## New Features

- Signed references now implement feature detection. The features are marked as

  `none`, `root`, and `parent`. If the signed references are marked as `none`

  this implies that they only contain `/refs` and `/signature` with no

  `refs/rad/root` entry nor `refs/rad/sigrefs-parent`. The next feature is

  `root`, which implies `none`, but includes `refs/rad/root`. Finally, `parent`

  implies `root`, but includes `refs/rad/sigrefs-parent`.

  This means that feature levels are monotonically increasing. This allows the

  signed references processes to detect downgrades, preventing downgrade

  attacks.

  Note that this means that a node which upgrades, and subsequently downgrades

  will appear as a downgrade attacker.

use radicle::storage::refs::{FeatureLevel, SIGREFS_BRANCH};

        let Some(ref refs) = info.refs else {

            // No refs, nothing to upgrade.

            return Ok(());

        };

        if refs.feature_level() >= FeatureLevel::LATEST {

            // Refs are at target level or above, nothing to upgrade.

            return Ok(());

        log::info!(

            "Migrating `rad/sigrefs` from level {} which is lower than target level {}.",

            refs.feature_level(),

            FeatureLevel::LATEST

        );

        // NOTE: We assume to reach `FeatureLevel::MAX` by signing refs.

        assert_eq!(remotes[&public_key].refs.refs(), refs.refs());

    pub refs: Option<refs::SignedRefsAt>,

            let refs = refs::SignedRefsAt::load(self.info.key, &repo)

                .map_err(|err| Error::Refs(refs::Error::Read(err)))?;

            let synced_at = refs

                .as_ref()

                .map(|r| node::SyncedAt::new(r.at, &repo))

                .transpose()?;

            let refs = refs::SignedRefsAt::load(self.info.key, &repo)

                .map_err(|err| RepositoryError::Refs(refs::Error::Read(err)))?;

            let synced_at = refs

                .as_ref()

                .map(|r| SyncedAt::new(r.at, &repo))

                .transpose()?;

        assert_eq!(remote.refs.refs(), signed.refs());

use crate::storage::refs::sigrefs::read::Tip;

        // FIXME(lorenz): We promise this feature level to the caller, but

        // have not actually verified it.

        const LEVEL_PROMISED: FeatureLevel = FeatureLevel::Parent;

            sigrefs::write::Update::Changed { entry } => {

                Ok(entry.into_sigrefs_at(namespace, LEVEL_PROMISED))

            }

                    level: LEVEL_PROMISED,

/// The Signed References feature has evolved over time.

/// This enum captures the corresponding "feature level".

///

/// Feature levels are monotonic, in the sense that a greater feature level

/// encompasses all the features of smaller ones.

#[derive(Copy, Clone, Debug, PartialEq, Eq, PartialOrd, Ord, Default)]

#[non_exhaustive]

pub enum FeatureLevel {

    /// References are stored without additional metadata.

    #[default]

    None,

    /// Introduced in Radicle 1.1.0, in commit

    /// `989edacd564fa658358f5ccfd08c243c5ebd8cda`,

    /// this requires [`IDENTITY_ROOT`].

    Root,

    /// Introduced in Radicle 1.7.0, in commit

    /// `d3bc868e84c334f113806df1737f52cc57c5453d`,

    /// this requires [`SIGREFS_PARENT`].

    Parent,

}

impl FeatureLevel {

    pub const LATEST: Self = FeatureLevel::Parent;

}

impl std::fmt::Display for FeatureLevel {

    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {

        let s = match &self {

            Self::None => "none",

            Self::Root => "root",

            Self::Parent => "parent",

        };

        f.write_str(s)

    }

}

    #[serde(skip)]

    level: FeatureLevel,

    /// Returns the [`FeatureLevel`] computed for the signed references.

    pub fn feature_level(&self) -> FeatureLevel {

        self.level

    }

        Self::load_internal(remote, repo, sigrefs::read::Tip::Reference(remote))

        Self::load_internal(remote, repo, sigrefs::read::Tip::Commit(oid))

    }

    fn load_internal<R>(

        remote: RemoteId,

        repo: &R,

        tip: Tip,

    ) -> Result<Self, sigrefs::read::error::Read>

    where

        R: HasRepoId,

        R: sigrefs::git::object::Reader + sigrefs::git::reference::Reader,

    {

        Ok(latest.into_sigrefs_at(remote).sigrefs)

    let mut level = None;

        level = Some(FeatureLevel::Parent);

        level: level.unwrap_or_else(|| FeatureLevel::arbitrary(g)),

impl Arbitrary for FeatureLevel {

    fn arbitrary(g: &mut qcheck::Gen) -> Self {

        *g.choose(&[FeatureLevel::None, FeatureLevel::Root, FeatureLevel::Parent])

