@chainlink/ace 0.5.0 → 1.0.0

package/packages/policy-management/test/policies/BypassPolicy.t.sol

@@ -1,16 +1,16 @@
 // SPDX-License-Identifier: BUSL-1.1
-pragma solidity 0.8.26;
+pragma solidity ^0.8.20;
 
 import {IPolicyEngine, PolicyEngine} from "@chainlink/policy-management/core/PolicyEngine.sol";
 import {ERC20TransferExtractor} from "@chainlink/policy-management/extractors/ERC20TransferExtractor.sol";
 import {BypassPolicy} from "@chainlink/policy-management/policies/BypassPolicy.sol";
-import {MockToken} from "../helpers/MockToken.sol";
+import {MockTokenUpgradeable} from "../helpers/MockTokenUpgradeable.sol";
 import {ERC3643MintBurnExtractor} from "@chainlink/policy-management/extractors/ERC3643MintBurnExtractor.sol";
 import {BaseProxyTest} from "../helpers/BaseProxyTest.sol";
 
 contract BypassPolicyTest is BaseProxyTest {
   PolicyEngine public policyEngine;
-  MockToken public token;
+  MockTokenUpgradeable public token;
   BypassPolicy public bypassPolicy;
   address public deployer;
   address public account;
@@ -30,26 +30,31 @@ contract BypassPolicyTest is BaseProxyTest {
     // add account by default
     bypassPolicy.allowAddress(account);
 
-    token = MockToken(_deployMockToken(address(policyEngine)));
+    token = MockTokenUpgradeable(_deployMockToken(address(policyEngine)));
 
     // set up the bypassPolicy to check the recipient and origin address of token transfers
     ERC20TransferExtractor transferExtractor = new ERC20TransferExtractor();
     bytes32[] memory transferPolicyParams = new bytes32[](2);
     transferPolicyParams[0] = transferExtractor.PARAM_TO();
     transferPolicyParams[1] = transferExtractor.PARAM_FROM();
-    policyEngine.setExtractor(MockToken.transfer.selector, address(transferExtractor));
-    policyEngine.addPolicy(address(token), MockToken.transfer.selector, address(bypassPolicy), transferPolicyParams);
+    policyEngine.setExtractor(MockTokenUpgradeable.transfer.selector, address(transferExtractor));
+    policyEngine.addPolicy(
+      address(token), MockTokenUpgradeable.transfer.selector, address(bypassPolicy), transferPolicyParams
+    );
     // set up the bypassPolicy to check the mint account (single account)
     ERC3643MintBurnExtractor mintBurnExtractor = new ERC3643MintBurnExtractor();
     bytes32[] memory mintPolicyParams = new bytes32[](1);
     mintPolicyParams[0] = mintBurnExtractor.PARAM_ACCOUNT();
-    policyEngine.setExtractor(MockToken.mint.selector, address(mintBurnExtractor));
-    policyEngine.addPolicy(address(token), MockToken.mint.selector, address(bypassPolicy), mintPolicyParams);
+    policyEngine.setExtractor(MockTokenUpgradeable.mint.selector, address(mintBurnExtractor));
+    policyEngine.addPolicy(address(token), MockTokenUpgradeable.mint.selector, address(bypassPolicy), mintPolicyParams);
   }
 
   function test_allowAddress_succeeds() public {
     vm.startPrank(deployer, deployer);
 
+    vm.expectEmit(true, true, true, true);
+    emit BypassPolicy.AddressAllowed(recipient);
+
     // add the address to the allow list
     bypassPolicy.allowAddress(recipient);
     vm.assertEq(bypassPolicy.addressAllowed(recipient), true);
@@ -74,6 +79,9 @@ contract BypassPolicyTest is BaseProxyTest {
     bypassPolicy.allowAddress(recipient);
     vm.assertEq(bypassPolicy.addressAllowed(recipient), true);
 
+    vm.expectEmit(true, true, true, true);
+    emit BypassPolicy.AddressDisallowed(recipient);
+
     // remove the address from the bypass list
     bypassPolicy.disallowAddress(recipient);
     vm.assertEq(bypassPolicy.addressAllowed(recipient), false);
@@ -105,7 +113,13 @@ contract BypassPolicyTest is BaseProxyTest {
     vm.startPrank(account, account);
 
