npm - @etherisc/gif-next - Versions diffs - 0.0.2-4e4966e-474 → 0.0.2-4e99ed1-062 - Mend

@etherisc/gif-next 0.0.2-4e4966e-474 → 0.0.2-4e99ed1-062

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (381) hide show

package/contracts/instance/InstanceAccessManager.sol CHANGED Viewed

@@ -1,315 +1,520 @@
 // SPDX-License-Identifier: Apache-2.0
 pragma solidity ^0.8.20;
+import {AccessManagedUpgradeable} from "@openzeppelin/contracts-upgradeable/access/manager/AccessManagedUpgradeable.sol";
 import {EnumerableSet} from "@openzeppelin/contracts/utils/structs/EnumerableSet.sol";
 import {ShortString, ShortStrings} from "@openzeppelin/contracts/utils/ShortStrings.sol";
-import {AccessManagedUpgradeable} from "@openzeppelin/contracts-upgradeable/access/manager/AccessManagedUpgradeable.sol";
-import {AccessManagerUpgradeableInitializeable} from "../../contracts/instance/AccessManagerUpgradeableInitializeable.sol";
-import {RoleId, RoleIdLib, DISTRIBUTION_OWNER_ROLE, POOL_OWNER_ROLE, PRODUCT_OWNER_ROLE, DISTRIBUTION_SERVICE_ROLE, POOL_SERVICE_ROLE, PRODUCT_SERVICE_ROLE, POLICY_SERVICE_ROLE, BUNDLE_SERVICE_ROLE, INSTANCE_SERVICE_ROLE } from "../types/RoleId.sol";
+import {RoleId, RoleIdLib, ADMIN_ROLE, PUBLIC_ROLE, INSTANCE_SERVICE_ROLE, INSTANCE_OWNER_ROLE, INSTANCE_ROLE} from "../types/RoleId.sol";
 import {TimestampLib} from "../types/Timestamp.sol";
+import {NftId} from "../types/NftId.sol";
+import {AccessManagerUpgradeableInitializeable} from "./AccessManagerUpgradeableInitializeable.sol";
+import {IRegistry} from "../registry/IRegistry.sol";
+import {IInstance} from "./IInstance.sol";
 import {IAccess} from "./module/IAccess.sol";
 contract InstanceAccessManager is
     AccessManagedUpgradeable
 {
+    event LogRoleCreation(RoleId roleId, ShortString name, IAccess.Type rtype);
+    event LogTargetCreation(address target, ShortString name, IAccess.Type ttype, bool isLocked);
     using RoleIdLib for RoleId;
     string public constant ADMIN_ROLE_NAME = "AdminRole";
     string public constant PUBLIC_ROLE_NAME = "PublicRole";
+    string public constant INSTANCE_ROLE_NAME = "InstanceRole";
+    string public constant INSTANCE_OWNER_ROLE_NAME = "InstanceOwnerRole";
-    uint64 public constant CUSTOM_ROLE_ID_MIN = 10000;
+    uint64 public constant CUSTOM_ROLE_ID_MIN = 10000; // MUST be even
     uint32 public constant EXECUTION_DELAY = 0;
-    error ErrorRoleIdInvalid(RoleId roleId);
-    error ErrorRoleIdTooBig(RoleId roleId);
-    error ErrorRoleIdTooSmall(RoleId roleId);
-    error ErrorRoleIdAlreadyExists(RoleId roleId, ShortString name);
-    error ErrorRoleIdNotActive(RoleId roleId);
-    error ErrorRoleNameEmpty(RoleId roleId);
-    error ErrorRoleNameNotUnique(RoleId roleId, ShortString name);
-    error ErrorRoleInvalidUpdate(RoleId roleId, bool isCustom);
-    error ErrorRoleIsCustomIsImmutable(RoleId roleId, bool isCustom, bool isCustomExisting);
-    error ErrorSetLockedForNonexstentRole(RoleId roleId);
-    error ErrorGrantNonexstentRole(RoleId roleId);
-    error ErrorRevokeNonexstentRole(RoleId roleId);
-    error ErrorRenounceNonexstentRole(RoleId roleId);
-    error ErrorTargetAddressZero();
