Merge remote-tracking branch 'origin/master' into merge-v1.12.1

Conflicts:
      go-ethereum
      go.mod
      go.sum
      system_tests/arbtrace_test.go
      system_tests/block_validator_test.go
      system_tests/conditionaltx_test.go
      system_tests/debugapi_test.go
      system_tests/delayedinboxlong_test.go
      system_tests/fees_test.go
      system_tests/seqinbox_test.go
      system_tests/staker_test.go
      system_tests/twonodeslong_test.go

Resolve conflicts around introduction of test node builder pattern.

.github/workflows/arbitrator-ci.yml

@@ -25,7 +25,7 @@ jobs:
     runs-on: ubuntu-8
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           submodules: recursive
 
@@ -49,23 +49,18 @@ jobs:
           cache-dependency-path: '**/yarn.lock'
 
       - name: Install rust stable
-        uses: actions-rs/toolchain@v1
-        id: install-rust
+        uses: dtolnay/rust-toolchain@stable
         with:
-          profile: minimal
-          toolchain: "stable"
-          override: true
           components: 'llvm-tools-preview, rustfmt, clippy'
+          targets: 'wasm32-wasi, wasm32-unknown-unknown'
 
       - name: Install grcov
-        uses: actions-rs/install@v0.1
+        uses: jaxxstorm/action-install[email protected]
         with:
-          crate: grcov
-          version: latest
-          use-tool-cache: true
-
-      - name: Install rust wasm targets
-        run: rustup target add wasm32-wasi wasm32-unknown-unknown
+          repo: mozilla/grcov
+          tag: v0.8.18
+          extension: "\\.bz2"
+          cache: enable
 
       - name: Cache Rust intermediate build products
         uses: actions/cache@v3
@@ -148,22 +143,13 @@ jobs:
           echo RUSTDOCFLAGS="-Cpanic=abort" >> $GITHUB_ENV
 
       - name: Clippy check
-        uses: actions-rs/cargo@v1
-        with:
-          command: clippy
-          args: --all --manifest-path arbitrator/Cargo.toml -- -D warnings
+        run: cargo clippy --all --manifest-path arbitrator/Cargo.toml -- -D warnings
 
       - name: Run rust tests
-        uses: actions-rs/cargo@v1
-        with:
-          command: test
-          args: --all --manifest-path arbitrator/Cargo.toml
+        run: cargo test --all --manifest-path arbitrator/Cargo.toml
 
       - name: Rustfmt
-        uses: actions-rs/cargo@v1
-        with:
-          command: fmt
-          args: --all --manifest-path arbitrator/Cargo.toml -- --check
+        run: cargo fmt --all --manifest-path arbitrator/Cargo.toml -- --check
 
       - name: Make proofs from test cases
         run: make -j test-gen-proofs

.github/workflows/ci.yml

@@ -29,7 +29,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           submodules: true
 
@@ -53,27 +53,10 @@ jobs:
           sudo apt-get update && sudo apt-get install -y lld-14
           sudo ln -s /usr/bin/wasm-ld-14 /usr/local/bin/wasm-ld
 
-      - name: Install rust wasm32-unknown-unknown
-        uses: actions-rs/toolchain@v1
-        with:
-          profile: minimal
-          toolchain: "stable"
-          target: wasm32-unknown-unknown
-
-      - name: Install rust wasm32-wasi
-        uses: actions-rs/toolchain@v1
-        with:
-          profile: minimal
-          toolchain: "stable"
-          target: wasm32-wasi
-
       - name: Install rust stable
-        uses: actions-rs/toolchain@v1
-        id: install-rust
+        uses: dtolnay/rust-toolchain@stable
         with:
-          profile: minimal
-          toolchain: "stable"
-          override: true
+          targets: 'wasm32-unknown-unknown, wasm32-wasi'
 
       - name: Cache Build Products
         uses: actions/cache@v3
@@ -125,10 +108,9 @@ jobs:
         run: make -j build-node-deps
 
       - name: Lint
-        uses: golangci/golangci-lint-action@v2
+        uses: golangci/golangci-lint-action@v3
         with:
           version: latest
-          skip-go-installation: true
           skip-pkg-cache: true
       - name: Custom Lint
         run: |

.github/workflows/codeql-analysis.yml

@@ -32,7 +32,6 @@ jobs:
       contents: read
       security-events: write
     env:
-      CODEQL_EXTRACTOR_GO_BUILD_TRACING: 'on'
       WABT_VERSION: 1.0.32
 
     strategy:
@@ -44,7 +43,7 @@ jobs:
 
     steps:
     - name: Checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
       with:
         submodules: true
 
