  function AuthVotes(address user) constant returns(address[] promote, address[] demote) {
+    return (authProps[user].pass, authProps[user].fail);
+  }
+
+  // CurrentVersion retrieves the semantic version, commit hash and release time
+  // of the currently votec active release.
+  function CurrentVersion() constant returns (uint32 major, uint32 minor, uint32 patch, bytes20 commit, uint time) {
+    if (releases.length == 0) {
+      return (0, 0, 0, 0, 0);
+    }
+    var release = releases[releases.length - 1];
+
+    return (release.major, release.minor, release.patch, release.commit, release.time);
+  }
+
+  // ProposedVersion retrieves the semantic version, commit hash and the current
+  // votes for the next proposed release.
+  function ProposedVersion() constant returns (uint32 major, uint32 minor, uint32 patch, bytes20 commit, address[] pass, address[] fail) {
+    return (verProp.major, verProp.minor, verProp.patch, verProp.commit, verProp.votes.pass, verProp.votes.fail);
+  }
+
+  // Promote pitches in on a voting campaign to promote a new user to a signer
+  // position.
+  function Promote(address user) {
+    updateSigner(user, true);
+  }
+
+  // Demote pitches in on a voting campaign to demote an authorized user from
+  // its signer position.
+  function Demote(address user) {
+    updateSigner(user, false);
+  }
+
+  // Release votes for a particular version to be included as the next release.
+  function Release(uint32 major, uint32 minor, uint32 patch, bytes20 commit) {
+    updateRelease(major, minor, patch, commit, true);
+  }
+
+  // Nuke votes for the currently proposed version to not be included as the next
+  // release. Nuking doesn't require a specific version number for simplicity.
+  function Nuke() {
+    updateRelease(0, 0, 0, 0, false);
+  }
+
+  // updateSigner marks a vote for changing the status of an Ethereum user, either
+  // for or against the user being an authorized signer.
+  function updateSigner(address user, bool authorize) isSigner {
+    // Gather the current votes and ensure we don't double vote
+    Votes votes = authProps[user];
+    for (uint i = 0; i < votes.pass.length; i++) {
+      if (votes.pass[i] == msg.sender) {
+        return;
+      }
+    }
+    for (i = 0; i < votes.fail.length; i++) {
+      if (votes.fail[i] == msg.sender) {
+        return;
+      }
+    }
+    // If no authorization proposal is open, add the user to the index for later lookups
+    if (votes.pass.length == 0 && votes.fail.length == 0) {
+      authPend.push(user);
+    }
+    // Cast the vote and return if the proposal cannot be resolved yet
+    if (authorize) {
+      votes.pass.push(msg.sender);
+      if (votes.pass.length <= signers.length / 2) {
+        return;
+      }
+    } else {
+      votes.fail.push(msg.sender);
+      if (votes.fail.length <= signers.length / 2) {
+        return;
+      }
+    }
+    // Proposal resolved in our favor, execute whatever we voted on
+    if (authorize && !authorized[user]) {
+      authorized[user] = true;
+      signers.push(user);
+    } else if (!authorize && authorized[user]) {
+      authorized[user] = false;
+
+      for (i = 0; i < signers.length; i++) {
+        if (signers[i] == user) {
+          signers[i] = signers[signers.length - 1];
+          signers.length--;
+
+          delete verProp; // Nuke any version proposal (no suprise releases!)
+          break;
+        }
+      }
+    }
+    // Finally delete the resolved proposal, index and garbage collect
+    delete authProps[user];
+
+    for (i = 0; i < authPend.length; i++) {
+      if (authPend[i] == user) {
+        authPend[i] = authPend[authPend.length - 1];
+        authPend.length--;
+        break;
+      }
+    }
+  }
+
+  // updateRelease votes for a particular version to be included as the next release,
+  // or for the currently proposed release to be nuked out.