-    error ErrorTargetAlreadyExists(address target, ShortString name);
-    error ErrorTargetNameEmpty(address target);
-    error ErrorTargetNameExists(address target, address existingTarget, ShortString name);
-    error ErrorSetLockedForNonexstentTarget(address target);
     // role specific state
-    mapping(RoleId roleId => IAccess.RoleInfo info) internal _role;
+    mapping(RoleId roleId => IAccess.RoleInfo info) internal _roleInfo;
     mapping(RoleId roleId => EnumerableSet.AddressSet roleMembers) internal _roleMembers;
-    mapping(ShortString name => RoleId roleId) internal _roleForName;
-    RoleId [] internal _roles;
+    mapping(ShortString name => RoleId roleId) internal _roleIdForName;
+    RoleId [] internal _roleIds;
+    uint64 _idNext;
     // target specific state
-    mapping(address target => IAccess.TargetInfo info) internal _target;
-    mapping(ShortString name => address target) internal _targetForName;
+    mapping(address target => IAccess.TargetInfo info) internal _targetInfo;
+    mapping(ShortString name => address target) internal _targetAddressForName;
     address [] internal _targets;
     AccessManagerUpgradeableInitializeable internal _accessManager;
+    IRegistry internal _registry;
+    modifier restrictedToRoleAdmin(RoleId roleId) {
+        RoleId admin = getRoleAdmin(roleId);
+        (bool inRole, uint32 executionDelay) = _accessManager.hasRole(admin.toInt(), _msgSender());
+        assert(executionDelay == 0); // to be sure no delayed execution functionality is used
+        if (!inRole) {
+            revert IAccess.ErrorIAccessCallerIsNotRoleAdmin(_msgSender(), roleId);
+        }
+        _;
+    }
-    function __InstanceAccessManager_initialize(address initialAdmin) external initializer
+    // instance owner is granted upon instance nft minting in callback function
+    function initialize(address instanceAddress) external initializer
     {
-        // if size of the contract gets too large, this can be externalized which will reduce the contract size considerably
-        _accessManager = new AccessManagerUpgradeableInitializeable();
-        // this service required adin rights to access manager to be able to grant/revoke roles
-        _accessManager.__AccessManagerUpgradeableInitializeable_init(address(this));
-        _accessManager.grantRole(_accessManager.ADMIN_ROLE(), initialAdmin, 0);
+        IInstance instance = IInstance(instanceAddress);
+        IRegistry registry = instance.getRegistry();
+        address authority = instance.authority();
-        __AccessManaged_init(address(_accessManager));
+        __AccessManaged_init(authority);
-        _createRole(RoleIdLib.toRoleId(_accessManager.ADMIN_ROLE()), ADMIN_ROLE_NAME, false, false);
-        _createRole(RoleIdLib.toRoleId(_accessManager.PUBLIC_ROLE()), PUBLIC_ROLE_NAME, false, false);
+        _accessManager = AccessManagerUpgradeableInitializeable(authority);
+        _registry = registry;
+        _idNext = CUSTOM_ROLE_ID_MIN;
-        createDefaultGifRoles();
-    }
+        _createRole(ADMIN_ROLE(), ADMIN_ROLE_NAME, IAccess.Type.Core);
+        _createRole(PUBLIC_ROLE(), PUBLIC_ROLE_NAME, IAccess.Type.Core);
