@chainlink/ace 0.5.0

package/packages/policy-management/test/policies/PausePolicy.t.sol

@@ -0,0 +1,75 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity 0.8.26;
+
+import {IPolicyEngine, PolicyEngine} from "@chainlink/policy-management/core/PolicyEngine.sol";
+import {PausePolicy} from "@chainlink/policy-management/policies/PausePolicy.sol";
+import {MockToken} from "../helpers/MockToken.sol";
+import {BaseProxyTest} from "../helpers/BaseProxyTest.sol";
+
+contract PausePolicyTest is BaseProxyTest {
+  PolicyEngine public policyEngine;
+  MockToken public token;
+  PausePolicy public pausePolicy;
+  address public deployer;
+  address public recipient;
+
+  function setUp() public {
+    deployer = makeAddr("deployer");
+    recipient = makeAddr("recipient");
+
+    vm.startPrank(deployer);
+
+    policyEngine = _deployPolicyEngine(true, deployer);
+
+    PausePolicy pausePolicyImpl = new PausePolicy();
+    bytes memory configParamBytes = abi.encode(false); // Initial paused state is false
+    pausePolicy =
+      PausePolicy(_deployPolicy(address(pausePolicyImpl), address(policyEngine), deployer, configParamBytes));
+
+    token = MockToken(_deployMockToken(address(policyEngine)));
+
+    policyEngine.addPolicy(address(token), MockToken.transfer.selector, address(pausePolicy), new bytes32[](0));
+  }
+
+  function test_transfer_whenPaused_reverts() public {
+    vm.startPrank(deployer);
+    pausePolicy.pause();
+
+    vm.expectRevert(_encodeRejectedRevert(MockToken.transfer.selector, address(pausePolicy), "contract is paused"));
+    token.transfer(recipient, 100);
+  }
+
+  function test_transfer_whenNotPaused_succeeds() public {
+    token.transfer(recipient, 100);
+    assert(token.balanceOf(recipient) == 100);
+  }
+
+  function test_transfer_afterUnpause_succeeds() public {
+    vm.startPrank(deployer);
+    pausePolicy.pause();
+    assert(pausePolicy.s_paused() == true);
+    pausePolicy.unpause();
+
+    token.transfer(recipient, 100);
+    assert(token.balanceOf(recipient) == 100);
+  }
+
+  function test_pause_whenAlreadyPaused_reverts() public {
+    vm.startPrank(deployer);
+
+    pausePolicy.pause();
+    assert(pausePolicy.s_paused() == true);
+
+    vm.expectRevert("already paused");
+    pausePolicy.pause();
+  }
+
+  function test_unpause_whenAlreadyUnpaused_reverts() public {
+    vm.startPrank(deployer);
+
+    assert(pausePolicy.s_paused() == false);
+
+    vm.expectRevert("already unpaused");
+    pausePolicy.unpause();
+  }
+}

package/packages/policy-management/test/policies/RejectPolicy.t.sol

@@ -0,0 +1,182 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity 0.8.26;
+
+import {IPolicyEngine, PolicyEngine} from "@chainlink/policy-management/core/PolicyEngine.sol";
+import {ERC20TransferExtractor} from "@chainlink/policy-management/extractors/ERC20TransferExtractor.sol";
+import {RejectPolicy} from "@chainlink/policy-management/policies/RejectPolicy.sol";
+import {MockToken} from "../helpers/MockToken.sol";
+import {ERC3643MintBurnExtractor} from "@chainlink/policy-management/extractors/ERC3643MintBurnExtractor.sol";
+import {BaseProxyTest} from "../helpers/BaseProxyTest.sol";
+
+contract RejectPolicyTest is BaseProxyTest {
+  PolicyEngine public policyEngine;
+  MockToken public token;
+  RejectPolicy public rejectPolicy;
+  address public deployer;
+  address public account;
+  address public recipient;
+
+  function setUp() public {
+    deployer = makeAddr("deployer");
+    account = makeAddr("account");
+    recipient = makeAddr("recipient");
+
+    vm.startPrank(deployer, deployer);
+
+    policyEngine = _deployPolicyEngine(true, deployer);
+
+    RejectPolicy rejectPolicyImpl = new RejectPolicy();