            .unwrap()

    }

}

        if written_refs != *verified.commit().refs() {

use std::collections::{BTreeMap, HashMap};

use crypto::{signature, PublicKey};

    FeatureLevel, Refs, SignedRefs, SignedRefsAt, IDENTITY_ROOT, REFS_BLOB_PATH,

    SIGNATURE_BLOB_PATH, SIGREFS_BRANCH,

    /// The feature level that was recognized for the commit that was verified.

    level: FeatureLevel,

    /// Borrow the [`Commit`] that was verified.

    pub(super) fn commit(&self) -> &Commit {

        &self.commit

    // The [`FeatureLevel`] of the refs in this commit.

    pub fn level(&self) -> FeatureLevel {

        self.level

    pub(crate) fn into_sigrefs_at(self, id: PublicKey) -> SignedRefsAt {

        SignedRefsAt {

            sigrefs: SignedRefs {

                refs: self.commit.refs,

                signature: self.commit.signature,

                id,

                level: self.level,

            },

            at: self.commit.oid,

        }

/// Describes the feature levels of a history of commits.

#[derive(Debug, PartialEq)]

pub struct FeatureLevels(BTreeMap<FeatureLevel, Oid>);

impl FeatureLevels {

    fn new() -> Self {

        Self(BTreeMap::new())

    }

    fn max(&self) -> FeatureLevel {

        self.0.last_key_value().map(|(k, _)| *k).unwrap_or_default()

    }

    fn insert(&mut self, verified: &VerifiedCommit) {

        if verified.level != FeatureLevel::None {

            self.0.entry(verified.level).or_insert(verified.commit.oid);

        }

    }

    #[cfg(any(test, feature = "test"))]

    pub fn test(from: impl IntoIterator<Item = (FeatureLevel, Oid)>) -> Self {

        Self(BTreeMap::from_iter(from))

    }

}

impl std::fmt::Display for FeatureLevels {

    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {

        f.write_str(

            &self

                .0

                .iter()

                .map(|(level, at)| format!("{level}@{at}"))

                .collect::<Vec<_>>()

                .join(", "),

        )

    }

}

        let mut head = CommitReader::new(self.resolve_tip()?, self.repository)

        if head.commit.parent.is_none() && head.level == FeatureLevel::Root {

            head.level = FeatureLevel::Parent;

        }

        let head = head;

        if head.level >= FeatureLevel::Parent {

        // `seen` maps from signatures to the `NonEmpty` of commits they were

        // seen in. Note that for all sets of commits which share the same

        // signature, the `NonEmpty` in `seen` will be in reverse order of the

        // walk.  That is, the latest commit in the set will be at the first

        // position, and the earliest commit will be at the last position.

        //

        // `level` is the feature level of the history, which is

        // the maximum feature level over all commits in the history.

        let (seen, levels) = iter::Walk::new(head.commit.oid, self.repository).try_fold(

            (

                HashMap::<crypto::Signature, NonEmpty<Oid>>::new(),

                FeatureLevels::new(),

            ),

            |(mut seen, mut levels), commit| {

                let commit = commit.map_err(error::Read::Commit)?;

                seen.entry(commit.signature)

                    .and_modify(|value| value.push(commit.oid))

                    .or_insert_with(|| NonEmpty::new(commit.oid));

                // Before `commit` can be interpreted for feature detection,

                // it must be verified. In particular, we do not want to

                // detect features on commits that have an invalid signature.

                // However, if we have already reached the maximum level,

                // this is not required anymore, since it cannot increase any

                // further.

                if levels.max() < FeatureLevel::LATEST {

                    let commit = commit

                        .verify(self.rid, self.verifier)

                        .map_err(error::Read::Verify)?;

                    if commit.level > FeatureLevel::None {

                        levels.insert(&commit);

                    }

                }

                Ok((seen, levels))

        let level = levels.max();

        if head.level < level {

            return Err(error::Read::Downgrade {

                levels,

                actual: head.level,

                commit: head.commit.oid,

            });

        }

        if seen

            .get(&head.commit.signature)

        }

        // If the signature in `head` was seen twice, then

        // `head` must have a parent.

        let parent = head.commit.parent.expect("parent must exist");

        // The second walk can start from the parent of `head`. We do not need to

        // verify `head` twice, and we already know that the parent exists.