+        _createRole(INSTANCE_ROLE(), INSTANCE_ROLE_NAME, IAccess.Type.Core);
+        _createRole(INSTANCE_OWNER_ROLE(), INSTANCE_OWNER_ROLE_NAME, IAccess.Type.Gif);
-    function createDefaultGifRoles() public restricted() {
-        // DISTRIBUTION_OWNER_ROLE
-        _createRole(DISTRIBUTION_OWNER_ROLE(), "DistributionOwnerRole", false, true);
-        _createRole(POOL_OWNER_ROLE(), "PoolOwnerRole", false, true);
-        _createRole(PRODUCT_OWNER_ROLE(), "ProductOwnerRole", false, true);
+        // assume `this` is already a member of ADMIN_ROLE
+        EnumerableSet.add(_roleMembers[ADMIN_ROLE()], address(this));
-        _createRole(DISTRIBUTION_SERVICE_ROLE(), "DistributionServiceRole", false, true);
-        _createRole(POOL_SERVICE_ROLE(), "PoolServiceRole", false, true);
-        _createRole(PRODUCT_SERVICE_ROLE(), "ProductServiceRole", false, true);
-        _createRole(POLICY_SERVICE_ROLE(), "PolicyServiceRole", false, true);
-        _createRole(BUNDLE_SERVICE_ROLE(), "BundleServiceRole", false, true);
-        _createRole(INSTANCE_SERVICE_ROLE(), "InstanceServiceRole", false, true);
+        grantRole(INSTANCE_ROLE(), instanceAddress);
+        setRoleAdmin(INSTANCE_OWNER_ROLE(), INSTANCE_ROLE());
     }
     //--- Role ------------------------------------------------------//
-    function createDefaultRole(RoleId roleId, string memory name) external restricted() {
-        _createRole(roleId, name, false, true);
+    // ADMIN_ROLE
+    // assume all core roles are know at deployment time
+    // assume core roles are set and granted only during instance cloning
+    // assume core roles are never revoked -> core roles admin is never active after intialization
+    function createCoreRole(RoleId roleId, string memory name)
+        external
+        restricted()
+    {
+        _createRole(roleId, name, IAccess.Type.Core);
     }
-    function createRole(RoleId roleId, string memory name) external restricted() {
-        _createRole(roleId, name, true, true);
+    // ADMIN_ROLE
+    // assume gif roles can be revoked
+    // assume admin is INSTANCE_OWNER_ROLE or INSTANCE_ROLE
+    function createGifRole(RoleId roleId, string memory name, RoleId admin)
+        external
+        restricted()
+    {
+        _createRole(roleId, name, IAccess.Type.Gif);
+        setRoleAdmin(roleId, admin);
     }
-    function setRoleLocked(RoleId roleId, bool locked) external restricted() {
-        if (!roleExists(roleId)) {
-            revert ErrorSetLockedForNonexstentRole(roleId);
-        }
+    // INSTANCE_OWNER_ROLE
+    function createRole(string memory roleName, string memory adminName)
+        external
+        restricted()
+        returns(RoleId roleId, RoleId admin)
+    {
+        (roleId, admin) = _getNextCustomRoleId();
-        _role[roleId].isLocked = locked;
-        _role[roleId].updatedAt = TimestampLib.blockTimestamp();
-    }
+        _createRole(roleId, roleName, IAccess.Type.Custom);
+        _createRole(admin, adminName, IAccess.Type.Custom);
-    function roleExists(RoleId roleId) public view returns (bool exists) {
-        return _role[roleId].createdAt.gtz();
+        // TODO works without this -> why?
