ValidatorList_test.cpp

#include <test/jtx.h>
 
#include <xrpld/app/misc/ValidatorList.h>
#include <xrpld/overlay/detail/ProtocolMessage.h>
 
#include <xrpl/basics/Slice.h>
#include <xrpl/basics/base64.h>
#include <xrpl/basics/strHex.h>
#include <xrpl/protocol/HashPrefix.h>
#include <xrpl/protocol/PublicKey.h>
#include <xrpl/protocol/SecretKey.h>
#include <xrpl/protocol/Sign.h>
#include <xrpl/protocol/digest.h>
#include <xrpl/protocol/jss.h>
#include <xrpl/protocol/messages.h>
 
#include <boost/beast/core/multi_buffer.hpp>
 
namespace xrpl {
namespace test {
 
class ValidatorList_test : public beast::unit_test::suite
{
private:
    struct Validator
    {
        PublicKey masterPublic;
        PublicKey signingPublic;
        std::string manifest;
    };
 
    static PublicKey
    randomNode()
    {
        return derivePublicKey(KeyType::secp256k1, randomSecretKey());
    }
 
    static PublicKey
    randomMasterKey()
    {
        return derivePublicKey(KeyType::ed25519, randomSecretKey());
    }
 
    static std::string
    makeManifestString(PublicKey const& pk, SecretKey const& sk, PublicKey const& spk, SecretKey const& ssk, int seq)
    {
        STObject st(sfGeneric);
        st[sfSequence] = seq;
        st[sfPublicKey] = pk;
 
        if (seq != std::numeric_limits<std::uint32_t>::max())
        {
            st[sfSigningPubKey] = spk;
            sign(st, HashPrefix::manifest, *publicKeyType(spk), ssk);
        }
 
        sign(st, HashPrefix::manifest, *publicKeyType(pk), sk, sfMasterSignature);
 
        Serializer s;
        st.add(s);
 
        return std::string(static_cast<char const*>(s.data()), s.size());
    }
 
    static std::string
    makeRevocationString(PublicKey const& pk, SecretKey const& sk)
    {
        STObject st(sfGeneric);
        st[sfSequence] = std::numeric_limits<std::uint32_t>::max();
        st[sfPublicKey] = pk;
 
        sign(st, HashPrefix::manifest, *publicKeyType(pk), sk, sfMasterSignature);
 
        Serializer s;
        st.add(s);
 
        return std::string(static_cast<char const*>(s.data()), s.size());
    }
 
    static Validator
    randomValidator()
    {
        auto const secret = randomSecretKey();
        auto const masterPublic = derivePublicKey(KeyType::ed25519, secret);
        auto const signingKeys = randomKeyPair(KeyType::secp256k1);
        return {
            masterPublic,
            signingKeys.first,
            base64_encode(makeManifestString(masterPublic, secret, signingKeys.first, signingKeys.second, 1))};
    }
 
    std::string
    makeList(
        std::vector<Validator> const& validators,
        std::size_t sequence,
        std::size_t validUntil,
        std::optional<std::size_t> validFrom = {})
    {
        std::string data =
            "{\"sequence\":" + std::to_string(sequence) + ",\"expiration\":" + std::to_string(validUntil);
        if (validFrom)
            data += ",\"effective\":" + std::to_string(*validFrom);
        data += ",\"validators\":[";
 
        for (auto const& val : validators)
        {
            data += "{\"validation_public_key\":\"" + strHex(val.masterPublic) + "\",\"manifest\":\"" + val.manifest +
                "\"},";
        }
 
        data.pop_back();
        data += "]}";
        return base64_encode(data);
    }
 
    std::string
    signList(std::string const& blob, std::pair<PublicKey, SecretKey> const& keys)
    {
        auto const data = base64_decode(blob);
        return strHex(sign(keys.first, keys.second, makeSlice(data)));
    }
 
    static hash_set<NodeID>
    asNodeIDs(std::initializer_list<PublicKey> const& pks)
    {
        hash_set<NodeID> res;
        res.reserve(pks.size());
        for (auto const& pk : pks)
            res.insert(calcNodeID(pk));
        return res;
    }
 
    void
    checkResult(
        ValidatorList::PublisherListStats const& result,
        PublicKey pubKey,
        ListDisposition expectedWorst,
        ListDisposition expectedBest)
    {
        BEAST_EXPECT(
            result.bestDisposition() > ListDisposition::same_sequence ||
            (result.publisherKey && *result.publisherKey == pubKey));
        BEAST_EXPECT(result.bestDisposition() == expectedBest);
        BEAST_EXPECT(result.worstDisposition() == expectedWorst);
    }
 
    void
    testGenesisQuorum()
    {
        testcase("Genesis Quorum");
 
        ManifestCache manifests;
        jtx::Env env(*this);
        auto& app = env.app();
        {
            auto trustedKeys = std::make_unique<ValidatorList>(
                manifests, manifests, env.timeKeeper(), app.config().legacy("database_path"), env.journal);
            BEAST_EXPECT(trustedKeys->quorum() == 1);
        }
        {
            std::size_t minQuorum = 0;
            auto trustedKeys = std::make_unique<ValidatorList>(
                manifests, manifests, env.timeKeeper(), app.config().legacy("database_path"), env.journal, minQuorum);
            BEAST_EXPECT(trustedKeys->quorum() == minQuorum);
        }
    }
 
    void
    testConfigLoad()
    {
        testcase("Config Load");
 
        jtx::Env env(*this, jtx::envconfig(), nullptr, beast::severities::kDisabled);
        auto& app = env.app();
        std::vector<std::string> const emptyCfgKeys;
        std::vector<std::string> const emptyCfgPublishers;
 
        auto const localSigningKeys = randomKeyPair(KeyType::secp256k1);
        auto const localSigningPublicOuter = localSigningKeys.first;
        auto const localSigningSecret = localSigningKeys.second;
        auto const localMasterSecret = randomSecretKey();
        auto const localMasterPublic = derivePublicKey(KeyType::ed25519, localMasterSecret);
 
        std::string const cfgManifest(
            makeManifestString(localMasterPublic, localMasterSecret, localSigningPublicOuter, localSigningSecret, 1));
 
        auto format = [](PublicKey const& publicKey, char const* comment = nullptr) {
            auto ret = toBase58(TokenType::NodePublic, publicKey);
 
            if (comment)
                ret += comment;
 
            return ret;
        };
 
        std::vector<PublicKey> configList;
        configList.reserve(8);
 
        while (configList.size() != 8)
            configList.push_back(randomNode());
 
        // Correct configuration
        std::vector<std::string> cfgKeys(
            {format(configList[0]),
             format(configList[1], " Comment"),
             format(configList[2], " Multi Word Comment"),
             format(configList[3], "    Leading Whitespace"),
             format(configList[4], " Trailing Whitespace    "),
             format(configList[5], "    Leading & Trailing Whitespace    "),
             format(configList[6], "    Leading, Trailing & Internal    Whitespace    "),
             format(configList[7], "    ")});
 
        {
            ManifestCache manifests;
            auto trustedKeys = std::make_unique<ValidatorList>(
                manifests, manifests, env.timeKeeper(), app.config().legacy("database_path"), env.journal);
 
            // Correct (empty) configuration
            BEAST_EXPECT(trustedKeys->load({}, emptyCfgKeys, emptyCfgPublishers));
 
            // load local validator key with or without manifest
            BEAST_EXPECT(trustedKeys->load(localSigningPublicOuter, emptyCfgKeys, emptyCfgPublishers));
            BEAST_EXPECT(trustedKeys->listed(localSigningPublicOuter));
 
            manifests.applyManifest(*deserializeManifest(cfgManifest));
            BEAST_EXPECT(trustedKeys->load(localSigningPublicOuter, emptyCfgKeys, emptyCfgPublishers));
 
            BEAST_EXPECT(trustedKeys->listed(localMasterPublic));
            BEAST_EXPECT(trustedKeys->listed(localSigningPublicOuter));
        }
        {
            // load should add validator keys from config
            ManifestCache manifests;
            auto trustedKeys = std::make_unique<ValidatorList>(
                manifests, manifests, env.timeKeeper(), app.config().legacy("database_path"), env.journal);
 
            BEAST_EXPECT(trustedKeys->load({}, cfgKeys, emptyCfgPublishers));
 
            for (auto const& n : configList)
                BEAST_EXPECT(trustedKeys->listed(n));
 
            // load should accept Ed25519 master public keys
            auto const masterNode1 = randomMasterKey();
            auto const masterNode2 = randomMasterKey();
 
            std::vector<std::string> cfgMasterKeys({format(masterNode1), format(masterNode2, " Comment")});
            BEAST_EXPECT(trustedKeys->load({}, cfgMasterKeys, emptyCfgPublishers));
            BEAST_EXPECT(trustedKeys->listed(masterNode1));
            BEAST_EXPECT(trustedKeys->listed(masterNode2));
 
            // load should reject invalid config keys
            BEAST_EXPECT(!trustedKeys->load({}, {"NotAPublicKey"}, emptyCfgPublishers));
            BEAST_EXPECT(!trustedKeys->load({}, {format(randomNode(), "!")}, emptyCfgPublishers));
 
            // load terminates when encountering an invalid entry
            auto const goodKey = randomNode();
            BEAST_EXPECT(!trustedKeys->load({}, {format(randomNode(), "!"), format(goodKey)}, emptyCfgPublishers));
            BEAST_EXPECT(!trustedKeys->listed(goodKey));
        }
        {
            // local validator key on config list
            ManifestCache manifests;
            auto trustedKeys = std::make_unique<ValidatorList>(
                manifests, manifests, env.timeKeeper(), app.config().legacy("database_path"), env.journal);
 
            auto const localSigningPublic = parseBase58<PublicKey>(TokenType::NodePublic, cfgKeys.front());
 
            BEAST_EXPECT(trustedKeys->load(*localSigningPublic, cfgKeys, emptyCfgPublishers));
 
            BEAST_EXPECT(trustedKeys->localPublicKey() == localSigningPublic);
            BEAST_EXPECT(trustedKeys->listed(*localSigningPublic));
            for (auto const& n : configList)
                BEAST_EXPECT(trustedKeys->listed(n));
        }
        {
            // local validator key not on config list
            ManifestCache manifests;
            auto trustedKeys = std::make_unique<ValidatorList>(
                manifests, manifests, env.timeKeeper(), app.config().legacy("database_path"), env.journal);
 
            auto const localSigningPublic = randomNode();
            BEAST_EXPECT(trustedKeys->load(localSigningPublic, cfgKeys, emptyCfgPublishers));
 
            BEAST_EXPECT(trustedKeys->localPublicKey() == localSigningPublic);
            BEAST_EXPECT(trustedKeys->listed(localSigningPublic));
            for (auto const& n : configList)
                BEAST_EXPECT(trustedKeys->listed(n));
        }
        {
            // local validator key (with manifest) not on config list
            ManifestCache manifests;
            auto trustedKeys = std::make_unique<ValidatorList>(
                manifests, manifests, env.timeKeeper(), app.config().legacy("database_path"), env.journal);
 
            manifests.applyManifest(*deserializeManifest(cfgManifest));
 
            BEAST_EXPECT(trustedKeys->load(localSigningPublicOuter, cfgKeys, emptyCfgPublishers));
 
            BEAST_EXPECT(trustedKeys->localPublicKey() == localMasterPublic);
            BEAST_EXPECT(trustedKeys->listed(localSigningPublicOuter));
            BEAST_EXPECT(trustedKeys->listed(localMasterPublic));
            for (auto const& n : configList)
                BEAST_EXPECT(trustedKeys->listed(n));
        }
        {
            ManifestCache manifests;
            auto trustedKeys = std::make_unique<ValidatorList>(
                manifests, manifests, env.timeKeeper(), app.config().legacy("database_path"), env.journal);
 
            // load should reject invalid validator list signing keys
            std::vector<std::string> badPublishers({"NotASigningKey"});
            BEAST_EXPECT(!trustedKeys->load({}, emptyCfgKeys, badPublishers));
 
            // load should reject validator list signing keys with invalid
            // encoding
            std::vector<PublicKey> keys({randomMasterKey(), randomMasterKey(), randomMasterKey()});
            badPublishers.clear();
            for (auto const& key : keys)
                badPublishers.push_back(toBase58(TokenType::NodePublic, key));
 
            BEAST_EXPECT(!trustedKeys->load({}, emptyCfgKeys, badPublishers));
            for (auto const& key : keys)
                BEAST_EXPECT(!trustedKeys->trustedPublisher(key));
 
            // load should accept valid validator list publisher keys
            std::vector<std::string> cfgPublishers;
            for (auto const& key : keys)
                cfgPublishers.push_back(strHex(key));
 
            BEAST_EXPECT(trustedKeys->load({}, emptyCfgKeys, cfgPublishers));
            for (auto const& key : keys)
                BEAST_EXPECT(trustedKeys->trustedPublisher(key));
            BEAST_EXPECT(trustedKeys->getListThreshold() == keys.size() / 2 + 1);
        }
        {
            ManifestCache manifests;
            auto trustedKeys = std::make_unique<ValidatorList>(
                manifests, manifests, env.timeKeeper(), app.config().legacy("database_path"), env.journal);
 
            std::vector<PublicKey> keys({randomMasterKey(), randomMasterKey(), randomMasterKey(), randomMasterKey()});
            std::vector<std::string> cfgPublishers;
            for (auto const& key : keys)
                cfgPublishers.push_back(strHex(key));
 
            // explicitly set the list threshold
            BEAST_EXPECT(trustedKeys->load({}, emptyCfgKeys, cfgPublishers, std::size_t(2)));
            for (auto const& key : keys)
                BEAST_EXPECT(trustedKeys->trustedPublisher(key));
            BEAST_EXPECT(trustedKeys->getListThreshold() == 2);
        }
        {
            // Attempt to load a publisher key that has been revoked.
            // Should fail
            ManifestCache valManifests;
            ManifestCache pubManifests;
            auto trustedKeys = std::make_unique<ValidatorList>(
                valManifests, pubManifests, env.timeKeeper(), app.config().legacy("database_path"), env.journal);
 
            auto const pubRevokedSecret = randomSecretKey();
            auto const pubRevokedPublic = derivePublicKey(KeyType::ed25519, pubRevokedSecret);
            auto const pubRevokedSigning = randomKeyPair(KeyType::secp256k1);
            // make this manifest revoked (seq num = max)
            //  -- thus should not be loaded
            pubManifests.applyManifest(*deserializeManifest(makeManifestString(
                pubRevokedPublic,
                pubRevokedSecret,
                pubRevokedSigning.first,
                pubRevokedSigning.second,
                std::numeric_limits<std::uint32_t>::max())));
 
            // these two are not revoked (and not in the manifest cache at all.)
            auto legitKey1 = randomMasterKey();
            auto legitKey2 = randomMasterKey();
 
            std::vector<std::string> cfgPublishers = {strHex(pubRevokedPublic), strHex(legitKey1), strHex(legitKey2)};
            BEAST_EXPECT(trustedKeys->load({}, emptyCfgKeys, cfgPublishers));
 
            BEAST_EXPECT(!trustedKeys->trustedPublisher(pubRevokedPublic));
            BEAST_EXPECT(trustedKeys->trustedPublisher(legitKey1));
            BEAST_EXPECT(trustedKeys->trustedPublisher(legitKey2));
            // 2 is the threshold for 3 publishers (even though 1 is revoked)
            BEAST_EXPECT(trustedKeys->getListThreshold() == 2);
        }
        {
            // One (of two) publisher keys has been revoked, the user had
            // explicitly set validator list threshold to 2.
            ManifestCache valManifests;
            ManifestCache pubManifests;
            auto trustedKeys = std::make_unique<ValidatorList>(
                valManifests, pubManifests, env.timeKeeper(), app.config().legacy("database_path"), env.journal);
 
            auto const pubRevokedSecret = randomSecretKey();
            auto const pubRevokedPublic = derivePublicKey(KeyType::ed25519, pubRevokedSecret);
            auto const pubRevokedSigning = randomKeyPair(KeyType::secp256k1);
            // make this manifest revoked (seq num = max)
            //  -- thus should not be loaded
            pubManifests.applyManifest(*deserializeManifest(makeManifestString(
                pubRevokedPublic,
                pubRevokedSecret,
                pubRevokedSigning.first,
                pubRevokedSigning.second,
                std::numeric_limits<std::uint32_t>::max())));
 
            // this one is not revoked (and not in the manifest cache at all.)
            auto legitKey = randomMasterKey();
 
            std::vector<std::string> cfgPublishers = {strHex(pubRevokedPublic), strHex(legitKey)};
            BEAST_EXPECT(trustedKeys->load({}, emptyCfgKeys, cfgPublishers, std::size_t(2)));
 
