feat: add attestation verifier

alanshaw · frrist · commit 1ab1a31aa547 · 2026-05-28T17:36:24.000-07:00
diff --git a/go.sum b/go.sum
@@ -553,14 +553,10 @@ github.com/fil-forge/go-ipni-tools v0.0.0-20260519194815-545b9421aec0 h1:HAfXUPv
 github.com/fil-forge/go-ipni-tools v0.0.0-20260519194815-545b9421aec0/go.mod h1:3NRV/7wc4/0uzzrGdI7NoN/yeF1UvqKRwMyjBqGc5s0=
 github.com/fil-forge/go-ucanto v0.0.0-20260507172450-5cb5d073f8ab h1:2J2cDThqTKP6/0k3SfdlSxfyPa3aLqjTYnmvbEcryfg=
 github.com/fil-forge/go-ucanto v0.0.0-20260507172450-5cb5d073f8ab/go.mod h1:lZF3UXZ2hGLKYmXdquG50JqI9pRlUrV6lubGtgOYfwc=
-github.com/fil-forge/libforge v0.0.0-20260527084616-1c83212df033 h1:Orw344bJoiOnYYXVkt6sH573hYBl/hpyuNri6CeArNY=
-github.com/fil-forge/libforge v0.0.0-20260527084616-1c83212df033/go.mod h1:1ytnrneNEeJcskEbsRDtNZY/Jvgo2Yw5szIUI/9EWPk=
 github.com/fil-forge/libforge v0.0.0-20260527182359-ebb22552c348 h1:roYe4llNv0fpQnvXMontrdt/hy9kH5K/cnNsXmhqId4=
 github.com/fil-forge/libforge v0.0.0-20260527182359-ebb22552c348/go.mod h1:1ytnrneNEeJcskEbsRDtNZY/Jvgo2Yw5szIUI/9EWPk=
 github.com/fil-forge/piri-signing-service v0.0.0-20260527011208-918512802357 h1:sTK8Yc/kds7MkG0cpK5DGDtDCtU1ZwgQWc4OzRf3ZP4=
 github.com/fil-forge/piri-signing-service v0.0.0-20260527011208-918512802357/go.mod h1:fgg5hE/BlnFlR5qXsT0POv6GWVu7cj526s7v2+mdJXo=
-github.com/fil-forge/ucantone v0.0.0-20260522152152-eda937bc2684 h1:kWJLKVltJXPXO7tKS1z0GhzA+c59gwhediGyByEXE0o=
-github.com/fil-forge/ucantone v0.0.0-20260522152152-eda937bc2684/go.mod h1:XAVqsZwYoZ9vncjZoRUAJ+mL/ApLMFn9HHX7ipohVdY=
 github.com/fil-forge/ucantone v0.0.0-20260527115858-517b03bc3c72 h1:FFK4CC7IfLfwa5ZQExdkZayPc6Tg0JgVK4jhn2hd2cY=
 github.com/fil-forge/ucantone v0.0.0-20260527115858-517b03bc3c72/go.mod h1:xQ1oQ2UgA8xFpNxpyj2v+jiW2KVDAi90xjy1OjUkNXI=
 github.com/filecoin-project/filecoin-ffi v1.34.0 h1:OvcsvsFUCwzLOGT949dsJEqSLyGx4d8TPPRrmrzlQbk=
diff --git a/pkg/service/publisher/publisher_test.go b/pkg/service/publisher/publisher_test.go
@@ -141,7 +141,7 @@ func TestPublisherService(t *testing.T) {
 				DID:    testutil.Bob.DID(),
 				Client: httpClient,
 			}),
-			WithIndexingServiceProof(proof),
+			WithIndexingServiceProof([]ucan.Delegation{proof}),
 		)
 		require.NoError(t, err)
 
diff --git a/pkg/ucanhandlers/ucanfx/fx.go b/pkg/ucanhandlers/ucanfx/fx.go
@@ -1,14 +1,17 @@
 package ucanfx
 
 import (
+	"bytes"
 	"context"
 	"fmt"
 	"time"
 
+	"github.com/fil-forge/libforge/commands/ucan/attest"
 	"github.com/fil-forge/libforge/didresolver"
 	"github.com/fil-forge/ucantone/did"
 	"github.com/fil-forge/ucantone/principal/verifier"
 	"github.com/fil-forge/ucantone/ucan"
+	ucantoken "github.com/fil-forge/ucantone/ucan/token"
 	"github.com/fil-forge/ucantone/validator"
 	"go.uber.org/fx"
 
