@bloxchain/contracts 1.0.0-alpha.15 → 1.0.0-alpha.16
- package/abi/BaseStateMachine.abi.json +5 -0
- package/abi/GuardController.abi.json +5 -0
- package/abi/GuardControllerDefinitions.abi.json +5 -0
- package/abi/IDefinition.abi.json +5 -0
- package/abi/RuntimeRBAC.abi.json +5 -0
- package/abi/RuntimeRBACDefinitions.abi.json +5 -0
- package/abi/SecureOwnable.abi.json +5 -0
- package/abi/SecureOwnableDefinitions.abi.json +5 -0
- package/core/access/lib/definitions/RuntimeRBACDefinitions.sol +290 -288
- package/core/base/BaseStateMachine.sol +947 -943
- package/core/execution/GuardController.sol +1 -0
- package/core/execution/lib/definitions/GuardControllerDefinitions.sol +514 -506
- package/core/lib/EngineBlox.sol +32 -7
- package/core/security/lib/definitions/SecureOwnableDefinitions.sol +802 -786
- package/package.json +1 -1
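--- a/package/core/lib/EngineBlox.sol
+++ b/package/core/lib/EngineBlox.sol
@@ -152,6 +152,7 @@ library EngineBlox {
 bytes32 operationType;
 string operationName;
 uint16 supportedActionsBitmap; // Bitmap for TxAction enum (9 bits max)
+bool enforceHandlerRelations; // When true, handlerForSelectors in permissions must match schema.handlerForSelectors (except self-reference)
 bool isProtected;
 bytes4[] handlerForSelectors;
 }
@@ -477,6 +478,8 @@ library EngineBlox {
 */
 function txCancellationWithMetaTx(SecureOperationState storage self, MetaTransaction memory metaTx) public returns (TxRecord memory) {
 uint256 txId = metaTx.txRecord.txId;
+_validateMetaTxAction(metaTx, TxAction.SIGN_META_CANCEL);
+
 // Validate both execution and handler selector permissions
 _validateExecutionAndHandlerPermissions(self, msg.sender, metaTx.txRecord.params.executionSelector, metaTx.params.handlerSelector, TxAction.EXECUTE_META_CANCEL);
 _validateTxStatus(self, txId, TxStatus.PENDING);
@@ -495,6 +498,8 @@ library EngineBlox {
 * @return The updated TxRecord.
 */
 function txApprovalWithMetaTx(SecureOperationState storage self, MetaTransaction memory metaTx) public returns (TxRecord memory) {
+_validateMetaTxAction(metaTx, TxAction.SIGN_META_APPROVE);
+
 // Validate both execution and handler selector permissions
 _validateExecutionAndHandlerPermissions(self, msg.sender, metaTx.txRecord.params.executionSelector, metaTx.params.handlerSelector, TxAction.EXECUTE_META_APPROVE);
 
@@ -537,6 +542,8 @@ library EngineBlox {
 SecureOperationState storage self,
 MetaTransaction memory metaTx
 ) public returns (TxRecord memory) {
+_validateMetaTxAction(metaTx, TxAction.SIGN_META_REQUEST_AND_APPROVE);
+
 // Validate both execution and handler selector permissions
 _validateExecutionAndHandlerPermissions(self, msg.sender, metaTx.txRecord.params.executionSelector, metaTx.params.handlerSelector, TxAction.EXECUTE_META_REQUEST_AND_APPROVE);
 
@@ -1113,6 +1120,7 @@ library EngineBlox {
 * @param functionSelector Hash identifier for the function.
 * @param operationName The name of the operation type.
 * @param supportedActionsBitmap Bitmap of permissions required to execute this function.
+* @param enforceHandlerRelations When true, handlerForSelectors in permissions must match schema.handlerForSelectors (except self-reference).
 * @param isProtected Whether the function schema is protected from removal.
 * @param handlerForSelectors Non-empty array required - execution selectors must contain self-reference, handler selectors must point to execution selectors
 */
@@ -1122,6 +1130,7 @@ library EngineBlox {
 bytes4 functionSelector,
 string memory operationName,
 uint16 supportedActionsBitmap,
+bool enforceHandlerRelations,
 bool isProtected,
 bytes4[] memory handlerForSelectors
 ) public {
@@ -1173,6 +1182,7 @@ library EngineBlox {
 schema.operationType = derivedOperationType;
 schema.operationName = operationName;
 schema.supportedActionsBitmap = supportedActionsBitmap;
+schema.enforceHandlerRelations = enforceHandlerRelations;
 schema.isProtected = isProtected;
 schema.handlerForSelectors = handlerForSelectors;
 
@@ -1640,10 +1650,9 @@ library EngineBlox {
 }
 
 // Authorization check - verify signer has meta-transaction signing permissions for the function and action
-bool isSignAction = metaTx.params.action == TxAction.SIGN_META_REQUEST_AND_APPROVE || metaTx.params.action == TxAction.SIGN_META_APPROVE || metaTx.params.action == TxAction.SIGN_META_CANCEL;
 bool isHandlerAuthorized = hasActionPermission(self, metaTx.params.signer, metaTx.params.handlerSelector, metaTx.params.action);
 bool isExecutionAuthorized = hasActionPermission(self, metaTx.params.signer, metaTx.txRecord.params.executionSelector, metaTx.params.action);
-if (!
+if (!isHandlerAuthorized || !isExecutionAuthorized) {
 revert SharedValidation.SignerNotAuthorized(metaTx.params.signer);
 }
 
@@ -2152,14 +2161,14 @@ library EngineBlox {
 
 FunctionSchema storage schema = self.functions[functionSelector];
 
+// If this function schema does not enforce handler relations, skip validation.
+if (!schema.enforceHandlerRelations) {
+return;
+}
+
 // Validate each handlerForSelector in the array
 for (uint256 j = 0; j < handlerForSelectors.length; j++) {
 bytes4 handlerForSelector = handlerForSelectors[j];
-
-// Special case: execution function permissions use handlerForSelector == functionSelector (self-reference)
-if (handlerForSelector == functionSelector) {
-continue; // Valid execution function permission
-}
 
 bool found = false;
 for (uint256 i = 0; i < schema.handlerForSelectors.length; i++) {
@@ -2215,6 +2224,22 @@ library EngineBlox {
 _validateActionsSupportedByFunction(self, functionPermission.functionSelector, bitmap);
 }
 
+/**
+* @dev Validates that the meta-transaction uses the expected signer action for the current workflow.
+* @param metaTx The meta-transaction to validate.
+* @param expectedAction The TxAction that must be used as the signer action.
+* @custom:security Enforces strict separation between SIGN_META_REQUEST_AND_APPROVE,
+* SIGN_META_APPROVE and SIGN_META_CANCEL workflows.
+*/
+function _validateMetaTxAction(
+MetaTransaction memory metaTx,
+TxAction expectedAction
+) internal pure {
+if (metaTx.params.action != expectedAction) {
+revert SharedValidation.NotSupported();
+}
+}
+
 /**
 * @dev Validates that all actions present in the bitmap are supported by the function schema.
 * @param self The SecureOperationState to check.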
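Review bot: The struct field comment and the `@param enforceHandlerRelations` NatSpec both promise an exception "(except self-reference)", but the hunk at new lines 2161-2174 deletes the `if (handlerForSelector == functionSelector) { continue; }` skip, so with the flag set a self-referencing entry now has to appear in `schema.handlerForSelectors` like any other entry. If the exception is still intended, the skip should stay inside the enforced path; if not, both comments should drop the parenthetical, e.g. `// When true, every handlerForSelectors entry in a permission must appear in schema.handlerForSelectors`. The added early `return` also turns the check into an opt-in: a schema whose `enforceHandlerRelations` is false, which is the zero value of a storage bool, receives no handler-relation validation at all where the previous version validated every schema, so the fail-open default deserves an explicit statement in the NatSpec. The validating function's signature and the rest of its inner loop lie outside the hunk, so confirm that no other branch restores the self-reference case.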