the UCAN server trusts attestations from trusted authorities

volmedo · volmedo · commit b694f96081bd · 2026-01-22T13:14:35.000+01:00
diff --git a/cmd/etracker/start.go b/cmd/etracker/start.go
@@ -11,9 +11,12 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/dynamodb"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
+	ucancap "github.com/storacha/go-libstoracha/capabilities/ucan"
+	"github.com/storacha/go-ucanto/core/delegation"
 	"github.com/storacha/go-ucanto/did"
 	ed25519 "github.com/storacha/go-ucanto/principal/ed25519/signer"
 	"github.com/storacha/go-ucanto/principal/signer"
+	"github.com/storacha/go-ucanto/ucan"
 
 	"github.com/storacha/etracker/internal/config"
 	"github.com/storacha/etracker/internal/consolidator"
@@ -211,6 +214,33 @@ func startService(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("creating principal resolver: %w", err)
 	}
 
+	// Trust attestations from trusted authorities
+	var authProofs []delegation.Delegation
+	for _, authority := range cfg.TrustedAuthorities {
+		auth, err := did.Parse(authority)
+		if err != nil {
+			return fmt.Errorf("parsing trusted authority: %w", err)
+		}
+
+		attestDlg, err := delegation.Delegate(
+			id,
+			auth,
+			[]ucan.Capability[ucan.NoCaveats]{
+				ucan.NewCapability(
+					ucancap.AttestAbility,
+					id.DID().String(),
+					ucan.NoCaveats{},
+				),
+			},
+			delegation.WithNoExpiration(),
+		)
+		if err != nil {
+			return err
+		}
+
+		authProofs = append(authProofs, attestDlg)
+	}
+
 	// Create and start consolidator
 	interval := time.Duration(cfg.ConsolidationInterval) * time.Second
 	batchSize := cfg.ConsolidationBatchSize
@@ -226,7 +256,7 @@ func startService(cmd *cobra.Command, args []string) error {
 		interval,
 		batchSize,
 		presolver.ResolveDIDKey,
-		cfg.TrustedAuthorities,
+		authProofs,
 	)
 	if err != nil {
 		return fmt.Errorf("creating consolidator: %w", err)
@@ -243,6 +273,7 @@ func startService(cmd *cobra.Command, args []string) error {
 		server.WithMetricsEndpoint(cfg.MetricsAuthToken),
 		server.WithAdminCreds(cfg.AdminDashboardUser, cfg.AdminDashboardPassword),
 		server.WithPrincipalResolver(presolver),
+		server.WithAuthorityProofs(authProofs...),
 	)
 	if err != nil {
 		return fmt.Errorf("creating server: %w", err)
diff --git a/internal/consolidator/consolidator.go b/internal/consolidator/consolidator.go
@@ -13,7 +13,6 @@ import (
 	logging "github.com/ipfs/go-log/v2"
 	"github.com/storacha/go-libstoracha/capabilities/space/content"
 	capegress "github.com/storacha/go-libstoracha/capabilities/space/egress"
-	ucancap "github.com/storacha/go-libstoracha/capabilities/ucan"
 	"github.com/storacha/go-ucanto/client"
 	"github.com/storacha/go-ucanto/core/car"
 	"github.com/storacha/go-ucanto/core/dag/blockstore"
@@ -71,35 +70,8 @@ func New(
 	interval time.Duration,
 	batchSize int,
 	presolver validator.PrincipalResolverFunc,
-	trustedAuthorities []string,
+	authProofs []delegation.Delegation,
 ) (*Consolidator, error) {
-	// trust attestations from trusted authorities
-	var authProofs []delegation.Delegation
-	for _, authority := range trustedAuthorities {
-		auth, err := did.Parse(authority)
-		if err != nil {
-			return nil, fmt.Errorf("parsing trusted authority: %w", err)
-		}
-
-		attestDlg, err := delegation.Delegate(
-			id,
-			auth,
-			[]ucan.Capability[ucan.NoCaveats]{
-				ucan.NewCapability(
-					ucancap.AttestAbility,
-					id.DID().String(),
-					ucan.NoCaveats{},
-				),
-			},
-			delegation.WithNoExpiration(),
-		)
-		if err != nil {
-			return nil, err
-		}
-
-		authProofs = append(authProofs, attestDlg)
-	}
-
 	retrieveValidationCtx := validator.NewValidationContext(
 		id.Verifier(),
 		content.Retrieve,
diff --git a/internal/consolidator/consolidator_test.go b/internal/consolidator/consolidator_test.go
@@ -61,6 +61,19 @@ func TestValidateRetrievalReceipt(t *testing.T) {
 
 	// trust attestations from the upload service
 	uploadServiceID := testutil.WebService
+	attestDlg, err := delegation.Delegate(
+		consolidatorID,
+		uploadServiceID,
+		[]ucan.Capability[ucan.NoCaveats]{
+			ucan.NewCapability(
+				ucancap.AttestAbility,
+				consolidatorID.DID().String(),
+				ucan.NoCaveats{},
+			),
+		},
+		delegation.WithNoExpiration(),
+	)
+	require.NoError(t, err)
 
 	knownProvider, err := did.Parse("did:web:up.test.storacha.network")
 	require.NoError(t, err)
@@ -85,7 +98,7 @@ func TestValidateRetrievalReceipt(t *testing.T) {
 
 			return did.Undef, validator.NewDIDKeyResolutionError(input, fmt.Errorf("%s not found in mapping", input.String()))
 		},
-		[]string{uploadServiceID.DID().String()},
+		[]delegation.Delegation{attestDlg},
 	)
 	require.NoError(t, err)
 
diff --git a/internal/server/server.go b/internal/server/server.go
@@ -5,6 +5,7 @@ import (
 	"net/http"
 
 	logging "github.com/ipfs/go-log/v2"
+	"github.com/storacha/go-ucanto/core/delegation"
 	"github.com/storacha/go-ucanto/principal"
 	ucanto "github.com/storacha/go-ucanto/server"
 	"github.com/storacha/go-ucanto/validator"
@@ -22,6 +23,7 @@ type config struct {
 	adminUser            string
 	adminPassword        string
 	principalResolver    validator.PrincipalResolver
+	authProofs           []delegation.Delegation
 }
 
 type Option func(*config)
@@ -45,6 +47,12 @@ func WithPrincipalResolver(resolver validator.PrincipalResolver) Option {
 	}
 }
 
+func WithAuthorityProofs(authProofs ...delegation.Delegation) Option {
+	return func(c *config) {
+		c.authProofs = authProofs
+	}
+}
+
 type Server struct {
 	cfg       *config
 	ucantoSrv ucanto.ServerView[ucanto.Service]
@@ -64,6 +72,8 @@ func New(id principal.Signer, svc *service.Service, cons *consolidator.Consolida
 		ucantoOpts = append(ucantoOpts, ucanto.WithPrincipalResolver(cfg.principalResolver.ResolveDIDKey))
 	}
 
+	ucantoOpts = append(ucantoOpts, ucanto.WithAuthorityProofs(cfg.authProofs...))
+
 	ucantoSrv, err := ucanto.NewServer(id, ucantoOpts...)
 	if err != nil {
 		return nil, err