+        setRoleAdmin(roleId, admin);
+        setRoleAdmin(admin, INSTANCE_OWNER_ROLE());
     }
-    function grantRole(RoleId roleId, address member) external restricted() returns (bool granted) {
+    // ADMIN_ROLE
+    // assume used by instance service only during instance cloning
+    // assume used only by this.createRole(), this.createGifRole() afterwards
+    function setRoleAdmin(RoleId roleId, RoleId admin)
+        public
+        restricted()
+    {
         if (!roleExists(roleId)) {
-            revert ErrorGrantNonexstentRole(roleId);
+            revert IAccess.ErrorIAccessRoleIdDoesNotExist(roleId);
         }
-        if (_role[roleId].isLocked) {
-            revert ErrorRoleIdNotActive(roleId);
+        if(_roleInfo[roleId].rtype == IAccess.Type.Core) {
+            revert IAccess.ErrorIAccessRoleTypeInvalid(roleId, IAccess.Type.Core);
         }
-        if (!EnumerableSet.contains(_roleMembers[roleId], member)) {
-            _accessManager.grantRole(roleId.toInt(), member, EXECUTION_DELAY);
-            EnumerableSet.add(_roleMembers[roleId], member);
-            return true;
-        }
+        if (!roleExists(admin)) {
+            revert IAccess.ErrorIAccessRoleIdDoesNotExist(admin);
+        }
-        return false;
+        _roleInfo[roleId].admin = admin;
     }
-    function revokeRole(RoleId roleId, address member) external restricted() returns (bool revoked) {
+    function grantRole(RoleId roleId, address member)
+        public
+        restrictedToRoleAdmin(roleId)
+        returns (bool granted)
+    {
         if (!roleExists(roleId)) {
-            revert ErrorRevokeNonexstentRole(roleId);
-        }
-        if (EnumerableSet.contains(_roleMembers[roleId], member)) {
-            _accessManager.revokeRole(roleId.toInt(), member);
-            EnumerableSet.remove(_roleMembers[roleId], member);
-            return true;
+            revert IAccess.ErrorIAccessRoleIdDoesNotExist(roleId);
         }
-        return false;
+        granted = EnumerableSet.add(_roleMembers[roleId], member);
+        if(granted) {
+            _accessManager.grantRole(roleId.toInt(), member, EXECUTION_DELAY);
+        }
     }
-    /// @dev not restricted function by intention
-    /// the restriction to role members is already enforced by the call to the access manger
-    function renounceRole(RoleId roleId) external returns (bool revoked) {
-        address member = msg.sender;
+    function revokeRole(RoleId roleId, address member)
+        external
+        restrictedToRoleAdmin(roleId)
+        returns (bool)
+    {
+        return _revokeRole(roleId, member);
+    }
+    // INSTANCE_OWNER_ROLE
+    // IMPORTANT: unbounded function, revoke all or revert
+    // Instance owner role decides what to do in case of custom role admin bening revoked, e.g.:
+    // 1) revoke custom role from ALL members
+    // 2) revoke custom role admin from ALL members
+    // 3) 1) + 2)
+    // 4) revoke only 1 member of custom role admin
+    function revokeRoleAllMembers(RoleId roleId)
+        external
+        restrictedToRoleAdmin(roleId)
+        returns (bool revoked)
+    {
         if (!roleExists(roleId)) {
-            revert ErrorRenounceNonexstentRole(roleId);
+            revert IAccess.ErrorIAccessRoleIdDoesNotExist(roleId);
         }
-        if (EnumerableSet.contains(_roleMembers[roleId], member)) {
-            // cannot use accessManger.renounce as it directly checks against msg.sender
-            _accessManager.revokeRole(roleId.toInt(), member);
+        uint memberCount = EnumerableSet.length(_roleMembers[roleId]);
+        for(uint memberIdx = 0; memberIdx < memberCount; memberIdx++)
+        {
+            address member = EnumerableSet.at(_roleMembers[roleId], memberIdx);
             EnumerableSet.remove(_roleMembers[roleId], member);
-            return true;
+            _accessManager.revokeRole(roleId.toInt(), member);
+        }
+    }
+    /// @dev not restricted function by intention
