@etherisc/gif-next 0.0.2-7ca6cd9-950 → 0.0.2-7dc3cd3-858

package/contracts/registry/ReleaseManager.sol

@@ -10,7 +10,7 @@ import {Math} from "@openzeppelin/contracts/utils/math/Math.sol";
 
 import {NftId} from "../type/NftId.sol";
 import {RoleId, ADMIN_ROLE, PUBLIC_ROLE} from "../type/RoleId.sol";
-import {ObjectType, ObjectTypeLib, RELEASE, REGISTRY, SERVICE, STAKING} from "../type/ObjectType.sol";
+import {ObjectType, ObjectTypeLib, POOL, RELEASE, REGISTRY, SERVICE, STAKING} from "../type/ObjectType.sol";
 import {Version, VersionLib, VersionPart, VersionPartLib} from "../type/Version.sol";
 import {Timestamp, TimestampLib, zeroTimestamp, ltTimestamp} from "../type/Timestamp.sol";
 import {Seconds, SecondsLib} from "../type/Seconds.sol";
@@ -18,7 +18,6 @@ import {StateId, INITIAL, SCHEDULED, DEPLOYING, ACTIVE} from "../type/StateId.so
 import {Version, VersionLib, VersionPart, VersionPartLib} from "../type/Version.sol";
 
 import {IService} from "../shared/IService.sol";
-import {AccessManagerExtendedWithDisableInitializeable} from "../shared/AccessManagerExtendedWithDisableInitializeable.sol";
 import {ILifecycle} from "../shared/ILifecycle.sol";
 import {INftOwnable} from "../shared/INftOwnable.sol";
 import {IRegisterable} from "../shared/IRegisterable.sol";
@@ -26,12 +25,14 @@ import {IRegisterable} from "../shared/IRegisterable.sol";
 import {IRegistry} from "./IRegistry.sol";
 import {IRegistryLinked} from "../shared/IRegistryLinked.sol";
 import {IRegistryService} from "./IRegistryService.sol";
+import {IServiceAuthorization} from "../authorization/IServiceAuthorization.sol";
+import {IAccessAdmin} from "../authorization/IAccessAdmin.sol";
 import {RegistryAdmin} from "./RegistryAdmin.sol";
 import {Registry} from "./Registry.sol";
 import {TokenRegistry} from "./TokenRegistry.sol";
-import {ServiceAuthorizationsLib} from "./ServiceAuthorizationsLib.sol";
-
 
+// TODO rename to something that does not end with 'Manager' 
+// everywhere else *Manager points to an upgradeable contract
 contract ReleaseManager is 
     AccessManaged, 
     ILifecycle, 
@@ -41,7 +42,7 @@ contract ReleaseManager is
 
     uint256 public constant INITIAL_GIF_VERSION = 3;
 
-    event LogReleaseCreation(VersionPart version, bytes32 salt, AccessManagerExtendedWithDisableInitializeable accessManager); 
+    event LogReleaseCreation(VersionPart version, bytes32 salt, address authority); 
     event LogReleaseActivation(VersionPart version);
 
     // constructor
@@ -53,13 +54,16 @@ contract ReleaseManager is
     // prepareRelease
     error ErrorReleaseManagerReleasePreparationDisallowed(StateId currentStateId);
     error ErrorReleaseManagerReleaseAlreadyPrepared(VersionPart version);
-    
+    error ErrorReleaseManagerVersionMismatch(VersionPart expectedVersion, VersionPart providedVersion);
+    error ErrorReleaseManagerNoDomains(VersionPart version);
+
     // register staking
     //error ErrorReleaseManagerStakingAlreadySet(address stakingAddress);
 
     // registerService
     error ErrorReleaseManagerNoServiceRegistrationExpected();
     error ErrorReleaseManagerServiceRegistrationDisallowed(StateId currentStateId);
+    error ErrorReleaseManagerServiceDomainMismatch(ObjectType expectedDomain, ObjectType actualDomain);
     error ErrorReleaseManagerNotService(IService service);
     error ErrorReleaseManagerServiceAddressInvalid(IService given, address expected);
 
@@ -85,28 +89,30 @@ contract ReleaseManager is
     error ErrorReleaseManagerServiceSelfRegistration(IService service);
     error ErrorReleaseManagerServiceOwnerRegistered(IService service, address owner);
 
-    // _verifyReleaseAuthorizations
-    error ErrorReleaseManagerReleaseEmpty();
-    error ErrorReleaseManagerReleaseServiceRoleInvalid(uint serviceIdx, address service, RoleId role);
-
     Seconds public constant MIN_DISABLE_DELAY = Seconds.wrap(60 * 24 * 365); // 1 year
 
     RegistryAdmin public immutable _admin;
-    address public immutable _releaseAccessManagerCodeAddress;
     Registry public immutable _registry;
     IRegisterable private _staking;
     address private _stakingOwner;
 
