Add an option for open (permissionless) multi-leader rounds. (#3168)

## Motivation

For #3162, some
chains need to be "permissionless", i.e. admit any signer as a block
proposer, as far as the chain manager is concerned.

## Proposal

Add an `open_multi_leader_rounds` option. If it is `true`, the
multi-leader rounds are not restricted to the chain owners anymore. (All
other round types still are restricted as usual.)

## Test Plan

A test was added.

## Release Plan

- Nothing to do / These changes follow the usual release cycle.

## Links

- Closes #3163.
- [reviewer
checklist](https://github.com/linera-io/linera-protocol/blob/main/CONTRIBUTING.md#reviewer-checklist)

Author: afck

CLI.md

@@ -200,6 +200,7 @@ Open (i.e. activate) a new multi-owner chain deriving the UID from an existing o
 
    If they are specified there must be exactly one weight for each owner. If no weights are given, every owner will have weight 100.
 * `--multi-leader-rounds <MULTI_LEADER_ROUNDS>` — The number of rounds in which every owner can propose blocks, i.e. the first round number in which only a single designated leader is allowed to propose blocks
+* `--open-multi-leader-rounds` — Whether the multi-leader rounds are unrestricted, i.e. not limited to chain owners. This should only be `true` on chains with restrictive application permissions and an application-based mechanism to select block proposers
 * `--fast-round-ms <FAST_ROUND_DURATION>` — The duration of the fast round, in milliseconds
 * `--base-timeout-ms <BASE_TIMEOUT>` — The duration of the first single-leader and all multi-leader rounds
 
@@ -236,6 +237,7 @@ Specify the complete set of new owners, by public key. Existing owners that are
 
    If they are specified there must be exactly one weight for each owner. If no weights are given, every owner will have weight 100.
 * `--multi-leader-rounds <MULTI_LEADER_ROUNDS>` — The number of rounds in which every owner can propose blocks, i.e. the first round number in which only a single designated leader is allowed to propose blocks
+* `--open-multi-leader-rounds` — Whether the multi-leader rounds are unrestricted, i.e. not limited to chain owners. This should only be `true` on chains with restrictive application permissions and an application-based mechanism to select block proposers
 * `--fast-round-ms <FAST_ROUND_DURATION>` — The duration of the fast round, in milliseconds
 * `--base-timeout-ms <BASE_TIMEOUT>` — The duration of the first single-leader and all multi-leader rounds
 

linera-base/src/ownership.rs

@@ -57,8 +57,12 @@ pub struct ChainOwnership {
     /// The regular owners, with their weights that determine how often they are round leader.
     #[debug(skip_if = BTreeMap::is_empty)]
     pub owners: BTreeMap<Owner, u64>,
-    /// The number of initial rounds after 0 in which all owners are allowed to propose blocks.
+    /// The number of rounds in which all owners are allowed to propose blocks.
     pub multi_leader_rounds: u32,
+    /// Whether the multi-leader rounds are unrestricted, i.e. not limited to chain owners.
+    /// This should only be `true` on chains with restrictive application permissions and an
+    /// application-based mechanism to select block proposers.
+    pub open_multi_leader_rounds: bool,
     /// The timeout configuration: how long fast, multi-leader and single-leader rounds last.
     pub timeout_config: TimeoutConfig,
 }
@@ -70,6 +74,7 @@ impl ChainOwnership {
             super_owners: iter::once(owner).collect(),
             owners: BTreeMap::new(),
             multi_leader_rounds: 2,
+            open_multi_leader_rounds: false,
             timeout_config: TimeoutConfig::default(),
         }
     }
@@ -80,6 +85,7 @@ impl ChainOwnership {
             super_owners: BTreeSet::new(),
             owners: iter::once((owner, 100)).collect(),
             multi_leader_rounds: 2,
+            open_multi_leader_rounds: false,
             timeout_config: TimeoutConfig::default(),
         }
     }
@@ -94,6 +100,7 @@ impl ChainOwnership {
             super_owners: BTreeSet::new(),
             owners: owners_and_weights.into_iter().collect(),
             multi_leader_rounds,
+            open_multi_leader_rounds: false,
             timeout_config,
         }
     }
@@ -197,6 +204,7 @@ mod tests {
             super_owners: BTreeSet::from_iter([super_owner]),
             owners: BTreeMap::from_iter([(owner, 100)]),
             multi_leader_rounds: 10,
+            open_multi_leader_rounds: false,
             timeout_config: TimeoutConfig {
                 fast_round_duration: Some(TimeDelta::from_secs(5)),
                 base_timeout: TimeDelta::from_secs(10),

