feat: server side support for authorized retrievals

[alanshaw]

This PR add server side support for authorized retrievals. This involves 2 different authorized retrieval types:

1. Users can send a delegation for retrieving data from a space (per feat: client support for authorized retrievals #249) and it will now be used by the indexer to make a UCAN authorized retrieval (space/content/retrieve) from the relevant node (if not cached).
2. When an upload service invokes assert/index, the indexer will now obtain a service delegation from the node that is storing the index (using access/grant) before making a UCAN authorized retrieval (blob/retrieve) to obtain the index. See rfc: on-demand service authorization RFC#68 for details of on-demand service retrievals.

TODO: a test for (2)

[codecov]

Codecov Report

❌ Patch coverage is 61.35458% with 97 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
pkg/service/service.go	68.00%	28 Missing and 12 partials ⚠️
pkg/service/blobindexlookup/simplelookup.go	57.53%	22 Missing and 9 partials ⚠️
cmd/query.go	0.00%	11 Missing ⚠️
pkg/construct/construct.go	0.00%	9 Missing ⚠️
pkg/server/server.go	66.66%	4 Missing and 2 partials ⚠️

Files with missing lines	Coverage Δ
pkg/service/blobindexlookup/cachinglookup.go	100.00% <100.00%> (ø)
pkg/types/types.go	94.87% <100.00%> (+2.56%)	⬆️
pkg/server/server.go	38.66% <66.66%> (+1.41%)	⬆️
pkg/construct/construct.go	0.00% <0.00%> (ø)
cmd/query.go	0.00% <0.00%> (ø)
pkg/service/blobindexlookup/simplelookup.go	58.88% <57.53%> (-16.12%)	⬇️
pkg/service/service.go	77.73% <68.00%> (-3.10%)	⬇️

... and 1 file with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[volmedo]

this looks good overall. I think the code is becoming a bit unwieldy but and it'd be nice to do a refactor at some point.

to confirm: the indexing-service can be authorized to retrieve (index) blobs by the node that has the blob or directly by the client, yes? In the latter scenario, Alice would issue a delegation to the indexing-service so it can retrieve from a space they have access to, right?

[alanshaw]

to confirm: the indexing-service can be authorized to retrieve (index) blobs by the node that has the blob or directly by the client, yes? In the latter scenario, Alice would issue a delegation to the indexing-service so it can retrieve from a space they have access to, right?

Yes exactly right.