     // transfer from address to recipient (reverts)
-    vm.expectRevert(_encodeRejectedRevert(0, address(0), "no policy allowed the action and default is reject"));
+    _expectRejectedRevert(
+      address(0),
+      "no policy allowed the action and default is reject",
+      MockTokenUpgradeable.transfer.selector,
+      account,
+      abi.encode(recipient, 100)
+    );
     token.transfer(recipient, 100);
   }
 
@@ -125,7 +139,13 @@ contract BypassPolicyTest is BaseProxyTest {
 
     // transfer from address to recipient (should revert after removal)
     vm.startPrank(account, account);
-    vm.expectRevert(_encodeRejectedRevert(0, address(0), "no policy allowed the action and default is reject"));
+    _expectRejectedRevert(
+      address(0),
+      "no policy allowed the action and default is reject",
+      MockTokenUpgradeable.transfer.selector,
+      account,
+      abi.encode(recipient, 100)
+    );
     token.transfer(recipient, 100);
   }
 
@@ -137,7 +157,13 @@ contract BypassPolicyTest is BaseProxyTest {
 
   function test_mint_notInList_defaultReject_failure() public {
     vm.startPrank(deployer, deployer);
-    vm.expectRevert(_encodeRejectedRevert(0, address(0), "no policy allowed the action and default is reject"));
+    _expectRejectedRevert(
+      address(0),
+      "no policy allowed the action and default is reject",
+      MockTokenUpgradeable.mint.selector,
+      deployer,
+      abi.encode(recipient, 100)
+    );
     token.mint(recipient, 100);
   }
 
@@ -145,15 +171,17 @@ contract BypassPolicyTest is BaseProxyTest {
     vm.startPrank(deployer);
     // misconfigure the bypassPolicy to check burn operations (no accounts)
     ERC3643MintBurnExtractor mintBurnExtractor = new ERC3643MintBurnExtractor();
-    policyEngine.setExtractor(MockToken.burn.selector, address(mintBurnExtractor));
-    policyEngine.addPolicy(address(token), MockToken.burn.selector, address(bypassPolicy), new bytes32[](0));
-
-    bytes memory error = abi.encodeWithSignature("Error(string)", "expected at least 1 parameter");
-    vm.expectRevert(
-      abi.encodeWithSelector(
-        IPolicyEngine.PolicyRunError.selector, MockToken.burn.selector, address(bypassPolicy), error
-      )
-    );
+    policyEngine.setExtractor(MockTokenUpgradeable.burn.selector, address(mintBurnExtractor));
+    policyEngine.addPolicy(address(token), MockTokenUpgradeable.burn.selector, address(bypassPolicy), new bytes32[](0));
+
+    IPolicyEngine.Payload memory payload = IPolicyEngine.Payload({
+      selector: MockTokenUpgradeable.burn.selector,
+      sender: deployer,
+      data: abi.encode(account, 100),
+      context: new bytes(0)
+    });
+    bytes memory error = abi.encodeWithSignature("InvalidParameters(string)", "expected at least 1 parameter");
+    _expectRunError(address(bypassPolicy), error, payload);
     token.burn(account, 100);
   }
 }

package/packages/policy-management/test/policies/CertifiedActionDONValidatorPolicy.t.sol

