@inco/lightning 0.8.0-devnet-7 → 0.8.0-devnet-9

package/src/test/TEELifecycle/TEELifecycleMockTest.t.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: UNLICENSED
-pragma solidity ^0.8.0;
+pragma solidity ^0.8;
 
 import {TEELifecycle} from "../../lightning-parts/TEELifecycle.sol";
 import {BootstrapResult, AddNodeResult, UpgradeResult} from "../../lightning-parts/TEELifecycle.types.sol";
@@ -24,7 +24,8 @@ contract TEELifecycleMockTest is MockRemoteAttestation, TEELifecycle {
         hex"010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101";
     // See DEFAULT_MR_AGGREGATED in attestation/src/remote_attestation.rs to
     // see the calculation of the default value.
-    bytes32 testMrAggregated = hex"c3a67bac251d4946d7b17481d39631676042fe3afab06e70c22105ad8383c19f";
+    // Note: This uses abi.encode (not encodePacked) to avoid hash collision vulnerabilities.
+    bytes32 testMrAggregated = hex"3d48a1faa8620d86ae037f4fd6746987733d085314b3cd5d5d074ade8bab6ebd";
 
     function setUp() public {
         getTeeLifecycleStorage().quoteVerifier = new FakeQuoteVerifier();
@@ -133,61 +134,6 @@ contract TEELifecycleMockTest is MockRemoteAttestation, TEELifecycle {
         vm.stopPrank();
     }
 
-    function testRemoveApprovedTeeVersionPreservesOrder() public {
-        bytes32 mrAggregated1 = hex"1111111111111111111111111111111111111111111111111111111111111111";
-        bytes32 mrAggregated2 = hex"2222222222222222222222222222222222222222222222222222222222222222";
-        bytes32 mrAggregated3 = hex"3333333333333333333333333333333333333333333333333333333333333333";
-
-        vm.startPrank(this.owner());
-
-        // Add three versions
-        this.approveNewTeeVersion(mrAggregated1);
-        this.approveNewTeeVersion(mrAggregated2);
-        this.approveNewTeeVersion(mrAggregated3);
-
-        // Verify all exist in order
-        assertEq(this.approvedTeeVersions(0), mrAggregated1);
-        assertEq(this.approvedTeeVersions(1), mrAggregated2);
-        assertEq(this.approvedTeeVersions(2), mrAggregated3);
-
-        // Remove the middle one (mrAggregated2)
-        this.removeApprovedTeeVersion(mrAggregated2);
-
-        // Verify insertion order is preserved: mrAggregated1 stays at 0, mrAggregated3 shifts to 1
-        assertEq(this.approvedTeeVersions(0), mrAggregated1);
-        assertEq(this.approvedTeeVersions(1), mrAggregated3);
-
-        // Verify index 2 is now out of bounds
-        vm.expectRevert(TEELifecycle.IndexOutOfBounds.selector);
-        this.approvedTeeVersions(2);
-
-        vm.stopPrank();
-    }
-
-    function testRemoveApprovedTeeVersionNotFound() public {
-        bytes32 nonExistentMrAggregated = hex"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
-
-        vm.startPrank(this.owner());
-        vm.expectRevert(TEELifecycle.TEEVersionNotFound.selector);
-        this.removeApprovedTeeVersion(nonExistentMrAggregated);
-        vm.stopPrank();
-    }
-
-    function testRemoveApprovedTeeVersionOnlyOwner() public {
-        bytes32 mrAggregated = hex"1111111111111111111111111111111111111111111111111111111111111111";
-
-        vm.startPrank(this.owner());
-        this.approveNewTeeVersion(mrAggregated);
-        vm.stopPrank();
-
-        // Try to remove as non-owner
-        address nonOwner = address(0x1234);
-        vm.startPrank(nonOwner);
-        vm.expectRevert();
-        this.removeApprovedTeeVersion(mrAggregated);
-        vm.stopPrank();
-    }
-
     // Helper function to create a successful bootstrap result
     function successfulBootstrapResult()
         internal
@@ -449,4 +395,83 @@ contract TEELifecycleMockTest is MockRemoteAttestation, TEELifecycle {
         );
     }
 