+  function updateRelease(uint32 major, uint32 minor, uint32 patch, bytes20 commit, bool release) isSigner {
+    // Skip nuke votes if no proposal is pending
+    if (!release && verProp.votes.pass.length == 0) {
+      return;
+    }
+    // Mark a new release if no proposal is pending
+    if (verProp.votes.pass.length == 0) {
+      verProp.major  = major;
+      verProp.minor  = minor;
+      verProp.patch  = patch;
+      verProp.commit = commit;
+    }
+    // Make sure positive votes match the current proposal
+    if (release && (verProp.major != major || verProp.minor != minor || verProp.patch != patch || verProp.commit != commit)) {
+      return;
+    }
+    // Gather the current votes and ensure we don't double vote
+    Votes votes = verProp.votes;
+    for (uint i = 0; i < votes.pass.length; i++) {
+      if (votes.pass[i] == msg.sender) {
+        return;
+      }
+    }
+    for (i = 0; i < votes.fail.length; i++) {
+      if (votes.fail[i] == msg.sender) {
+        return;
+      }
+    }
+    // Cast the vote and return if the proposal cannot be resolved yet
+    if (release) {
+      votes.pass.push(msg.sender);
+      if (votes.pass.length <= signers.length / 2) {
+        return;
+      }
+    } else {
+      votes.fail.push(msg.sender);
+      if (votes.fail.length <= signers.length / 2) {
+        return;
+      }
+    }
+    // Proposal resolved in our favor, execute whatever we voted on
+    if (release) {
+      verProp.time = uint64(now);
+      releases.push(verProp);
+      delete verProp;
+    } else {
+      delete verProp;
+    }
+  }
+}

contracts/release/contract_test.go

@@ -0,0 +1,374 @@
+// Copyright 2016 The go-ethereum Authors
+// This file is part of the go-ethereum library.
+//
+// The go-ethereum library is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Lesser General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// The go-ethereum library is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Lesser General Public License for more details.
+//
+// You should have received a copy of the GNU Lesser General Public License
+// along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>.
+
+package release
+
+import (
+	"crypto/ecdsa"
+	"math/big"
+	"testing"
+
+	"github.com/ethereum/go-ethereum/accounts/abi/bind"
+	"github.com/ethereum/go-ethereum/accounts/abi/bind/backends"
+	"github.com/ethereum/go-ethereum/common"
+	"github.com/ethereum/go-ethereum/core"
+	"github.com/ethereum/go-ethereum/crypto"
+)
+
+// setupReleaseTest creates a blockchain simulator and deploys a version oracle
+// contract for testing.
+func setupReleaseTest(t *testing.T, prefund ...*ecdsa.PrivateKey) (*ecdsa.PrivateKey, *ReleaseOracle, *backends.SimulatedBackend) {
+	// Generate a new random account and a funded simulator
+	key, _ := crypto.GenerateKey()
+	auth := bind.NewKeyedTransactor(key)
+
+	accounts := []core.GenesisAccount{{Address: auth.From, Balance: big.NewInt(10000000000)}}
+	for _, key := range prefund {
+		accounts = append(accounts, core.GenesisAccount{Address: crypto.PubkeyToAddress(key.PublicKey), Balance: big.NewInt(10000000000)})
+	}
+	sim := backends.NewSimulatedBackend(accounts...)
+
+	// Deploy a version oracle contract, commit and return
+	_, _, oracle, err := DeployReleaseOracle(auth, sim)
+	if err != nil {
+		t.Fatalf("Failed to deploy version contract: %v", err)
+	}
+	sim.Commit()
+
+	return key, oracle, sim
+}
+
+// Tests that the version contract can be deployed and the creator is assigned
+// the sole authorized signer.
+func TestContractCreation(t *testing.T) {
+	key, oracle, _ := setupReleaseTest(t)
+
+	owner := crypto.PubkeyToAddress(key.PublicKey)
+	signers, err := oracle.Signers(nil)
+	if err != nil {
+		t.Fatalf("Failed to retrieve list of signers: %v", err)
+	}
+	if len(signers) != 1 || signers[0] != owner {
+		t.Fatalf("Initial signer mismatch: have %v, want %v", signers, owner)
+	}
+}
+
+// Tests that subsequent signers can be promoted, each requiring half plus one
+// votes for it to pass through.