linera-base/src/unit_tests.rs

@@ -147,6 +147,7 @@ fn chain_ownership_test_case() -> ChainOwnership {
         super_owners,
         owners,
         multi_leader_rounds: 5,
+        open_multi_leader_rounds: false,
         timeout_config: TimeoutConfig {
             fast_round_duration: None,
             base_timeout: TimeDelta::ZERO,

linera-chain/src/manager.rs

@@ -579,8 +579,9 @@ where
                 false // Only super owners can propose in the first round.
             }
             Round::MultiLeader(_) => {
+                let ownership = self.ownership.get();
                 // Not in leader rotation mode; any owner is allowed to propose.
-                self.ownership.get().owners.contains_key(owner)
+                ownership.open_multi_leader_rounds || ownership.owners.contains_key(owner)
             }
             Round::SingleLeader(r) => {
                 let Some(index) = self.round_leader_index(r) else {

linera-chain/src/unit_tests/chain_tests.rs

@@ -112,7 +112,7 @@ async fn test_block_size_limit() {
     let mut chain = ChainStateView::new(chain_id).await;
 
     // The size of the executed valid block below.
-    let maximum_executed_block_size = 675;
+    let maximum_executed_block_size = 676;
 
     // Initialize the chain.
     let mut config = make_open_chain_config();

linera-client/src/client_options.rs

@@ -1236,6 +1236,12 @@ pub struct ChainOwnershipConfig {
     #[arg(long)]
     multi_leader_rounds: Option<u32>,
 
+    /// Whether the multi-leader rounds are unrestricted, i.e. not limited to chain owners.
+    /// This should only be `true` on chains with restrictive application permissions and an
+    /// application-based mechanism to select block proposers.
+    #[arg(long)]
+    open_multi_leader_rounds: bool,
+
     /// The duration of the fast round, in milliseconds.
     #[arg(long = "fast-round-ms", value_parser = util::parse_millis_delta)]
     fast_round_duration: Option<TimeDelta>,
@@ -1277,6 +1283,7 @@ impl TryFrom<ChainOwnershipConfig> for ChainOwnership {
             owner_weights,
             multi_leader_rounds,
             fast_round_duration,
+            open_multi_leader_rounds,
             base_timeout,
             timeout_increment,
             fallback_duration,
@@ -1303,6 +1310,7 @@ impl TryFrom<ChainOwnershipConfig> for ChainOwnership {
             super_owners,
             owners,
             multi_leader_rounds,
+            open_multi_leader_rounds,
             timeout_config,
         })
     }

linera-core/src/client/mod.rs

@@ -2646,6 +2646,7 @@ where
             super_owners: vec![new_owner],
             owners: Vec::new(),
             multi_leader_rounds: 2,
+            open_multi_leader_rounds: false,
             timeout_config: TimeoutConfig::default(),
         }))
         .await
@@ -2671,6 +2672,7 @@ where
                 super_owners: Vec::new(),
                 owners,
                 multi_leader_rounds: ownership.multi_leader_rounds,
+                open_multi_leader_rounds: ownership.open_multi_leader_rounds,
                 timeout_config: ownership.timeout_config,
             })];
             match self.execute_block(operations).await? {
@@ -2701,6 +2703,7 @@ where
             super_owners: ownership.super_owners.into_iter().collect(),
             owners: ownership.owners.into_iter().collect(),
             multi_leader_rounds: ownership.multi_leader_rounds,
+            open_multi_leader_rounds: ownership.open_multi_leader_rounds,
             timeout_config: ownership.timeout_config.clone(),
         }))
         .await

