Signature consensus ratio config

docs/configuration.md

@@ -43,6 +43,7 @@ value, it is recommended to only populate overridden properties in the custom `a
 | `hedera.mirror.importer.downloader.balance.threads`                  | 15                      | The number of threads to search for new files to download                                      |
 | `hedera.mirror.importer.downloader.bucketName`                       |                         | The cloud storage bucket name to download streamed files. This value takes priority over network hardcoded bucket names regardless of `hedera.mirror.importer.network` value.|
 | `hedera.mirror.importer.downloader.cloudProvider`                    | S3                      | The cloud provider to download files from. Either `S3` or `GCP`                                |
+| `hedera.mirror.importer.downloader.consensusRatio`                   | 0.333                   | The ratio of verified nodes (nodes used to come to consensus on the signature file hash) to total number of nodes available |
 | `hedera.mirror.importer.downloader.endpointOverride`                 |                         | Can be specified to download streams from a source other than S3 and GCP. Should be S3 compatible |
 | `hedera.mirror.importer.downloader.event.batchSize`                  | 100                     | The number of signature files to download per node before downloading the signed files         |
 | `hedera.mirror.importer.downloader.event.enabled`                    | false                   | Whether to enable event file downloads                                                         |

hedera-mirror-importer/src/main/java/com/hedera/mirror/importer/domain/FileStreamSignature.java

@@ -45,6 +45,7 @@ public class FileStreamSignature implements Comparable<FileStreamSignature> {
     private SignatureStatus status = SignatureStatus.DOWNLOADED;
     private byte[] metadataHash;
     private byte[] metadataHashSignature;
+    private StreamType streamType;
 
     @Override
     public int compareTo(FileStreamSignature other) {

hedera-mirror-importer/src/main/java/com/hedera/mirror/importer/downloader/CommonDownloaderProperties.java

@@ -20,6 +20,7 @@
  * ‍
  */
 
+import javax.validation.constraints.Max;
 import javax.validation.constraints.Min;
 import javax.validation.constraints.NotNull;
 import lombok.Data;
@@ -46,6 +47,10 @@ public String getBucketName() {
         return StringUtils.isNotBlank(bucketName) ? bucketName : mirrorProperties.getNetwork().getBucketName();
     }
 
+    @Max(1)
+    @Min(0)
+    private float consensusRatio = 0.333f;
+
     @NotNull
     private CloudProvider cloudProvider = CloudProvider.S3;
 

hedera-mirror-importer/src/main/java/com/hedera/mirror/importer/downloader/Downloader.java

@@ -29,7 +29,6 @@
 import com.google.common.collect.Multimap;
 import com.google.common.collect.Multimaps;
 import com.google.common.collect.TreeMultimap;
-import io.micrometer.core.instrument.Counter;
 import io.micrometer.core.instrument.MeterRegistry;
 import io.micrometer.core.instrument.Timer;
 import java.nio.file.Path;
@@ -99,7 +98,6 @@ public abstract class Downloader<T extends StreamFile> {
     private final MeterRegistry meterRegistry;
     private final Timer cloudStorageLatencyMetric;
     private final Timer downloadLatencyMetric;
-    private final Counter.Builder signatureVerificationMetric;
     private final Timer streamCloseMetric;
     private final Timer.Builder streamVerificationMetric;
 
@@ -138,10 +136,6 @@ protected Downloader(S3AsyncClient s3Client,
                 .tag("type", streamType.toString())
                 .register(meterRegistry);
 
-        signatureVerificationMetric = Counter.builder("hedera.mirror.download.signature.verification")
-                .description("The number of signatures verified from a particular node")
-                .tag("type", streamType.toString());
-
         streamCloseMetric = Timer.builder("hedera.mirror.stream.close.latency")
                 .description("The difference between the consensus time of the last and first transaction in the " +
                         "stream file")
@@ -313,6 +307,7 @@ private Optional<FileStreamSignature> parseSignatureFile(PendingDownload pending
         StreamFileData streamFileData = new StreamFileData(streamFilename, pendingDownload.getBytes());
         FileStreamSignature fileStreamSignature = signatureFileReader.read(streamFileData);
         fileStreamSignature.setNodeAccountId(nodeAccountId);
+        fileStreamSignature.setStreamType(streamType);
         return Optional.of(fileStreamSignature);
     }
 