+    // ============ Tests for reset() ============
+
+    function testReset_OnlyOwner() public {
+        address nonOwner = address(0x1234);
+        vm.startPrank(nonOwner);
+        vm.expectRevert();
+        this.reset();
+        vm.stopPrank();
+    }
+
+    function testReset_WithMultipleSigners() public {
+        // Complete bootstrap with first signer
+        (
+            BootstrapResult memory bootstrapResult,,
+            address bootstrapPartyAddress,
+            bytes memory quote,
+            bytes memory signature,
+            bytes32 mrAggregated
+        ) = successfulBootstrapResult();
+
+        vm.startPrank(this.owner());
+        this.approveNewTeeVersion(mrAggregated);
+        this.verifyBootstrapResult(bootstrapResult, quote, signature);
+
+        // Add a second node
+        (uint256 newNodePrivkey, address newNodeAddress) = getLabeledKeyPair("newNode");
+        AddNodeResult memory addNodeResult = AddNodeResult({networkPubkey: testNetworkPubkey});
+        bytes memory addNodeSignature = signAddNodeResult(addNodeResult, newNodePrivkey);
+        bytes memory addNodeQuote = createQuote(testMrtd, newNodeAddress);
+        this.verifyAddNodeResult(mrAggregated, addNodeResult, addNodeQuote, addNodeSignature);
+
+        // Verify state before reset
+        assertTrue(this.isBootstrapComplete(), "Bootstrap should be complete before reset");
+        assertEq(this.networkPubkey(), testNetworkPubkey, "Network pubkey should be set before reset");
+        assertEq(this.approvedTeeVersions(0), mrAggregated, "Approved TEE version should exist before reset");
+        assertEq(this.getSignersCount(), 2, "Should have 2 signers before reset");
+        assertTrue(this.isSigner(bootstrapPartyAddress), "First signer should exist");
+        assertTrue(this.isSigner(newNodeAddress), "Second signer should exist");
+
+        // Call reset
+        this.reset();
+
+        // Verify all state has been cleared
+        assertFalse(this.isBootstrapComplete(), "Bootstrap should not be complete after reset");
+        assertEq(this.networkPubkey().length, 0, "Network pubkey should be empty after reset");
+        assertEq(this.getSignersCount(), 0, "Should have 0 signers after reset");
+        assertFalse(this.isSigner(bootstrapPartyAddress), "First signer should be removed");
+        assertFalse(this.isSigner(newNodeAddress), "Second signer should be removed");
+        assertEq(this.getThreshold(), 0, "Threshold should be 0 after reset");
+
+        // Verify approved TEE versions array is empty
+        vm.expectRevert(TEELifecycle.IndexOutOfBounds.selector);
+        this.approvedTeeVersions(0);
+
+        vm.stopPrank();
+    }
+
+    function testReset_AllowsNewBootstrap() public {
+        // Complete bootstrap
+        (BootstrapResult memory bootstrapResult,,, bytes memory quote, bytes memory signature, bytes32 mrAggregated) =
+            successfulBootstrapResult();
+
+        vm.startPrank(this.owner());
+        this.approveNewTeeVersion(mrAggregated);
+        this.verifyBootstrapResult(bootstrapResult, quote, signature);
+        assertTrue(this.isBootstrapComplete(), "Bootstrap should be complete");
+
+        // Reset the contract
+        this.reset();
+        assertFalse(this.isBootstrapComplete(), "Bootstrap should not be complete after reset");
+
+        // Should be able to bootstrap again
+        this.approveNewTeeVersion(mrAggregated);
+        this.verifyBootstrapResult(bootstrapResult, quote, signature);
+        assertTrue(this.isBootstrapComplete(), "Should be able to bootstrap again after reset");
+
+        vm.stopPrank();
+    }
+
 }

package/src/test/TestDeploy.t.sol

@@ -5,6 +5,7 @@ import {Test} from "forge-std/Test.sol";
 import {TrivialEncryption} from "../lightning-parts/TrivialEncryption.sol";
 import {ETypes} from "../Types.sol";
 import {UUPSUpgradeable} from "@openzeppelin/contracts/proxy/utils/UUPSUpgradeable.sol";
+import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
 import {inco} from "../Lib.sol";
 import {IncoTest} from "./IncoTest.sol";
 
@@ -26,6 +27,7 @@ contract TestDeploy is Test, IncoTest {
         vm.expectEmit(false, false, true, false, address(inco));
         emit TrivialEncryption.TrivialEncrypt(bytes32(uint256(1)), bytes32(uint256(1)), ETypes.Bool, 0);
         inco.asEbool(true);
+        assertTrue(inco.isAcceptedVersion(2));
     }
 
     function testUpgrade() public {
@@ -35,4 +37,30 @@ contract TestDeploy is Test, IncoTest {
         assertEq(ReturnTwo(address(inco)).getTwo(), 2);
     }
 
+    function testAddAcceptedVersion() public {
+        assertFalse(inco.isAcceptedVersion(42));
+        vm.prank(owner);
+        inco.addAcceptedVersion(42);
+        assertTrue(inco.isAcceptedVersion(42));
+    }
+
+    function testAddAcceptedVersionNotOwner() public {
+        vm.expectRevert(abi.encodeWithSelector(OwnableUpgradeable.OwnableUnauthorizedAccount.selector, alice));
+        vm.prank(alice);
+        inco.addAcceptedVersion(42);
+    }
+
+    function testRemoveAcceptedVersion() public {
+        assertFalse(inco.isAcceptedVersion(42));
+        vm.prank(owner);
+        inco.removeAcceptedVersion(42); // removing a non-existent version should be no-op
+        assertFalse(inco.isAcceptedVersion(42));
+    }
+
+    function testRemoveAcceptedVersionNotOwner() public {
+        vm.expectRevert(abi.encodeWithSelector(OwnableUpgradeable.OwnableUnauthorizedAccount.selector, alice));
+        vm.prank(alice);
+        inco.removeAcceptedVersion(42);
+    }
+
 }

package/src/test/TestUpgrade.t.sol

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: No License
-pragma solidity ^0.8.20;
+pragma solidity ^0.8;
 
 import {Strings} from "@openzeppelin/contracts/utils/Strings.sol";
 import {Safe} from "safe-smart-account/Safe.sol";

package/src/version/IncoLightningConfig.sol

@@ -7,7 +7,7 @@ pragma solidity ^0.8;
 // UPDATE the CHANGELOG on new versions
 
 string constant CONTRACT_NAME = "incoLightning";
-uint8 constant MAJOR_VERSION = 4;
+uint8 constant MAJOR_VERSION = 5;
 uint8 constant MINOR_VERSION = 0;
 // whenever a new version is deployed, we need to pump this up
 // otherwise make test_upgrade will fail