@@ -0,0 +1,172 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity ^0.8.20;
+
+import {IPolicyEngine, PolicyEngine} from "@chainlink/policy-management/core/PolicyEngine.sol";
+import {ICertifiedActionValidator} from "@chainlink/policy-management/interfaces/ICertifiedActionValidator.sol";
+import {CertifiedActionValidatorPolicy} from "@chainlink/policy-management/policies/CertifiedActionValidatorPolicy.sol";
+import {CertifiedActionDONValidatorPolicy} from
+  "@chainlink/policy-management/policies/CertifiedActionDONValidatorPolicy.sol";
+import {MockTokenUpgradeable} from "../helpers/MockTokenUpgradeable.sol";
+import {MockTokenExtractor} from "../helpers/MockTokenExtractor.sol";
+import {BaseCertifiedActionTest} from "../helpers/BaseCertifiedActionTest.sol";
+
+contract CertifiedActionDONValidatorPolicyTest is BaseCertifiedActionTest {
+  PolicyEngine public policyEngine;
+  MockTokenUpgradeable public token;
+  CertifiedActionDONValidatorPolicy public policy;
+  address public deployer;
+  address public recipient;
+  address public signer;
+  uint256 public signerKey;
+  address public mockKeystoneForwarder;
+
+  function setUp() public {
+    deployer = makeAddr("deployer");
+    recipient = makeAddr("recipient");
+    (signer, signerKey) = makeAddrAndKey("signer");
+    mockKeystoneForwarder = makeAddr("mockKeystoneForwarder");
+
+    vm.startPrank(deployer);
+
+    policyEngine = _deployPolicyEngine(true, deployer);
+
+    CertifiedActionDONValidatorPolicy policyImpl = new CertifiedActionDONValidatorPolicy();
+    policy = CertifiedActionDONValidatorPolicy(
+      _deployPolicy(address(policyImpl), address(policyEngine), deployer, abi.encode(mockKeystoneForwarder))
+    );
+    policy.allowIssuer(abi.encode(signer));
+    MockTokenExtractor extractor = new MockTokenExtractor();
+    bytes32[] memory parameterOutputFormat = new bytes32[](3);
+    parameterOutputFormat[0] = extractor.PARAM_FROM();
+    parameterOutputFormat[1] = extractor.PARAM_TO();
+    parameterOutputFormat[2] = extractor.PARAM_AMOUNT();
+
+    token = MockTokenUpgradeable(_deployMockToken(address(policyEngine)));
+
+    policyEngine.setExtractor(MockTokenUpgradeable.transfer.selector, address(extractor));
+    policyEngine.setExtractor(MockTokenUpgradeable.transferFrom.selector, address(extractor));
+
+    policyEngine.addPolicy(
+      address(token), MockTokenUpgradeable.transfer.selector, address(policy), parameterOutputFormat
+    );
+    policyEngine.addPolicy(
+      address(token), MockTokenUpgradeable.transferFrom.selector, address(policy), parameterOutputFormat
+    );
+  }
+
+  function test_DONPreActionPermit_validPermit_succeeds() public {
+    vm.startPrank(mockKeystoneForwarder);
+
+    bytes[] memory params = new bytes[](3);
+    params[0] = abi.encode(deployer);
+    params[1] = abi.encode(recipient);
+    params[2] = abi.encode(uint256(100));
+
+    ICertifiedActionValidator.Permit memory permit =
+      _generatePermit(deployer, address(token), MockTokenUpgradeable.transfer.selector, params);
+
+    policy.onReport(_ocrMetadata(), abi.encode(permit));
+    uint256 usage = policy.getUsage(permit.permitId);
+
+    vm.stopPrank();
+    vm.startPrank(deployer);
+
+    vm.assertEq(token.balanceOf(recipient), 0);
+    token.transfer(recipient, 100);
+    vm.assertEq(token.balanceOf(recipient), 100);
+    vm.assertEq(policy.getUsage(permit.permitId), usage + 1);
+  }
+
+  function test_InvalidDONPreActionPermit_validPermit_succeeds() public {