@@ -395,16 +390,6 @@ private void verifySigsAndDownloadDataFiles(Multimap<String, FileStreamSignature
                     continue;
                 }
                 throw ex;
-            } finally {
-                for (FileStreamSignature signature : signatures) {
-                    EntityId nodeAccountId = signature.getNodeAccountId();
-                    signatureVerificationMetric.tag("nodeAccount", nodeAccountId.getEntityNum().toString())
-                            .tag("realm", nodeAccountId.getRealmNum().toString())
-                            .tag("shard", nodeAccountId.getShardNum().toString())
-                            .tag("status", signature.getStatus().toString())
-                            .register(meterRegistry)
-                            .increment();
-                }
             }
 
             for (FileStreamSignature signature : signatures) {

hedera-mirror-importer/src/main/java/com/hedera/mirror/importer/downloader/NodeSignatureVerifier.java

@@ -23,32 +23,56 @@
 import com.google.common.collect.HashMultimap;
 import com.google.common.collect.Multimap;
 import com.google.common.collect.Sets;
+import io.micrometer.core.instrument.Counter;
+import io.micrometer.core.instrument.MeterRegistry;
 import java.security.PublicKey;
 import java.security.Signature;
 import java.util.Collection;
+import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
 import java.util.TreeSet;
+import java.util.concurrent.ConcurrentHashMap;
 import java.util.stream.Collectors;
 import javax.inject.Named;
-import lombok.RequiredArgsConstructor;
 import lombok.extern.log4j.Log4j2;
 
 import com.hedera.mirror.importer.addressbook.AddressBookService;
 import com.hedera.mirror.importer.domain.AddressBook;
+import com.hedera.mirror.importer.domain.EntityId;
+import com.hedera.mirror.importer.domain.EntityTypeEnum;
 import com.hedera.mirror.importer.domain.FileStreamSignature;
 import com.hedera.mirror.importer.domain.FileStreamSignature.SignatureStatus;
 import com.hedera.mirror.importer.exception.SignatureVerificationException;
 
 @Named
 @Log4j2
-@RequiredArgsConstructor
 public class NodeSignatureVerifier {
 
     private final AddressBookService addressBookService;
+    private final CommonDownloaderProperties commonDownloaderProperties;
+
+    // Metrics
+    private final MeterRegistry meterRegistry;
+    private final Map<EntityId, Counter> metricMap = new ConcurrentHashMap<>();
+    private final Counter.Builder missingNodeSignatureFileMetric;
+    private final Counter.Builder signatureVerificationMetric;
+
+    public NodeSignatureVerifier(AddressBookService addressBookService,
+                                 CommonDownloaderProperties commonDownloaderProperties,
+                                 MeterRegistry meterRegistry) {
+        this.addressBookService = addressBookService;
+        this.commonDownloaderProperties = commonDownloaderProperties;
+        this.meterRegistry = meterRegistry;
+
+        missingNodeSignatureFileMetric = Counter.builder("hedera.mirror.download.signature.missing")
+                .description("The number of nodes whose signatures are missing from the consensus process");
+        signatureVerificationMetric = Counter.builder("hedera.mirror.download.signature.verification")
+                .description("The number of signatures verified from a particular node");
+    }
 
-    private static boolean canReachConsensus(long actualNodes, long expectedNodes) {
-        return actualNodes >= Math.ceil(expectedNodes / 3.0);
+    private boolean canReachConsensus(long actualNodes, long expectedNodes) {
+        return actualNodes >= Math.ceil(expectedNodes * commonDownloaderProperties.getConsensusRatio());
     }
 