-    mapping(VersionPart version => AccessManagerExtendedWithDisableInitializeable accessManager) internal _releaseAccessManager;
     mapping(VersionPart version => IRegistry.ReleaseInfo info) internal _releaseInfo;
+    mapping(VersionPart version => IServiceAuthorization authz) internal _serviceAuthorization;
+
+    // TODO check where/why this is used
     mapping(address registryService => VersionPart version) _releaseVersionByAddress;
 
+    // TODO remove once it's clear that release authority will always be registry authority
+    mapping(VersionPart version => address authority) internal _releaseAccessManager;
+
+
     VersionPart immutable internal _initial;// first active version    
     VersionPart internal _latest; // latest active version
     VersionPart internal _next; // version to create and activate 
     StateId internal _state; // current state of release manager
 
-    uint256 internal _awaitingRegistration; // "services left to register" counter
+    uint256 internal _registeredServices;
+    uint256 internal _servicesToRegister;
 
     // deployer of this contract must be gif admin
     constructor(Registry registry)
@@ -124,11 +130,6 @@ contract ReleaseManager is
         _initial = VersionPartLib.toVersionPart(INITIAL_GIF_VERSION);
         _next = VersionPartLib.toVersionPart(INITIAL_GIF_VERSION - 1);
         _state = getInitialState(RELEASE());
-        
-        AccessManagerExtendedWithDisableInitializeable masterReleaseAccessManager = new AccessManagerExtendedWithDisableInitializeable();
-        masterReleaseAccessManager.initialize(_registry.NFT_LOCK_ADDRESS(), VersionLib.toVersionPart(0));
-        //masterReleaseAccessManager.disable();
-        _releaseAccessManagerCodeAddress = address(masterReleaseAccessManager);
     }
 
     /// @dev skips previous release if was not activated
@@ -143,32 +144,55 @@ contract ReleaseManager is
         }
 
         _next = VersionPartLib.toVersionPart(_next.toInt() + 1);
-        _awaitingRegistration = 0;
+        _servicesToRegister = 0;
+        _registeredServices = 0;
         _state = SCHEDULED();
 
         return _next;
     }
 
-    // TODO order of events
     function prepareNextRelease(
-        address[] memory addresses,
-        string[] memory names, 
-        RoleId[][] memory serviceRoles,
-        string[][] memory serviceRoleNames,
-        RoleId[][] memory functionRoles,
-        string[][] memory functionRoleNames,
-        bytes4[][][] memory selectors, 
+        IServiceAuthorization serviceAuthorization,
         bytes32 salt
     )
         external
         restricted() // GIF_MANAGER_ROLE
         returns(
-            address releaseAccessManagerAddress, 
+            address authority, 
             VersionPart version, 
             bytes32 releaseSalt
         )
     {
-        version = getNextVersion();
+        // verify release manager is in proper state to start deploying a next release
+        if (!isValidTransition(RELEASE(), _state, DEPLOYING())) {
+            revert ErrorReleaseManagerReleasePreparationDisallowed(_state);
+        }
+
+        // verify prepareNextRelease is only called once per release
+        if(_servicesToRegister > 0) {
+            revert ErrorReleaseManagerReleaseAlreadyPrepared(version);
+        }
+
+        // verify authorizaion contract release matches with expected version
+        VersionPart releaseVersion = serviceAuthorization.getRelease();
+        if (releaseVersion != _next) {
+            revert ErrorReleaseManagerVersionMismatch(_next, releaseVersion);
+        }
+
+        // sanity check to ensure service domain list is not empty
+        uint256 serviceDomainsCount = serviceAuthorization.getServiceDomains().length;
+        if (serviceDomainsCount == 0) {
+            revert ErrorReleaseManagerNoDomains(_next);
+        }
+
+        _state = DEPLOYING();
+        _servicesToRegister = serviceDomainsCount;
+
+        // store release specific service authorization
+        authority = _admin.authority();
+        _serviceAuthorization[_next] = serviceAuthorization;
+        // TODO refactor: authority no longer release specific
+        _releaseAccessManager[_next] = authority;
 
         // ensures unique salt
         releaseSalt = keccak256(
@@ -176,34 +200,7 @@ contract ReleaseManager is
                 bytes32(version.toInt()),
                 salt));
 
