Add validator list RPC calls (RIPD-1541)

[bachase]

In support of dynamic validator list, this changeset

1. Adds a new validator_list_expires field to server_info that indicates when the current validator list will become stale.
2. Adds a new admin only validator_lists RPC that returns the current list of known validators and the most recent published validator lists.
3. Adds a new admin only validator_sites RPC that returns the list of configured validator publisher sites and when they were most recently queried.

This builds on PR #2240, which is the first two commits in this changeset.

[bachase]

@HowardHinnant, I took some of your chrono changes in #2237 for use cdc7537

[wilsonianb]

No newline at end of file

[wilsonianb]

#UnIndent2x

[wilsonianb]

I'm getting the same test failures as Travis:

#32 failed: ValidatorRPC_test.cpp(269)
#33 failed: ValidatorRPC_test.cpp(273)
#34 failed: ValidatorRPC_test.cpp(275)
#35 failed: ValidatorRPC_test.cpp(277)
#37 failed: ValidatorRPC_test.cpp(290)
#38 failed: ValidatorRPC_test.cpp(291)
#39 failed: ValidatorRPC_test.cpp(301)
#41 failed: ValidatorRPC_test.cpp(304)
#45 failed: ValidatorRPC_test.cpp(314)
#46 failed: ValidatorRPC_test.cpp(317)

The site isn't being fetched here because ValidatorSite::start was already called when env was constructed.
The only workaround I've thought of is to use a new Env for this set of tests (and construct it after the site is up).

[codecov-io]

Codecov Report

Merging #2242 into develop will increase coverage by 0.09%.
The diff coverage is 93.2%.

@@            Coverage Diff             @@
##           develop   #2242      +/-   ##
==========================================
+ Coverage    70.11%   70.2%   +0.09%     
==========================================
  Files          689     691       +2     
  Lines        50800   50890      +90     
==========================================
+ Hits         35617   35726     +109     
+ Misses       15183   15164      -19

Impacted Files	Coverage Δ
src/ripple/app/misc/ValidatorSite.h	100% <ø> (ø)	⬆️
src/ripple/rpc/impl/Handler.cpp	97.61% <ø> (ø)	⬆️
src/ripple/app/misc/ValidatorList.h	98.24% <100%> (-0.04%)	⬇️
src/ripple/rpc/handlers/ValidatorListSites.cpp	100% <100%> (ø)
src/ripple/app/misc/NetworkOPs.cpp	62.56% <100%> (+0.81%)	⬆️
src/ripple/rpc/handlers/Validators.cpp	100% <100%> (ø)
src/ripple/app/misc/impl/ValidatorSite.cpp	80.24% <89.47%> (+1.92%)	⬆️
src/ripple/app/misc/impl/ValidatorList.cpp	85.09% <92.3%> (+1.76%)	⬆️
... and 6 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update cafe18c...9b6ce34. Read the comment docs.

[mellery451]

I'd like to see the hardcoded test port changed ...otherwise looks good to me

[mellery451]

I don't see any evidence that this header is used...I might be missing something

[mellery451]

to be super nit-picky, this is mispelled (no 'd' in privilege) BUT I would not change unless you are messing the the code for some other reason.

[mellery451]

ioService (line 116) is now unused, FWIW

[mellery451]

for tests particularly, I would opt for OS port selection - it helps avoids spurious failures related to ports in use. You can use port 0 in for the bind endpoint and then provide a way on TrustedPublisherServer to get acceptor_.local_endpoint() after listen has been called, which you then pass to clients (probably the simplest approach is just make acceptor_ public).

[mellery451]

👍

[wilsonianb]

This seems redundant since it's always accompanied by the individual published lists from above.
What if we instead just list the trusted keys (from trustedKeys_)?

[bachase]

Agreed, that makes a lot more sense.

[bachase]

Call the JSON field validator_keys or trusted_validator_keys?

[wilsonianb]

I like trusted_validator_keys better

[wilsonianb]

I think lastRefreshStatus should also be updated with ListDisposition::invalid in the else below in the case that we fail to parse the JSON.

[wilsonianb]

also in ValidatorList

[wilsonianb]

Do we need the lock? (Same with ValidatorSites handler)

[bachase]

Good catch. I was just following other RPCs, but since the getJson calls are themselves safe, this is not needed.

