feat: make time bounds validation configurable (#78)

Expiration and Not Valid Before are useful when validating an invocation
as part of deciding whether it should be executed. However, if we just
want to check the validity of a given delegation chain that happened in
the past, we don't care about time bounds.

These changes allow passing a custom time bounds validation function to
decide how expiration and not valid before are validated.

Author: volmedo

server/handler.go

@@ -37,6 +37,7 @@ func Provide[C any, O ipld.Builder, X failure.IPLDBuilderFailure](
 			ictx.ResolveProof,
 			ictx.ParsePrincipal,
 			ictx.ResolveDIDKey,
+			ictx.ValidateTimeBounds,
 			ictx.AuthorityProofs()...,
 		)
 

server/options.go

@@ -25,6 +25,7 @@ type srvConfig struct {
 	resolveProof          validator.ProofResolverFunc
 	parsePrincipal        validator.PrincipalParserFunc
 	resolveDIDKey         validator.PrincipalResolverFunc
+	validateTimeBounds    validator.TimeBoundsValidatorFunc
 	authorityProofs       []delegation.Delegation
 	altAudiences          []ucan.Principal
 	catch                 ErrorHandlerFunc
@@ -123,6 +124,14 @@ func WithPrincipalResolver(fn validator.PrincipalResolverFunc) Option {
 	}
 }
 
+// WithTimeBoundsValidator configures a function that validates the time bounds of a delegation.
+func WithTimeBoundsValidator(fn validator.TimeBoundsValidatorFunc) Option {
+	return func(cfg *srvConfig) error {
+		cfg.validateTimeBounds = fn
+		return nil
+	}
+}
+
 // WithAuthorityProofs allows to provide a list of proofs that designate other
 // principals (beyond the service authority) whose attestations will be recognized as valid.
 func WithAuthorityProofs(proofs ...delegation.Delegation) Option {

server/server.go

@@ -37,6 +37,7 @@ type InvocationContext interface {
 	validator.ProofResolver
 	validator.PrincipalParser
 	validator.PrincipalResolver
+	validator.TimeBoundsValidator
 	validator.AuthorityProver
 	// ID is the DID of the service the invocation was sent to.
 	ID() principal.Signer
@@ -137,7 +138,12 @@ func NewServer(id principal.Signer, options ...Option) (ServerView[Service], err
 		resolveDIDKey = validator.FailDIDKeyResolution
 	}
 
-	ctx := serverContext{id, canIssue, validateAuthorization, resolveProof, parsePrincipal, resolveDIDKey, cfg.authorityProofs, cfg.altAudiences}
+	validateTimeBounds := cfg.validateTimeBounds
+	if validateTimeBounds == nil {
+		validateTimeBounds = validator.NotExpiredNotTooEarly
+	}
+
+	ctx := serverContext{id, canIssue, validateAuthorization, resolveProof, parsePrincipal, resolveDIDKey, validateTimeBounds, cfg.authorityProofs, cfg.altAudiences}
 	svr := &server{id, cfg.service, ctx, codec, catch, cfg.logReceipt}
 	return svr, nil
 }
@@ -154,6 +160,7 @@ type serverContext struct {
 	resolveProof          validator.ProofResolverFunc
 	parsePrincipal        validator.PrincipalParserFunc
 	resolveDIDKey         validator.PrincipalResolverFunc
+	validateTimeBounds    validator.TimeBoundsValidatorFunc
 	authorityProofs       []delegation.Delegation
 	altAudiences          []ucan.Principal
 }
@@ -182,6 +189,10 @@ func (sctx serverContext) ResolveDIDKey(ctx context.Context, did did.DID) (did.D
 	return sctx.resolveDIDKey(ctx, did)
 }
 
+func (sctx serverContext) ValidateTimeBounds(dlg delegation.Delegation) validator.InvalidProof {
+	return sctx.validateTimeBounds(dlg)
+}
+
 func (sctx serverContext) AuthorityProofs() []delegation.Delegation {
 	return sctx.authorityProofs
 }

validator/lib.go

@@ -33,6 +33,17 @@ func FailDIDKeyResolution(ctx context.Context, d did.DID) (did.DID, UnresolvedDI
 	return did.Undef, NewDIDKeyResolutionError(d, fmt.Errorf("no DID resolver configured"))
 }
 