            BEAST_EXPECT(!trustedKeys->trustedPublisher(pubRevokedPublic));
            BEAST_EXPECT(trustedKeys->trustedPublisher(legitKey));
            // 2 is the threshold, as requested in configuration
            BEAST_EXPECT(trustedKeys->getListThreshold() == 2);
        }
    }
 
    void
    testApplyLists()
    {
        testcase("Apply list");
        using namespace std::chrono_literals;
 
        std::string const siteUri = "testApplyList.test";
 
        auto checkAvailable = [this](
                                  auto const& trustedKeys,
                                  auto const& hexPublic,
                                  auto const& manifest,
                                  auto const version,
                                  std::vector<std::pair<std::string, std::string>> const& expected) {
            auto const available = trustedKeys->getAvailable(hexPublic);
 
            BEAST_EXPECT(!version || available);
            if (available)
            {
                auto const& a = *available;
                BEAST_EXPECT(a[jss::public_key] == hexPublic);
                BEAST_EXPECT(a[jss::manifest] == manifest);
                // Because multiple lists were processed, the version was
                // overridden
                BEAST_EXPECT(a[jss::version] == version);
                if (version == 1)
                {
                    BEAST_EXPECT(expected.size() == 1);
                    BEAST_EXPECT(a[jss::blob] == expected[0].first);
                    BEAST_EXPECT(a[jss::signature] == expected[0].second);
                    BEAST_EXPECT(!a.isMember(jss::blobs_v2));
                }
                else if (BEAST_EXPECT(a.isMember(jss::blobs_v2)))
                {
                    BEAST_EXPECT(!a.isMember(jss::blob));
                    BEAST_EXPECT(!a.isMember(jss::signature));
                    auto const& blobs_v2 = a[jss::blobs_v2];
                    BEAST_EXPECT(blobs_v2.isArray() && blobs_v2.size() == expected.size());
 
                    for (unsigned int i = 0; i < expected.size(); ++i)
                    {
                        BEAST_EXPECT(blobs_v2[i][jss::blob] == expected[i].first);
                        BEAST_EXPECT(blobs_v2[i][jss::signature] == expected[i].second);
                    }
                }
            }
        };
 
        ManifestCache manifests;
        jtx::Env env(*this);
        auto& app = env.app();
        auto trustedKeys = std::make_unique<ValidatorList>(
            manifests, manifests, env.app().timeKeeper(), app.config().legacy("database_path"), env.journal);
 
        auto expectTrusted = [this, &trustedKeys](std::vector<Validator> const& list) {
            for (auto const& val : list)
            {
                BEAST_EXPECT(trustedKeys->listed(val.masterPublic));
                BEAST_EXPECT(trustedKeys->listed(val.signingPublic));
            }
        };
 
        auto expectUntrusted = [this, &trustedKeys](std::vector<Validator> const& list) {
            for (auto const& val : list)
            {
                BEAST_EXPECT(!trustedKeys->listed(val.masterPublic));
                BEAST_EXPECT(!trustedKeys->listed(val.signingPublic));
            }
        };
 
        auto const publisherSecret = randomSecretKey();
        auto const publisherPublic = derivePublicKey(KeyType::ed25519, publisherSecret);
        auto const hexPublic = strHex(publisherPublic.begin(), publisherPublic.end());
        auto const pubSigningKeys1 = randomKeyPair(KeyType::secp256k1);
        auto const manifest1 = base64_encode(
            makeManifestString(publisherPublic, publisherSecret, pubSigningKeys1.first, pubSigningKeys1.second, 1));
 
        std::vector<std::string> cfgKeys1({strHex(publisherPublic)});
        std::vector<std::string> emptyCfgKeys;
 
        BEAST_EXPECT(trustedKeys->load({}, emptyCfgKeys, cfgKeys1));
 
        std::map<std::size_t, std::vector<Validator>> const lists = []() {
            auto constexpr listSize = 20;
            auto constexpr numLists = 9;
            std::map<std::size_t, std::vector<Validator>> lists;
            // 1-based to correspond with the individually named blobs below.
            for (auto i = 1; i <= numLists; ++i)
            {
                auto& list = lists[i];
                list.reserve(listSize);
                while (list.size() < listSize)
                    list.push_back(randomValidator());
            }
            return lists;
        }();
 
        // Attempt an expired list (fail) and a single list (succeed)
        env.timeKeeper().set(env.timeKeeper().now() + 1s);
        auto const version = 1;
        auto const sequence1 = 1;
        auto const expiredblob = makeList(lists.at(1), sequence1, env.timeKeeper().now().time_since_epoch().count());
        auto const expiredSig = signList(expiredblob, pubSigningKeys1);
 
        NetClock::time_point const validUntil = env.timeKeeper().now() + 3600s;
        auto const sequence2 = 2;
        auto const blob2 = makeList(lists.at(2), sequence2, validUntil.time_since_epoch().count());
        auto const sig2 = signList(blob2, pubSigningKeys1);
 
        checkResult(
            trustedKeys->applyLists(manifest1, version, {{expiredblob, expiredSig, {}}, {blob2, sig2, {}}}, siteUri),
            publisherPublic,
            ListDisposition::expired,
            ListDisposition::accepted);
 
        expectTrusted(lists.at(2));
 
        checkAvailable(trustedKeys, hexPublic, manifest1, version, {{blob2, sig2}});
 
        // Do not apply future lists, but process them
        auto const version2 = 2;
        auto const sequence7 = 7;
        auto const effective7 = validUntil - 60s;
        auto const expiration7 = effective7 + 3600s;
        auto const blob7 = makeList(
            lists.at(7), sequence7, expiration7.time_since_epoch().count(), effective7.time_since_epoch().count());
        auto const sig7 = signList(blob7, pubSigningKeys1);
 
        auto const sequence8 = 8;
        auto const effective8 = expiration7 - 60s;
        auto const expiration8 = effective8 + 3600s;
        auto const blob8 = makeList(
            lists.at(8), sequence8, expiration8.time_since_epoch().count(), effective8.time_since_epoch().count());
        auto const sig8 = signList(blob8, pubSigningKeys1);
 
        checkResult(
            trustedKeys->applyLists(manifest1, version2, {{blob7, sig7, {}}, {blob8, sig8, {}}}, siteUri),
            publisherPublic,
            ListDisposition::pending,
            ListDisposition::pending);
 
        expectUntrusted(lists.at(7));
        expectUntrusted(lists.at(8));
 
        // Do not apply out-of-order future list, but process it
        auto const sequence6 = 6;
        auto const effective6 = effective7 - 60s;
        auto const expiration6 = effective6 + 3600s;
        auto const blob6 = makeList(
            lists.at(6), sequence6, expiration6.time_since_epoch().count(), effective6.time_since_epoch().count());
        auto const sig6 = signList(blob6, pubSigningKeys1);
 
        // Process future list that is overridden by a later list
        auto const sequence6a = 5;
        auto const effective6a = effective6 + 60s;
        auto const expiration6a = effective6a + 3600s;
        auto const blob6a = makeList(
            lists.at(5), sequence6a, expiration6a.time_since_epoch().count(), effective6a.time_since_epoch().count());
        auto const sig6a = signList(blob6a, pubSigningKeys1);
 
        checkResult(
            trustedKeys->applyLists(manifest1, version, {{blob6a, sig6a, {}}, {blob6, sig6, {}}}, siteUri),
            publisherPublic,
            ListDisposition::pending,
            ListDisposition::pending);
 
        expectUntrusted(lists.at(6));
        expectTrusted(lists.at(2));
 
        // Do not apply re-process lists known future sequence numbers
 
        checkResult(
            trustedKeys->applyLists(manifest1, version, {{blob7, sig7, {}}, {blob6, sig6, {}}}, siteUri),
            publisherPublic,
            ListDisposition::known_sequence,
            ListDisposition::known_sequence);
 
        expectUntrusted(lists.at(6));
        expectUntrusted(lists.at(7));
        expectTrusted(lists.at(2));
 
        // try empty or mangled manifest
        checkResult(
            trustedKeys->applyLists("", version, {{blob7, sig7, {}}, {blob6, sig6, {}}}, siteUri),
            publisherPublic,
            ListDisposition::invalid,
            ListDisposition::invalid);
 
        checkResult(
            trustedKeys->applyLists(
                base64_encode("not a manifest"), version, {{blob7, sig7, {}}, {blob6, sig6, {}}}, siteUri),
            publisherPublic,
            ListDisposition::invalid,
            ListDisposition::invalid);
 
        // do not use list from untrusted publisher
        auto const untrustedManifest = base64_encode(
            makeManifestString(randomMasterKey(), publisherSecret, pubSigningKeys1.first, pubSigningKeys1.second, 1));
 
        checkResult(
            trustedKeys->applyLists(untrustedManifest, version, {{blob2, sig2, {}}}, siteUri),
            publisherPublic,
            ListDisposition::untrusted,
            ListDisposition::untrusted);
 
        // do not use list with unhandled version
        auto const badVersion = 666;
        checkResult(
            trustedKeys->applyLists(manifest1, badVersion, {{blob2, sig2, {}}}, siteUri),
            publisherPublic,
            ListDisposition::unsupported_version,
            ListDisposition::unsupported_version);
 
        // apply list with highest sequence number
        auto const sequence3 = 3;
        auto const blob3 = makeList(lists.at(3), sequence3, validUntil.time_since_epoch().count());
        auto const sig3 = signList(blob3, pubSigningKeys1);
 
        checkResult(
            trustedKeys->applyLists(manifest1, version, {{blob3, sig3, {}}}, siteUri),
            publisherPublic,
            ListDisposition::accepted,
            ListDisposition::accepted);
 
        expectUntrusted(lists.at(1));
        expectUntrusted(lists.at(2));
        expectTrusted(lists.at(3));
 
        // Note that blob6a is not present, because it was dropped during
        // processing
        checkAvailable(
            trustedKeys, hexPublic, manifest1, 2, {{blob3, sig3}, {blob6, sig6}, {blob7, sig7}, {blob8, sig8}});
 
        // do not re-apply lists with past or current sequence numbers
        checkResult(
            trustedKeys->applyLists(manifest1, version, {{blob2, sig2, {}}, {blob3, sig3, {}}}, siteUri),
            publisherPublic,
            ListDisposition::stale,
            ListDisposition::same_sequence);
 
        // apply list with new publisher key updated by manifest. Also send some
        // old lists along with the old manifest
        auto const pubSigningKeys2 = randomKeyPair(KeyType::secp256k1);
        auto manifest2 = base64_encode(
            makeManifestString(publisherPublic, publisherSecret, pubSigningKeys2.first, pubSigningKeys2.second, 2));
 
        auto const sequence4 = 4;
        auto const blob4 = makeList(lists.at(4), sequence4, validUntil.time_since_epoch().count());
        auto const sig4 = signList(blob4, pubSigningKeys2);
 
        checkResult(
            trustedKeys->applyLists(
                manifest2, version, {{blob2, sig2, manifest1}, {blob3, sig3, manifest1}, {blob4, sig4, {}}}, siteUri),
            publisherPublic,
            ListDisposition::stale,
            ListDisposition::accepted);
 
        expectUntrusted(lists.at(2));
        expectUntrusted(lists.at(3));
        expectTrusted(lists.at(4));
 
        checkAvailable(
            trustedKeys, hexPublic, manifest2, 2, {{blob4, sig4}, {blob6, sig6}, {blob7, sig7}, {blob8, sig8}});
 
        auto const sequence5 = 5;
        auto const blob5 = makeList(lists.at(5), sequence5, validUntil.time_since_epoch().count());
        auto const badSig = signList(blob5, pubSigningKeys1);
        checkResult(
            trustedKeys->applyLists(manifest1, version, {{blob5, badSig, {}}}, siteUri),
            publisherPublic,
            ListDisposition::invalid,
            ListDisposition::invalid);
 
        expectUntrusted(lists.at(2));
        expectUntrusted(lists.at(3));
        expectTrusted(lists.at(4));
        expectUntrusted(lists.at(5));
 
        // Reprocess the pending list, but the signature is no longer valid
        checkResult(
            trustedKeys->applyLists(manifest1, version, {{blob7, sig7, {}}, {blob8, sig8, {}}}, siteUri),
            publisherPublic,
            ListDisposition::invalid,
            ListDisposition::invalid);
 
        expectTrusted(lists.at(4));
        expectUntrusted(lists.at(7));
        expectUntrusted(lists.at(8));
 
        // Automatically rotate the first pending already processed list using
        // updateTrusted. Note that the timekeeper is NOT moved, so the close
        // time will be ahead of the test's wall clock
        trustedKeys->updateTrusted(
            {}, effective6 + 1s, env.app().getOPs(), env.app().overlay(), env.app().getHashRouter());
 
        expectUntrusted(lists.at(3));
        expectTrusted(lists.at(6));
 
        checkAvailable(trustedKeys, hexPublic, manifest2, 2, {{blob6, sig6}, {blob7, sig7}, {blob8, sig8}});
 
        // Automatically rotate the LAST pending list using updateTrusted,
        // bypassing blob7. Note that the timekeeper IS moved, so the provided
        // close time will be behind the test's wall clock, and thus the wall
        // clock is used.
        env.timeKeeper().set(effective8);
        trustedKeys->updateTrusted(
            {}, effective8 + 1s, env.app().getOPs(), env.app().overlay(), env.app().getHashRouter());
 
        expectUntrusted(lists.at(6));
        expectUntrusted(lists.at(7));
        expectTrusted(lists.at(8));
 
        checkAvailable(trustedKeys, hexPublic, manifest2, 2, {{blob8, sig8}});
 
        // resign the pending list with new key and validate it, but it's
        // already valid Also try reprocessing the pending list with an
        // explicit manifest
        // - it is still invalid
        auto const sig8_2 = signList(blob8, pubSigningKeys2);
 
        checkResult(
            trustedKeys->applyLists(manifest2, version, {{blob8, sig8, manifest1}, {blob8, sig8_2, {}}}, siteUri),
            publisherPublic,
            ListDisposition::invalid,
            ListDisposition::same_sequence);
 
        expectTrusted(lists.at(8));
 
        checkAvailable(trustedKeys, hexPublic, manifest2, 2, {{blob8, sig8}});
 
        // do not apply list with revoked publisher key
        // applied list is removed due to revoked publisher key
        auto const signingKeysMax = randomKeyPair(KeyType::secp256k1);
        auto maxManifest = base64_encode(makeRevocationString(publisherPublic, publisherSecret));
 
        auto const sequence9 = 9;
        auto const blob9 = makeList(lists.at(9), sequence9, validUntil.time_since_epoch().count());
        auto const sig9 = signList(blob9, signingKeysMax);
 
        checkResult(
            trustedKeys->applyLists(maxManifest, version, {{blob9, sig9, {}}}, siteUri),
            publisherPublic,
            ListDisposition::untrusted,
            ListDisposition::untrusted);
 
        BEAST_EXPECT(!trustedKeys->trustedPublisher(publisherPublic));
        for (auto const& [num, list] : lists)
        {
            (void)num;
            expectUntrusted(list);
        }
 
        checkAvailable(trustedKeys, hexPublic, manifest2, 0, {});
    }
 
    void
    testGetAvailable()
    {
        testcase("GetAvailable");
        using namespace std::chrono_literals;
 
        std::string const siteUri = "testApplyList.test";
 
        ManifestCache manifests;
        jtx::Env env(*this);
        auto& app = env.app();
        auto trustedKeys = std::make_unique<ValidatorList>(
            manifests, manifests, env.app().timeKeeper(), app.config().legacy("database_path"), env.journal);
 
        auto const publisherSecret = randomSecretKey();
        auto const publisherPublic = derivePublicKey(KeyType::ed25519, publisherSecret);
        auto const hexPublic = strHex(publisherPublic.begin(), publisherPublic.end());
        auto const pubSigningKeys1 = randomKeyPair(KeyType::secp256k1);
        auto const manifest = base64_encode(
            makeManifestString(publisherPublic, publisherSecret, pubSigningKeys1.first, pubSigningKeys1.second, 1));
 
        std::vector<std::string> cfgKeys1({strHex(publisherPublic)});
        std::vector<std::string> emptyCfgKeys;
 
        BEAST_EXPECT(trustedKeys->load({}, emptyCfgKeys, cfgKeys1));
 
        std::vector<Validator> const list = []() {
            auto constexpr listSize = 20;
            std::vector<Validator> list;
            list.reserve(listSize);
            while (list.size() < listSize)
                list.push_back(randomValidator());
            return list;
        }();
 
