Verify fee claims and persist the grant on register

Wires the claim verifier into register_node. The service now holds a set of
trusted issuer keys and a long-lived verification context; when a peer
registers, any fee_claim it presented is verified against those keys and the
granted policy is persisted onto the peer's SCID record before the response
is enqueued, so the policy is in place by the time the SCID is handed out.

The feature is inert by default. An empty issuer_pubkeys set short-circuits
before any crypto and resolves every peer to the standard policy, byte for
byte identical to today. Population of the key set is the operator's job
downstream; nothing in-tree sets it.

A grant is only ever upserted, never downgraded. An absent or unverifiable
claim returns None and leaves an existing record untouched, so a transient
miss or a malformed claim can't wipe a live grant; a brand-new record falls
back to standard. This deviates from a literal "else standard" on purpose:
once a node has been granted zero-fee, a dropped claim on a later
re-registration must not silently restore the 2% skim.

The verifier borrows the service's context rather than allocating per call,
and resolve_claim_policy logs and swallows verification failures rather than
failing the registration: a bad claim should cost the node its discount, not
its channel.

add_intercepted_scid is removed. It only built a standard-policy record,
which the new persist path now does directly with the resolved policy, so
the old helper had no remaining caller.

Author: amackillop

lightning-liquidity/src/lsps4/scid_store.rs

@@ -184,13 +184,6 @@ where L::Target: Logger, KV::Target: KVStoreSync {
 		Ok(())
 	}
 
-	pub fn add_intercepted_scid(
-		&self, scid: u64, peer_id: PublicKey,
-	) -> Result<bool, io::Error> {
-		let scid = ScidWithPeer::new(scid, peer_id, FeePolicy::Flat(FeeTier::Standard));
-		self.insert(scid)
-	}
-
 	pub fn get_peer(&self, scid: u64) -> Option<PublicKey> {
 		use lightning::log_debug;
 		let result = self.peer_by_scid.read().unwrap().get(&scid).cloned();
@@ -307,7 +300,7 @@ mod tests {
 	#[test]
 	fn default_record_resolves_to_standard_policy() {
 		let store = test_store();
-		store.add_intercepted_scid(42, test_peer()).unwrap();
+		store.insert(ScidWithPeer::new(42, test_peer(), FeePolicy::Flat(FeeTier::Standard))).unwrap();
 
 		assert_eq!(store.get_policy(&test_peer()), Some(FeePolicy::Flat(FeeTier::Standard)));
 	}

lightning-liquidity/src/lsps4/service.rs

@@ -15,10 +15,11 @@ use crate::lsps0::ser::{
 	JSONRPC_INTERNAL_ERROR_ERROR_CODE, JSONRPC_INTERNAL_ERROR_ERROR_MESSAGE,
 	LSPS0_CLIENT_REJECTED_ERROR_CODE,
 };
+use crate::lsps4::claim::verify_claim;
 use crate::lsps4::event::LSPS4ServiceEvent;
 use crate::lsps4::htlc_store::{HTLCStore, InterceptedHtlc};
 use crate::lsps4::fee_policy::{resolve_skim, FeePolicy, FeeTier};
-use crate::lsps4::scid_store::ScidStore;
+use crate::lsps4::scid_store::{ScidStore, ScidWithPeer};
 use crate::message_queue::MessageQueue;
 use crate::prelude::hash_map::Entry;
 use crate::prelude::{new_hash_map, HashMap};
@@ -34,7 +35,7 @@ use lightning::util::logger::{Level, Logger};
 use lightning::util::persist::{KVStore, KVStoreSync};
 use lightning_types::payment::PaymentHash;
 
-use bitcoin::secp256k1::PublicKey;
+use bitcoin::secp256k1::{PublicKey, Secp256k1, VerifyOnly, XOnlyPublicKey};
 
 use core::ops::Deref;
 use core::sync::atomic::{AtomicUsize, Ordering};
@@ -89,6 +90,10 @@ pub struct LSPS4ServiceConfig {
 	pub cltv_expiry_delta: u32,
 	/// The proportional fee, in millionths, to skim from forwarded payments.
 	pub forwarding_fee_proportional_millionths: u64,
+	/// Issuer keys trusted to sign fee-policy grants. Empty disables the feature: every claim is
+	/// rejected and every peer resolves to the standard policy. A claim signed by any one of these
+	/// keys is honoured.
+	pub issuer_pubkeys: Vec<XOnlyPublicKey>,
 }
 
