fix: trust attestations from trusted authorities (#23)

* fix: trust attestations from trusted authorities

* test the actual validation context created by the consolidator

Author: volmedo

cmd/etracker/start.go

@@ -134,6 +134,13 @@ func init() {
 		"List of known provider DIDs (defaults to presets if not specified)",
 	)
 	cobra.CheckErr(viper.BindPFlag("known_providers", startCmd.Flags().Lookup("known-providers")))
+
+	startCmd.Flags().StringSlice(
+		"trusted-authorities",
+		[]string{},
+		"List of trusted authorities, identified by their DIDs (comma-separated)",
+	)
+	cobra.CheckErr(viper.BindPFlag("trusted_authorities", startCmd.Flags().Lookup("trusted-authorities")))
 }
 
 func startService(cmd *cobra.Command, args []string) error {
@@ -218,7 +225,8 @@ func startService(cmd *cobra.Command, args []string) error {
 		cfg.KnownProviders,
 		interval,
 		batchSize,
-		presolver,
+		presolver.ResolveDIDKey,
+		cfg.TrustedAuthorities,
 	)
 	if err != nil {
 		return fmt.Errorf("creating consolidator: %w", err)

deploy/.env.production.local.tpl

@@ -10,6 +10,8 @@ if [ "$TF_WORKSPACE" == "forge-prod" ]; then
   CONSUMER_TABLE_REGION="us-west-2"
   CONSUMER_CONSUMER_INDEX_NAME="consumer"
   CONSUMER_CUSTOMER_INDEX_NAME="customer"
+
+  TRUSTED_AUTHORITIES="did:web:up.forge.storacha.network"
 else
   STORAGE_PROVIDER_TABLE_NAME="staging-warm-upload-api-storage-provider"
   STORAGE_PROVIDER_TABLE_REGION="us-east-2"
@@ -21,11 +23,11 @@ else
   CONSUMER_TABLE_REGION="us-east-2"
   CONSUMER_CONSUMER_INDEX_NAME="consumer"
   CONSUMER_CUSTOMER_INDEX_NAME="customer"
+
+  TRUSTED_AUTHORITIES="did:web:staging.up.forge.storacha.network,did:web:staging.up.warm.storacha.network"
 fi
 %>
 
-ETRACKER_METRICS_ENVIRONMENT=<%= $TF_WORKSPACE %>
-
 STORAGE_PROVIDER_TABLE_NAME=<%= $STORAGE_PROVIDER_TABLE_NAME %>
 STORAGE_PROVIDER_TABLE_REGION=<%= $STORAGE_PROVIDER_TABLE_REGION %>
 
@@ -36,3 +38,6 @@ CONSUMER_TABLE_NAME=<%= $CONSUMER_TABLE_NAME %>
 CONSUMER_TABLE_REGION=<%= $CONSUMER_TABLE_REGION %>
 CONSUMER_CONSUMER_INDEX_NAME=<%= $CONSUMER_CONSUMER_INDEX_NAME %>
 CONSUMER_CUSTOMER_INDEX_NAME=<%= $CONSUMER_CUSTOMER_INDEX_NAME %>
+
+ETRACKER_METRICS_ENVIRONMENT=<%= $TF_WORKSPACE %>
+ETRACKER_TRUSTED_AUTHORITIES=<%= $TRUSTED_AUTHORITIES %>

go.mod

@@ -3,7 +3,7 @@ module github.com/storacha/etracker
 go 1.24.4
 
 require (
-	github.com/aws/aws-sdk-go-v2 v1.39.1
+	github.com/aws/aws-sdk-go-v2 v1.39.2
 	github.com/aws/aws-sdk-go-v2/config v1.31.10
 	github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue v1.20.3
 	github.com/aws/aws-sdk-go-v2/service/dynamodb v1.47.0
@@ -14,8 +14,8 @@ require (
 	github.com/prometheus/client_golang v1.23.2
 	github.com/spf13/cobra v1.2.1
 	github.com/spf13/viper v1.8.1
-	github.com/storacha/go-libstoracha v0.2.9
-	github.com/storacha/go-ucanto v0.6.8-0.20251103120651-427b55a78410
+	github.com/storacha/go-libstoracha v0.4.0
+	github.com/storacha/go-ucanto v0.7.1
 	github.com/stretchr/testify v1.11.1
 	go.opentelemetry.io/otel v1.38.0
 	go.opentelemetry.io/otel/exporters/prometheus v0.60.0
@@ -26,13 +26,13 @@ require (
 require (
 	github.com/aws/aws-sdk-go-v2/credentials v1.18.14 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.8 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.8 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.8 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.9 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.9 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
 	github.com/aws/aws-sdk-go-v2/service/dynamodbstreams v1.29.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.11.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.8 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.9 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.29.4 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.38.5 // indirect