        // Process a list
        env.timeKeeper().set(env.timeKeeper().now() + 1s);
        NetClock::time_point const validUntil = env.timeKeeper().now() + 3600s;
        auto const blob = makeList(list, 1, validUntil.time_since_epoch().count());
        auto const sig = signList(blob, pubSigningKeys1);
 
        {
            // list unavailable
            auto const available = trustedKeys->getAvailable(hexPublic);
            BEAST_EXPECT(!available);
        }
 
        BEAST_EXPECT(
            trustedKeys->applyLists(manifest, 1, {{blob, sig, {}}}, siteUri).bestDisposition() ==
            ListDisposition::accepted);
 
        {
            // invalid public key
            auto const available = trustedKeys->getAvailable(hexPublic + "invalid", 1);
            BEAST_EXPECT(!available);
        }
 
        {
            // unknown public key
            auto const badSecret = randomSecretKey();
            auto const badPublic = derivePublicKey(KeyType::ed25519, badSecret);
            auto const hexBad = strHex(badPublic.begin(), badPublic.end());
 
            auto const available = trustedKeys->getAvailable(hexBad, 1);
            BEAST_EXPECT(!available);
        }
        {
            // bad version 0
            auto const available = trustedKeys->getAvailable(hexPublic, 0);
            if (BEAST_EXPECT(available))
            {
                auto const& a = *available;
                BEAST_EXPECT(!a);
            }
        }
        {
            // bad version 3
            auto const available = trustedKeys->getAvailable(hexPublic, 3);
            if (BEAST_EXPECT(available))
            {
                auto const& a = *available;
                BEAST_EXPECT(!a);
            }
        }
        {
            // version 1
            auto const available = trustedKeys->getAvailable(hexPublic, 1);
            if (BEAST_EXPECT(available))
            {
                auto const& a = *available;
                BEAST_EXPECT(a[jss::public_key] == hexPublic);
                BEAST_EXPECT(a[jss::manifest] == manifest);
                BEAST_EXPECT(a[jss::version] == 1);
 
                BEAST_EXPECT(a[jss::blob] == blob);
                BEAST_EXPECT(a[jss::signature] == sig);
                BEAST_EXPECT(!a.isMember(jss::blobs_v2));
            }
        }
 
        {
            // version 2
            auto const available = trustedKeys->getAvailable(hexPublic, 2);
            if (BEAST_EXPECT(available))
            {
                auto const& a = *available;
                BEAST_EXPECT(a[jss::public_key] == hexPublic);
                BEAST_EXPECT(a[jss::manifest] == manifest);
                BEAST_EXPECT(a[jss::version] == 2);
 
                if (BEAST_EXPECT(a.isMember(jss::blobs_v2)))
                {
                    BEAST_EXPECT(!a.isMember(jss::blob));
                    BEAST_EXPECT(!a.isMember(jss::signature));
                    auto const& blobs_v2 = a[jss::blobs_v2];
                    BEAST_EXPECT(blobs_v2.isArray() && blobs_v2.size() == 1);
 
                    BEAST_EXPECT(blobs_v2[0u][jss::blob] == blob);
                    BEAST_EXPECT(blobs_v2[0u][jss::signature] == sig);
                }
            }
        }
    }
 
    void
    testUpdateTrusted()
    {
        testcase("Update trusted");
 
        std::string const siteUri = "testUpdateTrusted.test";
 
        ManifestCache manifestsOuter;
        jtx::Env env(*this);
        auto& app = env.app();
        auto trustedKeysOuter = std::make_unique<ValidatorList>(
            manifestsOuter, manifestsOuter, env.timeKeeper(), app.config().legacy("database_path"), env.journal);
 
        std::vector<std::string> cfgPublishersOuter;
        hash_set<NodeID> activeValidatorsOuter;
 
        std::size_t const maxKeys = 40;
        {
            std::vector<std::string> cfgKeys;
            cfgKeys.reserve(maxKeys);
            hash_set<NodeID> unseenValidators;
 
            while (cfgKeys.size() != maxKeys)
            {
                auto const valKey = randomNode();
                cfgKeys.push_back(toBase58(TokenType::NodePublic, valKey));
                if (cfgKeys.size() <= maxKeys - 5)
                    activeValidatorsOuter.emplace(calcNodeID(valKey));
                else
                    unseenValidators.emplace(calcNodeID(valKey));
            }
 
            BEAST_EXPECT(trustedKeysOuter->load({}, cfgKeys, cfgPublishersOuter));
 
            // updateTrusted should make all configured validators trusted
            // even if they are not active/seen
            TrustChanges changes = trustedKeysOuter->updateTrusted(
                activeValidatorsOuter,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
 
            for (auto const& val : unseenValidators)
                activeValidatorsOuter.emplace(val);
 
            BEAST_EXPECT(changes.added == activeValidatorsOuter);
            BEAST_EXPECT(changes.removed.empty());
            BEAST_EXPECT(trustedKeysOuter->quorum() == std::ceil(cfgKeys.size() * 0.8f));
            for (auto const& val : cfgKeys)
            {
                if (auto const valKey = parseBase58<PublicKey>(TokenType::NodePublic, val))
                {
                    BEAST_EXPECT(trustedKeysOuter->listed(*valKey));
                    BEAST_EXPECT(trustedKeysOuter->trusted(*valKey));
                }
                else
                    fail();
            }
 
            changes = trustedKeysOuter->updateTrusted(
                activeValidatorsOuter,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(changes.added.empty());
            BEAST_EXPECT(changes.removed.empty());
            BEAST_EXPECT(trustedKeysOuter->quorum() == std::ceil(cfgKeys.size() * 0.8f));
        }
        {
            // update with manifests
            auto const masterPrivate = randomSecretKey();
            auto const masterPublic = derivePublicKey(KeyType::ed25519, masterPrivate);
 
            std::vector<std::string> cfgKeys({toBase58(TokenType::NodePublic, masterPublic)});
 
            BEAST_EXPECT(trustedKeysOuter->load({}, cfgKeys, cfgPublishersOuter));
 
            auto const signingKeys1 = randomKeyPair(KeyType::secp256k1);
            auto const signingPublic1 = signingKeys1.first;
            activeValidatorsOuter.emplace(calcNodeID(masterPublic));
 
            // Should not trust ephemeral signing key if there is no manifest
            TrustChanges changes = trustedKeysOuter->updateTrusted(
                activeValidatorsOuter,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(changes.added == asNodeIDs({masterPublic}));
            BEAST_EXPECT(changes.removed.empty());
            BEAST_EXPECT(trustedKeysOuter->quorum() == std::ceil((maxKeys + 1) * 0.8f));
            BEAST_EXPECT(trustedKeysOuter->listed(masterPublic));
            BEAST_EXPECT(trustedKeysOuter->trusted(masterPublic));
            BEAST_EXPECT(!trustedKeysOuter->listed(signingPublic1));
            BEAST_EXPECT(!trustedKeysOuter->trusted(signingPublic1));
 
            // Should trust the ephemeral signing key from the applied manifest
            auto m1 = deserializeManifest(
                makeManifestString(masterPublic, masterPrivate, signingPublic1, signingKeys1.second, 1));
 
            BEAST_EXPECT(manifestsOuter.applyManifest(std::move(*m1)) == ManifestDisposition::accepted);
            BEAST_EXPECT(trustedKeysOuter->listed(masterPublic));
            BEAST_EXPECT(trustedKeysOuter->trusted(masterPublic));
            BEAST_EXPECT(trustedKeysOuter->listed(signingPublic1));
            BEAST_EXPECT(trustedKeysOuter->trusted(signingPublic1));
 
            // Should only trust the ephemeral signing key
            // from the newest applied manifest
            auto const signingKeys2 = randomKeyPair(KeyType::secp256k1);
            auto const signingPublic2 = signingKeys2.first;
            auto m2 = deserializeManifest(
                makeManifestString(masterPublic, masterPrivate, signingPublic2, signingKeys2.second, 2));
            BEAST_EXPECT(manifestsOuter.applyManifest(std::move(*m2)) == ManifestDisposition::accepted);
            BEAST_EXPECT(trustedKeysOuter->listed(masterPublic));
            BEAST_EXPECT(trustedKeysOuter->trusted(masterPublic));
            BEAST_EXPECT(trustedKeysOuter->listed(signingPublic2));
            BEAST_EXPECT(trustedKeysOuter->trusted(signingPublic2));
            BEAST_EXPECT(!trustedKeysOuter->listed(signingPublic1));
            BEAST_EXPECT(!trustedKeysOuter->trusted(signingPublic1));
 
            // Should not trust keys from revoked master public key
            auto const signingKeysMax = randomKeyPair(KeyType::secp256k1);
            auto const signingPublicMax = signingKeysMax.first;
            activeValidatorsOuter.emplace(calcNodeID(signingPublicMax));
            auto mMax = deserializeManifest(makeRevocationString(masterPublic, masterPrivate));
 
            BEAST_EXPECT(mMax->revoked());
            BEAST_EXPECT(manifestsOuter.applyManifest(std::move(*mMax)) == ManifestDisposition::accepted);
            BEAST_EXPECT(manifestsOuter.getSigningKey(masterPublic) == masterPublic);
            BEAST_EXPECT(manifestsOuter.revoked(masterPublic));
 
            // Revoked key remains trusted until list is updated
            BEAST_EXPECT(trustedKeysOuter->listed(masterPublic));
            BEAST_EXPECT(trustedKeysOuter->trusted(masterPublic));
 
            changes = trustedKeysOuter->updateTrusted(
                activeValidatorsOuter,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(changes.removed == asNodeIDs({masterPublic}));
            BEAST_EXPECT(changes.added.empty());
            BEAST_EXPECT(trustedKeysOuter->quorum() == std::ceil(maxKeys * 0.8f));
            BEAST_EXPECT(trustedKeysOuter->listed(masterPublic));
            BEAST_EXPECT(!trustedKeysOuter->trusted(masterPublic));
            BEAST_EXPECT(!trustedKeysOuter->listed(signingPublicMax));
            BEAST_EXPECT(!trustedKeysOuter->trusted(signingPublicMax));
            BEAST_EXPECT(!trustedKeysOuter->listed(signingPublic2));
            BEAST_EXPECT(!trustedKeysOuter->trusted(signingPublic2));
            BEAST_EXPECT(!trustedKeysOuter->listed(signingPublic1));
            BEAST_EXPECT(!trustedKeysOuter->trusted(signingPublic1));
        }
        {
            // Make quorum unattainable if lists from any publishers are
            // unavailable
            auto trustedKeys = std::make_unique<ValidatorList>(
                manifestsOuter, manifestsOuter, env.timeKeeper(), app.config().legacy("database_path"), env.journal);
            auto const publisherSecret = randomSecretKey();
            auto const publisherPublic = derivePublicKey(KeyType::ed25519, publisherSecret);
 
            std::vector<std::string> cfgPublishers({strHex(publisherPublic)});
            std::vector<std::string> emptyCfgKeys;
 
            BEAST_EXPECT(trustedKeys->load({}, emptyCfgKeys, cfgPublishers));
 
            TrustChanges changes = trustedKeys->updateTrusted(
                activeValidatorsOuter,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(changes.removed.empty());
            BEAST_EXPECT(changes.added.empty());
            BEAST_EXPECT(trustedKeys->quorum() == std::numeric_limits<std::size_t>::max());
        }
        {
            // Trust explicitly listed validators also when list threshold is
            // higher than 1
            auto trustedKeys = std::make_unique<ValidatorList>(
                manifestsOuter, manifestsOuter, env.timeKeeper(), app.config().legacy("database_path"), env.journal);
            auto const masterPrivate = randomSecretKey();
            auto const masterPublic = derivePublicKey(KeyType::ed25519, masterPrivate);
            std::vector<std::string> cfgKeys({toBase58(TokenType::NodePublic, masterPublic)});
 
            auto const publisher1Secret = randomSecretKey();
            auto const publisher1Public = derivePublicKey(KeyType::ed25519, publisher1Secret);
            auto const publisher2Secret = randomSecretKey();
            auto const publisher2Public = derivePublicKey(KeyType::ed25519, publisher2Secret);
            std::vector<std::string> cfgPublishers({strHex(publisher1Public), strHex(publisher2Public)});
 
            BEAST_EXPECT(trustedKeys->load({}, cfgKeys, cfgPublishers, std::size_t(2)));
 
            TrustChanges changes = trustedKeys->updateTrusted(
                activeValidatorsOuter,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(changes.removed.empty());
            BEAST_EXPECT(changes.added.size() == 1);
            BEAST_EXPECT(trustedKeys->listed(masterPublic));
            BEAST_EXPECT(trustedKeys->trusted(masterPublic));
        }
        {
            // Should use custom minimum quorum
            std::size_t const minQuorum = 1;
            ManifestCache manifests;
            auto trustedKeys = std::make_unique<ValidatorList>(
                manifests, manifests, env.timeKeeper(), app.config().legacy("database_path"), env.journal, minQuorum);
 
            std::size_t n = 10;
            std::vector<std::string> cfgKeys;
            cfgKeys.reserve(n);
            hash_set<NodeID> expectedTrusted;
            hash_set<NodeID> activeValidators;
            NodeID toBeSeen;
 
            while (cfgKeys.size() < n)
            {
                auto const valKey = randomNode();
                cfgKeys.push_back(toBase58(TokenType::NodePublic, valKey));
                expectedTrusted.emplace(calcNodeID(valKey));
                if (cfgKeys.size() < std::ceil(n * 0.8f))
                    activeValidators.emplace(calcNodeID(valKey));
                else if (cfgKeys.size() < std::ceil(n * 0.8f))
                    toBeSeen = calcNodeID(valKey);
            }
 
            BEAST_EXPECT(trustedKeys->load({}, cfgKeys, cfgPublishersOuter));
 
            TrustChanges changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(changes.removed.empty());
            BEAST_EXPECT(changes.added == expectedTrusted);
            BEAST_EXPECT(trustedKeys->quorum() == minQuorum);
 
            // Use configured quorum even when seen validators >= quorum
            activeValidators.emplace(toBeSeen);
            changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(changes.removed.empty());
            BEAST_EXPECT(changes.added.empty());
            BEAST_EXPECT(trustedKeys->quorum() == minQuorum);
        }
        {
            // Remove expired published list
            auto trustedKeys = std::make_unique<ValidatorList>(
                manifestsOuter,
                manifestsOuter,
                env.app().timeKeeper(),
                app.config().legacy("database_path"),
                env.journal);
 
            std::vector<std::string> emptyCfgKeys;
            auto const publisherKeys = randomKeyPair(KeyType::secp256k1);
            auto const pubSigningKeys = randomKeyPair(KeyType::secp256k1);
            auto const manifest = base64_encode(makeManifestString(
                publisherKeys.first, publisherKeys.second, pubSigningKeys.first, pubSigningKeys.second, 1));
 
            std::vector<std::string> cfgKeys({strHex(publisherKeys.first)});
 
            BEAST_EXPECT(trustedKeys->load({}, emptyCfgKeys, cfgKeys));
 
            std::vector<Validator> list({randomValidator(), randomValidator()});
            hash_set<NodeID> activeValidators(asNodeIDs({list[0].masterPublic, list[1].masterPublic}));
 
            // do not apply expired list
            auto const version = 1;
            auto const sequence = 1;
            using namespace std::chrono_literals;
            NetClock::time_point const validUntil = env.timeKeeper().now() + 60s;
            auto const blob = makeList(list, sequence, validUntil.time_since_epoch().count());
            auto const sig = signList(blob, pubSigningKeys);
 
            BEAST_EXPECT(
                ListDisposition::accepted ==
                trustedKeys->applyLists(manifest, version, {{blob, sig, {}}}, siteUri).bestDisposition());
 
            TrustChanges changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(changes.removed.empty());
            BEAST_EXPECT(changes.added == activeValidators);
            for (Validator const& val : list)
            {
                BEAST_EXPECT(trustedKeys->trusted(val.masterPublic));
                BEAST_EXPECT(trustedKeys->trusted(val.signingPublic));
            }
            BEAST_EXPECT(trustedKeys->quorum() == 2);
 
            env.timeKeeper().set(validUntil);
            changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(changes.removed == activeValidators);
            BEAST_EXPECT(changes.added.empty());
            BEAST_EXPECT(!trustedKeys->trusted(list[0].masterPublic));
            BEAST_EXPECT(!trustedKeys->trusted(list[1].masterPublic));
            BEAST_EXPECT(trustedKeys->quorum() == std::numeric_limits<std::size_t>::max());
 