@@ -47,14 +50,11 @@ var Module = fx.Module("ucan",
 			)
 			if cfg.InsecureDIDResolution {
 				httpResolver, err = didresolver.NewHTTPResolver(didresolver.InsecureResolution())
-				if err != nil {
-					return nil, fmt.Errorf("could not create http resolver: %w", err)
-				}
 			} else {
 				httpResolver, err = didresolver.NewHTTPResolver()
-				if err != nil {
-					return nil, fmt.Errorf("could not create http resolver: %w", err)
-				}
+			}
+			if err != nil {
+				return nil, fmt.Errorf("could not create http resolver: %w", err)
 			}
 
 			cachedRes, err := didresolver.NewCachedResolver(httpResolver.Resolve, 24*time.Hour)
@@ -73,6 +73,11 @@ var Module = fx.Module("ucan",
 			}, nil
 		},
 
+		// Trust attestations issued by the Forge upload service
+		func(cfg app.UCANServiceConfig, resolvers validator.VerifierResolverMap) validator.NonStandardSignatureVerifierFunc {
+			return newAttestationVerifier(cfg.Services.Upload.DID, resolvers)
+		},
+
 		// Server-wide options. Both transports need the DID verifier
 		// resolvers so they can validate UCANs signed by did:web identities
 		// (e.g. did:web:indexer, did:web:upload). Without the retrieval
@@ -84,11 +89,17 @@ var Module = fx.Module("ucan",
 		// hidden in the X-UCAN-Container header — which downstream
 		// clients (the indexer's blobindexlookup) mis-read as
 		// success-with-empty-body and then choke on CAR decode EOF.
-		ucanhandlers.ProvideRPCOption(func(resolver validator.VerifierResolverMap) server.HTTPOption {
-			return server.WithValidationOptions(validator.WithDIDVerifierResolvers(resolver))
+		ucanhandlers.ProvideRPCOption(func(resolver validator.VerifierResolverMap, verifyNonStandardSig validator.NonStandardSignatureVerifierFunc) server.HTTPOption {
+			return server.WithValidationOptions(
+				validator.WithDIDVerifierResolvers(resolver),
+				validator.WithNonStandardSignatureVerifier(verifyNonStandardSig),
+			)
 		}),
-		ucanhandlers.ProvideRetrievalOption(func(resolver validator.VerifierResolverMap) server.HTTPOption {
-			return server.WithValidationOptions(validator.WithDIDVerifierResolvers(resolver))
+		ucanhandlers.ProvideRetrievalOption(func(resolver validator.VerifierResolverMap, verifyNonStandardSig validator.NonStandardSignatureVerifierFunc) server.HTTPOption {
+			return server.WithValidationOptions(
+				validator.WithDIDVerifierResolvers(resolver),
+				validator.WithNonStandardSignatureVerifier(verifyNonStandardSig),
+			)
 		}),
 	),
 
@@ -98,3 +109,48 @@ var Module = fx.Module("ucan",
 	content.Module,
 	pdp.Module,
 )
+
+// newAttestationVerifier creates a [validator.NonStandardSignatureVerifierFunc]
+// that validates that a delegation is attested by the given authority.
+func newAttestationVerifier(authority did.DID, resolvers validator.VerifierResolverMap) validator.NonStandardSignatureVerifierFunc {
+	return func(ctx context.Context, token ucan.Token, meta ucan.Container) error {
+		resolver, ok := resolvers[authority.Method()]
+		if !ok {
+			return fmt.Errorf("no resolver for DID method: %s", authority.Method())
+		}
+		verifier, err := resolver(ctx, authority)
+		if err != nil {
+			return fmt.Errorf("could not resolve DID: %w", err)
+		}
+		// We only support attestations as delegations - attested delegation MUST
+		// delegate to an agent DID which is then used in the invocation.
+		dlg, ok := token.(ucan.Delegation)
+		if !ok {
+			return fmt.Errorf("token is not a delegation")
+		}
+		for _, inv := range meta.Invocations() {
+			if inv.Command() != attest.Proof.Command {
+				continue
+			}
+			// only trust attestations authority issued
+			if inv.Issuer() != authority || inv.Subject() == did.Undef || inv.Subject() != authority {
+				continue
+			}
+			var args attest.ProofArguments
+			if err := args.UnmarshalCBOR(bytes.NewReader(inv.ArgumentsBytes())); err != nil {
+				continue
+			}
+			// make sure the attestation is for the delegation in question
+			if args.Proof != dlg.Link() {
+				continue
+			}
+			// finally, make sure the signature is valid
+			ok, err := ucantoken.VerifySignature(inv, verifier)
+			if !ok || err != nil {
+				continue
+			}
+			return nil
+		}
+		return fmt.Errorf("no valid attestation found for delegation")
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -141,7 +141,7 @@ func TestPublisherService(t *testing.T) {`
`141`	`141`	`DID: testutil.Bob.DID(),`
`142`	`142`	`Client: httpClient,`
`143`	`143`	`}),`
`144`		`- WithIndexingServiceProof(proof),`
	`144`	`+ WithIndexingServiceProof([]ucan.Delegation{proof}),`
`145`	`145`	`)`
`146`	`146`	`require.NoError(t, err)`
`147`	`147`