+    rejectPolicy = RejectPolicy(_deployPolicy(address(rejectPolicyImpl), address(policyEngine), deployer, ""));
+
+    token = MockToken(_deployMockToken(address(policyEngine)));
+
+    // set up the rejectPolicy to check the recipient and origin address of token transfers
+    ERC20TransferExtractor transferExtractor = new ERC20TransferExtractor();
+    bytes32[] memory policyParameters = new bytes32[](2);
+    policyParameters[0] = transferExtractor.PARAM_TO();
+    policyParameters[1] = transferExtractor.PARAM_FROM();
+    policyEngine.setExtractor(MockToken.transfer.selector, address(transferExtractor));
+    policyEngine.addPolicy(address(token), MockToken.transfer.selector, address(rejectPolicy), policyParameters);
+    // set up the rejectPolicy to check the mint account (single account)
+    ERC3643MintBurnExtractor mintBurnExtractor = new ERC3643MintBurnExtractor();
+    bytes32[] memory mintPolicyParams = new bytes32[](1);
+    mintPolicyParams[0] = mintBurnExtractor.PARAM_ACCOUNT();
+    policyEngine.setExtractor(MockToken.mint.selector, address(mintBurnExtractor));
+    policyEngine.addPolicy(address(token), MockToken.mint.selector, address(rejectPolicy), mintPolicyParams);
+  }
+
+  function test_rejectAddress_succeeds() public {
+    vm.startPrank(deployer, deployer);
+
+    // add the sender to the reject list
+    rejectPolicy.rejectAddress(account);
+    vm.assertEq(rejectPolicy.addressRejected(account), true);
+  }
+
+  function test_addressRejected_alreadyInList_fails() public {
+    vm.startPrank(deployer, deployer);
+
+    // add the sender to the reject list (setup and sanity check)
+    rejectPolicy.rejectAddress(account);
+    vm.assertEq(rejectPolicy.addressRejected(account), true);
+
+    // add the sender to the reject list again (reverts)
+    vm.expectRevert("Account already in reject list");
+    rejectPolicy.rejectAddress(account);
+  }
+
+  function test_unrejectAddress_succeeds() public {
+    vm.startPrank(deployer, deployer);
+
+    // add the sender to the reject list (setup and sanity check)
+    rejectPolicy.rejectAddress(account);
+    vm.assertEq(rejectPolicy.addressRejected(account), true);
+
+    // remove the sender from the reject list
+    rejectPolicy.unrejectAddress(account);
+    vm.assertEq(rejectPolicy.addressRejected(account), false);
+  }
+
+  function test_unrejectAddress_notInList_fails() public {
+    vm.startPrank(deployer, deployer);
+
+    // remove the sender from the reject list (reverts)
+    vm.expectRevert("Account not in reject list");
+    rejectPolicy.unrejectAddress(account);
+  }
+
+  function test_transfer_notInList_succeeds() public {
+    vm.startPrank(account, account);
+
+    // transfer from sender to recipient
+    token.transfer(recipient, 100);
+    vm.assertEq(token.balanceOf(recipient), 100);
+  }
+
+  function test_transfer_inList_reverts() public {
+    vm.startPrank(deployer, deployer);
+
+    // add the recipient to the reject list
+    rejectPolicy.rejectAddress(recipient);
+    vm.assertEq(rejectPolicy.addressRejected(recipient), true);
+
+    vm.startPrank(account, account);
+
+    // transfer from sender to recipient (reverts)
+    vm.expectRevert(
+      _encodeRejectedRevert(MockToken.transfer.selector, address(rejectPolicy), "address is on reject list")
+    );
+    token.transfer(recipient, 100);
+  }
+
+  function test_transfer_allInList_reverts() public {
+    vm.startPrank(deployer, deployer);
+
+    // add the account and recipient to the reject list
+    rejectPolicy.rejectAddress(recipient);
+    vm.assertEq(rejectPolicy.addressRejected(recipient), true);
+    rejectPolicy.rejectAddress(account);