+    address bogus = makeAddr("bogus");
+    vm.startPrank(bogus);
+
+    bytes[] memory params = new bytes[](3);
+    params[0] = abi.encode(deployer);
+    params[1] = abi.encode(recipient);
+    params[2] = abi.encode(uint256(100));
+
+    ICertifiedActionValidator.Permit memory permit =
+      _generatePermit(deployer, address(token), MockTokenUpgradeable.transfer.selector, params);
+
+    vm.expectRevert(
+      abi.encodeWithSelector(CertifiedActionDONValidatorPolicy.UnauthorizedKeystoneForwarder.selector, bogus)
+    );
+    policy.onReport(_ocrMetadata(), abi.encode(permit));
+  }
+
+  function test_check_fromKeystoneForwarder_returnsTrue() public {
+    vm.startPrank(mockKeystoneForwarder);
+
+    bytes[] memory params = new bytes[](3);
+    params[0] = abi.encode(deployer);
+    params[1] = abi.encode(recipient);
+    params[2] = abi.encode(uint256(100));
+
+    ICertifiedActionValidator.Permit memory permit =
+      _generatePermit(deployer, address(token), MockTokenUpgradeable.transfer.selector, params);
+
+    policy.onReport(_ocrMetadata(), abi.encode(permit));
+
+    vm.assertEq(policy.check(permit, abi.encode(signer)), true);
+  }
+
+  function test_check_invalidAddress_fromKeystoneForwarder_returnsFalse() public {
+    vm.startPrank(mockKeystoneForwarder);
+
+    bytes[] memory params = new bytes[](3);
+    params[0] = abi.encode(deployer);
+    params[1] = abi.encode(recipient);
+    params[2] = abi.encode(uint256(100));
+
+    ICertifiedActionValidator.Permit memory permit =
+      _generatePermit(deployer, address(token), MockTokenUpgradeable.transfer.selector, params);
+
+    policy.onReport(_ocrMetadata(), abi.encode(permit));
+
+    vm.assertEq(policy.check(permit, abi.encode(makeAddr("randomAddress"))), false);
+  }
+
+  function test_contextualPermit_reverts() public {
+    vm.startPrank(deployer);
+
+    MockTokenExtractor extractor = new MockTokenExtractor();
+    bytes32[] memory parameterOutputFormat = new bytes32[](3);
+    parameterOutputFormat[0] = extractor.PARAM_FROM();
+    parameterOutputFormat[1] = extractor.PARAM_TO();
+    parameterOutputFormat[2] = extractor.PARAM_AMOUNT();
+
+    policyEngine.setExtractor(MockTokenUpgradeable.transferWithContext.selector, address(extractor));
+    policyEngine.addPolicy(
+      address(token), MockTokenUpgradeable.transferWithContext.selector, address(policy), parameterOutputFormat
+    );
+
+    bytes[] memory params = new bytes[](3);
+    params[0] = abi.encode(deployer);
+    params[1] = abi.encode(recipient);
+    params[2] = abi.encode(uint256(100));
+
+    ICertifiedActionValidator.Permit memory permit =
+      _generatePermit(deployer, address(token), MockTokenUpgradeable.transferWithContext.selector, params);
+
+    bytes memory context = abi.encode(ICertifiedActionValidator.SignedPermit(permit, abi.encode(signer)));
+    _expectRejectedRevert(
+      address(policy),
+      "invalid signed permit in context",
+      MockTokenUpgradeable.transferWithContext.selector,
+      deployer,
+      abi.encode(recipient, 100, context),
+      context
+    );
+    token.transferWithContext(recipient, 100, context);
+  }
+
+  function _ocrMetadata() internal returns (bytes memory) {
+    return abi.encodePacked(
+      uint256(1234), // workflow_cid (32 bytes)
+      "AAAAAAAAAA", // workflow_name (10 bytes)
+      signer, // workflow_owner (20 bytes)
+      "BB" // report_name (2 bytes)
+    );
+  }
+}