            // (Re)trust validators from new valid list
            std::vector<Validator> list2({list[0], randomValidator()});
            activeValidators.insert(calcNodeID(list2[1].masterPublic));
            auto const sequence2 = 2;
            NetClock::time_point const expiration2 = env.timeKeeper().now() + 60s;
            auto const blob2 = makeList(list2, sequence2, expiration2.time_since_epoch().count());
            auto const sig2 = signList(blob2, pubSigningKeys);
 
            BEAST_EXPECT(
                ListDisposition::accepted ==
                trustedKeys->applyLists(manifest, version, {{blob2, sig2, {}}}, siteUri).bestDisposition());
 
            changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(changes.removed.empty());
            BEAST_EXPECT(changes.added == asNodeIDs({list2[0].masterPublic, list2[1].masterPublic}));
            for (Validator const& val : list2)
            {
                BEAST_EXPECT(trustedKeys->trusted(val.masterPublic));
                BEAST_EXPECT(trustedKeys->trusted(val.signingPublic));
            }
            BEAST_EXPECT(!trustedKeys->trusted(list[1].masterPublic));
            BEAST_EXPECT(!trustedKeys->trusted(list[1].signingPublic));
            BEAST_EXPECT(trustedKeys->quorum() == 2);
        }
        {
            // Test 1-9 configured validators
            auto trustedKeys = std::make_unique<ValidatorList>(
                manifestsOuter, manifestsOuter, env.timeKeeper(), app.config().legacy("database_path"), env.journal);
 
            std::vector<std::string> cfgPublishers;
            hash_set<NodeID> activeValidators;
            hash_set<PublicKey> activeKeys;
 
            std::vector<std::string> cfgKeys;
            cfgKeys.reserve(9);
 
            while (cfgKeys.size() < cfgKeys.capacity())
            {
                auto const valKey = randomNode();
                cfgKeys.push_back(toBase58(TokenType::NodePublic, valKey));
                activeValidators.emplace(calcNodeID(valKey));
                activeKeys.emplace(valKey);
                BEAST_EXPECT(trustedKeys->load({}, cfgKeys, cfgPublishers));
                TrustChanges changes = trustedKeys->updateTrusted(
                    activeValidators,
                    env.timeKeeper().now(),
                    env.app().getOPs(),
                    env.app().overlay(),
                    env.app().getHashRouter());
                BEAST_EXPECT(changes.removed.empty());
                BEAST_EXPECT(changes.added == asNodeIDs({valKey}));
                BEAST_EXPECT(trustedKeys->quorum() == std::ceil(cfgKeys.size() * 0.8f));
                for (auto const& key : activeKeys)
                    BEAST_EXPECT(trustedKeys->trusted(key));
            }
        }
        {
            // Test 2-9 configured validators as validator
            auto trustedKeys = std::make_unique<ValidatorList>(
                manifestsOuter, manifestsOuter, env.timeKeeper(), app.config().legacy("database_path"), env.journal);
 
            auto const localKey = randomNode();
            std::vector<std::string> cfgPublishers;
            hash_set<NodeID> activeValidators;
            hash_set<PublicKey> activeKeys;
            std::vector<std::string> cfgKeys{toBase58(TokenType::NodePublic, localKey)};
            cfgKeys.reserve(9);
 
            while (cfgKeys.size() < cfgKeys.capacity())
            {
                auto const valKey = randomNode();
                cfgKeys.push_back(toBase58(TokenType::NodePublic, valKey));
                activeValidators.emplace(calcNodeID(valKey));
                activeKeys.emplace(valKey);
 
                BEAST_EXPECT(trustedKeys->load(localKey, cfgKeys, cfgPublishers));
                TrustChanges changes = trustedKeys->updateTrusted(
                    activeValidators,
                    env.timeKeeper().now(),
                    env.app().getOPs(),
                    env.app().overlay(),
                    env.app().getHashRouter());
                BEAST_EXPECT(changes.removed.empty());
                if (cfgKeys.size() > 2)
                    BEAST_EXPECT(changes.added == asNodeIDs({valKey}));
                else
                    BEAST_EXPECT(changes.added == asNodeIDs({localKey, valKey}));
 
                BEAST_EXPECT(trustedKeys->quorum() == std::ceil(cfgKeys.size() * 0.8f));
 
                for (auto const& key : activeKeys)
                    BEAST_EXPECT(trustedKeys->trusted(key));
            }
        }
        {
            // Trusted set should include all validators from multiple lists
            ManifestCache manifests;
            auto trustedKeys = std::make_unique<ValidatorList>(
                manifests, manifests, env.timeKeeper(), app.config().legacy("database_path"), env.journal);
 
            hash_set<NodeID> activeValidators;
            std::vector<Validator> valKeys;
            valKeys.reserve(maxKeys);
 
            while (valKeys.size() != maxKeys)
            {
                valKeys.push_back(randomValidator());
                activeValidators.emplace(calcNodeID(valKeys.back().masterPublic));
            }
 
            // locals[0]: from 0 to maxKeys - 4
            // locals[1]: from 1 to maxKeys - 2
            // locals[2]: from 2 to maxKeys
            constexpr static int publishers = 3;
            std::array<std::pair<decltype(valKeys)::const_iterator, decltype(valKeys)::const_iterator>, publishers>
                locals = {
                    std::make_pair(valKeys.cbegin(), valKeys.cend() - 4),
                    std::make_pair(valKeys.cbegin() + 1, valKeys.cend() - 2),
                    std::make_pair(valKeys.cbegin() + 2, valKeys.cend()),
                };
 
            auto addPublishedList = [&, this](int i) {
                auto const publisherSecret = randomSecretKey();
                auto const publisherPublic = derivePublicKey(KeyType::ed25519, publisherSecret);
                auto const pubSigningKeys = randomKeyPair(KeyType::secp256k1);
                auto const manifest = base64_encode(makeManifestString(
                    publisherPublic, publisherSecret, pubSigningKeys.first, pubSigningKeys.second, 1));
 
                std::vector<std::string> cfgPublishers({strHex(publisherPublic)});
                std::vector<std::string> emptyCfgKeys;
 
                // Threshold of 1 will result in a union of all the lists
                BEAST_EXPECT(trustedKeys->load({}, emptyCfgKeys, cfgPublishers, std::size_t(1)));
 
                auto const version = 1;
                auto const sequence = 1;
                using namespace std::chrono_literals;
                NetClock::time_point const validUntil = env.timeKeeper().now() + 3600s;
                std::vector<Validator> localKeys{locals[i].first, locals[i].second};
                auto const blob = makeList(localKeys, sequence, validUntil.time_since_epoch().count());
                auto const sig = signList(blob, pubSigningKeys);
 
                BEAST_EXPECT(
                    ListDisposition::accepted ==
                    trustedKeys->applyLists(manifest, version, {{blob, sig, {}}}, siteUri).bestDisposition());
            };
 
            // Apply multiple published lists
            for (auto i = 0; i < publishers; ++i)
                addPublishedList(i);
            BEAST_EXPECT(trustedKeys->getListThreshold() == 1);
 
            TrustChanges changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
 
            BEAST_EXPECT(trustedKeys->quorum() == std::ceil(valKeys.size() * 0.8f));
 
            hash_set<NodeID> added;
            for (auto const& val : valKeys)
            {
                BEAST_EXPECT(trustedKeys->trusted(val.masterPublic));
                added.insert(calcNodeID(val.masterPublic));
            }
            BEAST_EXPECT(changes.added == added);
            BEAST_EXPECT(changes.removed.empty());
        }
        {
            // Trusted set should include validators from intersection of lists
            ManifestCache manifests;
            auto trustedKeys = std::make_unique<ValidatorList>(
                manifests, manifests, env.timeKeeper(), app.config().legacy("database_path"), env.journal);
 
            hash_set<NodeID> activeValidators;
            std::vector<Validator> valKeys;
            valKeys.reserve(maxKeys);
 
            while (valKeys.size() != maxKeys)
            {
                valKeys.push_back(randomValidator());
                activeValidators.emplace(calcNodeID(valKeys.back().masterPublic));
            }
 
            // locals[0]: from 0 to maxKeys - 4
            // locals[1]: from 1 to maxKeys - 2
            // locals[2]: from 2 to maxKeys
            // intersection of at least 2: same as locals[1]
            // intersection when 1 is dropped: from 2 to maxKeys - 4
            constexpr static int publishers = 3;
            std::array<std::pair<decltype(valKeys)::const_iterator, decltype(valKeys)::const_iterator>, publishers>
                locals = {
                    std::make_pair(valKeys.cbegin(), valKeys.cend() - 4),
                    std::make_pair(valKeys.cbegin() + 1, valKeys.cend() - 2),
                    std::make_pair(valKeys.cbegin() + 2, valKeys.cend()),
                };
 
            auto addPublishedList = [&, this](
                                        int i, NetClock::time_point& validUntil1, NetClock::time_point& validUntil2) {
                auto const publisherSecret = randomSecretKey();
                auto const publisherPublic = derivePublicKey(KeyType::ed25519, publisherSecret);
                auto const pubSigningKeys = randomKeyPair(KeyType::secp256k1);
                auto const manifest = base64_encode(makeManifestString(
                    publisherPublic, publisherSecret, pubSigningKeys.first, pubSigningKeys.second, 1));
 
                std::vector<std::string> cfgPublishers({strHex(publisherPublic)});
                std::vector<std::string> emptyCfgKeys;
 
                BEAST_EXPECT(trustedKeys->load({}, emptyCfgKeys, cfgPublishers));
 
                auto const version = 1;
                auto const sequence = 1;
                using namespace std::chrono_literals;
                // Want to drop 1 sooner
                NetClock::time_point const validUntil = env.timeKeeper().now() + (i == 2 ? 120s : i == 1 ? 60s : 3600s);
                if (i == 1)
                    validUntil1 = validUntil;
                else if (i == 2)
                    validUntil2 = validUntil;
                std::vector<Validator> localKeys{locals[i].first, locals[i].second};
                auto const blob = makeList(localKeys, sequence, validUntil.time_since_epoch().count());
                auto const sig = signList(blob, pubSigningKeys);
 
                BEAST_EXPECT(
                    ListDisposition::accepted ==
                    trustedKeys->applyLists(manifest, version, {{blob, sig, {}}}, siteUri).bestDisposition());
            };
 
            // Apply multiple published lists
            // validUntil1 is expiration time for locals[1]
            NetClock::time_point validUntil1, validUntil2;
            for (auto i = 0; i < publishers; ++i)
                addPublishedList(i, validUntil1, validUntil2);
            BEAST_EXPECT(trustedKeys->getListThreshold() == 2);
 
            TrustChanges changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
 
            BEAST_EXPECT(trustedKeys->quorum() == std::ceil((valKeys.size() - 3) * 0.8f));
 
            for (auto const& val : valKeys)
                BEAST_EXPECT(trustedKeys->listed(val.masterPublic));
 
            hash_set<NodeID> added;
            for (std::size_t i = 0; i < maxKeys; ++i)
            {
                auto const& val = valKeys[i];
                if (i >= 1 && i < maxKeys - 2)
                {
                    BEAST_EXPECT(trustedKeys->trusted(val.masterPublic));
                    added.insert(calcNodeID(val.masterPublic));
                }
                else
                    BEAST_EXPECT(!trustedKeys->trusted(val.masterPublic));
            }
            BEAST_EXPECT(changes.added == added);
            BEAST_EXPECT(changes.removed.empty());
 
            // Expire locals[1]
            env.timeKeeper().set(validUntil1);
            changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
 
            BEAST_EXPECT(trustedKeys->quorum() == std::ceil((valKeys.size() - 6) * 0.8f));
 
            for (auto const& val : valKeys)
                BEAST_EXPECT(trustedKeys->listed(val.masterPublic));
 
            hash_set<NodeID> removed;
            for (std::size_t i = 0; i < maxKeys; ++i)
            {
                auto const& val = valKeys[i];
                if (i >= 2 && i < maxKeys - 4)
                    BEAST_EXPECT(trustedKeys->trusted(val.masterPublic));
                else
                {
                    BEAST_EXPECT(!trustedKeys->trusted(val.masterPublic));
                    if (i >= 1 && i < maxKeys - 2)
                        removed.insert(calcNodeID(val.masterPublic));
                }
            }
 
            BEAST_EXPECT(changes.added.empty());
            BEAST_EXPECT(changes.removed == removed);
 
            // Expire locals[2], which removes all validators
            env.timeKeeper().set(validUntil2);
            changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
 
            BEAST_EXPECT(trustedKeys->quorum() == std::numeric_limits<std::size_t>::max());
 
            removed.clear();
            for (std::size_t i = 0; i < maxKeys; ++i)
            {
                auto const& val = valKeys[i];
                if (i < maxKeys - 4)
                    BEAST_EXPECT(trustedKeys->listed(val.masterPublic));
                else
                    BEAST_EXPECT(!trustedKeys->listed(val.masterPublic));
 
                BEAST_EXPECT(!trustedKeys->trusted(val.masterPublic));
                if (i >= 2 && i < maxKeys - 4)
                    removed.insert(calcNodeID(val.masterPublic));
            }
 
            BEAST_EXPECT(changes.added.empty());
            BEAST_EXPECT(changes.removed == removed);
        }
    }
 
    void
    testExpires()
    {
        testcase("Expires");
 
        std::string const siteUri = "testExpires.test";
 
        jtx::Env env(*this);
        auto& app = env.app();
 
        auto toStr = [](PublicKey const& publicKey) { return toBase58(TokenType::NodePublic, publicKey); };
 
        // Config listed keys
        {
            ManifestCache manifests;
            auto trustedKeys = std::make_unique<ValidatorList>(
                manifests, manifests, env.timeKeeper(), app.config().legacy("database_path"), env.journal);
 
            // Empty list has no expiration
            BEAST_EXPECT(trustedKeys->expires() == std::nullopt);
 
            // Config listed keys have maximum expiry
            PublicKey localCfgListed = randomNode();
            trustedKeys->load({}, {toStr(localCfgListed)}, {});
            BEAST_EXPECT(trustedKeys->expires() && trustedKeys->expires().value() == NetClock::time_point::max());
            BEAST_EXPECT(trustedKeys->listed(localCfgListed));
        }
 
        // Published keys with expirations
        {
            ManifestCache manifests;
            auto trustedKeys = std::make_unique<ValidatorList>(
                manifests, manifests, env.app().timeKeeper(), app.config().legacy("database_path"), env.journal);
 
            std::vector<Validator> validators = {randomValidator()};
            hash_set<NodeID> activeValidators;
            for (Validator const& val : validators)
                activeValidators.insert(calcNodeID(val.masterPublic));
            // Store prepared list data to control when it is applied
            struct PreparedList
            {
                PublicKey publisherPublic;
                std::string manifest;
                std::vector<ValidatorBlobInfo> blobs;
                int version;
                std::vector<NetClock::time_point> expirations;
            };
 
            using namespace std::chrono_literals;
            auto addPublishedList = [this, &env, &trustedKeys, &validators]() {
                auto const publisherSecret = randomSecretKey();
                auto const publisherPublic = derivePublicKey(KeyType::ed25519, publisherSecret);
                auto const pubSigningKeys = randomKeyPair(KeyType::secp256k1);
                auto const manifest = base64_encode(makeManifestString(
                    publisherPublic, publisherSecret, pubSigningKeys.first, pubSigningKeys.second, 1));
 
                std::vector<std::string> cfgPublishers({strHex(publisherPublic)});
                std::vector<std::string> emptyCfgKeys;
 
                BEAST_EXPECT(trustedKeys->load({}, emptyCfgKeys, cfgPublishers));
 
                auto const version = 2;
                auto const sequence1 = 1;
                NetClock::time_point const expiration1 = env.timeKeeper().now() + 1800s;
                auto const blob1 = makeList(validators, sequence1, expiration1.time_since_epoch().count());
                auto const sig1 = signList(blob1, pubSigningKeys);
 
                NetClock::time_point const effective2 = expiration1 - 300s;
                NetClock::time_point const expiration2 = effective2 + 1800s;
                auto const sequence2 = 2;
                auto const blob2 = makeList(
                    validators,
                    sequence2,
                    expiration2.time_since_epoch().count(),
                    effective2.time_since_epoch().count());
                auto const sig2 = signList(blob2, pubSigningKeys);
 
                return PreparedList{
                    publisherPublic,
                    manifest,
                    {{blob1, sig1, {}}, {blob2, sig2, {}}},
                    version,
                    {expiration1, expiration2}};
            };
 
            // Configure two publishers and prepare 2 lists
            PreparedList prep1 = addPublishedList();
            env.timeKeeper().set(env.timeKeeper().now() + 200s);
            PreparedList prep2 = addPublishedList();
 
            // Initially, no list has been published, so no known expiration
            BEAST_EXPECT(trustedKeys->expires() == std::nullopt);
 