+    vm.assertEq(rejectPolicy.addressRejected(account), true);
+
+    vm.startPrank(account, account);
+
+    // transfer from sender to recipient (reverts)
+    vm.expectRevert(
+      _encodeRejectedRevert(MockToken.transfer.selector, address(rejectPolicy), "address is on reject list")
+    );
+    token.transfer(recipient, 100);
+  }
+
+  function test_transfer_removedFromList_succeeds() public {
+    // add the address to the reject list (setup)
+    vm.startPrank(deployer, deployer);
+    rejectPolicy.rejectAddress(recipient);
+
+    // transfer from address to recipient (sanity check)
+    vm.startPrank(account, account);
+    vm.expectRevert(
+      _encodeRejectedRevert(MockToken.transfer.selector, address(rejectPolicy), "address is on reject list")
+    );
+    token.transfer(recipient, 100);
+
+    // remove from the reject list
+    vm.startPrank(deployer, deployer);
+    rejectPolicy.unrejectAddress(recipient);
+
+    // transfer from address to recipient
+    vm.startPrank(account, account);
+    token.transfer(recipient, 100);
+    vm.assertEq(token.balanceOf(recipient), 100);
+  }
+
+  function test_mint_notInList_success() public {
+    vm.startPrank(deployer, deployer);
+    token.mint(account, 100);
+    vm.assertEq(token.balanceOf(account), 100);
+  }
+
+  function test_mint_inList_failure() public {
+    vm.startPrank(deployer, deployer);
+    // add account as rejected
+    rejectPolicy.rejectAddress(account);
+    vm.assertEq(rejectPolicy.addressRejected(account), true);
+    vm.expectRevert(_encodeRejectedRevert(MockToken.mint.selector, address(rejectPolicy), "address is on reject list"));
+    token.mint(account, 100);
+  }
+
+  function test_misconfiguration_failure() public {
+    vm.startPrank(deployer);
+    // misconfigure the rejectPolicy to check mint operations
+    ERC3643MintBurnExtractor mintExtractor = new ERC3643MintBurnExtractor();
+    policyEngine.setExtractor(MockToken.burn.selector, address(mintExtractor));
+    policyEngine.addPolicy(address(token), MockToken.burn.selector, address(rejectPolicy), new bytes32[](0));
+
+    bytes memory error = abi.encodeWithSignature("Error(string)", "expected at least 1 parameter");
+    vm.expectRevert(
+      abi.encodeWithSelector(
+        IPolicyEngine.PolicyRunError.selector, MockToken.burn.selector, address(rejectPolicy), error
+      )
+    );
+    token.burn(recipient, 100);
+  }
+}

package/packages/policy-management/test/policies/RoleBasedAccessControlPolicy.t.sol

@@ -0,0 +1,223 @@
+// SPDX-License-Identifier: BUSL-1.1
+pragma solidity 0.8.26;
+
+import {IAccessControl} from "@openzeppelin/contracts/access/IAccessControl.sol";
+import {RoleBasedAccessControlPolicy} from "@chainlink/policy-management/policies/RoleBasedAccessControlPolicy.sol";
+import {IPolicyEngine} from "@chainlink/policy-management/interfaces/IPolicyEngine.sol";
+import {PolicyEngine} from "@chainlink/policy-management/core/PolicyEngine.sol";
+import {MockToken} from "../helpers/MockToken.sol";
+import {BaseProxyTest} from "../helpers/BaseProxyTest.sol";
+
+contract RoleBasedAccessControlPolicyTest is BaseProxyTest {
+  RoleBasedAccessControlPolicy policy;
+  PolicyEngine public policyEngine;
+  MockToken public token;
+  address public deployer;
+  address public txSender;
+  address public recipient;
+
+  function setUp() public {
+    deployer = makeAddr("deployer");
+    txSender = makeAddr("txSender");
+
+    vm.startPrank(deployer);
+
+    policyEngine = _deployPolicyEngine(true, deployer);
+
+    token = MockToken(_deployMockToken(address(policyEngine)));
+
+    RoleBasedAccessControlPolicy policyImpl = new RoleBasedAccessControlPolicy();
