added multi-attester block plus additional attestation validations and tests

Author: thehenrytsai

README.md

@@ -3,7 +3,7 @@
 # Decentralized Web Node (DWN) SDK
 
 Code Coverage
-![Statements](https://img.shields.io/badge/statements-94.56%25-brightgreen.svg?style=flat) ![Branches](https://img.shields.io/badge/branches-93.93%25-brightgreen.svg?style=flat) ![Functions](https://img.shields.io/badge/functions-91.51%25-brightgreen.svg?style=flat) ![Lines](https://img.shields.io/badge/lines-94.56%25-brightgreen.svg?style=flat)
+![Statements](https://img.shields.io/badge/statements-94.63%25-brightgreen.svg?style=flat) ![Branches](https://img.shields.io/badge/branches-94.12%25-brightgreen.svg?style=flat) ![Functions](https://img.shields.io/badge/functions-91.61%25-brightgreen.svg?style=flat) ![Lines](https://img.shields.io/badge/lines-94.63%25-brightgreen.svg?style=flat)
 
 ## Introduction
 

src/core/auth.ts

@@ -28,8 +28,8 @@ export async function canonicalAuth(
 }
 
 /**
- * Validates the data integrity of the `authorization` property.
- * NOTE signature is not verified.
+ * Validates the structural integrity of the `authorization` property.
+ * NOTE: signature is not verified.
  */
 export async function validateAuthorizationIntegrity(
   message: BaseMessage,

src/interfaces/records/handlers/records-write.ts

@@ -111,7 +111,10 @@ export async function constructRecordsWriteIndexes(
     ...descriptor
   };
 
-  // add `contextId` to additional index if given
+  // add additional indexes to optional values if given
+  // TODO: only indexing 1 attester, multi-attesters to be unblocked by
+  // #205 - Revisit database interfaces (https://github.com/TBD54566975/dwn-sdk-js/issues/205)
+  if (recordsWrite.attesters.length > 0) { indexes.attester = recordsWrite.attesters[0]; }
   if (message.contextId !== undefined) { indexes.contextId = message.contextId; }
 
   // add `published` index

src/interfaces/records/messages/records-write.ts

@@ -11,7 +11,7 @@ import { ProtocolAuthorization } from '../../../core/protocol-authorization.js';
 import { removeUndefinedProperties } from '../../../utils/object.js';
 
 import { authorize, validateAuthorizationIntegrity } from '../../../core/auth.js';
-import { computeCid, getDagPbCid } from '../../../utils/cid.js';
+import { computeCid, getDagPbCid, parseCid } from '../../../utils/cid.js';
 import { DwnInterfaceName, DwnMethodName } from '../../../core/message.js';
 import { GeneralJws, SignatureInput } from '../../../jose/jws/general/types.js';
 
@@ -47,15 +47,20 @@ export class RecordsWrite extends Message {
    * RecordsWrite message adhering to the DWN specification.
    */
   readonly message: RecordsWriteMessage;
+  readonly attesters: string[];
 
   private constructor(message: RecordsWriteMessage) {
     super(message);
 
+    this.attesters = RecordsWrite.getAttesters(message);
+
     // consider converting isInitialWrite() & getEntryId() into properties for performance and convenience
   }
 
   public static async parse(message: RecordsWriteMessage): Promise<RecordsWrite> {
+    // asynchronous checks that are required by the constructor to initialize members properly
     await validateAuthorizationIntegrity(message, { allowedProperties: new Set(['recordId', 'contextId', 'attestationCid']) });
+    await RecordsWrite.validateAttestationIntegrity(message);
 
     const recordsWrite = new RecordsWrite(message);
 