-        releaseAccessManagerAddress = Clones.cloneDeterministic(_releaseAccessManagerCodeAddress, releaseSalt);
-        AccessManagerExtendedWithDisableInitializeable releaseAccessManager = AccessManagerExtendedWithDisableInitializeable(releaseAccessManagerAddress);
-        releaseAccessManager.initialize(address(this), version);
-
-        if (!isValidTransition(RELEASE(), _state, DEPLOYING())) {
-            revert ErrorReleaseManagerReleasePreparationDisallowed(_state);
-        }
-
-        _verifyReleaseAuthorizations(addresses, serviceRoles, functionRoles, selectors);
-
-        if(_awaitingRegistration > 0) {
-            revert ErrorReleaseManagerReleaseAlreadyPrepared(version);
-        }
-        // TODO instead of copying just set ServiceAuthorizationsLib for release and array of domains???
-        _releaseInfo[version].version = version;
-        _releaseInfo[version].salt = releaseSalt;
-        _releaseInfo[version].addresses = addresses;
-        _releaseInfo[version].names = names;
-        _releaseInfo[version].serviceRoles = serviceRoles;
-        _releaseInfo[version].serviceRoleNames = serviceRoleNames;
-        _releaseInfo[version].functionRoles = functionRoles;
-        _releaseInfo[version].functionRoleNames = functionRoleNames;
-        _releaseInfo[version].selectors = selectors;
-        _awaitingRegistration = addresses.length;
-        _state = DEPLOYING();        
-        _releaseAccessManager[version] = releaseAccessManager;
-
-        emit LogReleaseCreation(version, releaseSalt, releaseAccessManager);
+        emit LogReleaseCreation(version, releaseSalt, authority);
     }
 
 
@@ -212,59 +209,49 @@ contract ReleaseManager is
         restricted // GIF_MANAGER_ROLE
         returns(NftId nftId)
     {
+        // TODO is it usefull to check transition from A to A?
         if (!isValidTransition(RELEASE(), _state, DEPLOYING())) {
             revert ErrorReleaseManagerServiceRegistrationDisallowed(_state);
         }
 
+        if (_servicesToRegister == _registeredServices) {
+            revert ErrorReleaseManagerNoServiceRegistrationExpected();
+        }
+
         (
             IRegistry.ObjectInfo memory info,
             ObjectType domain,
             VersionPart version
         ) = _verifyService(service);
 
-        // redundant with state var
-        if (_awaitingRegistration == 0) {
-            revert ErrorReleaseManagerNoServiceRegistrationExpected();
+        ObjectType expectedDomain = _serviceAuthorization[version].getServiceDomains()[_registeredServices];
+        if (service.getDomain() != expectedDomain) {
+            revert ErrorReleaseManagerServiceDomainMismatch(expectedDomain, service.getDomain());
         }
 
-        uint serviceIdx = _awaitingRegistration - 1;
-        address serviceAddress = _releaseInfo[version].addresses[serviceIdx];
-        // TODO temp, while typescript addresses computation is not implemented 
-        /*if(address(service) != serviceAddress) {
-            revert ErrorReleaseManagerServiceAddressInvalid(service, serviceAddress);
-        }*/
-
-        _setServiceAuthorizations(
-            _releaseAccessManager[version],
-            // TODO temp, while typescript addresses computation is not implemented
-            address(service),//serviceAddress, 
-            _releaseInfo[version].names[serviceIdx], 
-            _releaseInfo[version].serviceRoles[serviceIdx],
-            _releaseInfo[version].serviceRoleNames[serviceIdx],
-            _releaseInfo[version].functionRoles[serviceIdx],
-            _releaseInfo[version].functionRoleNames[serviceIdx],
-            _releaseInfo[version].selectors[serviceIdx]);
-
-        // TODO decide for one of the approaches
-        // // service to service authorization
-        // ServiceAuthorizationsLib.ServiceAuthorization memory authz = ServiceAuthorizationsLib.getAuthorizations(domain);
-        // for(uint8 idx = 0; idx < authz.authorizedRole.length; idx++) {
-        //     _accessManager.setTargetFunctionRole(
-        //         address(service), 
-        //         authz.authorizedSelectors[idx], 
-        //         authz.authorizedRole[idx]);
-        // }
-
-        _awaitingRegistration = serviceIdx;
-        // TODO end state depends on (_awaitingRegistration == 0)
-        _state = DEPLOYING();
-
-        // checked in registry
-        _releaseInfo[version].domains.push(domain);
-
+        // register service with registry
         nftId = _registry.registerService(info, version, domain);
+        _registeredServices++;
 
         service.linkToRegisteredNftId();
+
+        // setup service authorization
+        _admin.authorizeService(
+            _serviceAuthorization[version], 
+            service);
+
+        // TODO consider to extend this to REGISTRY
+        // special roles for registry/staking/pool service
+        if (domain == STAKING() || domain == POOL()) {
+            // TODO rename to grantServiceDomainRole()
+            _admin.grantServiceRoleForAllVersions(service, domain);
+        }
+
+        if (_registeredServices < _servicesToRegister) {
+            _state = DEPLOYING();
+        } else {
+            // TODO end state depends on (_awaitingRegistration == 0)
+        }
     }
 
