add AUTHORIZED_DECRYPTERS_LIST

.env.example

@@ -20,6 +20,7 @@ export FEE_AMOUNT=
 export ADDRESS_FILE=
 export NODE_ENV=
 export AUTHORIZED_DECRYPTERS=
+export AUTHORIZED_DECRYPTERS_LIST=
 export OPERATOR_SERVICE_URL=
 export POLICY_SERVER_URL
 export INTERFACES=

docs/dockerDeployment.md

@@ -91,6 +91,7 @@ services:
       #      ADDRESS_FILE: ''
       #      NODE_ENV: ''
       #      AUTHORIZED_DECRYPTERS: ''
+      #      AUTHORIZED_DECRYPTERS_LIST: ''
       #      OPERATOR_SERVICE_URL: ''
       INTERFACES: '["HTTP","P2P"]'
       #      ALLOWED_VALIDATORS: ''

docs/env.md

@@ -15,6 +15,7 @@ Environmental variables are also tracked in `ENVIRONMENT_VARIABLES` within `src/
 - `ADDRESS_FILE`: File location where Ocean contract addresses are saved. Example: `"ADDRESS_FILE=${HOME}/.ocean/ocean-contracts/artifacts/address.json"`
 - `NODE_ENV`: Typically used to specify the environment (e.g., development, production) the node is running in. Example: `'development'`
 - `AUTHORIZED_DECRYPTERS`: A JSON array of addresses that are authorized to decrypt data. Example: `"['0xe2DD09d719Da89e5a3D0F2549c7E24566e947260']"`
+- `AUTHORIZED_DECRYPTERS_LIST`: AccessList contract addresses (per chain). If present, only accounts present on the given access lists can decrypt data. Example: `"{ \"8996\": [\"0x967da4048cD07aB37855c090aAF366e4ce1b9F48\",\"0x388C818CA8B9251b393131C08a736A67ccB19297\"] }"`
 - `OPERATOR_SERVICE_URL`: Configures C2D cluster URLs for the node. Example: `"[\"http://example.c2d.cluster1.com\",\"http://example.cd2.cluster2.com\"]"`
 - `INTERFACES`: Network interfaces the node supports, e.g., HTTP and P2P. By default, if not specified, both are supported. Example: `"[\"HTTP\",\"P2P\"]"`
 - `ALLOWED_VALIDATORS`: Array of addresses for allowed validators to verify asset signatures before indexing. Example: `"[\"0x123\",\"0x456\"]"`

scripts/ocean-node-quickstart.sh

@@ -147,6 +147,7 @@ services:
 #      ADDRESS_FILE: ''
 #      NODE_ENV: ''
 #      AUTHORIZED_DECRYPTERS: ''
+#      AUTHORIZED_DECRYPTERS_LIST: ''
 #      OPERATOR_SERVICE_URL: ''
 #      POLICY_SERVER_URL: ''
       INTERFACES: '["HTTP","P2P"]'

src/@types/OceanNode.ts

@@ -81,6 +81,7 @@ export interface AccessListContract {
 }
 export interface OceanNodeConfig {
   authorizedDecrypters: string[]
+  authorizedDecryptersList: AccessListContract | null
   allowedValidators: string[]
   allowedValidatorsList: AccessListContract | null
   authorizedPublishers: string[]

src/components/core/handler/ddoHandler.ts

@@ -17,6 +17,7 @@
 import { Blockchain } from '../../../utils/blockchain.js'
 import { ethers, isAddress } from 'ethers'
 import ERC721Template from '@oceanprotocol/contracts/artifacts/contracts/templates/ERC721Template.sol/ERC721Template.json' assert { type: 'json' }
+import AccessListContract from '@oceanprotocol/contracts/artifacts/contracts/accesslists/AccessList.sol/AccessList.json' assert { type: 'json' }
 // import lzma from 'lzma-native'
 import lzmajs from 'lzma-purejs-requirejs'
 import {
@@ -199,6 +200,48 @@
         }
       }
 