            let verified = commit

            if verified.level < level {

                // To avoid downgrade attacks, we skip `commit`.

                continue;

            }

            let commit = verified.commit();

            let commits = seen.get(&commit.signature).expect(SIGNATURES_COLLECTED);

                return Ok(verified);

            let id = &commit.oid;

                return Ok(verified);

                log::warn!("Duplicate signature found in commits {commits:?}");

pub(super) struct Commit {

    #[cfg(test)]

    pub(super) fn refs(&self) -> &Refs {

        &self.refs

    }

        let level = if let Some(IdentityRoot {

                FeatureLevel::Root

            FeatureLevel::None

        };

        let level = match (self.parent, self.refs.remove_parent()) {

            (None, None) | (Some(_), None) => {

                // Pattern 1:

                // We are looking at a root commit.

                // This is a special case, as there is no good value

                // for `rad/refs/sigrefs-parent` to target. The zero OID would

                // be a candidate, but it is filtered out in [`Refs`].

                // Upgrading to `FeatureLevel::Parent` is not a good idea

                // either, otherwise any history containing this commit

                // would be at that level from the root onwards.

                // Pattern 2:

                // The ref `refs/rad/sigrefs-parent` is simply absent,

                // we remain on the same feature level.

                level

            }

                // We are looking at a root commit.

                // Any target OID is treated as dangling.

                });

            }

            (Some(expected), Some(actual)) if expected == actual => {

                // We have a good value for `refs/rad/sigrefs-parent`, however,

                // as feature levels are monotonic, we also make sure that the

                // earlier check of `refs/rad/root` was positive.

                // In case the prior feature level was not `FeatureLevel::Root`,

                // we can even error early.

                if level == FeatureLevel::Root {

                    FeatureLevel::Parent

                } else {

                    return Err(error::Verify::IdentityRootDowngrade {

                        sigrefs_commit: self.oid,

                    });

                }

            level,

use crate::storage::refs::sigrefs::read::FeatureLevels;

use crate::storage::refs::{canonical, FeatureLevel};

    #[error("refusing to downgrade from history '{levels}' to '{actual}' at commit {commit}")]

    Downgrade {

        levels: FeatureLevels,

        actual: FeatureLevel,

        commit: Oid,

    },

    #[error("expected identity root in refs commit '{sigrefs_commit}' but found none")]

    IdentityRootDowngrade { sigrefs_commit: Oid },

    assert_eq!(vc.commit.oid, head);

    assert_eq!(vc.commit.oid, root);

use crate::storage::refs::sigrefs::read::{error, Commit, FeatureLevels, SignedRefsReader, Tip};

use crate::storage::refs::{FeatureLevel, IDENTITY_ROOT, SIGREFS_PARENT};

fn refs_without_root(head: Oid, parent: Oid) -> Vec<(git::fmt::RefString, Oid)> {

    vec![

        (mock::refs_heads_main(), head),

        (SIGREFS_PARENT.to_ref_string(), parent),

    ]

}

fn refs_without_root_and_parent(head: Oid) -> Vec<(git::fmt::RefString, Oid)> {

    vec![(mock::refs_heads_main(), head)]

}

    assert_eq!(vc.commit.oid, head);

    assert_eq!(vc.commit.oid, head);

            read(mock::oid((chain.len() - 1) as u8), repo)

                .unwrap()

                .commit

                .oid,

mod downgrade {

    use super::*;

    #[test]

    fn parent() {

        const SIGNATURE_1: u8 = 1;

        const SIGNATURE_2: u8 = 2;

        const SIGNATURE_3: u8 = 3;

        let c1 = mock::oid(1);

        let c2 = mock::oid(2);

        let c3 = mock::oid(3);

        let r3 = refs_without_parent(mock::oid(10));

        let r2 = refs(mock::oid(10), c3);

        let r1 = refs_without_parent(mock::oid(10));

        let repo = mock::setup_chain([

            (c3, SIGNATURE_3, r3),

            (c2, SIGNATURE_2, r2),

            (c1, SIGNATURE_1, r1),

        ]);

        let expected_levels =

            FeatureLevels::test([(FeatureLevel::Parent, c2), (FeatureLevel::Root, c1)]);

        assert_matches!(

            read(c1, repo),

            Err(error::Read::Downgrade {

                levels,

                actual: FeatureLevel::Root,

                ..