            // Apply first list
            checkResult(
                trustedKeys->applyLists(prep1.manifest, prep1.version, prep1.blobs, siteUri),
                prep1.publisherPublic,
                ListDisposition::pending,
                ListDisposition::accepted);
 
            // One list still hasn't published, so expiration is still
            // unknown
            BEAST_EXPECT(trustedKeys->expires() == std::nullopt);
 
            // Apply second list
            checkResult(
                trustedKeys->applyLists(prep2.manifest, prep2.version, prep2.blobs, siteUri),
                prep2.publisherPublic,
                ListDisposition::pending,
                ListDisposition::accepted);
            // We now have loaded both lists, so expiration is known
            BEAST_EXPECT(trustedKeys->expires() && trustedKeys->expires().value() == prep1.expirations.back());
 
            // Advance past the first list's LAST validFrom date. It remains
            // the earliest validUntil, while rotating in the second list
            {
                env.timeKeeper().set(prep1.expirations.front() - 1s);
                auto changes = trustedKeys->updateTrusted(
                    activeValidators,
                    env.timeKeeper().now(),
                    env.app().getOPs(),
                    env.app().overlay(),
                    env.app().getHashRouter());
                BEAST_EXPECT(trustedKeys->expires() && trustedKeys->expires().value() == prep1.expirations.back());
                BEAST_EXPECT(!changes.added.empty());
                BEAST_EXPECT(changes.removed.empty());
            }
 
            // Advance past the first list's LAST validUntil, but it remains
            // the earliest validUntil, while being invalidated
            {
                env.timeKeeper().set(prep1.expirations.back() + 1s);
                auto changes = trustedKeys->updateTrusted(
                    activeValidators,
                    env.timeKeeper().now(),
                    env.app().getOPs(),
                    env.app().overlay(),
                    env.app().getHashRouter());
                BEAST_EXPECT(trustedKeys->expires() && trustedKeys->expires().value() == prep1.expirations.back());
                BEAST_EXPECT(changes.added.empty());
                BEAST_EXPECT(changes.removed.empty());
            }
        }
    }
 
    void
    testNegativeUNL()
    {
        testcase("NegativeUNL");
        jtx::Env env(*this);
        ManifestCache manifests;
 
        auto createValidatorList =
            [&](std::uint32_t vlSize, std::optional<std::size_t> minimumQuorum = {}) -> std::shared_ptr<ValidatorList> {
            auto trustedKeys = std::make_shared<ValidatorList>(
                manifests,
                manifests,
                env.timeKeeper(),
                env.app().config().legacy("database_path"),
                env.journal,
                minimumQuorum);
 
            std::vector<std::string> cfgPublishers;
            std::vector<std::string> cfgKeys;
            hash_set<NodeID> activeValidators;
            cfgKeys.reserve(vlSize);
            while (cfgKeys.size() < cfgKeys.capacity())
            {
                auto const valKey = randomNode();
                cfgKeys.push_back(toBase58(TokenType::NodePublic, valKey));
                activeValidators.emplace(calcNodeID(valKey));
            }
            if (trustedKeys->load({}, cfgKeys, cfgPublishers))
            {
                trustedKeys->updateTrusted(
                    activeValidators,
                    env.timeKeeper().now(),
                    env.app().getOPs(),
                    env.app().overlay(),
                    env.app().getHashRouter());
                if (minimumQuorum == trustedKeys->quorum() || trustedKeys->quorum() == std::ceil(cfgKeys.size() * 0.8f))
                    return trustedKeys;
            }
            return nullptr;
        };
 
        /*
         * Test NegativeUNL
         * == Combinations ==
         * -- UNL size: 34, 35, 57
         * -- nUNL size: 0%, 20%, 30%, 50%
         *
         * == with UNL size 60
         * -- set == get,
         * -- check quorum, with nUNL size: 0, 12, 30, 18
         * -- nUNL overlap: |nUNL - UNL| = 5, with nUNL size: 18
         * -- with command line minimumQuorum = 50%,
         *    seen_reliable affected by nUNL
         */
 
        {
            hash_set<NodeID> activeValidators;
            //== Combinations ==
            std::array<std::uint32_t, 4> unlSizes = {34, 35, 39, 60};
            std::array<std::uint32_t, 4> nUnlPercent = {0, 20, 30, 50};
            for (auto us : unlSizes)
            {
                for (auto np : nUnlPercent)
                {
                    auto validators = createValidatorList(us);
                    BEAST_EXPECT(validators);
                    if (validators)
                    {
                        std::uint32_t nUnlSize = us * np / 100;
                        auto unl = validators->getTrustedMasterKeys();
                        hash_set<PublicKey> nUnl;
                        auto it = unl.begin();
                        for (std::uint32_t i = 0; i < nUnlSize; ++i)
                        {
                            nUnl.insert(*it);
                            ++it;
                        }
                        validators->setNegativeUNL(nUnl);
                        validators->updateTrusted(
                            activeValidators,
                            env.timeKeeper().now(),
                            env.app().getOPs(),
                            env.app().overlay(),
                            env.app().getHashRouter());
                        BEAST_EXPECT(
                            validators->quorum() ==
                            static_cast<std::size_t>(std::ceil(std::max((us - nUnlSize) * 0.8f, us * 0.6f))));
                    }
                }
            }
        }
 
        {
            //== with UNL size 60
            auto validators = createValidatorList(60);
            BEAST_EXPECT(validators);
            if (validators)
            {
                hash_set<NodeID> activeValidators;
                auto unl = validators->getTrustedMasterKeys();
                BEAST_EXPECT(unl.size() == 60);
                {
                    //-- set == get,
                    //-- check quorum, with nUNL size: 0, 30, 18, 12
                    auto nUnlChange = [&](std::uint32_t nUnlSize, std::uint32_t quorum) -> bool {
                        hash_set<PublicKey> nUnl;
                        auto it = unl.begin();
                        for (std::uint32_t i = 0; i < nUnlSize; ++i)
                        {
                            nUnl.insert(*it);
                            ++it;
                        }
                        validators->setNegativeUNL(nUnl);
                        auto nUnl_temp = validators->getNegativeUNL();
                        if (nUnl_temp.size() == nUnl.size())
                        {
                            for (auto& n : nUnl_temp)
                            {
                                if (nUnl.find(n) == nUnl.end())
                                    return false;
                            }
                            validators->updateTrusted(
                                activeValidators,
                                env.timeKeeper().now(),
                                env.app().getOPs(),
                                env.app().overlay(),
                                env.app().getHashRouter());
                            return validators->quorum() == quorum;
                        }
                        return false;
                    };
                    BEAST_EXPECT(nUnlChange(0, 48));
                    BEAST_EXPECT(nUnlChange(30, 36));
                    BEAST_EXPECT(nUnlChange(18, 36));
                    BEAST_EXPECT(nUnlChange(12, 39));
                }
 
                {
                    // nUNL overlap: |nUNL - UNL| = 5, with nUNL size:
                    // 18
                    auto nUnl = validators->getNegativeUNL();
                    BEAST_EXPECT(nUnl.size() == 12);
                    std::size_t ss = 33;
                    std::vector<uint8_t> data(ss, 0);
                    data[0] = 0xED;
                    for (int i = 0; i < 6; ++i)
                    {
                        Slice s(data.data(), ss);
                        data[1]++;
                        nUnl.emplace(s);
                    }
                    validators->setNegativeUNL(nUnl);
                    validators->updateTrusted(
                        activeValidators,
                        env.timeKeeper().now(),
                        env.app().getOPs(),
                        env.app().overlay(),
                        env.app().getHashRouter());
                    BEAST_EXPECT(validators->quorum() == 39);
                }
            }
        }
 
        {
            //== with UNL size 60
            //-- with command line minimumQuorum = 50%,
            //   seen_reliable affected by nUNL
            auto validators = createValidatorList(60, 30);
            BEAST_EXPECT(validators);
            if (validators)
            {
                hash_set<NodeID> activeValidators;
                hash_set<PublicKey> unl = validators->getTrustedMasterKeys();
                auto it = unl.begin();
                for (std::uint32_t i = 0; i < 50; ++i)
                {
                    activeValidators.insert(calcNodeID(*it));
                    ++it;
                }
                validators->updateTrusted(
                    activeValidators,
                    env.timeKeeper().now(),
                    env.app().getOPs(),
                    env.app().overlay(),
                    env.app().getHashRouter());
                BEAST_EXPECT(validators->quorum() == 30);
                hash_set<PublicKey> nUnl;
                it = unl.begin();
                for (std::uint32_t i = 0; i < 20; ++i)
                {
                    nUnl.insert(*it);
                    ++it;
                }
                validators->setNegativeUNL(nUnl);
                validators->updateTrusted(
                    activeValidators,
                    env.timeKeeper().now(),
                    env.app().getOPs(),
                    env.app().overlay(),
                    env.app().getHashRouter());
                BEAST_EXPECT(validators->quorum() == 30);
            }
        }
    }
 
    void
    testSha512Hash()
    {
        testcase("Sha512 hashing");
        // Tests that ValidatorList hash_append helpers with a single blob
        // returns the same result as xrpl::Sha512Half used by the
        // TMValidatorList protocol message handler
        std::string const manifest = "This is not really a manifest";
        std::string const blob = "This is not really a blob";
        std::string const signature = "This is not really a signature";
        std::uint32_t const version = 1;
 
        auto const global = sha512Half(manifest, blob, signature, version);
        BEAST_EXPECT(!!global);
 
        std::vector<ValidatorBlobInfo> blobVector(1);
        blobVector[0].blob = blob;
        blobVector[0].signature = signature;
        BEAST_EXPECT(global == sha512Half(manifest, blobVector, version));
        BEAST_EXPECT(global != sha512Half(signature, blobVector, version));
 
        {
            std::map<std::size_t, ValidatorBlobInfo> blobMap{{99, blobVector[0]}};
            BEAST_EXPECT(global == sha512Half(manifest, blobMap, version));
            BEAST_EXPECT(global != sha512Half(blob, blobMap, version));
        }
 
        {
            protocol::TMValidatorList msg1;
            msg1.set_manifest(manifest);
            msg1.set_blob(blob);
            msg1.set_signature(signature);
            msg1.set_version(version);
            BEAST_EXPECT(global == sha512Half(msg1));
            msg1.set_signature(blob);
            BEAST_EXPECT(global != sha512Half(msg1));
        }
 
        {
            protocol::TMValidatorListCollection msg2;
            msg2.set_manifest(manifest);
            msg2.set_version(version);
            auto& bi = *msg2.add_blobs();
            bi.set_blob(blob);
            bi.set_signature(signature);
            BEAST_EXPECT(global == sha512Half(msg2));
            bi.set_manifest(manifest);
            BEAST_EXPECT(global != sha512Half(msg2));
        }
    }
 
    void
    testBuildMessages()
    {
        testcase("Build and split messages");
 
        std::uint32_t const manifestCutoff = 7;
        auto extractHeader = [this](Message& message) {
            auto const& buffer = message.getBuffer(compression::Compressed::Off);
 
            boost::beast::multi_buffer buffers;
 
            // simulate multi-buffer
            auto start = buffer.begin();
            auto end = buffer.end();
            std::vector<std::uint8_t> slice(start, end);
            buffers.commit(boost::asio::buffer_copy(buffers.prepare(slice.size()), boost::asio::buffer(slice)));
 
            boost::system::error_code ec;
            auto header = detail::parseMessageHeader(ec, buffers.data(), buffers.size());
            BEAST_EXPECT(!ec);
            return std::make_pair(header, buffers);
        };
        auto extractProtocolMessage1 = [this, &extractHeader](Message& message) {
            auto [header, buffers] = extractHeader(message);
            if (BEAST_EXPECT(header) && BEAST_EXPECT(header->message_type == protocol::mtVALIDATOR_LIST))
            {
                auto const msg = detail::parseMessageContent<protocol::TMValidatorList>(*header, buffers.data());
                BEAST_EXPECT(msg);
                return msg;
            }
            return std::shared_ptr<protocol::TMValidatorList>();
        };
        auto extractProtocolMessage2 = [this, &extractHeader](Message& message) {
            auto [header, buffers] = extractHeader(message);
            if (BEAST_EXPECT(header) && BEAST_EXPECT(header->message_type == protocol::mtVALIDATOR_LIST_COLLECTION))
            {
                auto const msg =
                    detail::parseMessageContent<protocol::TMValidatorListCollection>(*header, buffers.data());
                BEAST_EXPECT(msg);
                return msg;
            }
            return std::shared_ptr<protocol::TMValidatorListCollection>();
        };
        auto verifyMessage = [this, manifestCutoff, &extractProtocolMessage1, &extractProtocolMessage2](
                                 auto const version,
                                 auto const& manifest,
                                 auto const& blobInfos,
                                 auto const& messages,
                                 std::vector<std::pair<std::size_t, std::vector<std::uint32_t>>> expectedInfo) {
            BEAST_EXPECT(messages.size() == expectedInfo.size());
            auto msgIter = expectedInfo.begin();
            for (auto const& messageWithHash : messages)
            {
                if (!BEAST_EXPECT(msgIter != expectedInfo.end()))
                    break;
                if (!BEAST_EXPECT(messageWithHash.message))
                    continue;
                auto const& expectedSeqs = msgIter->second;
                auto seqIter = expectedSeqs.begin();
                auto const size = messageWithHash.message->getBuffer(compression::Compressed::Off).size();
                // This size is arbitrary, but shouldn't change
                BEAST_EXPECT(size == msgIter->first);
                if (expectedSeqs.size() == 1)
                {
                    auto const msg = extractProtocolMessage1(*messageWithHash.message);
                    auto const expectedVersion = 1;
                    if (BEAST_EXPECT(msg))
                    {
                        BEAST_EXPECT(msg->version() == expectedVersion);
                        if (!BEAST_EXPECT(seqIter != expectedSeqs.end()))
                            continue;
                        auto const& expectedBlob = blobInfos.at(*seqIter);
                        BEAST_EXPECT((*seqIter < manifestCutoff) == !!expectedBlob.manifest);
                        auto const expectedManifest =
                            *seqIter < manifestCutoff && expectedBlob.manifest ? *expectedBlob.manifest : manifest;
                        BEAST_EXPECT(msg->manifest() == expectedManifest);
                        BEAST_EXPECT(msg->blob() == expectedBlob.blob);
                        BEAST_EXPECT(msg->signature() == expectedBlob.signature);
                        ++seqIter;
                        BEAST_EXPECT(seqIter == expectedSeqs.end());
 
                        BEAST_EXPECT(
                            messageWithHash.hash ==
                            sha512Half(expectedManifest, expectedBlob.blob, expectedBlob.signature, expectedVersion));
                    }
                }
                else
                {
                    std::vector<ValidatorBlobInfo> hashingBlobs;
                    hashingBlobs.reserve(msgIter->second.size());
 
                    auto const msg = extractProtocolMessage2(*messageWithHash.message);
                    if (BEAST_EXPECT(msg))
                    {
                        BEAST_EXPECT(msg->version() == version);
                        BEAST_EXPECT(msg->manifest() == manifest);
                        for (auto const& blobInfo : msg->blobs())
                        {
                            if (!BEAST_EXPECT(seqIter != expectedSeqs.end()))
                                break;
                            auto const& expectedBlob = blobInfos.at(*seqIter);
                            hashingBlobs.push_back(expectedBlob);
                            BEAST_EXPECT(blobInfo.has_manifest() == !!expectedBlob.manifest);
                            BEAST_EXPECT(blobInfo.has_manifest() == (*seqIter < manifestCutoff));
 
                            if (*seqIter < manifestCutoff)
                                BEAST_EXPECT(blobInfo.manifest() == *expectedBlob.manifest);
                            BEAST_EXPECT(blobInfo.blob() == expectedBlob.blob);
                            BEAST_EXPECT(blobInfo.signature() == expectedBlob.signature);
                            ++seqIter;
                        }
                        BEAST_EXPECT(seqIter == expectedSeqs.end());
                    }
                    BEAST_EXPECT(messageWithHash.hash == sha512Half(manifest, hashingBlobs, version));
                }
                ++msgIter;
            }
            BEAST_EXPECT(msgIter == expectedInfo.end());
        };
        auto verifyBuildMessages = [this](
                                       std::pair<std::size_t, std::size_t> const& result,
                                       std::size_t expectedSequence,
                                       std::size_t expectedSize) {
            BEAST_EXPECT(result.first == expectedSequence);
            BEAST_EXPECT(result.second == expectedSize);
        };
 
        std::string const manifest = "This is not a manifest";
        std::uint32_t const version = 2;
        // Mutable so items can be removed in later tests.
        auto const blobInfos = [manifestCutoff = manifestCutoff]() {
            std::map<std::size_t, ValidatorBlobInfo> bis;
 
            for (auto seq : {5, 6, 7, 10, 12})
            {
                auto& b = bis[seq];
                std::stringstream s;
                s << "This is not a blob with sequence " << seq;
                b.blob = s.str();
                s.str(std::string());
                s << "This is not a signature for sequence " << seq;
                b.signature = s.str();
                if (seq < manifestCutoff)
                {
                    // add a manifest for the "early" blobs
                    s.str(std::string());
                    s << "This is not manifest " << seq;
                    b.manifest = s.str();
                }
            }
            return bis;
        }();
        auto const maxSequence = blobInfos.rbegin()->first;
        BEAST_EXPECT(maxSequence == 12);
 
        std::vector<ValidatorList::MessageWithHash> messages;
 