go.sum

@@ -43,8 +43,8 @@ github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kd
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
-github.com/aws/aws-sdk-go-v2 v1.39.1 h1:fWZhGAwVRK/fAN2tmt7ilH4PPAE11rDj7HytrmbZ2FE=
-github.com/aws/aws-sdk-go-v2 v1.39.1/go.mod h1:sDioUELIUO9Znk23YVmIk86/9DOpkbyyVb1i/gUNFXY=
+github.com/aws/aws-sdk-go-v2 v1.39.2 h1:EJLg8IdbzgeD7xgvZ+I8M1e0fL0ptn/M47lianzth0I=
+github.com/aws/aws-sdk-go-v2 v1.39.2/go.mod h1:sDioUELIUO9Znk23YVmIk86/9DOpkbyyVb1i/gUNFXY=
 github.com/aws/aws-sdk-go-v2/config v1.31.10 h1:7LllDZAegXU3yk41mwM6KcPu0wmjKGQB1bg99bNdQm4=
 github.com/aws/aws-sdk-go-v2/config v1.31.10/go.mod h1:Ge6gzXPjqu4v0oHvgAwvGzYcK921GU0hQM25WF/Kl+8=
 github.com/aws/aws-sdk-go-v2/credentials v1.18.14 h1:TxkI7QI+sFkTItN/6cJuMZEIVMFXeu2dI1ZffkXngKI=
@@ -53,10 +53,10 @@ github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue v1.20.3 h1:RrxJ6g7+
 github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue v1.20.3/go.mod h1:e4y84j44vA9IFksSDDuAtNj9t3W20iJlsbXhbo/JU10=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.8 h1:gLD09eaJUdiszm7vd1btiQUYE0Hj+0I2b8AS+75z9AY=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.8/go.mod h1:4RW3oMPt1POR74qVOC4SbubxAwdP4pCT0nSw3jycOU4=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.8 h1:6bgAZgRyT4RoFWhxS+aoGMFyE0cD1bSzFnEEi4bFPGI=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.8/go.mod h1:KcGkXFVU8U28qS4KvLEcPxytPZPBcRawaH2Pf/0jptE=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.8 h1:HhJYoES3zOz34yWEpGENqJvRVPqpmJyR3+AFg9ybhdY=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.8/go.mod h1:JnA+hPWeYAVbDssp83tv+ysAG8lTfLVXvSsyKg/7xNA=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.9 h1:se2vOWGD3dWQUtfn4wEjRQJb1HK1XsNIt825gskZ970=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.9/go.mod h1:hijCGH2VfbZQxqCDN7bwz/4dzxV+hkyhjawAtdPWKZA=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.9 h1:6RBnKZLkJM4hQ+kN6E7yWFveOTg8NLPHAkqrs4ZPlTU=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.9/go.mod h1:V9rQKRmK7AWuEsOMnHzKj8WyrIir1yUJbZxDuZLFvXI=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo=
 github.com/aws/aws-sdk-go-v2/service/dynamodb v1.47.0 h1:A5zeikrrAgz3YtNzhMat4K8hK/CFzOjFKLVk8pI7Cz8=
@@ -67,8 +67,8 @@ github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1 h1:oegbebP
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1/go.mod h1:kemo5Myr9ac0U9JfSjMo9yHLtw+pECEHsFtJ9tqCEI8=
 github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.11.3 h1:xMmJPUT0G1q9+I0mzH4B6oN9fB5PkDoD+jvpVIcom1I=
 github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.11.3/go.mod h1:U0JFMTY/gPxV07XTXXz152nX0Hg1eBenzyslKF2j4j4=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.8 h1:M6JI2aGFEzYxsF6CXIuRBnkge9Wf9a2xU39rNeXgu10=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.8/go.mod h1:Fw+MyTwlwjFsSTE31mH211Np+CUslml8mzc0AFEG09s=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.9 h1:5r34CgVOD4WZudeEKZ9/iKpiT6cM1JyEROpXjOcdWv8=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.9/go.mod h1:dB12CEbNWPbzO2uC6QSWHteqOg4JfBVJOojbAoAUb5I=
 github.com/aws/aws-sdk-go-v2/service/sso v1.29.4 h1:FTdEN9dtWPB0EOURNtDPmwGp6GGvMqRJCAihkSl/1No=
 github.com/aws/aws-sdk-go-v2/service/sso v1.29.4/go.mod h1:mYubxV9Ff42fZH4kexj43gFPhgc/LyC7KqvUKt1watc=
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.0 h1:I7ghctfGXrscr7r1Ga/mDqSJKm7Fkpl5Mwq79Z+rZqU=
@@ -517,10 +517,10 @@ github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.8.1 h1:Kq1fyeebqsBfbjZj4EL7gj2IO0mMaiyjYUWcUsl2O44=
 github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns=
-github.com/storacha/go-libstoracha v0.2.9 h1:1EMhYNpT72dsNBDrbgnXUN/A2wpyEcUWL63wCiSOZwA=
-github.com/storacha/go-libstoracha v0.2.9/go.mod h1:nkVcVfEVeeGH1dA7SYpvYC6ip1hmoL1k6z/x+QTynXQ=
-github.com/storacha/go-ucanto v0.6.8-0.20251103120651-427b55a78410 h1:ZQb2e/CR4Vll+jIFw/qW0NnVu5D+pWr0EVeAGpVXJ8E=
-github.com/storacha/go-ucanto v0.6.8-0.20251103120651-427b55a78410/go.mod h1:O35Ze4x18EWtz3ftRXXd/mTZ+b8OQVjYYrnadJ/xNjg=
+github.com/storacha/go-libstoracha v0.4.0 h1:QkJKOE4zQ13p478tMr6C5pY3VHQxqaBE8kGDiY3TqTQ=
+github.com/storacha/go-libstoracha v0.4.0/go.mod h1:PLTFCREzKlZMY9cuZDCJUh2DiCWLKQEyTQhYM1muy9M=
+github.com/storacha/go-ucanto v0.7.1 h1:/KRsCltQt57+3sqNqM8ygh9TwA6+0DGC2LIYaOnhcSY=
+github.com/storacha/go-ucanto v0.7.1/go.mod h1:O35Ze4x18EWtz3ftRXXd/mTZ+b8OQVjYYrnadJ/xNjg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=