package/packages/policy-management/test/policies/CertifiedActionERC20TransferValidatorPolicy.t.sol

@@ -0,0 +1,217 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity ^0.8.20;
+
+import {IPolicyEngine, PolicyEngine} from "@chainlink/policy-management/core/PolicyEngine.sol";
+import {ICertifiedActionValidator} from "@chainlink/policy-management/interfaces/ICertifiedActionValidator.sol";
+import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
+import {Policy} from "@chainlink/policy-management/core/Policy.sol";
+import {CertifiedActionValidatorPolicy} from "@chainlink/policy-management/policies/CertifiedActionValidatorPolicy.sol";
+import {CertifiedActionERC20TransferValidatorPolicy} from
+  "@chainlink/policy-management/policies/CertifiedActionERC20TransferValidatorPolicy.sol";
+import {MockTokenUpgradeable} from "../helpers/MockTokenUpgradeable.sol";
+import {MockTokenExtractor} from "../helpers/MockTokenExtractor.sol";
+import {BaseCertifiedActionTest} from "../helpers/BaseCertifiedActionTest.sol";
+
+contract CertifiedActionERC20TransferValidatorPolicyTest is BaseCertifiedActionTest {
+  PolicyEngine public policyEngine;
+  MockTokenUpgradeable public token;
+  CertifiedActionValidatorPolicy public policy;
+  address public deployer;
+  address public recipient;
+  address public signer;
+  uint256 public signerKey;
+
+  function setUp() public {
+    deployer = makeAddr("deployer");
+    recipient = makeAddr("recipient");
+    (signer, signerKey) = makeAddrAndKey("signer");
+
+    vm.startPrank(deployer);
+
+    policyEngine = _deployPolicyEngine(true, deployer);
+
+    CertifiedActionERC20TransferValidatorPolicy policyImpl = new CertifiedActionERC20TransferValidatorPolicy();
+    policy = CertifiedActionERC20TransferValidatorPolicy(
+      _deployPolicy(address(policyImpl), address(policyEngine), deployer, "")
+    );
+    policy.allowIssuer(abi.encode(signer));
+    MockTokenExtractor extractor = new MockTokenExtractor();
+    bytes32[] memory parameterOutputFormat = new bytes32[](3);
+    parameterOutputFormat[0] = extractor.PARAM_FROM();
+    parameterOutputFormat[1] = extractor.PARAM_TO();
+    parameterOutputFormat[2] = extractor.PARAM_AMOUNT();
+
+    token = MockTokenUpgradeable(_deployMockToken(address(policyEngine)));
+
+    policyEngine.setExtractor(MockTokenUpgradeable.transfer.selector, address(extractor));
+    policyEngine.setExtractor(MockTokenUpgradeable.transferWithContext.selector, address(extractor));
+    policyEngine.setExtractor(MockTokenUpgradeable.transferFrom.selector, address(extractor));
+
+    policyEngine.addPolicy(
+      address(token), MockTokenUpgradeable.transfer.selector, address(policy), parameterOutputFormat
+    );
+    policyEngine.addPolicy(
+      address(token), MockTokenUpgradeable.transferWithContext.selector, address(policy), parameterOutputFormat
+    );
+    policyEngine.addPolicy(
+      address(token), MockTokenUpgradeable.transferFrom.selector, address(policy), parameterOutputFormat
+    );
+  }
+
+  function test_preActionPermit_validPermitExact_succeeds() public {
+    vm.startPrank(deployer);
+
+    bytes[] memory params = new bytes[](3);
+    params[0] = abi.encode(deployer);
+    params[1] = abi.encode(recipient);
+    params[2] = abi.encode(uint256(100));
+
+    ICertifiedActionValidator.Permit memory permit =
+      _generatePermit(deployer, address(token), IERC20.transfer.selector, params);
+
+    bytes memory signature = _signPermit(policy, permit, signerKey);
+
+    policy.present(permit, signature);
+    uint256 usage = policy.getUsage(permit.permitId);
+
+    vm.assertEq(token.balanceOf(recipient), 0);
+    token.transfer(recipient, 100);
+    vm.assertEq(token.balanceOf(recipient), 100);
+    vm.assertEq(policy.getUsage(permit.permitId), usage + 1);
+  }
+
+  function test_preActionPermit_validPermitUnderMax_succeeds() public {
+    vm.startPrank(deployer);
+
+    bytes[] memory params = new bytes[](3);
+    params[0] = abi.encode(deployer);
+    params[1] = abi.encode(recipient);
+    params[2] = abi.encode(uint256(100));
+
+    ICertifiedActionValidator.Permit memory permit =
+      _generatePermit(deployer, address(token), IERC20.transfer.selector, params);