@@ -74,12 +73,7 @@ jobs:
         go-version: 1.20.x
 
     - name: Install rust stable
-      uses: actions-rs/toolchain@v1
-      id: install-rust
-      with:
-        profile: minimal
-        toolchain: "stable"
-        override: true
+      uses: dtolnay/rust-toolchain@stable
 
     - name: Cache Rust Build Products
       uses: actions/cache@v3

.github/workflows/docker.yml

@@ -23,12 +23,12 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           submodules: recursive
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v3
         with:
           driver-opts: network=host
 
@@ -40,7 +40,7 @@ jobs:
           restore-keys: ${{ runner.os }}-buildx-
 
       - name: Build nitro-node docker
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v5
         with:
           target: nitro-node
           push: true
@@ -50,7 +50,7 @@ jobs:
           cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
 
       - name: Build nitro-node-dev docker
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v5
         with:
           target: nitro-node-dev
           push: true

.github/workflows/waitForNitro.sh

@@ -1,10 +1,13 @@
-# poll the nitro endpoint until we get a 0 return code
-while true
-do
-  curl -X POST -H 'Content-Type: application/json' -d '{"jsonrpc":"2.0","id":45678,"method":"eth_chainId","params":[]}' 'http://localhost:8547'
-  if [ "$?" -eq "0" ]; then
+#!/bin/bash
+# poll the nitro endpoint until we get a 0 return code or 30mins have passed, in that case exit 1
+timeout_time=$(($(date +%s) + 1800))
+
+while (( $(date +%s) <= timeout_time )); do
+  if curl -X POST -H 'Content-Type: application/json' -d '{"jsonrpc":"2.0","id":45678,"method":"eth_chainId","params":[]}' 'http://localhost:8547'; then
     exit 0
   else
     sleep 20
   fi
-done
+done
+
+exit 1

Dockerfile

@@ -29,7 +29,7 @@ RUN apt-get update && \
     apt-get install -y git python3 make g++
 WORKDIR /workspace
 COPY contracts/package.json contracts/yarn.lock contracts/
-RUN cd contracts && yarn install --ignore-optional
+RUN cd contracts && yarn install
 COPY contracts contracts/
 COPY Makefile .
 RUN NITRO_BUILD_IGNORE_TIMESTAMPS=1 make build-solidity
@@ -77,6 +77,7 @@ COPY ./fastcache ./fastcache
 COPY ./go-ethereum ./go-ethereum
 COPY --from=brotli-wasm-export / target/
 COPY --from=contracts-builder workspace/contracts/build/contracts/src/precompiles/ contracts/build/contracts/src/precompiles/
+COPY --from=contracts-builder workspace/contracts/node_modules/@offchainlabs/upgrade-executor/build/contracts/src/UpgradeExecutor.sol/UpgradeExecutor.json contracts/
 COPY --from=contracts-builder workspace/.make/ .make/
 RUN PATH="$PATH:/usr/local/go/bin" NITRO_BUILD_IGNORE_TIMESTAMPS=1 make build-wasm-bin
 
@@ -180,6 +181,7 @@ COPY fastcache/go.mod fastcache/go.sum fastcache/
 RUN go mod download
 COPY . ./
 COPY --from=contracts-builder workspace/contracts/build/ contracts/build/
+COPY --from=contracts-builder workspace/contracts/node_modules/@offchainlabs/upgrade-executor/build/contracts/src/UpgradeExecutor.sol/UpgradeExecutor.json contracts/node_modules/@offchainlabs/upgrade-executor/build/contracts/src/UpgradeExecutor.sol/
 COPY --from=contracts-builder workspace/.make/ .make/
 COPY --from=prover-header-export / target/
 COPY --from=brotli-library-export / target/

arbnode/dataposter/data_poster.go

@@ -175,22 +175,36 @@ func NewDataPoster(ctx context.Context, opts *DataPosterOpts) (*DataPoster, erro
 }
 