@@ -278,6 +283,37 @@ export class RecordsWrite extends Message {
     }
   }
 
+  /**
+   * Validates the structural integrity of the `attestation` property.
+   * NOTE: signature is not verified.
+   */
+  private static async validateAttestationIntegrity(message: RecordsWriteMessage): Promise<void> {
+    if (message.attestation === undefined) {
+      return;
+    }
+
+    // TODO: multi-attesters to be unblocked by #205 - Revisit database interfaces (https://github.com/TBD54566975/dwn-sdk-js/issues/205)
+    if (message.attestation.signatures.length !== 1) {
+      throw new Error(`Currently implementation only supports 1 attester, but got ${message.attestation.signatures.length}`);
+    }
+
+    const payloadJson = GeneralJwsVerifier.decodePlainObjectPayload(message.attestation);
+    const { descriptorCid } = payloadJson;
+
+    // `descriptorCid` validation - ensure that the provided descriptorCid matches the CID of the actual message
+    const providedDescriptorCid = parseCid(descriptorCid); // parseCid throws an exception if parsing fails
+    const expectedDescriptorCid = await computeCid(message.descriptor);
+    if (!providedDescriptorCid.equals(expectedDescriptorCid)) {
+      throw new Error(`descriptorCid ${providedDescriptorCid} does not match expected descriptorCid ${expectedDescriptorCid}`);
+    }
+
+    // check to ensure that no other unexpected properties exist in payload.
+    const propertyCount = Object.keys(payloadJson).length;
+    if (propertyCount > 1) {
+      throw new Error(`Only 'descriptorCid' is allowed in attestation payload, but got ${propertyCount} properties.`);
+    }
+  };
+
   /**
    * Computes the deterministic Entry ID of this message.
    */
@@ -403,4 +439,13 @@ export class RecordsWrite extends Message {
 
     return true;
   }
+
+  /**
+   * Gets the DID of the author of the given message.
+   */
+  public static getAttesters(message: RecordsWriteMessage): string[] {
+    const attestationSignatures = message.attestation?.signatures ?? [];
+    const attesters = attestationSignatures.map((signature) => GeneralJwsVerifier.getDid(signature));
+    return attesters;
+  }
 }

tests/interfaces/protocols/handlers/protocols-configure.spec.ts

@@ -42,7 +42,7 @@ describe('handleProtocolsQuery()', () => {
       await messageStore.close();
     });
 
-    it('should return 400 if failed to parse the message', async () => {
+    it('should return 400 if more than 1 signature is provided in `authorization`', async () => {
       const { requester, message, protocolsConfigure } = await TestDataGenerator.generateProtocolsConfigure();
       const tenant = requester.did;
 

tests/interfaces/protocols/handlers/protocols-query.spec.ts

@@ -77,7 +77,7 @@ describe('handleProtocolsQuery()', () => {
       expect(reply2.entries?.length).to.equal(3); // expecting all 3 entries written above match the query
     });
 
-    it('should return 400 if failed to parse the message', async () => {
+    it('should fail with 400 if `authorization` is referencing a different message (`descriptorCid`)', async () => {
       const { requester, message, protocolsQuery } = await TestDataGenerator.generateProtocolsQuery();
       const tenant = requester.did;
 

tests/interfaces/records/handlers/records-query.spec.ts

@@ -109,8 +109,7 @@ describe('handleRecordsQuery()', () => {
       // scenario: alice and bob attest to a message alice authored
 
       const alice = await DidKeyResolver.generate();
-      const bob = await DidKeyResolver.generate();
-      const { message } = await TestDataGenerator.generateRecordsWrite({ requester: alice, attesters: [alice, bob] });
+      const { message } = await TestDataGenerator.generateRecordsWrite({ requester: alice, attesters: [alice] });
 
       const writeReply = await handleRecordsWrite(alice.did, message, messageStore, didResolver);
       expect(writeReply.status.code).to.equal(202);
@@ -125,8 +124,7 @@ describe('handleRecordsQuery()', () => {
       expect(queryReply.entries?.length).to.equal(1);
 
       const recordsWriteMessage = queryReply.entries[0] as any;
-      expect(recordsWriteMessage.attestation?.signatures?.length).to.equal(2);
-      expect(recordsWriteMessage.attestation.signatures[0]).to.not.equal(recordsWriteMessage.attestation.signatures[1]);
+      expect(recordsWriteMessage.attestation?.signatures?.length).to.equal(1);
     });
 
     it('should omit records that are not published if `dateSort` sorts on `datePublished`', async () => {