+    /// the restriction to role members is already enforced by the call to the access manager
+    function renounceRole(RoleId roleId)
+        external
+        returns (bool)
+    {
+        IAccess.Type rtype = _roleInfo[roleId].rtype;
+        if(rtype == IAccess.Type.Core || rtype == IAccess.Type.Gif) {
+            revert IAccess.ErrorIAccessRoleTypeInvalid(roleId, rtype);
         }
-        return false;
+        address member = msg.sender;
+        // cannot use accessManger.renounce as it directly checks against msg.sender
+        return _revokeRole(roleId, member);
     }
-    function roles() external view returns (uint256 numberOfRoles) {
-        return _roles.length;
+    function roleExists(RoleId roleId) public view returns (bool exists) {
+        return _roleInfo[roleId].createdAt.gtz();
+    }
+    // TODO returns ADMIN_ROLE id for non existent roleId
+    function getRoleAdmin(RoleId roleId) public view returns(RoleId admin) {
+        return _roleInfo[roleId].admin;
+    }
+    function getRoleInfo(RoleId roleId) external view returns (IAccess.RoleInfo memory info) {
+        return _roleInfo[roleId];
+    }
+    function roleMembers(RoleId roleId) public view returns (uint256 numberOfMembers) {
+        return EnumerableSet.length(_roleMembers[roleId]);
     }
     function getRoleId(uint256 idx) external view returns (RoleId roleId) {
-        return _roles[idx];
+        return _roleIds[idx];
     }
+    // TODO now: for non existent name returns ADMIN_ROLE id
     function getRoleIdForName(string memory name) external view returns (RoleId roleId) {
-        return _roleForName[ShortStrings.toShortString(name)];
+        return _roleIdForName[ShortStrings.toShortString(name)];
     }
-    function getRole(RoleId roleId) external view returns (IAccess.RoleInfo memory role) {
-        return _role[roleId];
+    function roleMember(RoleId roleId, uint256 idx) external view returns (address member) {
+        return EnumerableSet.at(_roleMembers[roleId], idx);
     }
     function hasRole(RoleId roleId, address account) external view returns (bool accountHasRole) {
         (accountHasRole, ) = _accessManager.hasRole(roleId.toInt(), account);
     }
-    function roleMembers(RoleId roleId) external view returns (uint256 numberOfMembers) {
-        return EnumerableSet.length(_roleMembers[roleId]);
+    function roles() external view returns (uint256 numberOfRoles) {
+        return _roleIds.length;
     }
-    function getRoleMember(RoleId roleId, uint256 idx) external view returns (address roleMember) {
-        return EnumerableSet.at(_roleMembers[roleId], idx);
+    //--- Target ------------------------------------------------------//
+    // ADMIN_ROLE
+    // assume some core targets are registred (instance) while others are not (instance accesss manager, instance reader, bundle manager)
+    function createCoreTarget(address target, string memory name) external restricted() {
+        _createTarget(target, name, IAccess.Type.Core);
     }
+    // INSTANCE_SERVICE_ROLE
+    // assume gif target is registered and belongs to the same instance as instance access manager
+    function createGifTarget(address target, string memory name) external restricted()
+    {
+        if(!_registry.isRegistered(target)) {
+            revert IAccess.ErrorIAccessTargetNotRegistered(target);
+        }
-    //--- Target ------------------------------------------------------//
-    function createTarget(address target, string memory name) external restricted() {
-        _createTarget(target, name, true, true);
+        _createTarget(target, name, IAccess.Type.Gif);
+    }
+    // INSTANCE_OWNER_ROLE
+    // assume custom target.authority() is constant -> target MUST not be used with different instance access manager
+    // assume custom target can not be registered as component -> each service which is doing component registration MUST register a gif target
+    // assume custom target can not be registered as instance or service -> why?