+    policy = RoleBasedAccessControlPolicy(_deployPolicy(address(policyImpl), address(policyEngine), deployer, ""));
+
+    policyEngine.addPolicy(address(token), MockToken.transfer.selector, address(policy), new bytes32[](0));
+  }
+
+  function test_grantRoleRevokeRole_deployer_succeeds() public {
+    bytes32 someRole = keccak256("someRole");
+
+    vm.startPrank(deployer);
+
+    vm.expectEmit();
+    emit IAccessControl.RoleGranted(someRole, txSender, deployer);
+    policy.grantRole(someRole, txSender);
+    assertEq(policy.hasRole(someRole, txSender), true);
+    vm.expectEmit();
+    emit IAccessControl.RoleRevoked(someRole, txSender, deployer);
+    policy.revokeRole(someRole, txSender);
+    assertEq(policy.hasRole(someRole, txSender), false);
+  }
+
+  function test_grantRoleRevokeRole_nonDeployer_fails() public {
+    bytes32 someRole = keccak256("someRole");
+    address nonDeployer = makeAddr("nonDeployer");
+
+    vm.startPrank(nonDeployer);
+
+    vm.expectRevert(abi.encodeWithSelector(IAccessControl.AccessControlUnauthorizedAccount.selector, nonDeployer, 0x00));
+    policy.grantRole(someRole, txSender);
+    vm.expectRevert(abi.encodeWithSelector(IAccessControl.AccessControlUnauthorizedAccount.selector, nonDeployer, 0x00));
+    policy.revokeRole(someRole, txSender);
+  }
+
+  function test_grantRoleRevokeRole_roleAdmin_succeeds() public {
+    bytes32 someRole = keccak256("someRole");
+    address admin = makeAddr("admin");
+
+    // grant admin role of "someRole" to admin
+    vm.startPrank(deployer);
+    policy.grantRole(policy.getRoleAdmin(someRole), admin);
+
+    vm.startPrank(admin);
+    vm.expectEmit();
+    emit IAccessControl.RoleGranted(someRole, txSender, admin);
+    policy.grantRole(someRole, txSender);
+    assertEq(policy.hasRole(someRole, txSender), true);
+    vm.expectEmit();
+    emit IAccessControl.RoleRevoked(someRole, txSender, admin);
+    policy.revokeRole(someRole, txSender);
+    assertEq(policy.hasRole(someRole, txSender), false);
+  }
+
+  function test_grantOperationAllowanceToRole_succeeds() public {
+    bytes32 role = keccak256("role");
+    vm.startPrank(deployer);
+
+    // grant operation allowance to role
+    vm.expectEmit();
+    emit RoleBasedAccessControlPolicy.OperationAllowanceGrantedToRole(MockToken.transfer.selector, role);
+    policy.grantOperationAllowanceToRole(MockToken.transfer.selector, role);
+  }
+
+  function test_grantOperationAllowanceToRole_alreadyExist_fails() public {
+    bytes32 role = keccak256("role");
+    vm.startPrank(deployer);
+
+    // grant operation allowance to role (sanity check)
+    vm.expectEmit();
+    emit RoleBasedAccessControlPolicy.OperationAllowanceGrantedToRole(MockToken.transfer.selector, role);
+    policy.grantOperationAllowanceToRole(MockToken.transfer.selector, role);
+
+    // grant again (revert)
+    vm.expectRevert("Role already has operation allowance");
+    policy.grantOperationAllowanceToRole(MockToken.transfer.selector, role);
+  }
+
+  function test_removeOperationAllowanceFromRole_succeeds() public {
+    bytes32 role = keccak256("role");
+    vm.startPrank(deployer);
+
+    // grant operation allowance to role (sanity check)
+    vm.expectEmit();
+    emit RoleBasedAccessControlPolicy.OperationAllowanceGrantedToRole(MockToken.transfer.selector, role);
+    policy.grantOperationAllowanceToRole(MockToken.transfer.selector, role);
+
+    // remove operation allowance from role
+    vm.expectEmit();
+    emit RoleBasedAccessControlPolicy.OperationAllowanceRemovedFromRole(MockToken.transfer.selector, role);
+    policy.removeOperationAllowanceFromRole(MockToken.transfer.selector, role);
+  }
+
