Optionally disable all state-based policy checks in test signer

TheBlueMatt · TheBlueMatt · commit 3b08fea069d1 · 2025-05-16T14:20:32.000Z
The signer we use in tests tracks the state of the channel and
refuses to sign when the channel attempts an invalid state
transition. In the next commit, however, we'll add an upgrade test
which will fail these checks as the the state won't get copied from
previous versions of LDK to this version.

Thus, here, we add the ability to disable all state-based checks
in the signer.
diff --git a/fuzz/src/chanmon_consistency.rs b/fuzz/src/chanmon_consistency.rs
@@ -380,7 +380,7 @@ impl SignerProvider for KeyProvider {
 		);
 		let revoked_commitment = self.make_enforcement_state_cell(keys.commitment_seed);
 		let keys = DynSigner::new(keys);
-		TestChannelSigner::new_with_revoked(keys, revoked_commitment, false)
+		TestChannelSigner::new_with_revoked(keys, revoked_commitment, false, false)
 	}
 
 	fn get_destination_script(&self, _channel_keys_id: [u8; 32]) -> Result<ScriptBuf, ()> {
diff --git a/fuzz/src/full_stack.rs b/fuzz/src/full_stack.rs
@@ -465,7 +465,7 @@ impl SignerProvider for KeyProvider {
 		f = key;
 		let signer = InMemorySigner::new(&secp_ctx, a, b, c, d, e, f, keys_id, keys_id);
 
-		TestChannelSigner::new_with_revoked(DynSigner::new(signer), state, false)
+		TestChannelSigner::new_with_revoked(DynSigner::new(signer), state, false, false)
 	}
 
 	fn get_destination_script(&self, _channel_keys_id: [u8; 32]) -> Result<ScriptBuf, ()> {
diff --git a/lightning/src/util/test_channel_signer.rs b/lightning/src/util/test_channel_signer.rs
@@ -74,6 +74,7 @@ pub struct TestChannelSigner {
 	/// Channel state used for policy enforcement
 	pub state: Arc<Mutex<EnforcementState>>,
 	pub disable_revocation_policy_check: bool,
+	pub disable_all_state_policy_checks: bool,
 }
 
 #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
@@ -123,7 +124,12 @@ impl TestChannelSigner {
 	/// Construct an TestChannelSigner
 	pub fn new(inner: DynSigner) -> Self {
 		let state = Arc::new(Mutex::new(EnforcementState::new()));
-		Self { inner, state, disable_revocation_policy_check: false }
+		Self {
+			inner,
+			state,
+			disable_revocation_policy_check: false,
+			disable_all_state_policy_checks: false,
+		}
 	}
 
 	/// Construct an TestChannelSigner with externally managed storage
@@ -133,9 +139,9 @@ impl TestChannelSigner {
 	/// here, usually by an implementation of KeysInterface.
 	pub fn new_with_revoked(
 		inner: DynSigner, state: Arc<Mutex<EnforcementState>>,
-		disable_revocation_policy_check: bool,
+		disable_revocation_policy_check: bool, disable_all_state_policy_checks: bool,
 	) -> Self {
-		Self { inner, state, disable_revocation_policy_check }
+		Self { inner, state, disable_revocation_policy_check, disable_all_state_policy_checks }
 	}
 
 	#[cfg(any(test, feature = "_test_utils"))]
@@ -175,12 +181,12 @@ impl ChannelSigner for TestChannelSigner {
 		if !self.is_signer_available(SignerOp::ReleaseCommitmentSecret) {
 			return Err(());
 		}
-		{
-			let mut state = self.state.lock().unwrap();
+		let mut state = self.state.lock().unwrap();
+		if !self.disable_all_state_policy_checks {
 			assert!(idx == state.last_holder_revoked_commitment || idx == state.last_holder_revoked_commitment - 1, "can only revoke the current or next unrevoked commitment - trying {}, last revoked {}", idx, state.last_holder_revoked_commitment);
 			assert!(idx > state.last_holder_commitment, "cannot revoke the last holder commitment - attempted to revoke {} last commitment {}", idx, state.last_holder_commitment);
-			state.last_holder_revoked_commitment = idx;
 		}
+		state.last_holder_revoked_commitment = idx;
 		self.inner.release_commitment_secret(idx)
 	}
 