+    // TODO check target associated with instance owner or instance or instance components or components helpers
+    function createTarget(address target, string memory name) external restricted()
+    {
+        _createTarget(target, name, IAccess.Type.Custom);
     }
-    function setTargetLocked(string memory targetName, bool locked) external restricted() {
-        address target = _targetForName[ShortStrings.toShortString(targetName)];
-        if (target == address(0)) {
-            revert ErrorSetLockedForNonexstentTarget(target);
+    // INSTANCE_SERVICE_ROLE
+    // IMPORTANT: instance access manager MUST be of Core type -> otherwise will be locked forever
+    function setTargetLocked(address target, bool locked)
+        external
+        restricted()
+    {
+        IAccess.Type targetType = _targetInfo[target].ttype;
+        if(target == address(0) || targetType == IAccess.Type.NotInitialized) {
+            revert IAccess.ErrorIAccessTargetDoesNotExist(target);
+        }
+        if(targetType == IAccess.Type.Core) {
+            revert IAccess.ErrorIAccessTargetTypeInvalid(target, targetType);
         }
-        _target[target].isLocked = locked;
+        // TODO isLocked is redundant but makes getTargetInfo() faster
+        _targetInfo[target].isLocked = locked;
         _accessManager.setTargetClosed(target, locked);
     }
-    function targetExists(address target) public view returns (bool exists) {
-        return _target[target].createdAt.gtz();
+    // allowed combinations of roles and targets:
+    //1) set core role for core target
+    //2) set gif role for gif target
+    //3) set custom role for gif target
+    //4) set custom role for custom target
+    // ADMIN_ROLE if used only during initialization, works with:
+    //      any roles for any targets
+    // INSTANCE_SERVICE_ROLE if used not only during initilization, works with:
+    //      core roles for core targets
+    //      gif roles for gif targets
+    function setCoreTargetFunctionRole(
+        string memory targetName,
+        bytes4[] calldata selectors,
+        RoleId roleId
+    )
+        public
+        virtual
+        restricted()
+    {
+        ShortString nameShort = ShortStrings.toShortString(targetName);
+        address target = _targetAddressForName[nameShort];
+        // not custom target
+        if(_targetInfo[target].ttype == IAccess.Type.Custom) {
+            revert IAccess.ErrorIAccessTargetTypeInvalid(target, IAccess.Type.Custom);
+        }
+        // not custom role
+        if(_roleInfo[roleId].rtype == IAccess.Type.Custom) {
+            revert IAccess.ErrorIAccessRoleTypeInvalid(roleId, IAccess.Type.Custom);
+        }
+        _setTargetFunctionRole(target, nameShort, selectors, roleId);
     }
-    //--- internal view/pure functions --------------------------------------//
+    // INSTANCE_OWNER_ROLE
+    // gif role for gif target
+    // gif role for custom target
+    // custom role for gif target
+    // custom role for custom target
+    // TODO instance owner can mess with gif target (component) -> e.g. set custom role for function intendent to work with gif role
+    function setTargetFunctionRole(
+        string memory targetName,
+        bytes4[] calldata selectors,
+        RoleId roleId
+    )
+        public
+        virtual
+        restricted()
+    {
+        ShortString nameShort = ShortStrings.toShortString(targetName);
+        address target = _targetAddressForName[nameShort];
-    function _createRole(RoleId roleId, string memory name, bool isCustom, bool validateParameters) internal {
-        if (validateParameters) {
-            _validateRoleParameters(roleId, name, isCustom);
+        // not core target
+        if(_targetInfo[target].ttype == IAccess.Type.Core) {
+            revert IAccess.ErrorIAccessTargetTypeInvalid(target, IAccess.Type.Core);
         }
-        IAccess.RoleInfo memory role = IAccess.RoleInfo(
-            ShortStrings.toShortString(name),
-            isCustom,
-            false, // role un-locked,
-            TimestampLib.blockTimestamp(),
-            TimestampLib.blockTimestamp());
+        // not core role
+        if(_roleInfo[roleId].rtype == IAccess.Type.Core) {