+func TestSignerPromotion(t *testing.T) {
+	// Prefund a few accounts to authorize with and create the oracle
+	keys := make([]*ecdsa.PrivateKey, 5)
+	for i := 0; i < len(keys); i++ {
+		keys[i], _ = crypto.GenerateKey()
+	}
+	key, oracle, sim := setupReleaseTest(t, keys...)
+
+	// Gradually promote the keys, until all are authorized
+	keys = append([]*ecdsa.PrivateKey{key}, keys...)
+	for i := 1; i < len(keys); i++ {
+		// Check that no votes are accepted from the not yet authed user
+		if _, err := oracle.Promote(bind.NewKeyedTransactor(keys[i]), common.Address{}); err != nil {
+			t.Fatalf("Iter #%d: failed invalid promotion attempt: %v", i, err)
+		}
+		sim.Commit()
+
+		pend, err := oracle.AuthProposals(nil)
+		if err != nil {
+			t.Fatalf("Iter #%d: failed to retrieve active proposals: %v", i, err)
+		}
+		if len(pend) != 0 {
+			t.Fatalf("Iter #%d: proposal count mismatch: have %d, want 0", i, len(pend))
+		}
+		// Promote with half - 1 voters and check that the user's not yet authorized
+		for j := 0; j < i/2; j++ {
+			if _, err = oracle.Promote(bind.NewKeyedTransactor(keys[j]), crypto.PubkeyToAddress(keys[i].PublicKey)); err != nil {
+				t.Fatalf("Iter #%d: failed valid promotion attempt: %v", i, err)
+			}
+		}
+		sim.Commit()
+
+		signers, err := oracle.Signers(nil)
+		if err != nil {
+			t.Fatalf("Iter #%d: failed to retrieve list of signers: %v", i, err)
+		}
+		if len(signers) != i {
+			t.Fatalf("Iter #%d: signer count mismatch: have %v, want %v", i, len(signers), i)
+		}
+		// Promote with the last one needed to pass the promotion
+		if _, err = oracle.Promote(bind.NewKeyedTransactor(keys[i/2]), crypto.PubkeyToAddress(keys[i].PublicKey)); err != nil {
+			t.Fatalf("Iter #%d: failed valid promotion completion attempt: %v", i, err)
+		}
+		sim.Commit()
+
+		signers, err = oracle.Signers(nil)
+		if err != nil {
+			t.Fatalf("Iter #%d: failed to retrieve list of signers: %v", i, err)
+		}
+		if len(signers) != i+1 {
+			t.Fatalf("Iter #%d: signer count mismatch: have %v, want %v", i, len(signers), i+1)
+		}
+	}
+}
+
+// Tests that subsequent signers can be demoted, each requiring half plus one
+// votes for it to pass through.
+func TestSignerDemotion(t *testing.T) {
+	// Prefund a few accounts to authorize with and create the oracle
+	keys := make([]*ecdsa.PrivateKey, 5)
+	for i := 0; i < len(keys); i++ {
+		keys[i], _ = crypto.GenerateKey()
+	}
+	key, oracle, sim := setupReleaseTest(t, keys...)
+
+	// Authorize all the keys as valid signers and verify cardinality
+	keys = append([]*ecdsa.PrivateKey{key}, keys...)