 /// The main object allowing to send and receive LSPS4 messages.
@@ -106,6 +111,8 @@ where
 	htlc_store: HTLCStore<L, K>,
 	connected_peers: RwLock<HashSet<PublicKey>>,
 	config: LSPS4ServiceConfig,
+	/// Long-lived context for verifying fee-claim signatures during registration.
+	secp_ctx: Secp256k1<VerifyOnly>,
 }
 
 impl<CM: Deref + Clone, K: Deref + Clone, L: Deref + Clone> LSPS4ServiceHandler<CM, K, L>
@@ -132,6 +139,7 @@ where
 			config,
 			logger,
 			connected_peers: RwLock::new(HashSet::new()),
+			secp_ctx: Secp256k1::verification_only(),
 		})
 	}
 
@@ -305,8 +313,56 @@ where
 		self.connected_peers.write().unwrap().remove(counterparty_node_id);
 	}
 
+	/// Resolve any fee-policy grant the registering node presented.
+	///
+	/// Returns `None` when the feature is off (no issuer keys configured), when no claim was
+	/// presented, or when the claim does not verify. A `None` must never downgrade a live grant, so
+	/// the caller only upserts on `Some`; a new record falls back to the standard policy.
+	fn resolve_claim_policy(
+		&self, counterparty: &PublicKey, fee_claim: &Option<String>,
+	) -> Option<FeePolicy> {
+		if self.config.issuer_pubkeys.is_empty() {
+			return None;
+		}
+		let fee_claim = fee_claim.as_ref()?;
+		match verify_claim(&self.secp_ctx, fee_claim, &self.config.issuer_pubkeys, counterparty) {
+			Ok(policy) => Some(policy),
+			Err(e) => {
+				log_error!(
+					self.logger,
+					"[LSPS4] Rejected fee claim from {}: {:?}",
+					counterparty,
+					e
+				);
+				None
+			},
+		}
+	}
+
+	/// Persist (upsert) a SCID record carrying the resolved fee policy for a peer.
+	fn persist_scid_policy(
+		&self, intercept_scid: u64, peer: &PublicKey, policy: FeePolicy,
+	) -> Result<(), LightningError> {
+		self.scid_store
+			.insert(ScidWithPeer::new(intercept_scid, peer.clone(), policy))
+			.map(|_| ())
+			.map_err(|e| {
+				log_error!(
+					self.logger,
+					"[LSPS4] Failed to persist intercept SCID {} for peer {}: {}",
+					intercept_scid,
+					peer,
+					e
+				);
+				LightningError {
+					err: format!("Failed to add intercepted SCID: {}", e),
+					action: ErrorAction::IgnoreAndLog(Level::Error),
+				}
+			})
+	}
+
 	fn handle_register_node_request(
-		&self, request_id: LSPSRequestId, counterparty_node_id: &PublicKey, _params: RegisterNodeRequest,
+		&self, request_id: LSPSRequestId, counterparty_node_id: &PublicKey, params: RegisterNodeRequest,
 	) -> Result<(), LightningError> {
 		let fn_start = Instant::now();
 		log_info!(
@@ -317,6 +373,8 @@ where
 		);
 
 		let step_start = Instant::now();
+		let granted_policy = self.resolve_claim_policy(counterparty_node_id, &params.fee_claim);
+
 		let intercept_scid = match self.scid_store.get_scid(counterparty_node_id) {
 			Some(intercept_scid) => {
 				log_info!(
@@ -326,6 +384,11 @@ where
 					intercept_scid,
 					counterparty_node_id
 				);
+				// Upsert a verified grant onto the existing record. An absent or invalid claim
+				// leaves the live policy untouched so a transient miss can't wipe a grant.
+				if let Some(policy) = granted_policy {
+					self.persist_scid_policy(intercept_scid, counterparty_node_id, policy)?;
+				}
 				intercept_scid
 			},
 			None => {
@@ -344,20 +407,8 @@ where
 					counterparty_node_id
 				);
 				let store_start = Instant::now();
-				self.scid_store.add_intercepted_scid(intercept_scid, counterparty_node_id.clone())
-					.map_err(|e| {
-						log_error!(
-							self.logger,
-							"[LSPS4] Failed to persist intercept SCID {} for peer {}: {}",
-							intercept_scid,
-							counterparty_node_id,
-							e
-						);
-						LightningError {
-							err: format!("Failed to add intercepted SCID: {}", e),
-							action: ErrorAction::IgnoreAndLog(Level::Error),
-						}
-					})?;
+				let policy = granted_policy.unwrap_or(FeePolicy::Flat(FeeTier::Standard));
+				self.persist_scid_policy(intercept_scid, counterparty_node_id, policy)?;
 				log_info!(
 					self.logger,
 					"TIMING: [LSPS4] handle_register_node_request scid_store.add_intercepted_scid() took {}ms - Successfully stored intercept SCID {} for peer {}",