linera-core/src/unit_tests/client_tests.rs

@@ -1448,6 +1448,7 @@ where
         super_owners: Vec::new(),
         owners: vec![(owner2_a, 50), (owner2_b, 50)],
         multi_leader_rounds: 10,
+        open_multi_leader_rounds: false,
         timeout_config: TimeoutConfig::default(),
     });
     client2_a
@@ -1579,6 +1580,7 @@ where
         super_owners: Vec::new(),
         owners: vec![(owner3_a, 50), (owner3_b, 50), (owner3_c, 50)],
         multi_leader_rounds: 10,
+        open_multi_leader_rounds: false,
         timeout_config: TimeoutConfig::default(),
     });
     client3_a

linera-core/src/unit_tests/worker_tests.rs

@@ -3230,6 +3230,7 @@ where
             super_owners: Vec::new(),
             owners: vec![(owner0, 100), (owner1, 100)],
             multi_leader_rounds: 0,
+            open_multi_leader_rounds: false,
             timeout_config: TimeoutConfig::default(),
         })
         .with_authenticated_signer(Some(owner0));
@@ -3433,6 +3434,7 @@ where
         super_owners: vec![owner0],
         owners: vec![(owner0, 100), (owner1, 100)],
         multi_leader_rounds: 2,
+        open_multi_leader_rounds: false,
         timeout_config: TimeoutConfig {
             fast_round_duration: Some(TimeDelta::from_secs(5)),
             ..TimeoutConfig::default()
@@ -3450,12 +3452,11 @@ where
     assert_eq!(response.info.manager.leader, None);
 
     // So owner 1 cannot propose a block in this round. And the next round hasn't started yet.
-    let proposal =
-        make_child_block(&value0.clone()).into_proposal_with_round(&key_pairs[1], Round::Fast);
+    let proposal = make_child_block(&value0).into_proposal_with_round(&key_pairs[1], Round::Fast);
     let result = worker.handle_block_proposal(proposal).await;
     assert_matches!(result, Err(WorkerError::InvalidOwner));
-    let proposal = make_child_block(&value0.clone())
-        .into_proposal_with_round(&key_pairs[1], Round::MultiLeader(0));
+    let proposal =
+        make_child_block(&value0).into_proposal_with_round(&key_pairs[1], Round::MultiLeader(0));
     let result = worker.handle_block_proposal(proposal).await;
     assert_matches!(result, Err(WorkerError::ChainError(ref error))
         if matches!(**error, ChainError::WrongRound(Round::Fast))
@@ -3499,6 +3500,69 @@ where
     Ok(())
 }
 
