add context interceptor and provide bootstrapping

salesforce · Jan 14, 2024 · 9814af6 · 9814af6
1 parent 1e5e7b5
commit 9814af6
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 9 deletions.
diff --git a/gorgoneion/src/main/java/com/salesforce/apollo/gorgoneion/Gorgoneion.java b/gorgoneion/src/main/java/com/salesforce/apollo/gorgoneion/Gorgoneion.java
@@ -216,7 +216,7 @@ private void notarize(Credentials credentials, Validations validations) {
 
         var successors = Context.uniqueSuccessors(context,
                                                   digestOf(identifier.toIdent(), parameters.digestAlgorithm()));
-        final var majority = context.activeCount() == 1 ? 0 : context.majority();
+        final var majority = context.totalCount() == 1 ? 0 : context.majority();
         SliceIterator<Endorsement> redirecting = new SliceIterator<>("Enrollment", member, successors, endorsementComm);
         var completed = new HashSet<Member>();
         redirecting.iterate((link, m) -> {
@@ -243,7 +243,7 @@ private Validations register(Credentials request) {
 
         var successors = Context.uniqueSuccessors(context,
                                                   digestOf(identifier.toIdent(), parameters.digestAlgorithm()));
-        final var majority = context.activeCount() == 1 ? 0 : context.majority();
+        final var majority = context.totalCount() == 1 ? 0 : context.majority();
         final var redirecting = new SliceIterator<>("Credential verification", member, successors, endorsementComm);
         var verifications = new HashSet<Validation_>();
         redirecting.iterate((link, m) -> {
@@ -458,12 +458,13 @@ private boolean validate(Notarization request, Identifier identifier, KERL_ kerl
                     }
                 }
                 // If there is only one active member in our context, it's us.
-                final var majority = count >= (context.activeCount() == 1 ? 1 : context.majority());
-                if (!majority) {
+                var majority = context.totalCount() == 1 ? 1 : context.majority();
+                if (count < majority) {
                     log.warn("Invalid notarization, no majority: {} required: {} for: {} from: {} on: {}", count,
-                             context.majority(), identifier, from, member.getId());
+                             majority, identifier, from, member.getId());
+                    return false;
                 }
-                return majority;
+                return true;
             } else {
                 log.warn("Invalid notarization, invalid kerl for: {} from: {} on: {}", identifier, from,
                          member.getId());
@@ -516,9 +517,10 @@ private boolean validateCredentials(Credentials credentials, Digest from) {
                 count++;
             }
 
-            if (count < context.majority()) {
-                log.warn("Invalid credential nonce, no majority signature: {} required > {} from: {} on: {}", count,
-                         context.majority(), from, member.getId());
+            var majority = context.totalCount() == 1 ? 1 : context.majority();
+            if (count < majority) {
+                log.warn("Invalid credential nonce, no majority signature: {} required >= {} from: {} on: {}", count,
+                         majority, from, member.getId());
                 return false;
             }
 

diff --git a/protocols/src/test/java/com/salesforce/apollo/comm/grpc/MtlsClient.java b/protocols/src/test/java/com/salesforce/apollo/comm/grpc/MtlsClient.java
@@ -12,6 +12,7 @@
 import com.netflix.concurrency.limits.grpc.client.GrpcClientRequestContext;
 import com.salesforce.apollo.cryptography.ssl.CertificateValidator;
 import io.grpc.ManagedChannel;
+import io.grpc.NameResolver;
 import io.grpc.Status;
 import io.grpc.netty.NettyChannelBuilder;
 import io.netty.handler.ssl.ClientAuth;
@@ -59,6 +60,22 @@ public MtlsClient(SocketAddress address, ClientAuth clientAuth, String alias, X5
 
     }
 
+    public MtlsClient(String target, NameResolver.Factory resolverFactory, ClientAuth clientAuth, String alias,
+                      X509Certificate certificate, PrivateKey privateKey, CertificateValidator validator) {
+
+        Limiter<GrpcClientRequestContext> limiter = new GrpcClientLimiterBuilder().blockOnLimit(false).build();
+        channel = NettyChannelBuilder.forTarget(target)
+                                     .nameResolverFactory(resolverFactory)
+                                     .defaultLoadBalancingPolicy("round_robin")
+                                     .executor(exec)
+                                     .sslContext(forClient(clientAuth, alias, certificate, privateKey, validator))
+                                     .intercept(new ConcurrencyLimitClientInterceptor(limiter,
+                                                                                      () -> Status.RESOURCE_EXHAUSTED.withDescription(
+                                                                                      "Client side concurrency limit exceeded")))
+                                     .build();
+
+    }
+
     public ManagedChannel getChannel() {
         return channel;
     }