feat: optional multi-authorizer

.gitignore

@@ -1,7 +1,6 @@
 db/
 tmp/
 bin/
-identity/
 event_initiator.identity.json
 event_initiator.key
 event_initiator.key.age

config.prod.yaml.template

@@ -17,3 +17,19 @@ backup_dir: backups
 max_concurrent_keygen: 2
 max_concurrent_signing: 10
 session_warm_up_delay_ms: 100
+
+# Authorization (optional)
+authorization:
+  enabled: false
+  default_threshold: 0
+  operation_policies:
+    keygen:
+      required_authorizers: 0
+      authorizer_ids: []
+    signing:
+      required_authorizers: 0
+      authorizer_ids: []
+    reshare:
+      required_authorizers: 0
+      authorizer_ids: []
+  authorizers: {}

config.yaml.template

@@ -14,3 +14,23 @@ backup_dir: backups
 max_concurrent_keygen: 2
 max_concurrent_signing: 10
 session_warm_up_delay_ms: 100
+
+# Authorization (optional)
+authorization:
+  enabled: false
+  required_authorizers: 0
+  # Authorizer public keys configuration (applies to all operations: keygen, signing, reshare)
+  authorizer_public_keys: {}
+    # Example:
+    # auth1:
+    #   public_key: "deadbeef..."
+    #   algorithm: "ed25519"
+    # auth2:
+    #   public_key: "cafebabe..."
+    #   algorithm: "p256"
+  # Global authorizers (backward compatibility)
+  authorizers: {}
+    # Example:
+    # auth1:
+    #   pubkey: "deadbeef..."
+    #   algorithm: "ed25519"

go.mod

@@ -19,6 +19,7 @@ require (
 	github.com/spf13/viper v1.18.0
 	github.com/stretchr/testify v1.10.0
 	github.com/urfave/cli/v3 v3.3.2
+	golang.org/x/crypto v0.37.0
 	golang.org/x/term v0.31.0
 )
 
@@ -80,7 +81,6 @@ require (
 	go.uber.org/goleak v1.3.0 // indirect
 	go.uber.org/multierr v1.9.0 // indirect
 	go.uber.org/zap v1.21.0 // indirect
-	golang.org/x/crypto v0.37.0 // indirect
 	golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
 	golang.org/x/net v0.39.0 // indirect
 	golang.org/x/sys v0.33.0 // indirect

pkg/eventconsumer/event_consumer.go

@@ -166,6 +166,13 @@ func (ec *eventConsumer) handleKeyGenEvent(natMsg *nats.Msg) {
 		return
 	}
 
+	// Optional multi-authorizer check for keygen
+	if err := ec.identityStore.AuthorizeInitiatorMessage("keygen", &msg); err != nil {
+		logger.Error("Authorization failed for keygen", err)
+		ec.handleKeygenSessionError(msg.WalletID, err, "Authorization failed for keygen", natMsg)
+		return
+	}
+
 	walletID := msg.WalletID
 	ecdsaSession, err := ec.node.CreateKeyGenSession(mpc.SessionTypeECDSA, walletID, ec.mpcThreshold, ec.genKeyResultQueue)
 	if err != nil {
@@ -353,6 +360,12 @@ func (ec *eventConsumer) handleSigningEvent(natMsg *nats.Msg) {
 		return
 	}
 
+	// Optional multi-authorizer check for signing
+	if err := ec.identityStore.AuthorizeInitiatorMessage("signing", &msg); err != nil {
+		logger.Error("Authorization failed for signing", err)
+		return
+	}
+
 	logger.Info(
 		"Received signing event",
 		"waleltID",
@@ -589,6 +602,13 @@ func (ec *eventConsumer) consumeReshareEvent() error {
 			return
 		}
 
+		// Optional multi-authorizer check for reshare
+		if err := ec.identityStore.AuthorizeInitiatorMessage("reshare", &msg); err != nil {
+			logger.Error("Authorization failed for reshare", err)
+			ec.handleReshareSessionError(msg.WalletID, msg.KeyType, msg.NewThreshold, err, "Authorization failed for reshare", natMsg)
+			return
+		}
+
 		walletID := msg.WalletID
 		keyType := msg.KeyType
 

pkg/eventconsumer/events.go

@@ -17,20 +17,30 @@ type InitiatorMessage interface {
 	Sig() []byte
 	// InitiatorID returns the ID whose public key we have to look up.
 	InitiatorID() string
+	// AuthorizerSigs returns the optional list of authorizer signatures.
+	AuthorizerSigs() []AuthorizerSignature
+}
+
+// AuthorizerSignature represents an approval signature from an external authorizer.
+type AuthorizerSignature struct {
+	AuthorizerID string `json:"authorizer_id"`
+	Signature    []byte `json:"signature"`
 }
 
 type GenerateKeyMessage struct {
-	WalletID  string `json:"wallet_id"`
-	Signature []byte `json:"signature"`
+	WalletID             string                `json:"wallet_id"`
+	Signature            []byte                `json:"signature"`
+	AuthorizerSignatures []AuthorizerSignature `json:"authorizer_signatures,omitempty"`
 }
 
 type SignTxMessage struct {
-	KeyType             KeyType `json:"key_type"`
-	WalletID            string  `json:"wallet_id"`
-	NetworkInternalCode string  `json:"network_internal_code"`
-	TxID                string  `json:"tx_id"`
-	Tx                  []byte  `json:"tx"`
-	Signature           []byte  `json:"signature"`
+	KeyType              KeyType               `json:"key_type"`
+	WalletID             string                `json:"wallet_id"`
+	NetworkInternalCode  string                `json:"network_internal_code"`
+	TxID                 string                `json:"tx_id"`
+	Tx                   []byte                `json:"tx"`
+	Signature            []byte                `json:"signature"`
+	AuthorizerSignatures []AuthorizerSignature `json:"authorizer_signatures,omitempty"`
 }
 
 func (m *SignTxMessage) Raw() ([]byte, error) {
@@ -59,6 +69,10 @@ func (m *SignTxMessage) InitiatorID() string {
 	return m.TxID
 }
 
+func (m *SignTxMessage) AuthorizerSigs() []AuthorizerSignature {
+	return m.AuthorizerSignatures
+}
+
 func (m *GenerateKeyMessage) Raw() ([]byte, error) {
 	return []byte(m.WalletID), nil
 }
@@ -70,3 +84,7 @@ func (m *GenerateKeyMessage) Sig() []byte {
 func (m *GenerateKeyMessage) InitiatorID() string {
 	return m.WalletID
 }
+
+func (m *GenerateKeyMessage) AuthorizerSigs() []AuthorizerSignature {
+	return m.AuthorizerSignatures
+}