        // Version 1
 
        // This peer has a VL ahead of our "current"
        verifyBuildMessages(
            ValidatorList::buildValidatorListMessages(1, 8, maxSequence, version, manifest, blobInfos, messages), 0, 0);
        BEAST_EXPECT(messages.size() == 0);
 
        // Don't repeat the work if messages is populated, even though the
        // peerSequence provided indicates it should. Note that this
        // situation is contrived for this test and should never happen in
        // real code.
        messages.emplace_back();
        verifyBuildMessages(
            ValidatorList::buildValidatorListMessages(1, 3, maxSequence, version, manifest, blobInfos, messages), 5, 0);
        BEAST_EXPECT(messages.size() == 1 && !messages.front().message);
 
        // Generate a version 1 message
        messages.clear();
        verifyBuildMessages(
            ValidatorList::buildValidatorListMessages(1, 3, maxSequence, version, manifest, blobInfos, messages), 5, 1);
        if (BEAST_EXPECT(messages.size() == 1) && BEAST_EXPECT(messages.front().message))
        {
            auto const& messageWithHash = messages.front();
            auto const msg = extractProtocolMessage1(*messageWithHash.message);
            auto const size = messageWithHash.message->getBuffer(compression::Compressed::Off).size();
            // This size is arbitrary, but shouldn't change
            BEAST_EXPECT(size == 108);
            auto const& expected = blobInfos.at(5);
            if (BEAST_EXPECT(msg))
            {
                BEAST_EXPECT(msg->version() == 1);
                BEAST_EXPECT(msg->manifest() == *expected.manifest);
                BEAST_EXPECT(msg->blob() == expected.blob);
                BEAST_EXPECT(msg->signature() == expected.signature);
            }
            BEAST_EXPECT(messageWithHash.hash == sha512Half(*expected.manifest, expected.blob, expected.signature, 1));
        }
 
        // Version 2
 
        messages.clear();
 
        // This peer has a VL ahead of us.
        verifyBuildMessages(
            ValidatorList::buildValidatorListMessages(
                2, maxSequence * 2, maxSequence, version, manifest, blobInfos, messages),
            0,
            0);
        BEAST_EXPECT(messages.size() == 0);
 
        // Don't repeat the work if messages is populated, even though the
        // peerSequence provided indicates it should. Note that this
        // situation is contrived for this test and should never happen in
        // real code.
        messages.emplace_back();
        verifyBuildMessages(
            ValidatorList::buildValidatorListMessages(2, 3, maxSequence, version, manifest, blobInfos, messages),
            maxSequence,
            0);
        BEAST_EXPECT(messages.size() == 1 && !messages.front().message);
 
        // Generate a version 2 message. Don't send the current
        messages.clear();
        verifyBuildMessages(
            ValidatorList::buildValidatorListMessages(2, 5, maxSequence, version, manifest, blobInfos, messages),
            maxSequence,
            4);
        verifyMessage(version, manifest, blobInfos, messages, {{372, {6, 7, 10, 12}}});
 
        // Test message splitting on size limits.
 
        // Set a limit that should give two messages
        messages.clear();
        verifyBuildMessages(
            ValidatorList::buildValidatorListMessages(2, 5, maxSequence, version, manifest, blobInfos, messages, 300),
            maxSequence,
            4);
        verifyMessage(version, manifest, blobInfos, messages, {{212, {6, 7}}, {192, {10, 12}}});
 
        // Set a limit between the size of the two earlier messages so one
        // will split and the other won't
        messages.clear();
        verifyBuildMessages(
            ValidatorList::buildValidatorListMessages(2, 5, maxSequence, version, manifest, blobInfos, messages, 200),
            maxSequence,
            4);
        verifyMessage(version, manifest, blobInfos, messages, {{108, {6}}, {108, {7}}, {192, {10, 12}}});
 
        // Set a limit so that all the VLs are sent individually
        messages.clear();
        verifyBuildMessages(
            ValidatorList::buildValidatorListMessages(2, 5, maxSequence, version, manifest, blobInfos, messages, 150),
            maxSequence,
            4);
        verifyMessage(version, manifest, blobInfos, messages, {{108, {6}}, {108, {7}}, {110, {10}}, {110, {12}}});
 
        // Set a limit smaller than some of the messages. Because single
        // messages send regardless, they will all still be sent
        messages.clear();
        verifyBuildMessages(
            ValidatorList::buildValidatorListMessages(2, 5, maxSequence, version, manifest, blobInfos, messages, 108),
            maxSequence,
            4);
        verifyMessage(version, manifest, blobInfos, messages, {{108, {6}}, {108, {7}}, {110, {10}}, {110, {12}}});
    }
 
    void
    testQuorumDisabled()
    {
        testcase("Test quorum disabled");
 
        std::string const siteUri = "testQuorumDisabled.test";
        jtx::Env env(*this);
        auto& app = env.app();
 
        constexpr std::size_t maxKeys = 20;
        hash_set<NodeID> activeValidators;
        std::vector<Validator> valKeys;
        while (valKeys.size() != maxKeys)
        {
            valKeys.push_back(randomValidator());
            activeValidators.emplace(calcNodeID(valKeys.back().masterPublic));
        }
 
        struct Publisher
        {
            bool revoked;
            PublicKey pubKey;
            std::pair<PublicKey, SecretKey> signingKeys;
            std::string manifest;
            NetClock::time_point expiry = {};
        };
 
        // Create ValidatorList with a set of countTotal publishers, of which
        // first countRevoked are revoked and the last one expires early
        auto makeValidatorList = [&, this](
                                     std::size_t countTotal,
                                     std::size_t countRevoked,
                                     std::size_t listThreshold,
                                     ManifestCache& pubManifests,
                                     ManifestCache& valManifests,
                                     std::optional<Validator> self,
                                     std::vector<Publisher>& publishers  // out
                                     ) -> std::unique_ptr<ValidatorList> {
            auto result = std::make_unique<ValidatorList>(
                valManifests, pubManifests, env.timeKeeper(), app.config().legacy("database_path"), env.journal);
 
            std::vector<std::string> cfgPublishers;
            for (std::size_t i = 0; i < countTotal; ++i)
            {
                auto const publisherSecret = randomSecretKey();
                auto const publisherPublic = derivePublicKey(KeyType::ed25519, publisherSecret);
                auto const pubSigningKeys = randomKeyPair(KeyType::secp256k1);
                cfgPublishers.push_back(strHex(publisherPublic));
 
                constexpr auto revoked = std::numeric_limits<std::uint32_t>::max();
                auto const manifest = base64_encode(makeManifestString(
                    publisherPublic,
                    publisherSecret,
                    pubSigningKeys.first,
                    pubSigningKeys.second,
                    i < countRevoked ? revoked : 1));
                publishers.push_back(Publisher{i < countRevoked, publisherPublic, pubSigningKeys, manifest});
            }
 
            std::vector<std::string> const emptyCfgKeys;
            auto threshold = listThreshold > 0 ? std::optional(listThreshold) : std::nullopt;
            if (self)
            {
                valManifests.applyManifest(*deserializeManifest(base64_decode(self->manifest)));
                BEAST_EXPECT(result->load(self->signingPublic, emptyCfgKeys, cfgPublishers, threshold));
            }
            else
            {
                BEAST_EXPECT(result->load({}, emptyCfgKeys, cfgPublishers, threshold));
            }
 
            for (std::size_t i = 0; i < countTotal; ++i)
            {
                using namespace std::chrono_literals;
                publishers[i].expiry = env.timeKeeper().now() + (i == countTotal - 1 ? 60s : 3600s);
                auto const blob = makeList(valKeys, 1, publishers[i].expiry.time_since_epoch().count());
                auto const sig = signList(blob, publishers[i].signingKeys);
 
                BEAST_EXPECT(
                    result->applyLists(publishers[i].manifest, 1, {{blob, sig, {}}}, siteUri).bestDisposition() ==
                    (publishers[i].revoked ? ListDisposition::untrusted : ListDisposition::accepted));
            }
 
            return result;
        };
 
        // Test cases use 5 publishers.
        constexpr auto quorumDisabled = std::numeric_limits<std::size_t>::max();
        {
            // List threshold = 5 (same as number of trusted publishers)
            ManifestCache pubManifests;
            ManifestCache valManifests;
            std::vector<Publisher> publishers;
            // Self is a random validator
            auto const self = randomValidator();
            auto const keysTotal = valKeys.size() + 1;
            auto trustedKeys = makeValidatorList(
                5,  //
                0,
                5,
                pubManifests,
                valManifests,
                self,
                publishers);
            BEAST_EXPECT(trustedKeys->getListThreshold() == 5);
            for (auto const& p : publishers)
                BEAST_EXPECT(trustedKeys->trustedPublisher(p.pubKey));
 
            TrustChanges changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(trustedKeys->quorum() == std::ceil(keysTotal * 0.8f));
            BEAST_EXPECT(trustedKeys->getTrustedMasterKeys().size() == keysTotal);
 
            hash_set<NodeID> added;
            added.insert(calcNodeID(self.masterPublic));
            for (auto const& val : valKeys)
            {
                BEAST_EXPECT(trustedKeys->trusted(val.masterPublic));
                added.insert(calcNodeID(val.masterPublic));
            }
            BEAST_EXPECT(changes.added == added);
            BEAST_EXPECT(changes.removed.empty());
 
            // Expire one publisher - only trusted validator is self
            env.timeKeeper().set(publishers.back().expiry);
            changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(trustedKeys->quorum() == quorumDisabled);
            BEAST_EXPECT(trustedKeys->getTrustedMasterKeys().size() == 1);
 
            hash_set<NodeID> removed;
            BEAST_EXPECT(trustedKeys->trusted(self.masterPublic));
            for (auto const& val : valKeys)
            {
                BEAST_EXPECT(trustedKeys->listed(val.masterPublic));
                BEAST_EXPECT(!trustedKeys->trusted(val.masterPublic));
                removed.insert(calcNodeID(val.masterPublic));
            }
            BEAST_EXPECT(changes.added.empty());
            BEAST_EXPECT(changes.removed == removed);
        }
        {
            // List threshold = 5 (same as number of trusted publishers)
            ManifestCache pubManifests;
            ManifestCache valManifests;
            std::vector<Publisher> publishers;
            auto const keysTotal = valKeys.size();
            auto trustedKeys = makeValidatorList(
                5,  //
                0,
                5,
                pubManifests,
                valManifests,
                {},
                publishers);
            BEAST_EXPECT(trustedKeys->getListThreshold() == 5);
            for (auto const& p : publishers)
                BEAST_EXPECT(trustedKeys->trustedPublisher(p.pubKey));
 
            TrustChanges changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(trustedKeys->quorum() == std::ceil(keysTotal * 0.8f));
            BEAST_EXPECT(trustedKeys->getTrustedMasterKeys().size() == keysTotal);
 
            hash_set<NodeID> added;
            for (auto const& val : valKeys)
            {
                BEAST_EXPECT(trustedKeys->trusted(val.masterPublic));
                added.insert(calcNodeID(val.masterPublic));
            }
            BEAST_EXPECT(changes.added == added);
            BEAST_EXPECT(changes.removed.empty());
 
            // Expire one publisher - no trusted validators
            env.timeKeeper().set(publishers.back().expiry);
            changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(trustedKeys->quorum() == quorumDisabled);
            BEAST_EXPECT(trustedKeys->getTrustedMasterKeys().size() == 0);
 
            hash_set<NodeID> removed;
            for (auto const& val : valKeys)
            {
                BEAST_EXPECT(trustedKeys->listed(val.masterPublic));
                BEAST_EXPECT(!trustedKeys->trusted(val.masterPublic));
                removed.insert(calcNodeID(val.masterPublic));
            }
            BEAST_EXPECT(changes.added.empty());
            BEAST_EXPECT(changes.removed == removed);
        }
        {
            // List threshold = 4, 1 publisher is revoked
            ManifestCache pubManifests;
            ManifestCache valManifests;
            std::vector<Publisher> publishers;
            // Self is in UNL
            auto const self = valKeys[1];
            auto const keysTotal = valKeys.size();
            auto trustedKeys = makeValidatorList(
                5,  //
                1,
                4,
                pubManifests,
                valManifests,
                self,
                publishers);
            BEAST_EXPECT(trustedKeys->getListThreshold() == 4);
            int untrustedCount = 0;
            for (auto const& p : publishers)
            {
                bool const trusted = trustedKeys->trustedPublisher(p.pubKey);
                BEAST_EXPECT(p.revoked ^ trusted);
                untrustedCount += trusted ? 0 : 1;
            }
            BEAST_EXPECT(untrustedCount == 1);
 
            TrustChanges changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(trustedKeys->quorum() == std::ceil(keysTotal * 0.8f));
            BEAST_EXPECT(trustedKeys->getTrustedMasterKeys().size() == keysTotal);
 
            hash_set<NodeID> added;
            for (auto const& val : valKeys)
            {
                BEAST_EXPECT(trustedKeys->trusted(val.masterPublic));
                added.insert(calcNodeID(val.masterPublic));
            }
            BEAST_EXPECT(changes.added == added);
            BEAST_EXPECT(changes.removed.empty());
 
            // Expire one publisher - only trusted validator is self
            env.timeKeeper().set(publishers.back().expiry);
            changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(trustedKeys->quorum() == quorumDisabled);
            BEAST_EXPECT(trustedKeys->getTrustedMasterKeys().size() == 1);
 
            hash_set<NodeID> removed;
            BEAST_EXPECT(trustedKeys->trusted(self.masterPublic));
            for (auto const& val : valKeys)
            {
                BEAST_EXPECT(trustedKeys->listed(val.masterPublic));
                if (val.masterPublic != self.masterPublic)
                {
                    BEAST_EXPECT(!trustedKeys->trusted(val.masterPublic));
                    removed.insert(calcNodeID(val.masterPublic));
                }
            }
            BEAST_EXPECT(changes.added.empty());
            BEAST_EXPECT(changes.removed == removed);
        }
        {
            // List threshold = 3 (default), 2 publishers are revoked
            ManifestCache pubManifests;
            ManifestCache valManifests;
            std::vector<Publisher> publishers;
            // Self is a random validator
            auto const self = randomValidator();
            auto const keysTotal = valKeys.size() + 1;
            auto trustedKeys = makeValidatorList(
                5,  //
                2,
                0,
                pubManifests,
                valManifests,
                self,
                publishers);
            BEAST_EXPECT(trustedKeys->getListThreshold() == 3);
            int untrustedCount = 0;
            for (auto const& p : publishers)
            {
                bool const trusted = trustedKeys->trustedPublisher(p.pubKey);
                BEAST_EXPECT(p.revoked ^ trusted);
                untrustedCount += trusted ? 0 : 1;
            }
            BEAST_EXPECT(untrustedCount == 2);
 
            TrustChanges changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(trustedKeys->quorum() == std::ceil(keysTotal * 0.8f));
            BEAST_EXPECT(trustedKeys->getTrustedMasterKeys().size() == keysTotal);
 
            hash_set<NodeID> added;
            added.insert(calcNodeID(self.masterPublic));
            for (auto const& val : valKeys)
            {
                BEAST_EXPECT(trustedKeys->trusted(val.masterPublic));
                added.insert(calcNodeID(val.masterPublic));
            }
            BEAST_EXPECT(changes.added == added);
            BEAST_EXPECT(changes.removed.empty());
 