+
+    bytes memory signature = _signPermit(policy, permit, signerKey);
+
+    policy.present(permit, signature);
+    uint256 usage = policy.getUsage(permit.permitId);
+
+    vm.assertEq(token.balanceOf(recipient), 0);
+    token.transfer(recipient, 99);
+    vm.assertEq(token.balanceOf(recipient), 99);
+    vm.assertEq(policy.getUsage(permit.permitId), usage + 1);
+  }
+
+  function test_preActionPermit_validPermitOverMaxAmount_reverts() public {
+    vm.startPrank(deployer);
+
+    bytes[] memory params = new bytes[](3);
+    params[0] = abi.encode(deployer);
+    params[1] = abi.encode(recipient);
+    params[2] = abi.encode(uint256(100));
+
+    ICertifiedActionValidator.Permit memory permit =
+      _generatePermit(deployer, address(token), IERC20.transfer.selector, params);
+
+    bytes memory signature = _signPermit(policy, permit, signerKey);
+
+    policy.present(permit, signature);
+
+    _expectRejectedRevert(
+      address(policy),
+      "no valid pre-presented permit found",
+      MockTokenUpgradeable.transfer.selector,
+      deployer,
+      abi.encode(recipient, 101)
+    );
+    token.transfer(recipient, 101);
+  }
+
+  function test_preActionPermit_invalidSelector_reverts() public {
+    vm.startPrank(deployer);
+
+    bytes[] memory params = new bytes[](3);
+    params[0] = abi.encode(deployer);
+    params[1] = abi.encode(recipient);
+    params[2] = abi.encode(uint256(100));
+
+    ICertifiedActionValidator.Permit memory permit =
+      _generatePermit(deployer, address(token), IERC20.approve.selector, params);
+
+    bytes memory signature = _signPermit(policy, permit, signerKey);
+
+    vm.expectRevert(abi.encodeWithSelector(Policy.InvalidParameters.selector, "unsupported selector"));
+    policy.present(permit, signature);
+  }
+
+  function test_no_permit_reverts() public {
+    vm.startPrank(deployer);
+
+    _expectRejectedRevert(
+      address(policy),
+      "no valid permit found",
+      MockTokenUpgradeable.transfer.selector,
+      deployer,
+      abi.encode(recipient, 100)
+    );
+    token.transfer(recipient, 100);
+  }
+
+  function test_check_validPermit_returnsTrue() public {
+    vm.startPrank(deployer);
+
+    bytes[] memory params = new bytes[](3);
+    params[0] = abi.encode(deployer);
+    params[1] = abi.encode(recipient);
+    params[2] = abi.encode(uint256(100));
+
+    // permit for transfer
+    ICertifiedActionValidator.Permit memory permit1 =
+      _generatePermit(deployer, address(token), IERC20.transfer.selector, params);
+
+    bytes memory signature1 = _signPermit(policy, permit1, signerKey);
+
+    policy.present(permit1, signature1);
+    vm.assertEq(policy.check(permit1, signature1), true);
+
+    // permit for transferFrom
+    ICertifiedActionValidator.Permit memory permit2 =
+      _generatePermit(deployer, address(token), IERC20.transferFrom.selector, params);
+
+    bytes memory signature2 = _signPermit(policy, permit2, signerKey);
+
+    policy.present(permit2, signature2);
+    vm.assertEq(policy.check(permit2, signature2), true);
+  }
+
+  function test_check_invalidSelector_returnsFalse() public {
+    vm.startPrank(deployer);
+
+    bytes[] memory params = new bytes[](3);
+    params[0] = abi.encode(deployer);
+    params[1] = abi.encode(recipient);
+    params[2] = abi.encode(uint256(100));
+
+    ICertifiedActionValidator.Permit memory permit =
+      _generatePermit(deployer, address(token), IERC20.approve.selector, params);
+
+    bytes memory signature = _signPermit(policy, permit, signerKey);
+
+    vm.assertEq(policy.check(permit, signature), false);
+  }
+
+  function test_check_invalidParameters_returnsFalse() public {
+    vm.startPrank(deployer);
+
+    bytes[] memory params = new bytes[](2); // missing amount parameter
+    params[0] = abi.encode(deployer);
+    params[1] = abi.encode(recipient);
+
+    ICertifiedActionValidator.Permit memory permit =
+      _generatePermit(deployer, address(token), IERC20.transfer.selector, params);
+
+    bytes memory signature = _signPermit(policy, permit, signerKey);
+
+    vm.assertEq(policy.check(permit, signature), false);
+  }
+}