[API] Add support for encrypted transaction filtering.

Author: JoshLind

crates/aptos-transaction-filters/src/tests/transaction_filter.rs

@@ -140,6 +140,28 @@ fn test_all_filter() {
     }
 }
 
+#[test]
+fn test_encrypted_transaction_filter() {
+    // Create a filter that only allows encrypted transactions
+    let transactions = utils::create_encrypted_and_plaintext_transactions();
+    let filter = TransactionFilter::empty()
+        .add_encrypted_transaction_filter(true)
+        .add_all_filter(false);
+
+    // Verify that the filter returns only encrypted transactions (txn 0, 1 and 2)
+    let filtered_transactions = filter.filter_transactions(transactions.clone());
+    assert_eq!(filtered_transactions, transactions[0..3].to_vec());
+
+    // Create a filter that denies encrypted transactions
+    let filter = TransactionFilter::empty()
+        .add_encrypted_transaction_filter(false)
+        .add_all_filter(true);
+
+    // Verify that the filter returns only plaintext transactions (txn 3 onwards)
+    let filtered_transactions = filter.filter_transactions(transactions.clone());
+    assert_eq!(filtered_transactions, transactions[3..].to_vec());
+}
+
 #[test]
 fn test_empty_filter() {
     for use_new_txn_payload_format in [false, true] {

crates/aptos-transaction-filters/src/tests/transaction_filter_config.rs

@@ -118,3 +118,28 @@ fn test_transaction_filter_config_multiple_matchers() {
         assert_eq!(filtered_transactions, transactions[4..].to_vec());
     }
 }
+
+#[test]
+fn test_transaction_filter_config_multiple_matchers_encrypted() {
+    // Create a set of transactions (encrypted and plaintext)
+    let transactions = utils::create_encrypted_and_plaintext_transactions();
+
+    // Create a filter that denies encrypted transactions from the first transaction sender only
+    let transaction_filter_string = format!(
+        r#"
+            transaction_rules:
+                - Deny:
+                    - EncryptedTransaction
+                    - Sender: "{}"
+                - Allow:
+                    - All
+          "#,
+        transactions[0].sender().to_standard_string()
+    );
+    let transaction_filter =
+        serde_yaml::from_str::<TransactionFilter>(&transaction_filter_string).unwrap();
+
+    // Verify that the first transaction is denied
+    let filtered_transactions = transaction_filter.filter_transactions(transactions.clone());
+    assert_eq!(filtered_transactions, transactions[1..].to_vec());
+}

crates/aptos-transaction-filters/src/tests/utils.rs

@@ -12,6 +12,7 @@ use aptos_types::{
     quorum_store::BatchId,
     transaction::{
         authenticator::{AccountAuthenticator, AnyPublicKey, TransactionAuthenticator},
+        encrypted_payload::EncryptedPayload,
         EntryFunction, Multisig, MultisigTransactionPayload, RawTransaction, Script,
         SignedTransaction, TransactionExecutable, TransactionExecutableRef, TransactionExtraConfig,
         TransactionPayload, TransactionPayloadInner,
@@ -29,6 +30,73 @@ pub fn create_account_authenticator(public_key: Ed25519PublicKey) -> AccountAuth
     }
 }
 