            // Expire one publisher - no quorum, only trusted validator is self
            env.timeKeeper().set(publishers.back().expiry);
            changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(trustedKeys->quorum() == quorumDisabled);
            BEAST_EXPECT(trustedKeys->getTrustedMasterKeys().size() == 1);
 
            hash_set<NodeID> removed;
            BEAST_EXPECT(trustedKeys->trusted(self.masterPublic));
            for (auto const& val : valKeys)
            {
                BEAST_EXPECT(trustedKeys->listed(val.masterPublic));
                BEAST_EXPECT(!trustedKeys->trusted(val.masterPublic));
                removed.insert(calcNodeID(val.masterPublic));
            }
            BEAST_EXPECT(changes.added.empty());
            BEAST_EXPECT(changes.removed == removed);
        }
        {
            // List threshold = 3 (default), 2 publishers are revoked
            ManifestCache pubManifests;
            ManifestCache valManifests;
            std::vector<Publisher> publishers;
            // Self is in UNL
            auto const self = valKeys[5];
            auto const keysTotal = valKeys.size();
            auto trustedKeys = makeValidatorList(
                5,  //
                2,
                0,
                pubManifests,
                valManifests,
                self,
                publishers);
            BEAST_EXPECT(trustedKeys->getListThreshold() == 3);
            int untrustedCount = 0;
            for (auto const& p : publishers)
            {
                bool const trusted = trustedKeys->trustedPublisher(p.pubKey);
                BEAST_EXPECT(p.revoked ^ trusted);
                untrustedCount += trusted ? 0 : 1;
            }
            BEAST_EXPECT(untrustedCount == 2);
 
            TrustChanges changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(trustedKeys->quorum() == std::ceil(keysTotal * 0.8f));
            BEAST_EXPECT(trustedKeys->getTrustedMasterKeys().size() == keysTotal);
 
            hash_set<NodeID> added;
            for (auto const& val : valKeys)
            {
                BEAST_EXPECT(trustedKeys->trusted(val.masterPublic));
                added.insert(calcNodeID(val.masterPublic));
            }
            BEAST_EXPECT(changes.added == added);
            BEAST_EXPECT(changes.removed.empty());
 
            // Expire one publisher - no quorum, only trusted validator is self
            env.timeKeeper().set(publishers.back().expiry);
            changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(trustedKeys->quorum() == quorumDisabled);
            BEAST_EXPECT(trustedKeys->getTrustedMasterKeys().size() == 1);
 
            hash_set<NodeID> removed;
            BEAST_EXPECT(trustedKeys->trusted(self.masterPublic));
            for (auto const& val : valKeys)
            {
                BEAST_EXPECT(trustedKeys->listed(val.masterPublic));
                if (val.masterPublic != self.masterPublic)
                {
                    BEAST_EXPECT(!trustedKeys->trusted(val.masterPublic));
                    removed.insert(calcNodeID(val.masterPublic));
                }
            }
            BEAST_EXPECT(changes.added.empty());
            BEAST_EXPECT(changes.removed == removed);
        }
        {
            // List threshold = 3 (default), 2 publishers are revoked
            ManifestCache pubManifests;
            ManifestCache valManifests;
            std::vector<Publisher> publishers;
            auto const keysTotal = valKeys.size();
            auto trustedKeys = makeValidatorList(
                5,  //
                2,
                0,
                pubManifests,
                valManifests,
                {},
                publishers);
            BEAST_EXPECT(trustedKeys->getListThreshold() == 3);
            int untrustedCount = 0;
            for (auto const& p : publishers)
            {
                bool const trusted = trustedKeys->trustedPublisher(p.pubKey);
                BEAST_EXPECT(p.revoked ^ trusted);
                untrustedCount += trusted ? 0 : 1;
            }
            BEAST_EXPECT(untrustedCount == 2);
 
            TrustChanges changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(trustedKeys->quorum() == std::ceil(keysTotal * 0.8f));
            BEAST_EXPECT(trustedKeys->getTrustedMasterKeys().size() == keysTotal);
 
            hash_set<NodeID> added;
            for (auto const& val : valKeys)
            {
                BEAST_EXPECT(trustedKeys->trusted(val.masterPublic));
                added.insert(calcNodeID(val.masterPublic));
            }
            BEAST_EXPECT(changes.added == added);
            BEAST_EXPECT(changes.removed.empty());
 
            // Expire one publisher - no quorum, no trusted validators
            env.timeKeeper().set(publishers.back().expiry);
            changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(trustedKeys->quorum() == quorumDisabled);
            BEAST_EXPECT(trustedKeys->getTrustedMasterKeys().size() == 0);
 
            hash_set<NodeID> removed;
            for (auto const& val : valKeys)
            {
                BEAST_EXPECT(trustedKeys->listed(val.masterPublic));
                BEAST_EXPECT(!trustedKeys->trusted(val.masterPublic));
                removed.insert(calcNodeID(val.masterPublic));
            }
            BEAST_EXPECT(changes.added.empty());
            BEAST_EXPECT(changes.removed == removed);
        }
        {
            // List threshold = 2, 1 publisher is revoked
            ManifestCache pubManifests;
            ManifestCache valManifests;
            std::vector<Publisher> publishers;
            // Self is a random validator
            auto const self = randomValidator();
            auto const keysTotal = valKeys.size() + 1;
            auto trustedKeys = makeValidatorList(
                5,  //
                1,
                2,
                pubManifests,
                valManifests,
                self,
                publishers);
            BEAST_EXPECT(trustedKeys->getListThreshold() == 2);
            int untrustedCount = 0;
            for (auto const& p : publishers)
            {
                bool const trusted = trustedKeys->trustedPublisher(p.pubKey);
                BEAST_EXPECT(p.revoked ^ trusted);
                untrustedCount += trusted ? 0 : 1;
            }
            BEAST_EXPECT(untrustedCount == 1);
 
            TrustChanges changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(trustedKeys->quorum() == std::ceil(keysTotal * 0.8f));
            BEAST_EXPECT(trustedKeys->getTrustedMasterKeys().size() == keysTotal);
 
            hash_set<NodeID> added;
            added.insert(calcNodeID(self.masterPublic));
            for (auto const& val : valKeys)
            {
                BEAST_EXPECT(trustedKeys->trusted(val.masterPublic));
                added.insert(calcNodeID(val.masterPublic));
            }
            BEAST_EXPECT(changes.added == added);
            BEAST_EXPECT(changes.removed.empty());
 
            // Expire one publisher - no quorum
            env.timeKeeper().set(publishers.back().expiry);
            changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(trustedKeys->quorum() == quorumDisabled);
            BEAST_EXPECT(trustedKeys->getTrustedMasterKeys().size() == keysTotal);
 
            BEAST_EXPECT(trustedKeys->trusted(self.masterPublic));
            for (auto const& val : valKeys)
            {
                BEAST_EXPECT(trustedKeys->listed(val.masterPublic));
                BEAST_EXPECT(trustedKeys->trusted(val.masterPublic));
            }
            BEAST_EXPECT(changes.added.empty());
            BEAST_EXPECT(changes.removed.empty());
        }
        {
            // List threshold = 1
            ManifestCache pubManifests;
            ManifestCache valManifests;
            std::vector<Publisher> publishers;
            // Self is a random validator
            auto const self = randomValidator();
            auto const keysTotal = valKeys.size() + 1;
            auto trustedKeys = makeValidatorList(
                5,  //
                0,
                1,
                pubManifests,
                valManifests,
                self,
                publishers);
            BEAST_EXPECT(trustedKeys->getListThreshold() == 1);
            for (auto const& p : publishers)
                BEAST_EXPECT(trustedKeys->trustedPublisher(p.pubKey));
 
            TrustChanges changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(trustedKeys->quorum() == std::ceil(keysTotal * 0.8f));
            BEAST_EXPECT(trustedKeys->getTrustedMasterKeys().size() == keysTotal);
 
            hash_set<NodeID> added;
            added.insert(calcNodeID(self.masterPublic));
            for (auto const& val : valKeys)
            {
                BEAST_EXPECT(trustedKeys->trusted(val.masterPublic));
                added.insert(calcNodeID(val.masterPublic));
            }
            BEAST_EXPECT(changes.added == added);
            BEAST_EXPECT(changes.removed.empty());
 
            // Expire one publisher - no quorum
            env.timeKeeper().set(publishers.back().expiry);
            changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(trustedKeys->quorum() == quorumDisabled);
            BEAST_EXPECT(trustedKeys->getTrustedMasterKeys().size() == keysTotal);
 
            BEAST_EXPECT(trustedKeys->trusted(self.masterPublic));
            for (auto const& val : valKeys)
            {
                BEAST_EXPECT(trustedKeys->listed(val.masterPublic));
                BEAST_EXPECT(trustedKeys->trusted(val.masterPublic));
            }
            BEAST_EXPECT(changes.added.empty());
            BEAST_EXPECT(changes.removed.empty());
        }
        {
            // List threshold = 1
            ManifestCache pubManifests;
            ManifestCache valManifests;
            std::vector<Publisher> publishers;
            // Self is in UNL
            auto const self = valKeys[7];
            auto const keysTotal = valKeys.size();
            auto trustedKeys = makeValidatorList(
                5,  //
                0,
                1,
                pubManifests,
                valManifests,
                self,
                publishers);
            BEAST_EXPECT(trustedKeys->getListThreshold() == 1);
            for (auto const& p : publishers)
                BEAST_EXPECT(trustedKeys->trustedPublisher(p.pubKey));
 
            TrustChanges changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(trustedKeys->quorum() == std::ceil(keysTotal * 0.8f));
            BEAST_EXPECT(trustedKeys->getTrustedMasterKeys().size() == keysTotal);
 
            hash_set<NodeID> added;
            for (auto const& val : valKeys)
            {
                BEAST_EXPECT(trustedKeys->trusted(val.masterPublic));
                added.insert(calcNodeID(val.masterPublic));
            }
            BEAST_EXPECT(changes.added == added);
            BEAST_EXPECT(changes.removed.empty());
 
            // Expire one publisher - no quorum
            env.timeKeeper().set(publishers.back().expiry);
            changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(trustedKeys->quorum() == quorumDisabled);
            BEAST_EXPECT(trustedKeys->getTrustedMasterKeys().size() == keysTotal);
 
            BEAST_EXPECT(trustedKeys->trusted(self.masterPublic));
            for (auto const& val : valKeys)
            {
                BEAST_EXPECT(trustedKeys->listed(val.masterPublic));
                BEAST_EXPECT(trustedKeys->trusted(val.masterPublic));
            }
            BEAST_EXPECT(changes.added.empty());
            BEAST_EXPECT(changes.removed.empty());
        }
        {
            // List threshold = 1
            ManifestCache pubManifests;
            ManifestCache valManifests;
            std::vector<Publisher> publishers;
            auto const keysTotal = valKeys.size();
            auto trustedKeys = makeValidatorList(
                5,  //
                0,
                1,
                pubManifests,
                valManifests,
                {},
                publishers);
            BEAST_EXPECT(trustedKeys->getListThreshold() == 1);
            for (auto const& p : publishers)
                BEAST_EXPECT(trustedKeys->trustedPublisher(p.pubKey));
 
            TrustChanges changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(trustedKeys->quorum() == std::ceil(keysTotal * 0.8f));
            BEAST_EXPECT(trustedKeys->getTrustedMasterKeys().size() == keysTotal);
 
            hash_set<NodeID> added;
            for (auto const& val : valKeys)
            {
                BEAST_EXPECT(trustedKeys->trusted(val.masterPublic));
                added.insert(calcNodeID(val.masterPublic));
            }
            BEAST_EXPECT(changes.added == added);
            BEAST_EXPECT(changes.removed.empty());
 
            // Expire one publisher - no quorum
            env.timeKeeper().set(publishers.back().expiry);
            changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(trustedKeys->quorum() == quorumDisabled);
            BEAST_EXPECT(trustedKeys->getTrustedMasterKeys().size() == keysTotal);
 
            for (auto const& val : valKeys)
            {
                BEAST_EXPECT(trustedKeys->listed(val.masterPublic));
                BEAST_EXPECT(trustedKeys->trusted(val.masterPublic));
            }
            BEAST_EXPECT(changes.added.empty());
            BEAST_EXPECT(changes.removed.empty());
        }
 
        // Test cases use 2 publishers
        {
            // List threshold = 1, 1 publisher revoked
            ManifestCache pubManifests;
            ManifestCache valManifests;
            std::vector<Publisher> publishers;
            // Self is a random validator
            auto const self = randomValidator();
            auto const keysTotal = valKeys.size() + 1;
            auto trustedKeys = makeValidatorList(
                2,  //
                1,
                1,
                pubManifests,
                valManifests,
                self,
                publishers);
            BEAST_EXPECT(trustedKeys->getListThreshold() == 1);
            int untrustedCount = 0;
            for (auto const& p : publishers)
            {
                bool const trusted = trustedKeys->trustedPublisher(p.pubKey);
                BEAST_EXPECT(p.revoked ^ trusted);
                untrustedCount += trusted ? 0 : 1;
            }
            BEAST_EXPECT(untrustedCount == 1);
 
            TrustChanges changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(trustedKeys->quorum() == quorumDisabled);
            BEAST_EXPECT(trustedKeys->getTrustedMasterKeys().size() == keysTotal);
 
            hash_set<NodeID> added;
            added.insert(calcNodeID(self.masterPublic));
            for (auto const& val : valKeys)
            {
                BEAST_EXPECT(trustedKeys->trusted(val.masterPublic));
                added.insert(calcNodeID(val.masterPublic));
            }
            BEAST_EXPECT(changes.added == added);
            BEAST_EXPECT(changes.removed.empty());
 
            // Expire one publisher - no quorum, only trusted validator is self
            env.timeKeeper().set(publishers.back().expiry);
            changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(trustedKeys->quorum() == quorumDisabled);
            BEAST_EXPECT(trustedKeys->getTrustedMasterKeys().size() == 1);
 
            hash_set<NodeID> removed;
            BEAST_EXPECT(trustedKeys->trusted(self.masterPublic));
            for (auto const& val : valKeys)
            {
                BEAST_EXPECT(!trustedKeys->listed(val.masterPublic));
                BEAST_EXPECT(!trustedKeys->trusted(val.masterPublic));
                removed.insert(calcNodeID(val.masterPublic));
            }
            BEAST_EXPECT(changes.added.empty());
            BEAST_EXPECT(changes.removed == removed);
        }
        {
            // List threshold = 1, 1 publisher revoked
            ManifestCache pubManifests;
            ManifestCache valManifests;
            std::vector<Publisher> publishers;
            // Self is in UNL
            auto const self = valKeys[5];
            auto const keysTotal = valKeys.size();
            auto trustedKeys = makeValidatorList(
                2,  //
                1,
                1,
                pubManifests,
                valManifests,
                self,
                publishers);
            BEAST_EXPECT(trustedKeys->getListThreshold() == 1);
            int untrustedCount = 0;
            for (auto const& p : publishers)
            {
                bool const trusted = trustedKeys->trustedPublisher(p.pubKey);
                BEAST_EXPECT(p.revoked ^ trusted);
                untrustedCount += trusted ? 0 : 1;
            }
            BEAST_EXPECT(untrustedCount == 1);
 
            TrustChanges changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(trustedKeys->quorum() == quorumDisabled);
            BEAST_EXPECT(trustedKeys->getTrustedMasterKeys().size() == keysTotal);
 
            hash_set<NodeID> added;
            for (auto const& val : valKeys)
            {
                BEAST_EXPECT(trustedKeys->trusted(val.masterPublic));
                added.insert(calcNodeID(val.masterPublic));
            }
            BEAST_EXPECT(changes.added == added);
            BEAST_EXPECT(changes.removed.empty());
 
            // Expire one publisher - no quorum, only trusted validator is self
            env.timeKeeper().set(publishers.back().expiry);
            changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(trustedKeys->quorum() == quorumDisabled);
            BEAST_EXPECT(trustedKeys->getTrustedMasterKeys().size() == 1);
 
            hash_set<NodeID> removed;
            BEAST_EXPECT(trustedKeys->trusted(self.masterPublic));
            for (auto const& val : valKeys)
            {
                if (val.masterPublic != self.masterPublic)
                {
                    BEAST_EXPECT(!trustedKeys->listed(val.masterPublic));
                    BEAST_EXPECT(!trustedKeys->trusted(val.masterPublic));
                    removed.insert(calcNodeID(val.masterPublic));
                }
            }
            BEAST_EXPECT(changes.added.empty());
            BEAST_EXPECT(changes.removed == removed);
        }
        {
            // List threshold = 1, 1 publisher revoked
            ManifestCache pubManifests;
            ManifestCache valManifests;
            std::vector<Publisher> publishers;
            auto const keysTotal = valKeys.size();
            auto trustedKeys = makeValidatorList(
                2,  //
                1,
                1,
                pubManifests,
                valManifests,
                {},
                publishers);
            BEAST_EXPECT(trustedKeys->getListThreshold() == 1);
            int untrustedCount = 0;
            for (auto const& p : publishers)
            {
                bool const trusted = trustedKeys->trustedPublisher(p.pubKey);
                BEAST_EXPECT(p.revoked ^ trusted);
                untrustedCount += trusted ? 0 : 1;
            }
            BEAST_EXPECT(untrustedCount == 1);
 