+#[test_case(MemoryStorageBuilder::default(); "memory")]
+#[cfg_attr(feature = "rocksdb", test_case(RocksDbStorageBuilder::new().await; "rocks_db"))]
+#[cfg_attr(feature = "dynamodb", test_case(DynamoDbStorageBuilder::default(); "dynamo_db"))]
+#[cfg_attr(feature = "scylladb", test_case(ScyllaDbStorageBuilder::default(); "scylla_db"))]
+#[test_log::test(tokio::test)]
+async fn test_open_multi_leader_rounds<B>(mut storage_builder: B) -> anyhow::Result<()>
+where
+    B: StorageBuilder,
+{
+    let storage = storage_builder.build().await?;
+    let chain_id = ChainId::root(0);
+    let key_pair = KeyPair::generate();
+    let owner = key_pair.public().into();
+    let description = ChainDescription::Root(0);
+    let (committee, worker) =
+        init_worker_with_chain(storage, description, owner, Amount::from_tokens(2)).await;
+
+    // Configure open multi-leader rounds.
+    let change_ownership_block =
+        make_first_block(chain_id).with_operation(SystemOperation::ChangeOwnership {
+            super_owners: vec![],
+            owners: vec![(owner, 100)],
+            multi_leader_rounds: 2,
+            open_multi_leader_rounds: true,
+            timeout_config: TimeoutConfig {
+                fast_round_duration: Some(TimeDelta::from_secs(5)),
+                ..TimeoutConfig::default()
+            },
+        });
+    let (change_ownership_executed_block, _) =
+        worker.stage_block_execution(change_ownership_block).await?;
+    let change_ownership_value = Hashed::new(ConfirmedBlock::new(change_ownership_executed_block));
+    let change_ownership_certificate =
+        make_certificate(&committee, &worker, change_ownership_value.clone());
+    worker
+        .fully_handle_certificate_with_notifications(change_ownership_certificate, &())
+        .await?;
+
+    // The first round is the multi-leader round 0. Anyone is allowed to propose.
+    // But non-owners are not allowed to transfer the chain's funds.
+    let proposal = make_child_block(&change_ownership_value)
+        .with_transfer(None, Recipient::Burn, Amount::from_tokens(1))
+        .into_proposal_with_round(&KeyPair::generate(), Round::MultiLeader(0));
+    let result = worker.handle_block_proposal(proposal).await;
+    assert_matches!(result, Err(WorkerError::ChainError(error)) if matches!(&*error,
+        ChainError::ExecutionError(error, _) if matches!(&**error,
+        ExecutionError::SystemError(SystemExecutionError::UnauthenticatedTransferOwner
+    ))));
+
+    // Without the transfer, a random key pair can propose a block.
+    let proposal = make_child_block(&change_ownership_value)
+        .into_proposal_with_round(&KeyPair::generate(), Round::MultiLeader(0));
+    let (executed_block, _) = worker
+        .stage_block_execution(proposal.content.proposal.clone())
+        .await?;
+    let value = Hashed::new(ConfirmedBlock::new(executed_block));
+    let (response, _) = worker.handle_block_proposal(proposal).await?;
+    let vote = response.info.manager.pending.unwrap();
+    assert_eq!(vote.round, Round::MultiLeader(0));
+    assert_eq!(vote.value.value_hash, value.hash());
+    Ok(())
+}
+
 #[test_case(MemoryStorageBuilder::default(); "memory")]
 #[cfg_attr(feature = "rocksdb", test_case(RocksDbStorageBuilder::new().await; "rocks_db"))]
 #[cfg_attr(feature = "dynamodb", test_case(DynamoDbStorageBuilder::default(); "dynamo_db"))]
@@ -3522,6 +3586,7 @@ where
         super_owners: vec![owner0],
         owners: vec![(owner0, 100), (owner1, 100)],
         multi_leader_rounds: 3,
+        open_multi_leader_rounds: false,
         timeout_config: TimeoutConfig {
             fast_round_duration: Some(TimeDelta::from_millis(5)),
             ..TimeoutConfig::default()

linera-execution/src/system.rs

@@ -146,6 +146,10 @@ pub enum SystemOperation {
         owners: Vec<(Owner, u64)>,
         /// The number of initial rounds after 0 in which all owners are allowed to propose blocks.
         multi_leader_rounds: u32,
+        /// Whether the multi-leader rounds are unrestricted, i.e. not limited to chain owners.
+        /// This should only be `true` on chains with restrictive application permissions and an
+        /// application-based mechanism to select block proposers.
+        open_multi_leader_rounds: bool,
         /// The timeout configuration: how long fast, multi-leader and single-leader rounds last.
         timeout_config: TimeoutConfig,
     },
@@ -472,12 +476,14 @@ where
                 super_owners,
                 owners,
                 multi_leader_rounds,
+                open_multi_leader_rounds,
                 timeout_config,
             } => {
                 self.ownership.set(ChainOwnership {
                     super_owners: super_owners.into_iter().collect(),
                     owners: owners.into_iter().collect(),
                     multi_leader_rounds,
+                    open_multi_leader_rounds,
                     timeout_config,
                 });
             }