+	for i := 1; i < len(keys); i++ {
+		for j := 0; j <= i/2; j++ {
+			if _, err := oracle.Promote(bind.NewKeyedTransactor(keys[j]), crypto.PubkeyToAddress(keys[i].PublicKey)); err != nil {
+				t.Fatalf("Iter #%d: failed valid promotion attempt: %v", i, err)
+			}
+		}
+		sim.Commit()
+	}
+	signers, err := oracle.Signers(nil)
+	if err != nil {
+		t.Fatalf("Failed to retrieve list of signers: %v", err)
+	}
+	if len(signers) != len(keys) {
+		t.Fatalf("Signer count mismatch: have %v, want %v", len(signers), len(keys))
+	}
+	// Gradually demote users until we run out of signers
+	for i := len(keys) - 1; i >= 0; i-- {
+		// Demote with half - 1 voters and check that the user's not yet dropped
+		for j := 0; j < (i+1)/2; j++ {
+			if _, err = oracle.Demote(bind.NewKeyedTransactor(keys[j]), crypto.PubkeyToAddress(keys[i].PublicKey)); err != nil {
+				t.Fatalf("Iter #%d: failed valid demotion attempt: %v", len(keys)-i, err)
+			}
+		}
+		sim.Commit()
+
+		signers, err := oracle.Signers(nil)
+		if err != nil {
+			t.Fatalf("Iter #%d: failed to retrieve list of signers: %v", len(keys)-i, err)
+		}
+		if len(signers) != i+1 {
+			t.Fatalf("Iter #%d: signer count mismatch: have %v, want %v", len(keys)-i, len(signers), i+1)
+		}
+		// Demote with the last one needed to pass the demotion
+		if _, err = oracle.Demote(bind.NewKeyedTransactor(keys[(i+1)/2]), crypto.PubkeyToAddress(keys[i].PublicKey)); err != nil {
+			t.Fatalf("Iter #%d: failed valid demotion completion attempt: %v", i, err)
+		}
+		sim.Commit()
+
+		signers, err = oracle.Signers(nil)
+		if err != nil {
+			t.Fatalf("Iter #%d: failed to retrieve list of signers: %v", len(keys)-i, err)
+		}
+		if len(signers) != i {
+			t.Fatalf("Iter #%d: signer count mismatch: have %v, want %v", len(keys)-i, len(signers), i)
+		}
+		// Check that no votes are accepted from the already demoted users
+		if _, err = oracle.Promote(bind.NewKeyedTransactor(keys[i]), common.Address{}); err != nil {
+			t.Fatalf("Iter #%d: failed invalid promotion attempt: %v", i, err)
+		}
+		sim.Commit()
+
+		pend, err := oracle.AuthProposals(nil)
+		if err != nil {
+			t.Fatalf("Iter #%d: failed to retrieve active proposals: %v", i, err)
+		}
+		if len(pend) != 0 {
+			t.Fatalf("Iter #%d: proposal count mismatch: have %d, want 0", i, len(pend))
+		}
+	}
+}
+
+// Tests that new versions can be released, honouring both voting rights as well
+// as the minimum required vote count.
+func TestVersionRelease(t *testing.T) {
+	// Prefund a few accounts to authorize with and create the oracle
+	keys := make([]*ecdsa.PrivateKey, 5)
+	for i := 0; i < len(keys); i++ {
+		keys[i], _ = crypto.GenerateKey()
+	}
+	key, oracle, sim := setupReleaseTest(t, keys...)
+
+	// Track the "current release"
+	var (
+		verMajor  = uint32(0)
+		verMinor  = uint32(0)
+		verPatch  = uint32(0)
+		verCommit = [20]byte{}
+	)
+	// Gradually push releases, always requiring more signers than previously
+	keys = append([]*ecdsa.PrivateKey{key}, keys...)