            TrustChanges changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(trustedKeys->quorum() == quorumDisabled);
            BEAST_EXPECT(trustedKeys->getTrustedMasterKeys().size() == keysTotal);
 
            hash_set<NodeID> added;
            for (auto const& val : valKeys)
            {
                BEAST_EXPECT(trustedKeys->trusted(val.masterPublic));
                added.insert(calcNodeID(val.masterPublic));
            }
            BEAST_EXPECT(changes.added == added);
            BEAST_EXPECT(changes.removed.empty());
 
            // Expire one publisher - no quorum, no trusted validators
            env.timeKeeper().set(publishers.back().expiry);
            changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(trustedKeys->quorum() == quorumDisabled);
            BEAST_EXPECT(trustedKeys->getTrustedMasterKeys().size() == 0);
 
            hash_set<NodeID> removed;
            for (auto const& val : valKeys)
            {
                BEAST_EXPECT(!trustedKeys->listed(val.masterPublic));
                BEAST_EXPECT(!trustedKeys->trusted(val.masterPublic));
                removed.insert(calcNodeID(val.masterPublic));
            }
            BEAST_EXPECT(changes.added.empty());
            BEAST_EXPECT(changes.removed == removed);
        }
        {
            // List threshold = 2 (same as number of trusted publishers)
            ManifestCache pubManifests;
            ManifestCache valManifests;
            std::vector<Publisher> publishers;
            // Self is a random validator
            auto const self = randomValidator();
            auto const keysTotal = valKeys.size() + 1;
            auto trustedKeys = makeValidatorList(
                2,  //
                0,
                2,
                pubManifests,
                valManifests,
                self,
                publishers);
            BEAST_EXPECT(trustedKeys->getListThreshold() == 2);
            for (auto const& p : publishers)
                BEAST_EXPECT(trustedKeys->trustedPublisher(p.pubKey));
 
            TrustChanges changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(trustedKeys->quorum() == std::ceil(keysTotal * 0.8f));
            BEAST_EXPECT(trustedKeys->getTrustedMasterKeys().size() == keysTotal);
 
            hash_set<NodeID> added;
            added.insert(calcNodeID(self.masterPublic));
            for (auto const& val : valKeys)
            {
                BEAST_EXPECT(trustedKeys->trusted(val.masterPublic));
                added.insert(calcNodeID(val.masterPublic));
            }
            BEAST_EXPECT(changes.added == added);
            BEAST_EXPECT(changes.removed.empty());
 
            // Expire one publisher - only trusted validator is self
            env.timeKeeper().set(publishers.back().expiry);
            changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(trustedKeys->quorum() == quorumDisabled);
            BEAST_EXPECT(trustedKeys->getTrustedMasterKeys().size() == 1);
 
            hash_set<NodeID> removed;
            BEAST_EXPECT(trustedKeys->trusted(self.masterPublic));
            for (auto const& val : valKeys)
            {
                BEAST_EXPECT(trustedKeys->listed(val.masterPublic));
                BEAST_EXPECT(!trustedKeys->trusted(val.masterPublic));
                removed.insert(calcNodeID(val.masterPublic));
            }
            BEAST_EXPECT(changes.added.empty());
            BEAST_EXPECT(changes.removed == removed);
        }
        {
            // List threshold = 2 (same as number of trusted publishers)
            ManifestCache pubManifests;
            ManifestCache valManifests;
            std::vector<Publisher> publishers;
            // Self is in UNL
            auto const self = valKeys[5];
            auto const keysTotal = valKeys.size();
            auto trustedKeys = makeValidatorList(
                2,  //
                0,
                2,
                pubManifests,
                valManifests,
                self,
                publishers);
            BEAST_EXPECT(trustedKeys->getListThreshold() == 2);
            for (auto const& p : publishers)
                BEAST_EXPECT(trustedKeys->trustedPublisher(p.pubKey));
 
            TrustChanges changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(trustedKeys->quorum() == std::ceil(keysTotal * 0.8f));
            BEAST_EXPECT(trustedKeys->getTrustedMasterKeys().size() == keysTotal);
 
            hash_set<NodeID> added;
            added.insert(calcNodeID(self.masterPublic));
            for (auto const& val : valKeys)
            {
                BEAST_EXPECT(trustedKeys->trusted(val.masterPublic));
                added.insert(calcNodeID(val.masterPublic));
            }
            BEAST_EXPECT(changes.added == added);
            BEAST_EXPECT(changes.removed.empty());
 
            // Expire one publisher - only trusted validator is self
            env.timeKeeper().set(publishers.back().expiry);
            changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(trustedKeys->quorum() == quorumDisabled);
            BEAST_EXPECT(trustedKeys->getTrustedMasterKeys().size() == 1);
 
            hash_set<NodeID> removed;
            BEAST_EXPECT(trustedKeys->trusted(self.masterPublic));
            for (auto const& val : valKeys)
            {
                if (val.masterPublic != self.masterPublic)
                {
                    BEAST_EXPECT(trustedKeys->listed(val.masterPublic));
                    BEAST_EXPECT(!trustedKeys->trusted(val.masterPublic));
                    removed.insert(calcNodeID(val.masterPublic));
                }
            }
            BEAST_EXPECT(changes.added.empty());
            BEAST_EXPECT(changes.removed == removed);
        }
        {
            // List threshold = 2 (same as number of trusted publishers)
            ManifestCache pubManifests;
            ManifestCache valManifests;
            std::vector<Publisher> publishers;
            auto const keysTotal = valKeys.size();
            auto trustedKeys = makeValidatorList(
                2,  //
                0,
                2,
                pubManifests,
                valManifests,
                {},
                publishers);
            BEAST_EXPECT(trustedKeys->getListThreshold() == 2);
            for (auto const& p : publishers)
                BEAST_EXPECT(trustedKeys->trustedPublisher(p.pubKey));
 
            TrustChanges changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(trustedKeys->quorum() == std::ceil(keysTotal * 0.8f));
            BEAST_EXPECT(trustedKeys->getTrustedMasterKeys().size() == keysTotal);
 
            hash_set<NodeID> added;
            for (auto const& val : valKeys)
            {
                BEAST_EXPECT(trustedKeys->trusted(val.masterPublic));
                added.insert(calcNodeID(val.masterPublic));
            }
            BEAST_EXPECT(changes.added == added);
            BEAST_EXPECT(changes.removed.empty());
 
            // Expire one publisher - no trusted validators
            env.timeKeeper().set(publishers.back().expiry);
            changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(trustedKeys->quorum() == quorumDisabled);
            BEAST_EXPECT(trustedKeys->getTrustedMasterKeys().size() == 0);
 
            hash_set<NodeID> removed;
            for (auto const& val : valKeys)
            {
                BEAST_EXPECT(trustedKeys->listed(val.masterPublic));
                BEAST_EXPECT(!trustedKeys->trusted(val.masterPublic));
                removed.insert(calcNodeID(val.masterPublic));
            }
            BEAST_EXPECT(changes.added.empty());
            BEAST_EXPECT(changes.removed == removed);
        }
 
        // Test case for 1 publisher
        {
            // List threshold = 1 (default), no publisher revoked
            ManifestCache pubManifests;
            ManifestCache valManifests;
            std::vector<Publisher> publishers;
            // Self is a random validator
            auto const self = randomValidator();
            auto const keysTotal = valKeys.size() + 1;
            auto trustedKeys = makeValidatorList(
                1,  //
                0,
                0,
                pubManifests,
                valManifests,
                self,
                publishers);
            BEAST_EXPECT(trustedKeys->getListThreshold() == 1);
            for (auto const& p : publishers)
                BEAST_EXPECT(trustedKeys->trustedPublisher(p.pubKey));
 
            TrustChanges changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(trustedKeys->quorum() == std::ceil(keysTotal * 0.8f));
            BEAST_EXPECT(trustedKeys->getTrustedMasterKeys().size() == keysTotal);
 
            hash_set<NodeID> added;
            added.insert(calcNodeID(self.masterPublic));
            for (auto const& val : valKeys)
            {
                BEAST_EXPECT(trustedKeys->trusted(val.masterPublic));
                added.insert(calcNodeID(val.masterPublic));
            }
            BEAST_EXPECT(changes.added == added);
            BEAST_EXPECT(changes.removed.empty());
 
            // Expire one publisher - no quorum, only trusted validator is self
            env.timeKeeper().set(publishers.back().expiry);
            changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(trustedKeys->quorum() == quorumDisabled);
            BEAST_EXPECT(trustedKeys->getTrustedMasterKeys().size() == 1);
 
            hash_set<NodeID> removed;
            BEAST_EXPECT(trustedKeys->trusted(self.masterPublic));
            for (auto const& val : valKeys)
            {
                BEAST_EXPECT(!trustedKeys->listed(val.masterPublic));
                BEAST_EXPECT(!trustedKeys->trusted(val.masterPublic));
                removed.insert(calcNodeID(val.masterPublic));
            }
            BEAST_EXPECT(changes.added.empty());
            BEAST_EXPECT(changes.removed == removed);
        }
 
        // Test case for 3 publishers (for 2 is a block above)
        {
            // List threshold = 2 (default), no publisher revoked
            ManifestCache pubManifests;
            ManifestCache valManifests;
            std::vector<Publisher> publishers;
            // Self is in UNL
            auto const self = valKeys[2];
            auto const keysTotal = valKeys.size();
            auto trustedKeys = makeValidatorList(
                3,  //
                0,
                0,
                pubManifests,
                valManifests,
                self,
                publishers);
            BEAST_EXPECT(trustedKeys->getListThreshold() == 2);
            for (auto const& p : publishers)
                BEAST_EXPECT(trustedKeys->trustedPublisher(p.pubKey));
 
            TrustChanges changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(trustedKeys->quorum() == std::ceil(keysTotal * 0.8f));
            BEAST_EXPECT(trustedKeys->getTrustedMasterKeys().size() == keysTotal);
 
            hash_set<NodeID> added;
            for (auto const& val : valKeys)
            {
                BEAST_EXPECT(trustedKeys->trusted(val.masterPublic));
                added.insert(calcNodeID(val.masterPublic));
            }
            BEAST_EXPECT(changes.added == added);
            BEAST_EXPECT(changes.removed.empty());
        }
 
        // Test case for 4 publishers
        {
            // List threshold = 3 (default), no publisher revoked
            ManifestCache pubManifests;
            ManifestCache valManifests;
            std::vector<Publisher> publishers;
            auto const keysTotal = valKeys.size();
            auto trustedKeys = makeValidatorList(
                4,  //
                0,
                0,
                pubManifests,
                valManifests,
                {},
                publishers);
            BEAST_EXPECT(trustedKeys->getListThreshold() == 3);
            for (auto const& p : publishers)
                BEAST_EXPECT(trustedKeys->trustedPublisher(p.pubKey));
 
            TrustChanges changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(trustedKeys->quorum() == std::ceil(keysTotal * 0.8f));
            BEAST_EXPECT(trustedKeys->getTrustedMasterKeys().size() == keysTotal);
 
            hash_set<NodeID> added;
            for (auto const& val : valKeys)
            {
                BEAST_EXPECT(trustedKeys->trusted(val.masterPublic));
                added.insert(calcNodeID(val.masterPublic));
            }
            BEAST_EXPECT(changes.added == added);
            BEAST_EXPECT(changes.removed.empty());
        }
 
        // Test case for 6 publishers (for 5 is a large block above)
        {
            // List threshold = 4 (default), 2 publishers revoked
            ManifestCache pubManifests;
            ManifestCache valManifests;
            std::vector<Publisher> publishers;
            // Self is a random validator
            auto const self = randomValidator();
            auto const keysTotal = valKeys.size() + 1;
            auto trustedKeys = makeValidatorList(
                6,  //
                2,
                0,
                pubManifests,
                valManifests,
                self,
                publishers);
            BEAST_EXPECT(trustedKeys->getListThreshold() == 4);
            int untrustedCount = 0;
            for (auto const& p : publishers)
            {
                bool const trusted = trustedKeys->trustedPublisher(p.pubKey);
                BEAST_EXPECT(p.revoked ^ trusted);
                untrustedCount += trusted ? 0 : 1;
            }
            BEAST_EXPECT(untrustedCount == 2);
 
            TrustChanges changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(trustedKeys->quorum() == std::ceil(keysTotal * 0.8f));
            BEAST_EXPECT(trustedKeys->getTrustedMasterKeys().size() == keysTotal);
 
            hash_set<NodeID> added;
            added.insert(calcNodeID(self.masterPublic));
            for (auto const& val : valKeys)
            {
                BEAST_EXPECT(trustedKeys->trusted(val.masterPublic));
                added.insert(calcNodeID(val.masterPublic));
            }
            BEAST_EXPECT(changes.added == added);
            BEAST_EXPECT(changes.removed.empty());
 
            // Expire one publisher - no quorum, only trusted validator is self
            env.timeKeeper().set(publishers.back().expiry);
            changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(trustedKeys->quorum() == quorumDisabled);
            BEAST_EXPECT(trustedKeys->getTrustedMasterKeys().size() == 1);
 
            hash_set<NodeID> removed;
            BEAST_EXPECT(trustedKeys->trusted(self.masterPublic));
            for (auto const& val : valKeys)
            {
                BEAST_EXPECT(trustedKeys->listed(val.masterPublic));
                BEAST_EXPECT(!trustedKeys->trusted(val.masterPublic));
                removed.insert(calcNodeID(val.masterPublic));
            }
            BEAST_EXPECT(changes.added.empty());
            BEAST_EXPECT(changes.removed == removed);
        }
 
        // Test case for 7 publishers
        {
            // List threshold = 4 (default), 3 publishers revoked
            ManifestCache pubManifests;
            ManifestCache valManifests;
            std::vector<Publisher> publishers;
            // Self is in UNL
            auto const self = valKeys[2];
            auto const keysTotal = valKeys.size();
            auto trustedKeys = makeValidatorList(
                7,  //
                3,
                0,
                pubManifests,
                valManifests,
                self,
                publishers);
            BEAST_EXPECT(trustedKeys->getListThreshold() == 4);
            int untrustedCount = 0;
            for (auto const& p : publishers)
            {
                bool const trusted = trustedKeys->trustedPublisher(p.pubKey);
                BEAST_EXPECT(p.revoked ^ trusted);
                untrustedCount += trusted ? 0 : 1;
            }
            BEAST_EXPECT(untrustedCount == 3);
 
            TrustChanges changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(trustedKeys->quorum() == std::ceil(keysTotal * 0.8f));
            BEAST_EXPECT(trustedKeys->getTrustedMasterKeys().size() == keysTotal);
 
            hash_set<NodeID> added;
            for (auto const& val : valKeys)
            {
                BEAST_EXPECT(trustedKeys->trusted(val.masterPublic));
                added.insert(calcNodeID(val.masterPublic));
            }
            BEAST_EXPECT(changes.added == added);
            BEAST_EXPECT(changes.removed.empty());
 
            // Expire one publisher - only trusted validator is self
            env.timeKeeper().set(publishers.back().expiry);
            changes = trustedKeys->updateTrusted(
                activeValidators,
                env.timeKeeper().now(),
                env.app().getOPs(),
                env.app().overlay(),
                env.app().getHashRouter());
            BEAST_EXPECT(trustedKeys->quorum() == quorumDisabled);
            BEAST_EXPECT(trustedKeys->getTrustedMasterKeys().size() == 1);
 
            hash_set<NodeID> removed;
            BEAST_EXPECT(trustedKeys->trusted(self.masterPublic));
            for (auto const& val : valKeys)
            {
                if (val.masterPublic != self.masterPublic)
                {
                    BEAST_EXPECT(trustedKeys->listed(val.masterPublic));
                    BEAST_EXPECT(!trustedKeys->trusted(val.masterPublic));
                    removed.insert(calcNodeID(val.masterPublic));
                }
            }
            BEAST_EXPECT(changes.added.empty());
            BEAST_EXPECT(changes.removed == removed);
        }
    }
 
public:
    void
    run() override
    {
        testGenesisQuorum();
        testConfigLoad();
        testApplyLists();
        testGetAvailable();
        testUpdateTrusted();
        testExpires();
        testNegativeUNL();
        testSha512Hash();
        testBuildMessages();
        testQuorumDisabled();
    }
};  // namespace test
 
BEAST_DEFINE_TESTSUITE(ValidatorList, app, xrpl);
 
}  // namespace test
}  // namespace xrpl