+            revert IAccess.ErrorIAccessRoleTypeInvalid(roleId, IAccess.Type.Core);
+        }
+        _setTargetFunctionRole(target, nameShort, selectors, roleId);
+    }
+    function getTargetAddress(string memory targetName) public view returns(address targetAddress) {
+        ShortString nameShort = ShortStrings.toShortString(targetName);
+        return _targetAddressForName[nameShort];
+    }
+    function isTargetLocked(address target) public view returns (bool locked) {
+        return _accessManager.isTargetClosed(target);
+    }
+    function targetExists(address target) public view returns (bool exists) {
+        return _targetInfo[target].createdAt.gtz();
+    }
-        _role[roleId] = role;
-        _roleForName[role.name] = roleId;
-        _roles.push(roleId);
+    function getTargetInfo(address target) public view returns (IAccess.TargetInfo memory) {
+        return _targetInfo[target];
     }
-    function _validateRoleParameters(
-        RoleId roleId,
-        string memory name,
-        bool isCustom
-    )
+    //--- Role internal view/pure functions --------------------------------------//
+    function _createRole(RoleId roleId, string memory roleName, IAccess.Type rtype)
         internal
-        view
-        returns (IAccess.RoleInfo memory existingRole)
     {
-        // check role id
-        uint64 roleIdInt = RoleId.unwrap(roleId);
-        if(roleIdInt == _accessManager.ADMIN_ROLE() || roleIdInt == _accessManager.PUBLIC_ROLE()) {
-            revert ErrorRoleIdInvalid(roleId);
+        ShortString name = ShortStrings.toShortString(roleName);
+        _validateRole(roleId, name, rtype);
+        if(roleExists(roleId)) {
+            revert IAccess.ErrorIAccessRoleIdExists(roleId);
         }
-        // prevent changing isCustom for existing roles
-        existingRole = _role[roleId];
+        if (_roleIdForName[name].gtz()) {
+            revert IAccess.ErrorIAccessRoleNameExists(roleId, _roleIdForName[name], name);
+        }
-        if (existingRole.createdAt.gtz() && isCustom != existingRole.isCustom) {
-            revert ErrorRoleIsCustomIsImmutable(roleId, isCustom, existingRole.isCustom);
+        _roleInfo[roleId] = IAccess.RoleInfo(
+            name,
+            rtype,
+            ADMIN_ROLE(),
+            TimestampLib.blockTimestamp(),
+            TimestampLib.blockTimestamp()
+        );
+        _roleIdForName[name] = roleId;
+        _roleIds.push(roleId);
+        emit LogRoleCreation(roleId, name, rtype);
+    }
+    function _validateRole(RoleId roleId, ShortString name, IAccess.Type rtype)
+        internal
+        view
+    {
+        uint roleIdInt = roleId.toInt();
+        if(rtype == IAccess.Type.Custom && roleIdInt < CUSTOM_ROLE_ID_MIN) {
+            revert IAccess.ErrorIAccessRoleIdTooSmall(roleId);
         }
-        if (isCustom && roleIdInt < CUSTOM_ROLE_ID_MIN) {
-            revert ErrorRoleIdTooSmall(roleId);
-        } else if (!isCustom && roleIdInt >= CUSTOM_ROLE_ID_MIN) {
-            revert ErrorRoleIdTooBig(roleId);
+        if(
+            rtype != IAccess.Type.Custom &&
+            roleIdInt >= CUSTOM_ROLE_ID_MIN &&
+            roleIdInt != PUBLIC_ROLE().toInt())
+        {
+            revert IAccess.ErrorIAccessRoleIdTooBig(roleId);
         }
         // role name checks
-        ShortString nameShort = ShortStrings.toShortString(name);
-        if (ShortStrings.byteLength(nameShort) == 0) {
-            revert ErrorRoleNameEmpty(roleId);
+        if (ShortStrings.byteLength(name) == 0) {
+            revert IAccess.ErrorIAccessRoleNameEmpty(roleId);
+        }
+    }
+    function _revokeRole(RoleId roleId, address member)
+        internal
+        returns(bool revoked)
+    {
+        if (!roleExists(roleId)) {
+            revert IAccess.ErrorIAccessRoleIdDoesNotExist(roleId);
         }
-        if (_roleForName[nameShort] != RoleIdLib.zero() && _roleForName[nameShort] != roleId) {
-            revert ErrorRoleNameNotUnique(_roleForName[nameShort], nameShort);
+        revoked = EnumerableSet.remove(_roleMembers[roleId], member);
+        if(revoked) {
+            _accessManager.revokeRole(roleId.toInt(), member);
         }
