[Infra] System Contract Dictionary

[quantumagi]

Note that this approach, relying on signatures, does not require additional external permission management.

Example Authorization:

- Anyone calls the "WhiteList" method on the "Dictionary" contract. The method responds with an authorization challenge:
  - E.g. "WhiteList(Nonce:0,CodeHash:123,LastAddress:,Name:)"
- Each signatory calls the legacy "SignMessage" API to obtain a signature for the challenge.
- The submitter calls the "WhiteList" method again with all the signatures.
- The contract is now successfully white-listed and can now be deployed.
- Following contract deployment a contract address will be available. 
- This process is repeated to provide the contract address and a friendly name (e.g. "Multisig").
- Now all nodes that rely on the information from the "Multisig" contract will be able to locate the new contract.

Note: The contract hash of the "System Contract Dictionary" itself will be hard-coded (as being white-listed) in the code base. Initially only the first deployment will be used to determine the contract address unless it is self-listed with a different address in which case we will "follow the chain" to find the most recent version.

Merge PR #509 first.

[noescape00]

I prefer this one over 489
Please let me know when it's ready for full review

[quantumagi]

@noescape00 , I've added some more functionality if you would like to have a look now.

[quantumagi]

Equality check should not be negated in here?

It is correct afaik. The error is displayed when the assertion fails.

[YakupIpek]

I added my feedbacks and i did not leave same feedbacks on duplicated issues. So i will review again after you submited changes.

I suggest you to review and follow style of DAO contract
https://github.com/stratisproject/CirrusSmartContracts/blob/master/Testnet/DAOContract/DAOContract/DAOContract.cs

[YakupIpek]

Can you import just namespace in here ?

[quantumagi]

Is there a reason?

[YakupIpek]

These type of using statements for fixing conflicts when one type is exist in more than 2 namespace so this is not a case in here.

[quantumagi]

Hmm... It would protect against any conflicts that may arise in the future?

[rowandh]

Seems fine.

[YakupIpek]

These value should be hard coded ?

[quantumagi]

These "default" values should be updated at some stage with the correct default values. The AddSignatory and RemoveSignatory will allow the defaults to be changed. I am worried about passing the defaults to the constructor as maybe this will lead to reduced or single person security and maybe make a mockery of the multiple person security this wants to offer.

[YakupIpek]

State should be access by getters/setters in everywhere

[quantumagi]

Done

[YakupIpek]

Can you move namespace to top of page ?

[YakupIpek]

IMO ECRecover.TryVerifySignatures should be GetVerifiedSignatories and return addresses otherwise Try prefix and out param is quite confusing to me. I suggest code like below.

        var challange = Encoding.ASCII.GetBytes(authorizationChallenge);

        var verifieds = ECRecover.GEtVerifiedSignatures(sigs, challange, this.Signatories);

        Assert(verifieds.Length >= this.Quorum, $"Please provide {this.Quorum} valid signatures for '{authorizationChallenge}'.");

[quantumagi]

@rowandh , this was your suggestion, wdyt? I'm on the fence.

[YakupIpek]

When TryVerifySignatures will return false ?
When there is some verified signatories ? No
When there is no any verified signatories ? Still no
These are very unexpected behavior from this method.

It only returns false if provided parameters are null. It is clear that expected behavior of the method is return verified signatories.

[quantumagi]

That is how it was and frankly I had similar thoughts as Yakup. @rowandh should I change this back?

[YakupIpek]

This assert is not necessary so you can remove it.

[quantumagi]

It does make a difference by throwing an error versus simply returning the default. Intuitively throwing an error makes more sense but perhaps there is some reason you don't want to do that for smart contracts. @rowandh , wdyt?

[rowandh]

You might save a small amount of gas by doing this. Seems fine.

[YakupIpek]

Who is going to call this method ? Owner of the contract or anyone ?

[quantumagi]

Anyone that's willing to pay the gas cost to execute it. However signatures are checked before any updates are made.