[wilsonianb]

Manifest

[wilsonianb]

manifest --> list

[wilsonianb]

Consider "Expires" or "Expiration"

[wilsonianb]

an --> a

[wilsonianb]

ep is unused

[wilsonianb]

--> update

[wilsonianb]

Speaking of redundant information, what do you think about including each publisher list's version, which would always be 1?

[wilsonianb]

For the static list in the config, the entry shows up as:

         {
            "available" : true,
            "expiration" : "2136-Feb-07 06:28:15",
            "list" : [
               "n949f75evCHwgyP4fPVgaHqNHxUVN15PsJEZ3B3HnXPcPjcZAoy7",
               "n9MD5h24qrQqiyBC8aeqqCWvpiBiYQ3jxSr91uiDvmrkyHRdYLUj",
               "n9L81uNCaPgtUJfaHh89gmdvXKAmSt5Gdsw2g1iPWaPkAHW5Nm4C",
               "n9KiYM9CgngLvtRCQHZwgC2gjpdaZcCcbt3VboxiNFcKuwFVujzS",
               "n9LdgEtkmGB9E2h3K4Vp7iGUaKuq23Zr32ehxiU8FWY7xoxbWTSA"
            ],
            "pubkey_publisher" : "",
            "seq" : 0
         }

I'm wondering if these should instead be in a third list (static_validator_keys?) outside of publisher_lists, since available, expiration, pubkey_publisher, and seq are all meaningless.

[wilsonianb]

maybe the three lists returned could be something like

• local_static_keys
• published_lists/dynamic_lists
• trusted_keys

[bachase]

I like that distinction, but wasn't sure if the preference is to encourage the use of published_lists over local keys. That being said, its simple to include them.

Maybe the better ordering is:

• trusted_keys
• local_static_keys
• published_lists
  ?

[wilsonianb]

Since they're keys in a JSON object, I don't think the order is preserved

[bachase]

🤦‍♂️

[wilsonianb]

keyListings_ --> trustedKeys_

[wilsonianb]

I'm wondering if this should be admin-only.
However it does seem to be in a similar category as validation_quorum, which is currently not admin-only.

[bachase]

I could be convinced otherwise, but I like matching validation_quorum, so that if you ever do get stale and validation_quorum goes to "infinity", you would know when it happened.

[wilsonianb]

What do you think about displaying something like "never" or "no expiration" if when equals TimeKeeper::time_point::max()? Same would apply to the validator_lists response

[bachase]

I like "never". I'll update it.

[wilsonianb]

What do you think about just calling this validators?

[bachase]

Makse sense

Do you think validator_sites should become validator_list_sites to match https://github.com/ripple/rippled/blob/develop/doc/validators-example.txt#L26?

[wilsonianb]

Yeah, that's clearer

[bachase]

There were some issue with my use of asio in TrustedPublisherServer, so I went with @wilsonianb's advice and went back to providing the io_service in 661d72f.

[wilsonianb]

Should we switch to OS port selection for these servers too?

[wilsonianb]

This should also use "never" when when is max()

[bachase]

Uggh, sorry I missed this. Maybe I should just make expires return a string?

[bachase]

Actually, that doesn't work as well with the machine readable response in server_state. I'll just handle it directly.

[wilsonianb]

--> doValidators

[wilsonianb]

--> doValidatorListSites

[wilsonianb]

--> "never"

[wilsonianb]

I'm wondering if seq and expiration should either be "unknown" or excluded in this situation

[bachase]

Is there a way to distinguish a list that was previously loaded and is now unavailable versus one that has not been successfully loaded yet?

[wilsonianb]

The expiration would be TimeKeeper::time_point{} in the latter case. (We would never accept a list with that expiration without a time machine.)

[bachase]

Rebased on 0.80.0

[wilsonianb]

Speaking of new ListDispositions, this commit adds same_sequence to distinguish between a fetched list with a previous sequence (and/or expired expiration) from a fetched list with the current sequence, which are both currently treated as stale.
wilsonianb@cfb2ef6
How do you feel about including the change in this PR since it depends on your to_string for ListDisposition?