     /**
@@ -76,9 +100,13 @@ public void verify(Collection<FileStreamSignature> signatures) throws SignatureV
         long sigFileCount = signatures.size();
         long nodeCount = nodeAccountIDPubKeyMap.size();
         if (!canReachConsensus(sigFileCount, nodeCount)) {
-            throw new SignatureVerificationException("Require at least 1/3 signature files to reach consensus, got " +
-                    sigFileCount + " out of " + nodeCount + " for file " + filename + ": " + statusMap(signatures,
-                    nodeAccountIDPubKeyMap));
+            throw new SignatureVerificationException(String.format(
+                    "Requires at least %s of signature files to reach consensus, got %d out of %d for file %s: %s",
+                    String.format("%.03f", commonDownloaderProperties.getConsensusRatio()),
+                    sigFileCount,
+                    nodeCount,
+                    filename,
+                    statusMap(signatures, nodeAccountIDPubKeyMap)));
         }
 
         for (FileStreamSignature fileStreamSignature : signatures) {
@@ -104,6 +132,9 @@ public void verify(Collection<FileStreamSignature> signatures) throws SignatureV
             log.warn("Verified signature file {} reached consensus but with some errors: {}", filename,
                     statusMap(signatures, nodeAccountIDPubKeyMap));
             return;
+        } else if (commonDownloaderProperties.getConsensusRatio() == 0) {
+            log.debug("Signature file {} does not require consensus, skipping verification", filename);
+            return;
         }
 
         throw new SignatureVerificationException("Signature verification failed for file " + filename + ": " + statusMap(signatures, nodeAccountIDPubKeyMap));
@@ -153,17 +184,45 @@ private boolean verifySignature(FileStreamSignature fileStreamSignature,
         return false;
     }
 
-    private Map<String, Collection<String>> statusMap(Collection<FileStreamSignature> signatures, Map<String,
+    private Map<String, Collection<EntityId>> statusMap(Collection<FileStreamSignature> signatures, Map<String,
             PublicKey> nodeAccountIDPubKeyMap) {
-        Map<String, Collection<String>> statusMap = signatures.stream()
+        Map<String, Collection<EntityId>> statusMap = signatures.stream()
                 .collect(Collectors.groupingBy(fss -> fss.getStatus().toString(),
-                        Collectors.mapping(FileStreamSignature::getNodeAccountIdString, Collectors
+                        Collectors.mapping(FileStreamSignature::getNodeAccountId, Collectors
                                 .toCollection(TreeSet::new))));
-        Set<String> seenNodes = signatures.stream().map(FileStreamSignature::getNodeAccountIdString)
-                .collect(Collectors.toSet());
-        Set<String> missingNodes = new TreeSet<>(Sets.difference(nodeAccountIDPubKeyMap.keySet(), seenNodes));
+
+        Set<EntityId> seenNodes = new HashSet<>();
+        signatures.forEach(signature -> {
+            seenNodes.add(signature.getNodeAccountId());
+            EntityId nodeAccountId = signature.getNodeAccountId();
+
+            metricMap.computeIfAbsent(nodeAccountId, n -> signatureVerificationMetric
+                    .tag("nodeAccount", nodeAccountId.getEntityNum().toString())
+                    .tag("realm", nodeAccountId.getRealmNum().toString())
+                    .tag("shard", nodeAccountId.getShardNum().toString())
+                    .tag("status", signature.getStatus().toString())
+                    .tag("type", signature.getStreamType().toString())
+                    .register(meterRegistry))
+                    .increment();
+        });
+
+        Set<EntityId> missingNodes = new TreeSet<>(Sets.difference(
+                nodeAccountIDPubKeyMap.keySet().stream().map(x -> EntityId.of(x, EntityTypeEnum.ACCOUNT))
+                        .collect(Collectors.toSet()),
+                seenNodes));
         statusMap.put("MISSING", missingNodes);
         statusMap.remove(SignatureStatus.CONSENSUS_REACHED.toString());
+
+        String streamType = signatures.stream().map(FileStreamSignature::getStreamType).findFirst().toString();
+        missingNodes.forEach(nodeAccountId -> metricMap
+                .computeIfAbsent(nodeAccountId, n -> missingNodeSignatureFileMetric
+                        .tag("nodeAccount", n.getEntityNum().toString())
+                        .tag("realm", nodeAccountId.getRealmNum().toString())
+                        .tag("shard", nodeAccountId.getShardNum().toString())
+                        .tag("type", streamType)
+                        .register(meterRegistry))
+                .increment());
+
         return statusMap;
     }
 }

hedera-mirror-importer/src/test/java/com/hedera/mirror/importer/downloader/AbstractDownloaderTest.java