internal/config/config.go

@@ -33,7 +33,8 @@ type Config struct {
 	ConsumerTableRegion            string     `mapstructure:"consumer_table_region" validate:"required"`
 	ConsumerConsumerIndexName      string     `mapstructure:"consumer_consumer_index_name" validate:"required"`
 	ConsumerCustomerIndexName      string     `mapstructure:"consumer_customer_index_name" validate:"required"`
-	KnownProviders                 []string   `mapstructure:"known_providers"`
+	KnownProviders                 []string   `mapstructure:"known_providers" validate:"dive,startswith=did:web:"`
+	TrustedAuthorities             []string   `mapstructure:"trusted_authorities" validate:"dive,startswith=did:web:"`
 }
 
 func Load(ctx context.Context) (*Config, error) {

internal/consolidator/consolidator.go

@@ -13,6 +13,7 @@ import (
 	logging "github.com/ipfs/go-log/v2"
 	"github.com/storacha/go-libstoracha/capabilities/space/content"
 	capegress "github.com/storacha/go-libstoracha/capabilities/space/egress"
+	ucancap "github.com/storacha/go-libstoracha/capabilities/ucan"
 	"github.com/storacha/go-ucanto/client"
 	"github.com/storacha/go-ucanto/core/car"
 	"github.com/storacha/go-ucanto/core/dag/blockstore"
@@ -69,8 +70,36 @@ func New(
 	knownProviders []string,
 	interval time.Duration,
 	batchSize int,
-	presolver validator.PrincipalResolver,
+	presolver validator.PrincipalResolverFunc,
+	trustedAuthorities []string,
 ) (*Consolidator, error) {
+	// trust attestations from trusted authorities
+	var authProofs []delegation.Delegation
+	for _, authority := range trustedAuthorities {
+		auth, err := did.Parse(authority)
+		if err != nil {
+			return nil, fmt.Errorf("parsing trusted authority: %w", err)
+		}
+
+		attestDlg, err := delegation.Delegate(
+			id,
+			auth,
+			[]ucan.Capability[ucan.NoCaveats]{
+				ucan.NewCapability(
+					ucancap.AttestAbility,
+					id.DID().String(),
+					ucan.NoCaveats{},
+				),
+			},
+			delegation.WithNoExpiration(),
+		)
+		if err != nil {
+			return nil, err
+		}
+
+		authProofs = append(authProofs, attestDlg)
+	}
+
 	retrieveValidationCtx := validator.NewValidationContext(
 		id.Verifier(),
 		content.Retrieve,
@@ -80,11 +109,12 @@ func New(
 		},
 		validator.ProofUnavailable,
 		verifier.Parse,
-		presolver.ResolveDIDKey,
+		presolver,
 		// ignore expiration and not valid before
 		func(dlg delegation.Delegation) validator.InvalidProof {
 			return nil
 		},
+		authProofs...,
 	)
 
 	c := &Consolidator{