[wilsonianb]

I'm wondering if this should return boost::none if a list has a TimeKeeper::time_point{} expiration (meaning it hasn't been fetched yet).
As is, we have this subset of possible validator_list_expires values:
-unfetched list: unknown
-unfetched list & one or more fetched lists: the timestamp of the soonest expiration
-unfetched list & static validator keys: never

I'm leaning toward always making validator_list_expires to be unknown if any list has yet to be successfully fetched.

[bachase]

Even though the quorum becomes infinite if a list is unavailable, don't you still process/forward validations for whatever trusted nodes are available? If that is the case, I think providing the expiration of the trusted keys you are using is still useful.

But I don't hold that opinion particularly strongly, so if you prefer the above, I will switch.

[wilsonianb]

We'd still have the expiration in each publisher_lists entry for the validators response to tell us when we might stop trusting and forwarding certain validators.
I've been thinking of validator_list_expires as indicating the earliest point at which you might have an incomplete trusted validator list and be unable to reach quorum, but we would need to return something like unknown whenever if we already have an incomplete list.

[bachase]

👍 I'll make the change then.

[bachase]

On a second take, I'm not sure why I was using the available field in this function. That looks to be used to indicate whether a list has been loaded and is unexpired, but if it expires, we don't want to stop reporting its expiry.

Is the better change to just

• Return boost::none if any expiration is TimeKeeper::time_point{}
• Otherwise, return the earliest expiration.

[wilsonianb]

Good catch. Changing available back to false when the list expires was just added in #2240
Your suggested better change looks correct.

[wilsonianb]

It might be worth adding a test to testExpires and/or testDynamicUNL to check the when/validator_list_expires after a list has expired.
https://github.com/ripple/rippled/blob/cafe18c59279e7de447f25a0e00d0562d6441c7a/src/test/app/ValidatorList_test.cpp#L745-L746

[bachase]

👍 Already working on one in testExpires.

[wilsonianb]

We currently don't record a lastRefreshStatus if there was an error fetching the list.
@mtrippled added an else for that case here (should this pr be rebased on that branch as well? 😬)
https://github.com/ripple/rippled/pull/2243/files#diff-746977a6800a792fee7608383bca05deR282
I don't know if we should use ListDisposition::invalid or a new ListDisposition value?

[bachase]

Yes, will add. I think invalid works for now. I don't think a new name would any useful actionable information; clients would likely need to querying the publisher site either way to figure out what is going on.

[bachase]

I don't mind adding the same_sequence disposition. I'll rebase to include #2243 and we can always squash #2243, #2240 and this into one commit if this is approved in time. Or I'll continue to rebase, its not that painful.

[bachase]

Rebased to include #2243. I went with invalid disposition for the case @mtrippled added in that PR.

[wilsonianb]

Observation: If a configured trusted publisher key is revoked via its manifest, we simply remove the key and its list.
https://github.com/ripple/rippled/blob/cafe18c59279e7de447f25a0e00d0562d6441c7a/src/ripple/app/misc/impl/ValidatorList.cpp#L279-L283
I don't see a way for us to convey that this happened in the validators rpc response.

[wilsonianb]

I don't think it's necessary, but we could add a call to onConsensusStart here since that is what updates list information (such as available) when a list expires.

[wilsonianb]

It looks like these last two checks need to be updated

[wilsonianb]

I think we want to get the sites_mutex_ lock here

[wilsonianb]

I just realized we probably also want to set lastRefreshStatus as invalid in the if for this else
https://github.com/ripple/rippled/blob/develop/src/ripple/app/misc/impl/ValidatorSite.cpp#L208-L214

[bachase]

I suppose we convey revoking by not having it in the response when the user might expect it. I'm tempted to say that is good enough for now and we can revisit if needed.

[wilsonianb]

LGTM 👍
Thanks!

[wilsonianb]

nit: ( publisher_lists) --> ( publisher_lists )
also for refresh_interval_min and validator_list_expires below

[wilsonianb]

I think the make_lock.h include isn't necessary. Ditto for ValidatorListSites.cpp

[bachase]

Thanks for the thorough review and suggestions @wilsonianb! I'll fix the remaining nits and squash it down.

[wilsonianb]

It looks like this branch has a distinct 0.80.0 version commit, probably due to rebasing on those other branches.

[bachase]

Merged as 044dd53

[mDuo13]

For posterity, the two new methods are documented here:
https://ripple.com/build/rippled-apis/#validators
https://ripple.com/build/rippled-apis/#validator-list-sites