Added credentials check for free start compute. Use download endpoint from policy server.

Author: mariacarmina

src/@types/commands.ts

@@ -196,10 +196,10 @@ export interface FreeComputeStartCommand extends Command {
   output?: ComputeOutput
   resources?: ComputeResourceRequest[]
   maxJobDuration?: number
+  policyServer?: any // object to pass to policy server
 }
 export interface PaidComputeStartCommand extends FreeComputeStartCommand {
   payment: ComputePayment
-  policyServer?: any // object to pass to policy server
 }
 
 export interface ComputeStopCommand extends Command {

src/components/core/compute/startCompute.ts

@@ -596,6 +596,105 @@ export class FreeComputeStartHandler extends CommandHandler {
           }
         }
       }
+      for (const elem of [...[task.algorithm], ...task.datasets]) {
+        const ddo = await new FindDdoHandler(this.getOceanNode()).findAndFormatDdo(
+          elem.documentId
+        )
+        if (!ddo) {
+          const error = `DDO ${elem.documentId} not found`
+          return {
+            stream: null,
+            status: {
+              httpStatus: 500,
+              error
+            }
+          }
+        }
+        // check credentials (DDO level)
+        let accessGrantedDDOLevel: boolean
+        if (ddo.credentials) {
+          // if POLICY_SERVER_URL exists, then ocean-node will NOT perform any checks.
+          // It will just use the existing code and let PolicyServer decide.
+          if (isPolicyServerConfigured() && task.policyServer) {
+            accessGrantedDDOLevel = await (
+              await new PolicyServer().checkStartCompute(
+                ddo.id,
+                ddo,
+                elem.serviceId,
+                0,
+                elem.transferTxId,
+                task.consumerAddress,
+                task.policyServer
+              )
+            ).success
+          } else {
+            accessGrantedDDOLevel = areKnownCredentialTypes(ddo.credentials)
+              ? checkCredentials(ddo.credentials, task.consumerAddress)
+              : true
+          }
+          if (!accessGrantedDDOLevel) {
+            CORE_LOGGER.logMessage(`Error: Access to asset ${ddo.id} was denied`, true)
+            return {
+              stream: null,
+              status: {
+                httpStatus: 403,
+                error: `Error: Access to asset ${ddo.id} was denied`
+              }
+            }
+          }
+        }
+        const service = AssetUtils.getServiceById(ddo, elem.serviceId)
+        if (!service) {
+          const error = `Cannot find service ${elem.serviceId} in DDO ${elem.documentId}`
+          return {
+            stream: null,
+            status: {
+              httpStatus: 500,
+              error
+            }
+          }
+        }
+        // check credentials on service level
+        // if using a policy server and we are here it means that access was granted (they are merged/assessed together)
+        if (service.credentials) {
+          let accessGrantedServiceLevel: boolean
+          if (isPolicyServerConfigured() && task.policyServer) {
+            // we use the previous check or we do it again
+            // (in case there is no DDO level credentials and we only have Service level ones)
+            accessGrantedServiceLevel =
+              accessGrantedDDOLevel ||
+              (await (
+                await new PolicyServer().checkStartCompute(
+                  ddo.id,
+                  ddo,
+                  elem.serviceId,
+                  0,
+                  elem.transferTxId,
+                  task.consumerAddress,
+                  task.policyServer
+                )
+              ).success)
+          } else {
+            accessGrantedServiceLevel = areKnownCredentialTypes(service.credentials)
+              ? checkCredentials(service.credentials, task.consumerAddress)
+              : true
+          }
+
+          if (!accessGrantedServiceLevel) {
+            CORE_LOGGER.logMessage(
+              `Error: Access to service with id ${service.id} was denied`,
+              true
+            )
+            return {
+              stream: null,
+              status: {
+                httpStatus: 403,
+                error: `Error: Access to service with id ${service.id} was denied`
+              }
+            }
+          }
+        }
+      }
       try {
         const env = await engine.getComputeEnvironment(null, task.environment)
         if (!env) {

src/components/core/compute/utils.ts

@@ -76,6 +76,7 @@ export async function validateAlgoForDataset(
     const datasetService = services.find(
       (service: any) => service.id === datasetServiceId
     )
+    CORE_LOGGER.logMessage(`datasetService: ${JSON.stringify(datasetService)}`)
     if (!datasetService) {
       throw new Error('Dataset service not found')
     }
@@ -85,13 +86,27 @@ export async function validateAlgoForDataset(
     }
 
     if (algoDID) {
+      CORE_LOGGER.logMessage(`has algoDid: ${algoDID}`)
+      CORE_LOGGER.logMessage(
+        `is array1: ${Array.isArray(compute.publisherTrustedAlgorithms)}`
+      )
+      CORE_LOGGER.logMessage(
+        `is array2: ${Array.isArray(compute.publisherTrustedAlgorithmPublishers)}`
+      )
+      CORE_LOGGER.logMessage(
+        `check length 1: ${compute.publisherTrustedAlgorithms.length}`
+      )
+      CORE_LOGGER.logMessage(
+        `check length 2: ${compute.publisherTrustedAlgorithmPublishers.length}`
+      )
       if (
         // if not set allow them all
         (!Array.isArray(compute.publisherTrustedAlgorithms) ||
           compute.publisherTrustedAlgorithms.length === 0) &&
         (!Array.isArray(compute.publisherTrustedAlgorithmPublishers) ||
           compute.publisherTrustedAlgorithmPublishers.length === 0)
       ) {
+        CORE_LOGGER.logMessage(`has algoDid: ${algoDID}`)
         return true
       }
       // if is set only allow if match

src/components/policyServer/index.ts

@@ -109,9 +109,8 @@ export class PolicyServer {
     return await this.askServer(command)
   }
 
-  // TODO: when commands for initializeCompute and startCompute will be
-  // implemented in policy server, we'll update these functions
-  // eslint-disable-next-line require-await
+  // use checkDownload functionality for initializeCompute and startCompute,
+  // it will do the same credentials checks
   async checkInitializeCompute(
     documentId: string,
     ddo: DDO,
@@ -121,10 +120,17 @@ export class PolicyServer {
     consumerAddress: string,
     policyServer: any
   ): Promise<PolicyServerResult> {
-    throw new Error('Not implemented yet in policy server')
+    return await this.checkDownload(
+      documentId,
+      ddo,
+      serviceId,
+      fileIndex,
+      transferTxId,
+      consumerAddress,
+      policyServer
+    )
   }
 
-  // eslint-disable-next-line require-await
   async checkStartCompute(
     documentId: string,
     ddo: DDO,
@@ -134,7 +140,15 @@ export class PolicyServer {
     consumerAddress: string,
     policyServer: any
   ): Promise<PolicyServerResult> {
-    throw new Error('Not implemented yet in policy server')
+    return await this.checkDownload(
+      documentId,
+      ddo,
+      serviceId,
+      fileIndex,
+      transferTxId,
+      consumerAddress,
+      policyServer
+    )
   }
 
   async passThrough(request: any): Promise<PolicyServerResult> {