+func NotExpiredNotTooEarly(dlg delegation.Delegation) InvalidProof {
+	if ucan.IsExpired(dlg) {
+		return NewExpiredError(dlg)
+	}
+	if ucan.IsTooEarly(dlg) {
+		return NewNotValidBeforeError(dlg)
+	}
+
+	return nil
+}
+
 // PrincipalParser provides verifier instances that can validate UCANs issued
 // by a given principal.
 type PrincipalParser interface {
@@ -108,6 +119,12 @@ type Validator interface {
 	Authority() principal.Verifier
 }
 
+type TimeBoundsValidator interface {
+	ValidateTimeBounds(dlg delegation.Delegation) InvalidProof
+}
+
+type TimeBoundsValidatorFunc func(dlg delegation.Delegation) InvalidProof
+
 type ClaimContext interface {
 	Validator
 	RevocationChecker[any]
@@ -116,6 +133,7 @@ type ClaimContext interface {
 	PrincipalParser
 	PrincipalResolver
 	AuthorityProver
+	TimeBoundsValidator
 }
 
 type claimContext struct {
@@ -125,6 +143,7 @@ type claimContext struct {
 	resolveProof          ProofResolverFunc
 	parsePrincipal        PrincipalParserFunc
 	resolveDIDKey         PrincipalResolverFunc
+	validateTimeBounds    TimeBoundsValidatorFunc
 	authorityProofs       []delegation.Delegation
 }
 
@@ -135,6 +154,7 @@ func NewClaimContext(
 	resolveProof ProofResolverFunc,
 	parsePrincipal PrincipalParserFunc,
 	resolveDIDKey PrincipalResolverFunc,
+	validateTimeBounds TimeBoundsValidatorFunc,
 	authorityProofs ...delegation.Delegation,
 ) ClaimContext {
 	return claimContext{
@@ -144,6 +164,7 @@ func NewClaimContext(
 		resolveProof,
 		parsePrincipal,
 		resolveDIDKey,
+		validateTimeBounds,
 		authorityProofs,
 	}
 }
@@ -172,6 +193,10 @@ func (cc claimContext) ResolveDIDKey(ctx context.Context, did did.DID) (did.DID,
 	return cc.resolveDIDKey(ctx, did)
 }
 
+func (cc claimContext) ValidateTimeBounds(dlg delegation.Delegation) InvalidProof {
+	return cc.validateTimeBounds(dlg)
+}
+
 func (cc claimContext) AuthorityProofs() []delegation.Delegation {
 	return cc.authorityProofs
 }
@@ -194,6 +219,7 @@ func NewValidationContext[Caveats any](
 	resolveProof ProofResolverFunc,
 	parsePrincipal PrincipalParserFunc,
 	resolveDIDKey PrincipalResolverFunc,
+	validateTimeBounds TimeBoundsValidatorFunc,
 	authorityProofs ...delegation.Delegation,
 ) ValidationContext[Caveats] {
 	return validationContext[Caveats]{
@@ -204,6 +230,7 @@ func NewValidationContext[Caveats any](
 			resolveProof,
 			parsePrincipal,
 			resolveDIDKey,
+			validateTimeBounds,
 			authorityProofs,
 		},
 		capability,
@@ -310,12 +337,10 @@ func ResolveProofs(ctx context.Context, proofs []delegation.Proof, resolver Proo
 // Validate a delegation to check it is within the time bound and that it is
 // authorized by the issuer.
 func Validate(ctx context.Context, dlg delegation.Delegation, prfs []delegation.Delegation, cctx ClaimContext) (delegation.Delegation, InvalidProof) {
-	if ucan.IsExpired(dlg) {
-		return nil, NewExpiredError(dlg)
-	}
-	if ucan.IsTooEarly(dlg) {
-		return nil, NewNotValidBeforeError(dlg)
+	if invalid := cctx.ValidateTimeBounds(dlg); invalid != nil {
+		return nil, invalid
 	}
+
 	return VerifyAuthorization(ctx, dlg, prfs, cctx)
 }
 

validator/lib_test.go

@@ -105,6 +105,7 @@ func TestAccess(t *testing.T) {
 				ProofUnavailable,
 				parseEdPrincipal,
 				FailDIDKeyResolution,
+				NotExpiredNotTooEarly,
 			)
 