+/// Creates and returns a list of transactions (3 encrypted and 5 plaintext)
+pub fn create_encrypted_and_plaintext_transactions() -> Vec<SignedTransaction> {
+    let mut transactions = vec![];
+
+    // Create 3 encrypted transactions (all in different states)
+    transactions.push(create_encrypted_transaction());
+    transactions.push(create_encrypted_transaction_failed_state());
+    transactions.push(create_encrypted_transaction_plaintext_state());
+
+    // Create 5 plaintext transactions
+    for _ in 0..5 {
+        let transaction = create_fee_payer_transaction();
+        transactions.push(transaction)
+    }
+
+    transactions
+}
+
+/// Creates and returns an encrypted transaction
+pub fn create_encrypted_transaction() -> SignedTransaction {
+    let encrypted_payload = EncryptedPayload::Encrypted {
+        ciphertext: vec![],
+        extra_config: TransactionExtraConfig::V1 {
+            multisig_address: None,
+            replay_protection_nonce: None,
+        },
+        payload_hash: HashValue::random(),
+    };
+
+    let transaction_payload = TransactionPayload::EncryptedPayload(encrypted_payload);
+    create_signed_transaction(transaction_payload, false)
+}
+
+/// Creates and returns an encrypted transaction in a failed decryption state
+pub fn create_encrypted_transaction_failed_state() -> SignedTransaction {
+    let encrypted_payload = EncryptedPayload::FailedDecryption {
+        ciphertext: vec![],
+        extra_config: TransactionExtraConfig::V1 {
+            multisig_address: None,
+            replay_protection_nonce: None,
+        },
+        payload_hash: HashValue::random(),
+        eval_proof: vec![],
+    };
+
+    let transaction_payload = TransactionPayload::EncryptedPayload(encrypted_payload);
+    create_signed_transaction(transaction_payload, false)
+}
+
+/// Creates and returns an encrypted transaction in a plaintext state
+pub fn create_encrypted_transaction_plaintext_state() -> SignedTransaction {
+    let encrypted_payload = EncryptedPayload::Decrypted {
+        ciphertext: vec![],
+        extra_config: TransactionExtraConfig::V1 {
+            multisig_address: None,
+            replay_protection_nonce: None,
+        },
+        payload_hash: HashValue::random(),
+        eval_proof: vec![],
+        executable: TransactionExecutable::Empty,
+        decryption_nonce: 0,
+    };
+
+    let transaction_payload = TransactionPayload::EncryptedPayload(encrypted_payload);
+    create_signed_transaction(transaction_payload, false)
+}
+
 /// Creates and returns an entry function with the given member ID
 pub fn create_entry_function(function: MemberId) -> EntryFunction {
     let MemberId {

crates/aptos-transaction-filters/src/transaction_filter.rs

@@ -101,6 +101,12 @@ impl TransactionFilter {
         self.add_multiple_matchers_filter(allow, vec![transaction_matcher])
     }
 
+    /// Adds an encrypted transaction matcher to the filter
+    pub fn add_encrypted_transaction_filter(self, allow: bool) -> Self {
+        let transaction_matcher = TransactionMatcher::EncryptedTransaction;
+        self.add_multiple_matchers_filter(allow, vec![transaction_matcher])
+    }
+
     /// Adds an entry function matcher to the filter
     pub fn add_entry_function_filter(
         self,
@@ -170,6 +176,7 @@ pub enum TransactionMatcher {
     EntryFunction(AccountAddress, String, String), // Matches any transaction that calls a specific entry function in a module
     AccountAddress(AccountAddress), // Matches any transaction that involves a specific account address
     PublicKey(AnyPublicKey),        // Matches any transaction that involves a specific public key
+    EncryptedTransaction,           // Matches any encrypted transaction
 }
 
 impl TransactionMatcher {
@@ -197,6 +204,9 @@ impl TransactionMatcher {
             TransactionMatcher::PublicKey(public_key) => {
                 matches_transaction_authenticator_public_key(signed_transaction, public_key)
             },
+            TransactionMatcher::EncryptedTransaction => {
+                matches_encrypted_transaction(signed_transaction)
+            },
         }
     }
 }
@@ -313,6 +323,14 @@ fn matches_any_public_key_address(any_public_key: &AnyPublicKey, address: &Accou
     }
 }
 
+/// Returns true iff the transaction is an encrypted transaction
+fn matches_encrypted_transaction(signed_transaction: &SignedTransaction) -> bool {
+    matches!(
+        signed_transaction.payload(),
+        TransactionPayload::EncryptedPayload(_)
+    )
+}
+
 /// Returns true iff the transaction's entry function matches the given account address, module name, and function name
 fn matches_entry_function(
     signed_transaction: &SignedTransaction,