     }
-    function _createTarget(address target, string memory name, bool isCustom, bool validateParameters) internal {
-        if (validateParameters) {
-            _validateTargetParameters(target, name, isCustom);
+    function _getNextCustomRoleId()
+        internal
+        returns(RoleId roleId, RoleId admin)
+    {
+        uint64 roleIdInt = _idNext;
+        uint64 adminInt = roleIdInt + 1;
+        _idNext = roleIdInt + 2;
+        roleId = RoleIdLib.toRoleId(roleIdInt);
+        admin = RoleIdLib.toRoleId(adminInt);
+    }
+    //--- Target internal view/pure functions --------------------------------------//
+    function _createTarget(address target, string memory targetName, IAccess.Type ttype)
+        internal
+    {
+        ShortString name = ShortStrings.toShortString(targetName);
+        _validateTarget(target, name, ttype);
+        if (_targetInfo[target].createdAt.gtz()) {
+            revert IAccess.ErrorIAccessTargetExists(target, _targetInfo[target].name);
         }
-        IAccess.TargetInfo memory info = IAccess.TargetInfo(
-            ShortStrings.toShortString(name),
-            isCustom,
-            _accessManager.isTargetClosed(target), // sync with state in access manager
-            TimestampLib.blockTimestamp(),
-            TimestampLib.blockTimestamp());
+        if (_targetAddressForName[name] != address(0)) {
+            revert IAccess.ErrorIAccessTargetNameExists(
+                target,
+                _targetAddressForName[name],
+                name);
+        }
-        _target[target] = info;
-        _targetForName[info.name] = target;
+        bool isLocked = _accessManager.isTargetClosed(target);// sync with state in access manager
+        _targetInfo[target] = IAccess.TargetInfo(
+            name,
+            ttype,
+            isLocked,
+            TimestampLib.blockTimestamp(),
+            TimestampLib.blockTimestamp()
+        );
+        _targetAddressForName[name] = target;
         _targets.push(target);
-    }
-    function _validateTargetParameters(address target, string memory name, bool isCustom) internal view {
-        // TODO: implement
+        emit LogTargetCreation(target, name, ttype, isLocked);
     }
-    function setTargetFunctionRole(
-        address target,
-        bytes4[] calldata selectors,
-        uint64 roleId
-    ) public virtual restricted() {
-        _accessManager.setTargetFunctionRole(target, selectors, roleId);
+    function _validateTarget(address target, ShortString name, IAccess.Type ttype)
+        internal
+        view
+    {
+        address targetAuthority = AccessManagedUpgradeable(target).authority();
+        if(targetAuthority != authority()) {
+            revert IAccess.ErrorIAccessTargetAuthorityInvalid(target, targetAuthority);
+        }
+        if (ShortStrings.byteLength(name) == 0) {
+            revert IAccess.ErrorIAccessTargetNameEmpty(target);
+        }
     }
-    function setTargetFunctionRole(
-        string memory targetName,
+    function _setTargetFunctionRole(
+        address target,
+        ShortString name,
         bytes4[] calldata selectors,
         RoleId roleId
-    ) public virtual restricted() {
-        address target = _targetForName[ShortStrings.toShortString(targetName)];
-        uint64 roleIdInt = RoleId.unwrap(roleId);
-        _accessManager.setTargetFunctionRole(target, selectors, roleIdInt);
-    }
+    )
+        internal
+    {
+        if (target == address(0)) {
+            revert IAccess.ErrorIAccessTargetDoesNotExist(target);
+        }
-    function getAccessManager() public restricted() returns (AccessManagerUpgradeableInitializeable) {
-        return _accessManager;
-    }
+        if (!roleExists(roleId)) {
+            revert IAccess.ErrorIAccessRoleIdDoesNotExist(roleId);
+        }
-    function setTargetClosed(string memory targetName, bool closed) public restricted() {
-        address target = _targetForName[ShortStrings.toShortString(targetName)];
-        _accessManager.setTargetClosed(target, closed);
+        uint64 roleIdInt = RoleId.unwrap(roleId);
+        _accessManager.setTargetFunctionRole(target, selectors, roleIdInt);
     }
     function canCall(