+	for i := 1; i < len(keys); i++ {
+		// Check that no votes are accepted from the not yet authed user
+		if _, err := oracle.Release(bind.NewKeyedTransactor(keys[i]), 0, 0, 0, [20]byte{0}); err != nil {
+			t.Fatalf("Iter #%d: failed invalid release attempt: %v", i, err)
+		}
+		sim.Commit()
+
+		prop, err := oracle.ProposedVersion(nil)
+		if err != nil {
+			t.Fatalf("Iter #%d: failed to retrieve active proposal: %v", i, err)
+		}
+		if len(prop.Pass) != 0 {
+			t.Fatalf("Iter #%d: proposal vote count mismatch: have %d, want 0", i, len(prop.Pass))
+		}
+		// Authorize the user to make releases
+		for j := 0; j <= i/2; j++ {
+			if _, err = oracle.Promote(bind.NewKeyedTransactor(keys[j]), crypto.PubkeyToAddress(keys[i].PublicKey)); err != nil {
+				t.Fatalf("Iter #%d: failed valid promotion attempt: %v", i, err)
+			}
+		}
+		sim.Commit()
+
+		// Propose release with half voters and check that the release does not yet go through
+		for j := 0; j < (i+1)/2; j++ {
+			if _, err = oracle.Release(bind.NewKeyedTransactor(keys[j]), uint32(i), uint32(i+1), uint32(i+2), [20]byte{}); err != nil {
+				t.Fatalf("Iter #%d: failed valid release attempt: %v", i, err)
+			}
+		}
+		sim.Commit()
+
+		ver, err := oracle.CurrentVersion(nil)
+		if err != nil {
+			t.Fatalf("Iter #%d: failed to retrieve current version: %v", i, err)
+		}
+		if ver.Major != verMajor || ver.Minor != verMinor || ver.Patch != verPatch || ver.Commit != verCommit {
+			t.Fatalf("Iter #%d: version mismatch: have %d.%d.%d-%x, want %d.%d.%d-%x", i, ver.Major, ver.Minor, ver.Patch, ver.Commit, verMajor, verMinor, verPatch, verCommit)
+		}
+
+		// Pass the release and check that it became the next version
+		verMajor, verMinor, verPatch, verCommit = uint32(i), uint32(i+1), uint32(i+2), [20]byte{}
+		if _, err = oracle.Release(bind.NewKeyedTransactor(keys[(i+1)/2]), uint32(i), uint32(i+1), uint32(i+2), [20]byte{}); err != nil {
+			t.Fatalf("Iter #%d: failed valid release completion attempt: %v", i, err)
+		}
+		sim.Commit()
+
+		ver, err = oracle.CurrentVersion(nil)
+		if err != nil {
+			t.Fatalf("Iter #%d: failed to retrieve current version: %v", i, err)
+		}
+		if ver.Major != verMajor || ver.Minor != verMinor || ver.Patch != verPatch || ver.Commit != verCommit {
+			t.Fatalf("Iter #%d: version mismatch: have %d.%d.%d-%x, want %d.%d.%d-%x", i, ver.Major, ver.Minor, ver.Patch, ver.Commit, verMajor, verMinor, verPatch, verCommit)
+		}
+	}
+}
+
+// Tests that proposed versions can be nuked out of existence.
+func TestVersionNuking(t *testing.T) {
+	// Prefund a few accounts to authorize with and create the oracle
+	keys := make([]*ecdsa.PrivateKey, 9)
+	for i := 0; i < len(keys); i++ {
+		keys[i], _ = crypto.GenerateKey()
+	}
+	key, oracle, sim := setupReleaseTest(t, keys...)
+
+	// Authorize all the keys as valid signers
+	keys = append([]*ecdsa.PrivateKey{key}, keys...)
