Validate algorithm for dataset in intializeCompute. (#1012)

mariacarmina · web-flow · commit a8b4d37c6226 · 2025-08-12T08:57:04.000+03:00
* Validate algorithm for dataset in intialize.

* Update samples.

* Add sample with compute asset without access.

* Fix import.

* Update compute test.

* Fix variable.

* Uodate status code.

* Authorize.

* Fix samples w credentials.

* Add new URL for storage.

* Revert URL.
diff --git a/src/components/core/compute/initialize.ts b/src/components/core/compute/initialize.ts
@@ -33,6 +33,7 @@ import { C2DEngineDocker, getAlgorithmImage } from '../../c2d/compute_engine_doc
 import { Credentials, DDOManager } from '@oceanprotocol/ddo-js'
 import { areKnownCredentialTypes, checkCredentials } from '../../../utils/credentials.js'
 import { PolicyServer } from '../../policyServer/index.js'
+import { getAlgoChecksums, validateAlgoForDataset } from './utils.js'
 
 export class ComputeInitializeHandler extends CommandHandler {
   validate(command: ComputeInitializeCommand): ValidateParams {
@@ -88,6 +89,28 @@ export class ComputeInitializeHandler extends CommandHandler {
           }
         }
       }
+
+      const algoChecksums = await getAlgoChecksums(
+        task.algorithm.documentId,
+        task.algorithm.serviceId,
+        node
+      )
+
+      const isRawCodeAlgorithm = task.algorithm.meta?.rawcode
+      const hasValidChecksums = algoChecksums.container && algoChecksums.files
+
+      if (!isRawCodeAlgorithm && !hasValidChecksums) {
+        const errorMessage =
+          'Failed to retrieve algorithm checksums. Both container and files checksums are required.'
+        CORE_LOGGER.error(errorMessage)
+        return {
+          stream: null,
+          status: {
+            httpStatus: 500,
+            error: errorMessage
+          }
+        }
+      }
       if (engine === null) {
         return {
           stream: null,
@@ -201,7 +224,8 @@ export class ComputeInitializeHandler extends CommandHandler {
           const {
             chainId: ddoChainId,
             nftAddress,
-            credentials
+            credentials,
+            metadata
           } = ddoInstance.getDDOFields()
           const isOrdable = isOrderingAllowedForAsset(ddo)
           if (!isOrdable.isOrdable) {
@@ -214,6 +238,30 @@ export class ComputeInitializeHandler extends CommandHandler {
               }
             }
           }
+          if (metadata.type !== 'algorithm') {
+            const index = task.datasets.findIndex(
+              (d) => d.documentId === ddoInstance.getDid()
+            )
+            const safeIndex = index === -1 ? 0 : index
+            const validAlgoForDataset = await validateAlgoForDataset(
+              task.algorithm.documentId,
+              algoChecksums,
+              ddoInstance,
+              task.datasets[safeIndex].serviceId,
+              node
+            )
+            if (!validAlgoForDataset) {
+              return {
+                stream: null,
+                status: {
+                  httpStatus: 400,
+                  error: `Algorithm ${
+                    task.algorithm.documentId
+                  } not allowed to run on the dataset: ${ddoInstance.getDid()}`
+                }
+              }
+            }
+          }
           // check credentials (DDO level)
           let accessGrantedDDOLevel: boolean
           if (credentials) {
diff --git a/src/test/data/assets.ts b/src/test/data/assets.ts
@@ -190,8 +190,14 @@ export const computeAssetWithCredentials = {
       compute: {
         allowRawAlgorithm: false,
         allowNetworkAccess: true,
-        publisherTrustedAlgorithmPublishers: [] as any,
-        publisherTrustedAlgorithms: [] as any
+        publisherTrustedAlgorithmPublishers: ['*'] as any,
+        publisherTrustedAlgorithms: [
+          {
+            did: '*',
+            filesChecksum: '*',
+            containerSectionChecksum: '*'
+          }
+        ] as any
       }
     }
   ],
@@ -287,6 +293,78 @@ export const algoAssetWithCredentials = {
 }
 
 export const computeAsset = {
+  '@context': ['https://w3id.org/did/v1'],
+  id: '',
+  nftAddress: '',
+  version: '4.1.0',
+  chainId: 8996,
+  metadata: {
+    created: '2021-12-20T14:35:20Z',
+    updated: '2021-12-20T14:35:20Z',
+    type: 'dataset',
+    name: 'cli fixed asset',
+    description: 'asset published using ocean.js cli tool',
+    tags: ['test'],
+    author: 'oceanprotocol',
+    license: 'https://market.oceanprotocol.com/terms',
+    additionalInformation: {
+      termsAndConditions: true
+    }
+  },
+  services: [
+    {
+      id: '1155995dda741e93afe4b1c6ced2d01734a6ec69865cc0997daf1f4db7259a36',
+      type: 'compute',
+      files: {
+        files: [
+          {
+            type: 'url',
+            url: 'https://raw.githubusercontent.com/oceanprotocol/testdatasets/main/shs_dataset_test.txt',
+            method: 'GET'
+          }
+        ]
+      },
+      datatokenAddress: '',
+      serviceEndpoint: 'https://v4.provider.oceanprotocol.com',
+      timeout: 86400,
+      compute: {
+        allowRawAlgorithm: false,
+        allowNetworkAccess: true,
+        publisherTrustedAlgorithmPublishers: ['*'] as any,
+        publisherTrustedAlgorithms: [
+          {
+            did: '*',
+            filesChecksum: '*',
+            containerSectionChecksum: '*'
+          }
+        ] as any
+      }
+    }
+  ],
+  event: {},
+  nft: {
+    address: '',
+    name: 'Ocean Data NFT',
+    symbol: 'OCEAN-NFT',
+    state: 5,
+    tokenURI: '',
+    owner: '',
+    created: ''
+  },
+  purgatory: {
+    state: false
+  },
+  datatokens: [] as any,
+  stats: {
+    allocated: 0,
+    orders: 0,
+    price: {
+      value: '0'
+    }
+  }
+}
+
+export const computeAssetWithNoAccess = {
   '@context': ['https://w3id.org/did/v1'],
   id: '',
   nftAddress: '',
diff --git a/src/test/integration/algorithmsAccess.test.ts b/src/test/integration/algorithmsAccess.test.ts