@@ -200,7 +200,10 @@ mirrorProperties, commonDownloaderProperties, new MetricsExecutionInterceptor(me
 
         signatureFileReader = new CompositeSignatureFileReader(new SignatureFileReaderV2(),
                 new SignatureFileReaderV5());
-        nodeSignatureVerifier = new NodeSignatureVerifier(addressBookService);
+        nodeSignatureVerifier = new NodeSignatureVerifier(
+                addressBookService,
+                downloaderProperties.getCommon(),
+                meterRegistry);
         downloader = getDownloader();
         streamType = downloaderProperties.getStreamType();
 

hedera-mirror-importer/src/test/java/com/hedera/mirror/importer/downloader/NodeSignatureVerifierTest.java

@@ -23,6 +23,8 @@
 import static org.junit.jupiter.api.Assertions.*;
 import static org.mockito.Mockito.when;
 
+import io.micrometer.core.instrument.MeterRegistry;
+import io.micrometer.core.instrument.logging.LoggingMeterRegistry;
 import java.security.GeneralSecurityException;
 import java.security.KeyPair;
 import java.security.KeyPairGenerator;
@@ -48,6 +50,7 @@
 import com.hedera.mirror.importer.domain.EntityTypeEnum;
 import com.hedera.mirror.importer.domain.FileStreamSignature;
 import com.hedera.mirror.importer.domain.FileStreamSignature.SignatureType;
+import com.hedera.mirror.importer.domain.StreamType;
 import com.hedera.mirror.importer.exception.SignatureVerificationException;
 
 @ExtendWith(MockitoExtension.class)
@@ -57,11 +60,15 @@ class NodeSignatureVerifierTest {
     private static PublicKey publicKey;
 
     private static final EntityId nodeId = new EntityId(0L, 0L, 3L, EntityTypeEnum.ACCOUNT.getId());
+    private static final MeterRegistry meterRegistry = new LoggingMeterRegistry();
     private Signature signer;
 
     @Mock
     private AddressBookService addressBookService;
 
+    @Mock
+    private CommonDownloaderProperties commonDownloaderProperties;
+
     @Mock
     private AddressBook currentAddressBook;
 
@@ -76,13 +83,17 @@ static void generateKeys() throws NoSuchAlgorithmException {
 
     @BeforeEach
     void setup() throws GeneralSecurityException {
-        nodeSignatureVerifier = new NodeSignatureVerifier(addressBookService);
+        nodeSignatureVerifier = new NodeSignatureVerifier(
+                addressBookService,
+                commonDownloaderProperties,
+                meterRegistry);
         signer = Signature.getInstance("SHA384withRSA", "SunRsaSign");
         signer.initSign(privateKey);
         Map<String, PublicKey> nodeAccountIDPubKeyMap = new HashMap();
         nodeAccountIDPubKeyMap.put("0.0.3", publicKey);
         when(addressBookService.getCurrent()).thenReturn(currentAddressBook);
         when(currentAddressBook.getNodeAccountIDPubKeyMap()).thenReturn(nodeAccountIDPubKeyMap);
+        when(commonDownloaderProperties.getConsensusRatio()).thenReturn(0.333f);
     }
 