@@ -190,12 +196,14 @@ impl ChannelSigner for TestChannelSigner {
 	) -> Result<(), ()> {
 		let mut state = self.state.lock().unwrap();
 		let idx = holder_tx.commitment_number();
-		assert!(
-			idx == state.last_holder_commitment || idx == state.last_holder_commitment - 1,
-			"expecting to validate the current or next holder commitment - trying {}, current {}",
-			idx,
-			state.last_holder_commitment
-		);
+		if !self.disable_all_state_policy_checks {
+			assert!(
+				idx == state.last_holder_commitment || idx == state.last_holder_commitment - 1,
+				"expecting to validate the current or next holder commitment - trying {}, current {}",
+				idx,
+				state.last_holder_commitment
+			);
+		}
 		state.last_holder_commitment = idx;
 		Ok(())
 	}
@@ -206,7 +214,9 @@ impl ChannelSigner for TestChannelSigner {
 			return Err(());
 		}
 		let mut state = self.state.lock().unwrap();
-		assert!(idx == state.last_counterparty_revoked_commitment || idx == state.last_counterparty_revoked_commitment - 1, "expecting to validate the current or next counterparty revocation - trying {}, current {}", idx, state.last_counterparty_revoked_commitment);
+		if !self.disable_all_state_policy_checks {
+			assert!(idx == state.last_counterparty_revoked_commitment || idx == state.last_counterparty_revoked_commitment - 1, "expecting to validate the current or next counterparty revocation - trying {}, current {}", idx, state.last_counterparty_revoked_commitment);
+		}
 		state.last_counterparty_revoked_commitment = idx;
 		Ok(())
 	}
@@ -230,14 +240,14 @@ impl EcdsaChannelSigner for TestChannelSigner {
 	) -> Result<(Signature, Vec<Signature>), ()> {
 		self.verify_counterparty_commitment_tx(channel_parameters, commitment_tx, secp_ctx);
 
-		{
-			#[cfg(test)]
-			if !self.is_signer_available(SignerOp::SignCounterpartyCommitment) {
-				return Err(());
-			}
-			let mut state = self.state.lock().unwrap();
-			let actual_commitment_number = commitment_tx.commitment_number();
-			let last_commitment_number = state.last_counterparty_commitment;
+		#[cfg(test)]
+		if !self.is_signer_available(SignerOp::SignCounterpartyCommitment) {
+			return Err(());
+		}
+		let mut state = self.state.lock().unwrap();
+		let actual_commitment_number = commitment_tx.commitment_number();
+		let last_commitment_number = state.last_counterparty_commitment;
+		if !self.disable_all_state_policy_checks {
 			// These commitment numbers are backwards counting.  We expect either the same as the previously encountered,
 			// or the next one.
 			assert!(
@@ -255,9 +265,9 @@ impl EcdsaChannelSigner for TestChannelSigner {
 				actual_commitment_number,
 				state.last_counterparty_revoked_commitment
 			);
-			state.last_counterparty_commitment =
-				cmp::min(last_commitment_number, actual_commitment_number)
 		}
+		state.last_counterparty_commitment =
+			cmp::min(last_commitment_number, actual_commitment_number);
 