+  function test_removeOperationAllowanceFromRole_invalidOperation_fails() public {
+    bytes32 role = keccak256("role");
+    vm.startPrank(deployer);
+
+    // remove invalid operation allowance from role (revert)
+    vm.expectRevert("Role does not have operation allowance");
+    policy.removeOperationAllowanceFromRole(MockToken.transfer.selector, role);
+  }
+
+  function test_transfer_senderWithoutRole_reverts() public {
+    vm.startPrank(txSender);
+
+    vm.expectRevert(
+      _encodeRejectedRevert(MockToken.transfer.selector, address(policy), "caller lacks required role for operation")
+    );
+    token.transfer(recipient, 100);
+  }
+
+  function test_transfer_withRoleAssociatedToOperation_succeeds() public {
+    vm.startPrank(deployer);
+    bytes32 allowedRole = keccak256("allowedRole");
+    policy.grantOperationAllowanceToRole(MockToken.transfer.selector, allowedRole);
+    policy.grantRole(allowedRole, txSender);
+
+    vm.startPrank(txSender);
+
+    token.transfer(recipient, 100);
+
+    assert(token.balanceOf(recipient) == 100);
+  }
+
+  function test_transfer_withRoleAssignedToUserButNotAssociatedToOperation_reverts() public {
+    vm.startPrank(deployer);
+    bytes32 someRole = keccak256("someRole");
+    policy.grantRole(someRole, txSender);
+
+    vm.startPrank(txSender);
+
+    vm.expectRevert(
+      _encodeRejectedRevert(MockToken.transfer.selector, address(policy), "caller lacks required role for operation")
+    );
+    token.transfer(recipient, 100);
+  }
+
+  function test_transfer_withRoleAssignedToUserAndRevokedFromOperation_reverts() public {
+    vm.startPrank(deployer);
+    bytes32 allowedRole = keccak256("allowedRole");
+    policy.grantOperationAllowanceToRole(MockToken.transfer.selector, allowedRole);
+    policy.grantRole(allowedRole, txSender);
+
+    // sanity check
+    vm.startPrank(txSender);
+    token.transfer(recipient, 100);
+    assertEq(token.balanceOf(recipient), 100);
+
+    vm.startPrank(deployer);
+    policy.removeOperationAllowanceFromRole(MockToken.transfer.selector, allowedRole);
+
+    vm.startPrank(txSender);
+    vm.expectRevert(
+      _encodeRejectedRevert(MockToken.transfer.selector, address(policy), "caller lacks required role for operation")
+    );
+    token.transfer(recipient, 100);
+    assertEq(token.balanceOf(recipient), 100);
+  }
+
+  function test_transfer_senderWithRoleAssociatedToOperationButRevoked_reverts() public {
+    vm.startPrank(deployer);
+    bytes32 allowedRole = keccak256("allowedRole");
+    policy.grantOperationAllowanceToRole(MockToken.transfer.selector, allowedRole);
+    policy.grantRole(allowedRole, txSender);
+
+    // sanity check
+    vm.startPrank(txSender);
+    token.transfer(recipient, 100);
+    assert(token.balanceOf(recipient) == 100);
+
+    vm.startPrank(deployer);
+    policy.revokeRole(allowedRole, txSender);
+
+    vm.startPrank(txSender);
+    vm.expectRevert(
+      _encodeRejectedRevert(MockToken.transfer.selector, address(policy), "caller lacks required role for operation")
+    );
+    token.transfer(recipient, 100);
+
+    assert(token.balanceOf(recipient) == 100);
+  }
+
+  function test_transfer_senderWithDifferentRole_reverts() public {
+    vm.startPrank(deployer);
+    bytes32 allowedRole = keccak256("allowedRole");
+    policy.grantOperationAllowanceToRole(MockToken.transfer.selector, allowedRole);
+
+    bytes32 anotherRole = keccak256("anotherRole");
+    policy.grantRole(anotherRole, txSender);
+
+    vm.startPrank(txSender);
+    vm.expectRevert(
+      _encodeRejectedRevert(MockToken.transfer.selector, address(policy), "caller lacks required role for operation")
+    );
+    token.transfer(recipient, 100);
+  }
+}