[YakupIpek]

Adding, removing or checking existence of signatories cause iterative codes and resizing array costs. Alternatively we can index signatories in state like

"Signatories:{signature}" => group

After that you can quickly verify it is existence in dictionary

Another key pair alternative would be

"Signatories:{group}:{signature}" => bool(true)

@rowandh wdty?

[quantumagi]

That would shift the problem of being able to obtain a list of all signatories.

[YakupIpek]

Proably "Signatories:{signature}" => group wouldn't work because same address can be added to different groups so second solution is only solution.

[quantumagi]

@YakupIpek , given your approach how would you list all the signatories of a group? I've optimized for this method since the other methods would occur far less frequently:

    public Address[] GetSignatories(string group)
    {
        return this.State.GetArray<Address>($"Signatories:{group}");
    }

[YakupIpek]

I am not quite sure which path we have to follow right now. You can still separate index like $"Signatories:{group}:{index}" but you have to iterate it at the end if you want to obtain all of them.
Lets wait @rowandh feedback.

[YakupIpek]

These methods can be called by anyone ?

[quantumagi]

Anyone that's willing to pay the gas cost to execute it. However signatures are checked before any updates are made.

[YakupIpek]

It is really needed to specify newSize and newQuorum, why not to automate it ?

[quantumagi]

I really want the user to be very exact about the change being accomplished especially due to how important the quorum count is in relation to the signatory count. The user must know exactly what is being accomplished in that regards and show that knowledge by specifying the values explicitly. All the signatories will also see that information in the security challenge when signing.

[YakupIpek]

Hımm but the transaction is going to fail and cost fee if anyone going to call these methods in same block or in prev blocks.

[quantumagi]

Not sure I understand what you're saying. Will mull it over.

[YakupIpek]

Imo these asserts are not necessary. If someone send null,empty or none existence key then we return default value already from state.

[quantumagi]

It does make a difference by throwing an error versus simply returning the default. Intuitively throwing an error makes more sense but perhaps there is some reason you don't want to do that for smart contracts. @rowandh , wdyt?

[YakupIpek]

As caller of the method, i should to verify that there is hash code or not for given name parameter in any case and i do it by checking its value is default or not. But you added assertion, in the case of it is null so i have to verify exception + default value check.

We should not optimize code for exceptional cases.

[YakupIpek]

This is common way we did in other contracts ussually.

[quantumagi]

If there is insufficient checks something like "Quorum:" could obtain a value, then when "Quorum:" is accessed later a junk value could be returned.

so i have to verify exception + default value check.

You don't have to verify exception if you're not passing null values. If you are unexpectedly passing null values then it better to get an error than some junk value you may proceed processing with.

[YakupIpek]

Why not as below ?

authorizationChallenge = $"{nameof(WhiteList)}:{nonce}:{codeHash},{lastAddress},{name})"

[quantumagi]

It's meant to be as human readable as possible to ensure signatories can read it and know what they are signing.

[YakupIpek]

When TryVerifySignatures will return false ?
When there is some verified signatories ? No
When there is no any verified signatories ? Still no
These are very unexpected behavior from this method.

It only returns false if provided parameters are null. It is clear that expected behavior of the method is return verified signatories.

[YakupIpek]

I am not quite sure which path we have to follow right now. You can still separate index like $"Signatories:{group}:{index}" but you have to iterate it at the end if you want to obtain all of them.
Lets wait @rowandh feedback.

[YakupIpek]

As caller of the method, i should to verify that there is hash code or not for given name parameter in any case and i do it by checking its value is default or not. But you added assertion, in the case of it is null so i have to verify exception + default value check.

We should not optimize code for exceptional cases.

[YakupIpek]

This is common way we did in other contracts ussually.

[quantumagi]

#490 (comment)

[noescape00]

Please add xmldoc for all methods of SystemContractsDictionary that are not pretty much self explanatory, plus general description of the class

[rowandh]

This is an API change to the SCL library. I don't think these should be made randomly in PRs like this but rather as part of a structured API design for the initial SCL release.

[quantumagi]

Moved to other PRs.