 		Ok(self
 			.inner
@@ -281,14 +291,16 @@ impl EcdsaChannelSigner for TestChannelSigner {
 		}
 		let trusted_tx =
 			self.verify_holder_commitment_tx(channel_parameters, commitment_tx, secp_ctx);
-		let state = self.state.lock().unwrap();
-		let commitment_number = trusted_tx.commitment_number();
-		if state.last_holder_revoked_commitment - 1 != commitment_number
-			&& state.last_holder_revoked_commitment - 2 != commitment_number
-		{
-			if !self.disable_revocation_policy_check {
-				panic!("can only sign the next two unrevoked commitment numbers, revoked={} vs requested={} for {}",
-				       state.last_holder_revoked_commitment, commitment_number, self.inner.channel_keys_id()[0])
+		if !self.disable_all_state_policy_checks {
+			let state = self.state.lock().unwrap();
+			let commitment_number = trusted_tx.commitment_number();
+			if state.last_holder_revoked_commitment - 1 != commitment_number
+				&& state.last_holder_revoked_commitment - 2 != commitment_number
+			{
+				if !self.disable_revocation_policy_check {
+					panic!("can only sign the next two unrevoked commitment numbers, revoked={} vs requested={} for {}",
+						state.last_holder_revoked_commitment, commitment_number, self.inner.channel_keys_id()[0])
+				}
 			}
 		}
 		Ok(self.inner.sign_holder_commitment(channel_parameters, commitment_tx, secp_ctx).unwrap())
@@ -356,13 +368,15 @@ impl EcdsaChannelSigner for TestChannelSigner {
 		if !self.is_signer_available(SignerOp::SignHolderHtlcTransaction) {
 			return Err(());
 		}
-		let state = self.state.lock().unwrap();
-		if state.last_holder_revoked_commitment - 1 != htlc_descriptor.per_commitment_number
-			&& state.last_holder_revoked_commitment - 2 != htlc_descriptor.per_commitment_number
-		{
-			if !self.disable_revocation_policy_check {
-				panic!("can only sign the next two unrevoked commitment numbers, revoked={} vs requested={} for {}",
-				       state.last_holder_revoked_commitment, htlc_descriptor.per_commitment_number, self.inner.channel_keys_id()[0])
+		if !self.disable_all_state_policy_checks {
+			let state = self.state.lock().unwrap();
+			if state.last_holder_revoked_commitment - 1 != htlc_descriptor.per_commitment_number
+				&& state.last_holder_revoked_commitment - 2 != htlc_descriptor.per_commitment_number
+			{
+				if !self.disable_revocation_policy_check {
+					panic!("can only sign the next two unrevoked commitment numbers, revoked={} vs requested={} for {}",
+						state.last_holder_revoked_commitment, htlc_descriptor.per_commitment_number, self.inner.channel_keys_id()[0])
+				}
 			}
 		}
 		assert_eq!(htlc_tx.input[input], htlc_descriptor.unsigned_tx_input());
diff --git a/lightning/src/util/test_utils.rs b/lightning/src/util/test_utils.rs
@@ -1531,6 +1531,7 @@ pub struct TestKeysInterface {
 	pub backing: DynKeysInterface,
 	pub override_random_bytes: Mutex<Option<[u8; 32]>>,
 	pub disable_revocation_policy_check: bool,
+	pub disable_all_state_policy_checks: bool,
 	enforcement_states: Mutex<HashMap<[u8; 32], Arc<Mutex<EnforcementState>>>>,
 	expectations: Mutex<Option<VecDeque<OnGetShutdownScriptpubkey>>>,
 	pub unavailable_signers_ops: Mutex<HashMap<[u8; 32], HashSet<SignerOp>>>,
@@ -1599,8 +1600,9 @@ impl SignerProvider for TestKeysInterface {
 	fn derive_channel_signer(&self, channel_keys_id: [u8; 32]) -> TestChannelSigner {
 		let keys = self.backing.derive_channel_signer(channel_keys_id);
 		let state = self.make_enforcement_state_cell(keys.channel_keys_id());
-		let signer =
-			TestChannelSigner::new_with_revoked(keys, state, self.disable_revocation_policy_check);
+		let rev_checks = self.disable_revocation_policy_check;
+		let state_checks = self.disable_all_state_policy_checks;
+		let signer = TestChannelSigner::new_with_revoked(keys, state, rev_checks, state_checks);
 		#[cfg(test)]
 		if let Some(ops) = self.unavailable_signers_ops.lock().unwrap().get(&channel_keys_id) {
 			for &op in ops {
@@ -1668,6 +1670,7 @@ impl TestKeysInterface {
 			backing: DynKeysInterface::new(backing),
 			override_random_bytes: Mutex::new(None),
 			disable_revocation_policy_check: false,
+			disable_all_state_policy_checks: false,
 			enforcement_states: Mutex::new(new_hash_map()),
 			expectations: Mutex::new(None),
 			unavailable_signers_ops: Mutex::new(new_hash_map()),

Original file line number	Diff line number	Diff line change
`@@ -380,7 +380,7 @@ impl SignerProvider for KeyProvider {`
`380`	`380`	`);`
`381`	`381`	`let revoked_commitment = self.make_enforcement_state_cell(keys.commitment_seed);`
`382`	`382`	`let keys = DynSigner::new(keys);`
`383`		`- TestChannelSigner::new_with_revoked(keys, revoked_commitment, false)`
	`383`	`+ TestChannelSigner::new_with_revoked(keys, revoked_commitment, false, false)`
`384`	`384`	`}`
`385`	`385`
`386`	`386`	`fn get_destination_script(&self, _channel_keys_id: [u8; 32]) -> Result<ScriptBuf, ()> {`
Original file line number	Diff line number	Diff line change
`@@ -465,7 +465,7 @@ impl SignerProvider for KeyProvider {`
`465`	`465`	`f = key;`
`466`	`466`	`let signer = InMemorySigner::new(&secp_ctx, a, b, c, d, e, f, keys_id, keys_id);`
`467`	`467`
`468`		`- TestChannelSigner::new_with_revoked(DynSigner::new(signer), state, false)`
	`468`	`+ TestChannelSigner::new_with_revoked(DynSigner::new(signer), state, false, false)`
`469`	`469`	`}`
`470`	`470`
`471`	`471`	`fn get_destination_script(&self, _channel_keys_id: [u8; 32]) -> Result<ScriptBuf, ()> {`