            })

            if levels == expected_levels

        );

    }

    #[test]

    fn root() {

        const SIGNATURE_2: u8 = 2;

        const SIGNATURE_3: u8 = 3;

        let c2 = mock::oid(2);

        let c3 = mock::oid(3);

        let r3 = refs_without_parent(mock::oid(10));

        let r2 = refs_without_root_and_parent(mock::oid(10));

        let repo = mock::setup_chain([(c3, SIGNATURE_3, r3), (c2, SIGNATURE_2, r2)]);

        let expected_levels = FeatureLevels::test([(FeatureLevel::Root, c3)]);

        assert_matches!(

            read(c2, repo),

            Err(error::Read::Downgrade {

                levels,

                actual: FeatureLevel::None,

                ..

            })

            if levels == expected_levels

        );

    }

    #[test]

    fn root_with_parent() {

        const SIGNATURE_2: u8 = 2;

        const SIGNATURE_3: u8 = 3;

        let c2 = mock::oid(2);

        let c3 = mock::oid(3);

        let r3 = refs_without_root_and_parent(mock::oid(10));

        let r2 = refs_without_root(mock::oid(10), c3);

        let repo = mock::setup_chain([(c3, SIGNATURE_3, r3), (c2, SIGNATURE_2, r2)]);

        assert_matches!(

            read(c2, repo),

            Err(error::Read::Verify(Verify::IdentityRootDowngrade {

                sigrefs_commit

            }))

            if sigrefs_commit == c2

        );

    }

    #[test]

    fn restore() {

        const SIGNATURE_1: u8 = 1;

        const SIGNATURE_2: u8 = 2;

        const SIGNATURE_3: u8 = 3;

        const SIGNATURE_4: u8 = 4;

        let c1 = mock::oid(1);

        let c2 = mock::oid(2);

        let c3 = mock::oid(3);

        let c4 = mock::oid(4);

        let r1 = refs_without_parent(mock::oid(10));

        let r2 = refs(mock::oid(10), c1);

        let r3 = refs_without_parent(mock::oid(10));

        let r4 = refs(mock::oid(10), c3);

        let repo = mock::setup_chain([

            (c1, SIGNATURE_1, r1),

            (c2, SIGNATURE_2, r2),

            (c3, SIGNATURE_3, r3),

            (c4, SIGNATURE_4, r4),

        ]);

        assert_eq!(read(c4, repo).unwrap().commit.oid, c4);

    }

}

mod detect_parent {

    use super::*;

    #[test]

    fn root_without_parent() {

        const SIG: u8 = 3;

        let commit = mock::oid(3);

        let refs = refs_without_parent(mock::oid(10));

        let repo = mock::setup_chain([(commit, SIG, refs)]);

        assert_matches!(read(commit, repo).unwrap().level, FeatureLevel::Parent);

    }

    #[test]

    fn root_without_root() {

        const SIG: u8 = 3;

        let commit = mock::oid(3);

        let refs = refs_without_root_and_parent(mock::oid(10));

        let repo = mock::setup_chain([(commit, SIG, refs)]);

        assert_matches!(read(commit, repo).unwrap().level, FeatureLevel::None);

    }

}

    assert_eq!(vc.commit.oid, c1);

            level: FeatureLevel::Root,

fn read_ok_root() {

    const SIGNATURE_1: u8 = 1;

    const SIGNATURE_2: u8 = 2;

    let c1 = mock::oid(1);

    let c2 = mock::oid(2);

    let repo = mock::setup_chain([

        (c2, SIGNATURE_2, refs_without_root_and_parent(mock::oid(10))),

        (c1, SIGNATURE_1, refs_without_parent(mock::oid(20))),

    ]);

    let vc = read(c1, repo).unwrap();

    assert_eq!(vc.commit.oid, c1);

    assert_eq!(vc.commit.parent, Some(c2));

    assert_matches!(vc, VerifiedCommit { commit: Commit {

        oid,

        parent: Some(parent),

        refs: _,

        signature: _,

        identity_root: Some(_)

    }, level: FeatureLevel::Root } if parent == c2 && oid == c1);

}

#[test]

    assert_eq!(vc.commit.oid, c1);

    }, level: FeatureLevel::Parent } if parent == c2 && oid == c1);

    assert_eq!(vc.commit.oid, head);

    FeatureLevel, Refs, IDENTITY_ROOT, REFS_BLOB_PATH, SIGNATURE_BLOB_PATH, SIGREFS_BRANCH,

    SIGREFS_PARENT,

    pub(crate) fn into_sigrefs_at(self, id: PublicKey, level: FeatureLevel) -> SignedRefsAt {

                level,

                refs: None,