 func rpcClient(ctx context.Context, opts *ExternalSignerCfg) (*rpc.Client, error) {
-	rootCrt, err := os.ReadFile(opts.RootCA)
-	if err != nil {
-		return nil, fmt.Errorf("error reading external signer root CA: %w", err)
+	tlsCfg := &tls.Config{
+		MinVersion: tls.VersionTLS12,
+	}
+
+	if opts.ClientCert != "" && opts.ClientPrivateKey != "" {
+		log.Info("Client certificate for external signer is enabled")
+		clientCert, err := tls.LoadX509KeyPair(opts.ClientCert, opts.ClientPrivateKey)
+		if err != nil {
+			return nil, fmt.Errorf("error loading client certificate and private key: %w", err)
+		}
+		tlsCfg.Certificates = []tls.Certificate{clientCert}
 	}
-	pool := x509.NewCertPool()
-	pool.AppendCertsFromPEM(rootCrt)
+
+	if opts.RootCA != "" {
+		rootCrt, err := os.ReadFile(opts.RootCA)
+		if err != nil {
+			return nil, fmt.Errorf("error reading external signer root CA: %w", err)
+		}
+		rootCertPool := x509.NewCertPool()
+		rootCertPool.AppendCertsFromPEM(rootCrt)
+		tlsCfg.RootCAs = rootCertPool
+	}
+
 	return rpc.DialOptions(
 		ctx,
 		opts.URL,
 		rpc.WithHTTPClient(
 			&http.Client{
 				Transport: &http.Transport{
-					TLSClientConfig: &tls.Config{
-						MinVersion: tls.VersionTLS12,
-						RootCAs:    pool,
-					},
+					TLSClientConfig: tlsCfg,
 				},
 			},
 		),
@@ -743,9 +757,14 @@ type ExternalSignerCfg struct {
 	Address string `koanf:"address"`
 	// API method name (e.g. eth_signTransaction).
 	Method string `koanf:"method"`
-	// Path to the external signer root CA certificate.
+	// (Optional) Path to the external signer root CA certificate.
 	// This allows us to use self-signed certificats on the external signer.
 	RootCA string `koanf:"root-ca"`
+	// (Optional) Client certificate for mtls.
+	ClientCert string `koanf:"client-cert"`
+	// (Optional) Client certificate key for mtls.
+	// This is required when client-cert is set.
+	ClientPrivateKey string `koanf:"client-private-key"`
 }
 
 type DangerousConfig struct {
@@ -788,6 +807,8 @@ func addExternalSignerOptions(prefix string, f *pflag.FlagSet) {
 	f.String(prefix+".address", DefaultDataPosterConfig.ExternalSigner.Address, "external signer address")
 	f.String(prefix+".method", DefaultDataPosterConfig.ExternalSigner.Method, "external signer method")
 	f.String(prefix+".root-ca", DefaultDataPosterConfig.ExternalSigner.RootCA, "external signer root CA")
+	f.String(prefix+".client-cert", DefaultDataPosterConfig.ExternalSigner.ClientCert, "rpc client cert")
+	f.String(prefix+".client-private-key", DefaultDataPosterConfig.ExternalSigner.ClientPrivateKey, "rpc client private key")
 }
 
 var DefaultDataPosterConfig = DataPosterConfig{

arbnode/dataposter/dataposter_test.go

@@ -2,6 +2,8 @@ package dataposter
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -74,10 +76,12 @@ func TestExternalSigner(t *testing.T) {
 	}()
 	signer, addr, err := externalSigner(ctx,
 		&ExternalSignerCfg{
-			Address: srv.address.Hex(),
-			URL:     "https://localhost:1234",
-			Method:  "test_signTransaction",
-			RootCA:  cert,
+			Address:          srv.address.Hex(),
+			URL:              "https://localhost:1234",
+			Method:           "test_signTransaction",
+			RootCA:           cert,
+			ClientCert:       "./testdata/client.crt",
+			ClientPrivateKey: "./testdata/client.key",
 		})
 	if err != nil {
 		t.Fatalf("Error getting external signer: %v", err)
@@ -129,7 +133,24 @@ func newServer(ctx context.Context, t *testing.T) (*http.Server, *server) {
 		"test_signTransaction": s.signTransaction,
 	}
 	m := http.NewServeMux()
-	httpSrv := &http.Server{Addr: ":1234", Handler: m, ReadTimeout: 5 * time.Second}
+
+	clientCert, err := os.ReadFile("./testdata/client.crt")
+	if err != nil {
+		t.Fatalf("Error reading client certificate: %v", err)
+	}
+	pool := x509.NewCertPool()
+	pool.AppendCertsFromPEM(clientCert)
+
+	httpSrv := &http.Server{
+		Addr:        ":1234",
+		Handler:     m,
+		ReadTimeout: 5 * time.Second,
+		TLSConfig: &tls.Config{
+			MinVersion: tls.VersionTLS12,
+			ClientAuth: tls.RequireAndVerifyClientCert,
+			ClientCAs:  pool,
+		},
+	}
 	m.HandleFunc("/", s.mux)
 	return httpSrv, s
 }