+	for i := 1; i < len(keys); i++ {
+		for j := 0; j <= i/2; j++ {
+			if _, err := oracle.Promote(bind.NewKeyedTransactor(keys[j]), crypto.PubkeyToAddress(keys[i].PublicKey)); err != nil {
+				t.Fatalf("Iter #%d: failed valid promotion attempt: %v", i, err)
+			}
+		}
+		sim.Commit()
+	}
+	// Propose releases with more and more keys, always retaining enough users to nuke the proposals
+	for i := 1; i < (len(keys)+1)/2; i++ {
+		// Propose release with an initial set of signers
+		for j := 0; j < i; j++ {
+			if _, err := oracle.Release(bind.NewKeyedTransactor(keys[j]), uint32(i), uint32(i+1), uint32(i+2), [20]byte{}); err != nil {
+				t.Fatalf("Iter #%d: failed valid proposal attempt: %v", i, err)
+			}
+		}
+		sim.Commit()
+
+		prop, err := oracle.ProposedVersion(nil)
+		if err != nil {
+			t.Fatalf("Iter #%d: failed to retrieve active proposal: %v", i, err)
+		}
+		if len(prop.Pass) != i {
+			t.Fatalf("Iter #%d: proposal vote count mismatch: have %d, want %d", i, len(prop.Pass), i)
+		}
+		// Nuke the release with half+1 voters
+		for j := i; j <= i+(len(keys)+1)/2; j++ {
+			if _, err := oracle.Nuke(bind.NewKeyedTransactor(keys[j])); err != nil {
+				t.Fatalf("Iter #%d: failed valid nuke attempt: %v", i, err)
+			}
+		}
+		sim.Commit()
+
+		prop, err = oracle.ProposedVersion(nil)
+		if err != nil {
+			t.Fatalf("Iter #%d: failed to retrieve active proposal: %v", i, err)
+		}
+		if len(prop.Pass) != 0 || len(prop.Fail) != 0 {
+			t.Fatalf("Iter #%d: proposal vote count mismatch: have %d/%d pass/fail, want 0/0", i, len(prop.Pass), len(prop.Fail))
+		}
+	}
+}
+
+// Tests that demoting a signer will auto-nuke the currently pending release.
+func TestVersionAutoNuke(t *testing.T) {
+	// Prefund a few accounts to authorize with and create the oracle
+	keys := make([]*ecdsa.PrivateKey, 5)
+	for i := 0; i < len(keys); i++ {
+		keys[i], _ = crypto.GenerateKey()
+	}
+	key, oracle, sim := setupReleaseTest(t, keys...)
+
+	// Authorize all the keys as valid signers
+	keys = append([]*ecdsa.PrivateKey{key}, keys...)
+	for i := 1; i < len(keys); i++ {
+		for j := 0; j <= i/2; j++ {
+			if _, err := oracle.Promote(bind.NewKeyedTransactor(keys[j]), crypto.PubkeyToAddress(keys[i].PublicKey)); err != nil {
+				t.Fatalf("Iter #%d: failed valid promotion attempt: %v", i, err)
+			}
+		}
+		sim.Commit()
+	}
+	// Make a release proposal and check it's existence
+	if _, err := oracle.Release(bind.NewKeyedTransactor(keys[0]), 1, 2, 3, [20]byte{}); err != nil {
+		t.Fatalf("Failed valid proposal attempt: %v", err)
+	}
+	sim.Commit()
+
+	prop, err := oracle.ProposedVersion(nil)
+	if err != nil {
+		t.Fatalf("Failed to retrieve active proposal: %v", err)
+	}
+	if len(prop.Pass) != 1 {
+		t.Fatalf("Proposal vote count mismatch: have %d, want 1", len(prop.Pass))
+	}
+	// Demote a signer and check release proposal deletion
+	for i := 0; i <= len(keys)/2; i++ {
+		if _, err := oracle.Demote(bind.NewKeyedTransactor(keys[i]), crypto.PubkeyToAddress(keys[len(keys)-1].PublicKey)); err != nil {
+			t.Fatalf("Iter #%d: failed valid demotion attempt: %v", i, err)
+		}
+	}
+	sim.Commit()
+
+	prop, err = oracle.ProposedVersion(nil)
+	if err != nil {
+		t.Fatalf("Failed to retrieve active proposal: %v", err)
+	}
+	if len(prop.Pass) != 0 {
+		t.Fatalf("Proposal vote count mismatch: have %d, want 0", len(prop.Pass))
+	}
+}

contracts/release/generator.go

@@ -0,0 +1,19 @@
+// Copyright 2016 The go-ethereum Authors
+// This file is part of the go-ethereum library.
+//
+// The go-ethereum library is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Lesser General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// The go-ethereum library is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Lesser General Public License for more details.
+//
+// You should have received a copy of the GNU Lesser General Public License
+// along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>.
+
+//go:generate abigen --sol ./contract.sol --pkg release --out ./contract.go
+
+package release