 			a, x := Access(t.Context(), inv, vctx)
@@ -141,6 +142,7 @@ func TestAccess(t *testing.T) {
 				ProofUnavailable,
 				parseEdPrincipal,
 				FailDIDKeyResolution,
+				NotExpiredNotTooEarly,
 			)
 
 			a, x := Access(t.Context(), inv, vctx)
@@ -186,6 +188,7 @@ func TestAccess(t *testing.T) {
 				ProofUnavailable,
 				parseEdPrincipal,
 				FailDIDKeyResolution,
+				NotExpiredNotTooEarly,
 			)
 
 			a, x := Access(t.Context(), inv, vctx)
@@ -237,6 +240,7 @@ func TestAccess(t *testing.T) {
 				},
 				parseEdPrincipal,
 				FailDIDKeyResolution,
+				NotExpiredNotTooEarly,
 			)
 
 			a, x := Access(t.Context(), inv, vctx)
@@ -251,6 +255,40 @@ func TestAccess(t *testing.T) {
 			require.Equal(t, fixtures.Alice.DID(), a.Proofs()[0].Issuer().DID())
 			require.Equal(t, fixtures.Bob.DID(), a.Proofs()[0].Audience().DID())
 		})
+
+		t.Run("expiration and not valid before can be ignored", func(t *testing.T) {
+			exp := ucan.Now() - 5
+			nbf := ucan.Now() + 500
+			inv, err := storeAdd.Invoke(
+				fixtures.Alice,
+				fixtures.Service,
+				fixtures.Alice.DID().String(),
+				storeAddCaveats{Link: testLink},
+				delegation.WithExpiration(exp),
+				delegation.WithNotBefore(nbf),
+			)
+			require.NoError(t, err)
+
+			vctx := NewValidationContext(
+				fixtures.Service.Verifier(),
+				storeAdd,
+				IsSelfIssued,
+				validateAuthOk,
+				ProofUnavailable,
+				parseEdPrincipal,
+				FailDIDKeyResolution,
+				func(dlg delegation.Delegation) InvalidProof {
+					return nil
+				},
+			)
+
+			a, x := Access(t.Context(), inv, vctx)
+			require.NoError(t, x)
+			require.Equal(t, storeAdd.Can(), a.Capability().Can())
+			require.Equal(t, fixtures.Alice.DID().String(), a.Capability().With())
+			require.Equal(t, fixtures.Alice.DID(), a.Issuer().DID())
+			require.Equal(t, fixtures.Service.DID(), a.Audience().DID())
+		})
 	})
 
 	t.Run("unauthorized", func(t *testing.T) {
@@ -273,6 +311,7 @@ func TestAccess(t *testing.T) {
 				ProofUnavailable,
 				parseEdPrincipal,
 				FailDIDKeyResolution,
+				NotExpiredNotTooEarly,
 			)
 
 			a, x := Access(t.Context(), inv, vctx)
@@ -305,6 +344,7 @@ func TestAccess(t *testing.T) {
 				ProofUnavailable,
 				parseEdPrincipal,
 				FailDIDKeyResolution,
+				NotExpiredNotTooEarly,
 			)
 
 			a, x := Access(t.Context(), inv, vctx)
@@ -337,6 +377,7 @@ func TestAccess(t *testing.T) {
 				ProofUnavailable,
 				parseEdPrincipal,
 				FailDIDKeyResolution,
+				NotExpiredNotTooEarly,
 			)
 
 			a, x := Access(t.Context(), inv, vctx)
@@ -370,6 +411,7 @@ func TestAccess(t *testing.T) {
 				ProofUnavailable,
 				parseEdPrincipal,
 				FailDIDKeyResolution,
+				NotExpiredNotTooEarly,
 			)
 
 			a, x := Access(t.Context(), inv, vctx)
@@ -404,6 +446,7 @@ func TestAccess(t *testing.T) {
 				ProofUnavailable,
 				parseEdPrincipal,
 				FailDIDKeyResolution,
+				NotExpiredNotTooEarly,
 			)
 
 			a, x := Access(t.Context(), inv, vctx)
@@ -447,6 +490,7 @@ func TestAccess(t *testing.T) {
 				ProofUnavailable,
 				parseEdPrincipal,
 				FailDIDKeyResolution,
+				NotExpiredNotTooEarly,
 			)
 