+      // access lit checks, needs blockchain connection
+      const { authorizedDecryptersList } = config
+      if (authorizedDecryptersList && Object.keys(authorizedDecryptersList).length > 0) {
+        // check accessList
+        const chainsListed = Object.keys(authorizedDecryptersList)
+        // check the access lists for this chain
+        if (chainsListed.length > 0 && chainsListed.includes(chainId)) {
+          let isAllowed = false
+          for (const accessListAddress of authorizedDecryptersList[chainId]) {
+            // instantiate contract and check balanceOf
+            const accessListContract = new ethers.Contract(
+              accessListAddress,
+              AccessListContract.abi,
+              blockchain.getSigner()
+            )
+
+            // check access list contract
+            const balance = await accessListContract.balanceOf(
+              await blockchain.getSigner().getAddress()
+            )
+            if (Number(balance) > 0) {
+              isAllowed = true
+              break
+            }
+          }
+
+          if (!isAllowed) {
+            CORE_LOGGER.logMessage(
+              'Decrypt DDO: Decrypter not authorized per access list',
+              true
+            )
+            return {
+              stream: null,
+              status: {
+                httpStatus: 403,
+                error: 'Decrypt DDO: Decrypter not authorized per access list'
+              }
+            }
+          }
+        }
+      }
+
       const transactionId = task.transactionId ? String(task.transactionId) : ''
       let encryptedDocument: Uint8Array
       let flags: number
@@ -239,7 +282,7 @@
         try {
           encryptedDocument = ethers.getBytes(task.encryptedDocument)
           flags = Number(task.flags)
           documentHash = task.documentHash
         } catch (error) {
           CORE_LOGGER.logMessage(`Decrypt DDO: error ${error}`, true)
           return {

src/utils/config.ts

@@ -201,6 +201,22 @@ function getAuthorizedDecrypters(isStartup?: boolean): string[] {
     isStartup
   )
 }
+
+function getAuthorizedDecryptersList(isStartup?: boolean): AccessListContract | null {
+  if (
+    existsEnvironmentVariable(ENVIRONMENT_VARIABLES.AUTHORIZED_DECRYPTERS_LIST, isStartup)
+  ) {
+    try {
+      const decryptersAccessList = JSON.parse(
+        ENVIRONMENT_VARIABLES.AUTHORIZED_DECRYPTERS_LIST.value
+      ) as AccessListContract
+      return decryptersAccessList
+    } catch (err) {
+      CONFIG_LOGGER.error(err.message)
+    }
+  }
+  return null
+}
 // allowed validators
 export function getAllowedValidators(isStartup?: boolean): string[] {
   return readAddressListFromEnvVariable(
@@ -607,6 +623,7 @@ async function getEnvConfig(isStartup?: boolean): Promise<OceanNodeConfig> {
 
   const config: OceanNodeConfig = {
     authorizedDecrypters: getAuthorizedDecrypters(isStartup),
+    authorizedDecryptersList: getAuthorizedDecryptersList(isStartup),
     allowedValidators: getAllowedValidators(isStartup),
     allowedValidatorsList: getAllowedValidatorsList(isStartup),
     authorizedPublishers: getAuthorizedPublishers(isStartup),

src/utils/constants.ts

@@ -219,6 +219,11 @@ export const ENVIRONMENT_VARIABLES: Record<any, EnvVariable> = {
     value: process.env.AUTHORIZED_DECRYPTERS,
     required: false
   },
+  AUTHORIZED_DECRYPTERS_LIST: {
+    name: 'AUTHORIZED_DECRYPTERS_LIST',
+    value: process.env.AUTHORIZED_DECRYPTERS_LIST,
+    required: false
+  },
   OPERATOR_SERVICE_URL: {
     name: 'OPERATOR_SERVICE_URL',
     value: process.env.OPERATOR_SERVICE_URL,