     @Test
@@ -149,7 +160,29 @@ void testCannotReachConsensus() {
         List<FileStreamSignature> fileStreamSignatures = Arrays.asList(buildBareBonesFileStreamSignature());
         Exception e = assertThrows(SignatureVerificationException.class, () -> nodeSignatureVerifier
                 .verify(fileStreamSignatures));
-        assertTrue(e.getMessage().contains("Require at least 1/3 signature files to reach consensus"));
+        assertTrue(e.getMessage().contains("Requires at least 0.333 of signature files to reach consensus"));
+    }
+
+    @Test
+    void testNoConsensusRequired() throws GeneralSecurityException {
+        Map<String, PublicKey> nodeAccountIDPubKeyMap = new HashMap();
+        nodeAccountIDPubKeyMap.put("0.0.3", publicKey);
+        nodeAccountIDPubKeyMap.put("0.0.4", publicKey);
+        nodeAccountIDPubKeyMap.put("0.0.5", publicKey);
+        nodeAccountIDPubKeyMap.put("0.0.6", publicKey);
+        nodeAccountIDPubKeyMap.put("0.0.7", publicKey);
+        nodeAccountIDPubKeyMap.put("0.0.8", publicKey);
+        nodeAccountIDPubKeyMap.put("0.0.9", publicKey);
+        nodeAccountIDPubKeyMap.put("0.0.10", publicKey);
+
+        when(currentAddressBook.getNodeAccountIDPubKeyMap()).thenReturn(nodeAccountIDPubKeyMap);
+        when(commonDownloaderProperties.getConsensusRatio()).thenReturn(0f);
+
+        byte[] fileHash = TestUtils.generateRandomByteArray(48);
+        byte[] fileHashSignature = signHash(fileHash);
+
+        // only 1 node node necessary
+        nodeSignatureVerifier.verify(List.of());
     }
 
     @Test
@@ -174,7 +207,36 @@ void testVerifiedWithOneThirdConsensus() throws GeneralSecurityException {
                 null, null);
         fileStreamSignatureNode4.setNodeAccountId(new EntityId(0L, 0L, 5L, EntityTypeEnum.ACCOUNT.getId()));
 
-        nodeSignatureVerifier.verify(Arrays.asList(fileStreamSignatureNode3, fileStreamSignatureNode5));
+        nodeSignatureVerifier
+                .verify(Arrays.asList(fileStreamSignatureNode3, fileStreamSignatureNode5));
+    }
+
+    @Test
+    void testVerifiedWithFullConsensusRequired() throws GeneralSecurityException {
+        Map<String, PublicKey> nodeAccountIDPubKeyMap = new HashMap();
+        nodeAccountIDPubKeyMap.put("0.0.3", publicKey);
+        nodeAccountIDPubKeyMap.put("0.0.4", publicKey);
+        nodeAccountIDPubKeyMap.put("0.0.5", publicKey);
+        when(currentAddressBook.getNodeAccountIDPubKeyMap()).thenReturn(nodeAccountIDPubKeyMap);
+        when(commonDownloaderProperties.getConsensusRatio()).thenReturn(1f);
+
+        byte[] fileHash = TestUtils.generateRandomByteArray(48);
+        byte[] fileHashSignature = signHash(fileHash);
+
+        FileStreamSignature fileStreamSignatureNode3 = buildFileStreamSignature(fileHash, fileHashSignature,
+                null, null);
+        fileStreamSignatureNode3.setNodeAccountId(new EntityId(0L, 0L, 3L, EntityTypeEnum.ACCOUNT.getId()));
+
+        FileStreamSignature fileStreamSignatureNode4 = buildFileStreamSignature(fileHash, fileHashSignature,
+                null, null);
+        fileStreamSignatureNode4.setNodeAccountId(new EntityId(0L, 0L, 4L, EntityTypeEnum.ACCOUNT.getId()));
+
+        FileStreamSignature fileStreamSignatureNode5 = buildFileStreamSignature(fileHash, fileHashSignature,
+                null, null);
+        fileStreamSignatureNode5.setNodeAccountId(new EntityId(0L, 0L, 5L, EntityTypeEnum.ACCOUNT.getId()));
+
+        nodeSignatureVerifier
+                .verify(Arrays.asList(fileStreamSignatureNode3, fileStreamSignatureNode4, fileStreamSignatureNode5));
     }
 
     @Test
@@ -259,6 +321,7 @@ private FileStreamSignature buildBareBonesFileStreamSignature() {
         fileStreamSignature.setFilename("");
         fileStreamSignature.setNodeAccountId(nodeId);
         fileStreamSignature.setSignatureType(SignatureType.SHA_384_WITH_RSA);
+        fileStreamSignature.setStreamType(StreamType.RECORD);
         return fileStreamSignature;
     }