 			a, x := Access(t.Context(), inv, vctx)
@@ -491,6 +535,7 @@ func TestAccess(t *testing.T) {
 				ProofUnavailable,
 				parseEdPrincipal,
 				FailDIDKeyResolution,
+				NotExpiredNotTooEarly,
 			)
 
 			a, x := Access(t.Context(), inv, vctx)
@@ -554,6 +599,7 @@ func TestAccess(t *testing.T) {
 				ProofUnavailable,
 				parseEdPrincipal,
 				FailDIDKeyResolution,
+				NotExpiredNotTooEarly,
 			)
 
 			a, x := Access(t.Context(), inv, vctx)
@@ -597,6 +643,7 @@ func TestAccess(t *testing.T) {
 				ProofUnavailable,
 				parseEdPrincipal,
 				FailDIDKeyResolution,
+				NotExpiredNotTooEarly,
 			)
 
 			a, x := Access(t.Context(), inv, vctx)
@@ -641,6 +688,7 @@ func TestAccess(t *testing.T) {
 				ProofUnavailable,
 				parseEdPrincipal,
 				FailDIDKeyResolution,
+				NotExpiredNotTooEarly,
 			)
 
 			a, x := Access(t.Context(), inv, vctx)
@@ -684,6 +732,7 @@ func TestAccess(t *testing.T) {
 				ProofUnavailable,
 				parseEdPrincipal,
 				FailDIDKeyResolution,
+				NotExpiredNotTooEarly,
 			)
 
 			a, x := Access(t.Context(), inv, vctx)
@@ -727,6 +776,7 @@ func TestAccess(t *testing.T) {
 				ProofUnavailable,
 				parseEdPrincipal,
 				FailDIDKeyResolution,
+				NotExpiredNotTooEarly,
 			)
 
 			a, x := Access(t.Context(), inv, vctx)
@@ -770,6 +820,7 @@ func TestAccess(t *testing.T) {
 				ProofUnavailable,
 				parseEdPrincipal,
 				FailDIDKeyResolution,
+				NotExpiredNotTooEarly,
 			)
 
 			a, x := Access(t.Context(), inv, vctx)
@@ -822,6 +873,7 @@ func TestAccess(t *testing.T) {
 				ProofUnavailable,
 				parseEdPrincipal,
 				FailDIDKeyResolution,
+				NotExpiredNotTooEarly,
 			)
 
 			cstr := fmt.Sprintf(`{"can":"%s","with":"%s","nb":{"Link":{"/":"%s"},"Origin":null}}`, storeAdd.Can(), fixtures.Service.DID(), testLink)
@@ -869,6 +921,7 @@ func TestAccess(t *testing.T) {
 				ProofUnavailable,
 				parseEdPrincipal,
 				FailDIDKeyResolution,
+				NotExpiredNotTooEarly,
 			)
 
 			cstr := fmt.Sprintf(`{"can":"%s","with":"%s","nb":{"Link":{"/":"%s"},"Origin":null}}`, storeAdd.Can(), fixtures.Alice.DID(), testLink)
@@ -915,6 +968,7 @@ func TestAccess(t *testing.T) {
 				ProofUnavailable,
 				parseEdPrincipal,
 				FailDIDKeyResolution,
+				NotExpiredNotTooEarly,
 			)
 
 			cstr := fmt.Sprintf(`{"can":"%s","with":"%s","nb":{"Link":{"/":"%s"},"Origin":null}}`, storeAdd.Can(), space.DID(), testLink)
@@ -952,6 +1006,7 @@ func TestClaim(t *testing.T) {
 			ProofUnavailable,
 			parseEdPrincipal,
 			FailDIDKeyResolution,
+			NotExpiredNotTooEarly,
 		)
 
 		a, x := Claim(t.Context(), storeAdd, []delegation.Proof{delegation.FromLink(dlg.Link())}, vctx)
@@ -992,6 +1047,7 @@ func TestClaim(t *testing.T) {
 			ProofUnavailable,
 			parseEdPrincipal,
 			FailDIDKeyResolution,
+			NotExpiredNotTooEarly,
 		)
 
 		a, x := Claim(t.Context(), storeAdd, []delegation.Proof{delegation.FromDelegation(dlg)}, vctx)