 
@@ -276,20 +263,18 @@ contract ReleaseManager is
             revert ErrorReleaseManagerReleaseActivationDisallowed(_state);
         }
 
+        // release fully deployed
         VersionPart version = _next;
-        address service = _registry.getServiceAddress(REGISTRY(), version);
+        if(_registeredServices < _servicesToRegister) {
+            revert ErrorReleaseManagerReleaseRegistrationNotFinished(version, _servicesToRegister - _registeredServices);
+        }
 
-        // release exists, registry service is a MUST
-        //if(_releaseAccessManager[version] == address(0)) {
+        // release exists, registry service MUST exist
+        address service = _registry.getServiceAddress(REGISTRY(), version);
         if(service == address(0)) {
             revert ErrorReleaseManagerReleaseNotCreated(version);
         }
 
-        // release fully deployed
-        if(_awaitingRegistration > 0) {
-            revert ErrorReleaseManagerReleaseRegistrationNotFinished(version, _awaitingRegistration);
-        }
-
         // release is not activated
         if(_releaseInfo[version].activatedAt.gtz()) {
             revert ErrorReleaseManagerReleaseAlreadyActivated(version);
@@ -321,7 +306,8 @@ contract ReleaseManager is
 
         disableDelay = SecondsLib.toSeconds(Math.max(disableDelay.toInt(), MIN_DISABLE_DELAY.toInt()));
 
-        _releaseAccessManager[version].disable(disableDelay);
+        // TODO come up with a substitute
+        // _releaseAccessManager[version].disable(disableDelay);
 
         _releaseInfo[version].disabledAt = TimestampLib.blockTimestamp().addSeconds(disableDelay);
     }
@@ -336,7 +322,8 @@ contract ReleaseManager is
         //}
 
         // reverts if disable delay expired
-        _releaseAccessManager[version].enable();
+        // TODO come up with a substitute
+        // _releaseAccessManager[version].enable();
         
         _releaseInfo[version].disabledAt = zeroTimestamp();
     }
@@ -381,13 +368,18 @@ contract ReleaseManager is
     }
 
     function getRemainingServicesToRegister() external view returns (uint256 services) {
-        return _awaitingRegistration;
+        return _servicesToRegister - _registeredServices;
     }
 
-    function getReleaseAccessManager(VersionPart version) external view returns(AccessManagerExtendedWithDisableInitializeable) {
-        return _releaseAccessManager[version];
+    function getServiceAuthorization(VersionPart version)
+        external
+        view
+        returns (IServiceAuthorization serviceAuthorization)
+    {
+        return _serviceAuthorization[version];
     }
-    // TODO tokenr registry knows nothing about adfmin, only registry
+
+    // TODO token registry knows nothing about adfmin, only registry
     function getRegistryAdmin() external view returns (address) {
         return address(_admin);
     }
@@ -507,81 +499,7 @@ contract ReleaseManager is
         }
     }
 
-
-    function _verifyReleaseAuthorizations(
-        address[] memory serviceAddress,
-        RoleId[][] memory serviceRoles,
-        RoleId[][] memory functionRoles,
-        bytes4[][][] memory selectors
-    )
-        internal
-        pure
-    {
-        if(serviceAddress.length == 0) {
-            revert ErrorReleaseManagerReleaseEmpty();
-        }
-
-        for(uint serviceIdx = 0; serviceIdx < serviceAddress.length; serviceIdx++)
-        {
-            for(uint roleIdx = 0; roleIdx < serviceRoles[serviceIdx].length; roleIdx++)
-            {
-                RoleId role = serviceRoles[serviceIdx][roleIdx];
-                if(role == ADMIN_ROLE() || role == PUBLIC_ROLE()) {
-                    revert ErrorReleaseManagerReleaseServiceRoleInvalid(serviceIdx, serviceAddress[serviceIdx], role);
-                }
-            }
-        }
-
-        // TODO no duplicate service "domain" role per release
-        // TODO no duplicate service roles per service
-        // TODO no duplicate service function roles per service
-        // TODO no duplicate service function selectors per service
-    }
-
-    function _setServiceAuthorizations(
-        AccessManagerExtendedWithDisableInitializeable accessManager, // release access manager
-        address serviceAddress,
-        string memory serviceName,
-        RoleId[] memory serviceRoles,
-        string[] memory serviceRoleNames,
-        RoleId[] memory functionRoles,
-        string[] memory functionRoleNames,
-        bytes4[][] memory selectors
-    )
-        internal
-    {
-        accessManager.createTarget(serviceAddress, serviceName);
-
-        for(uint idx = 0; idx < functionRoles.length; idx++)
-        {
-            uint64 roleInt = functionRoles[idx].toInt();
-
-            if(!accessManager.isRoleExists(roleInt)) {
-                accessManager.createRole(roleInt, functionRoleNames[idx]);
-            }
-
-            accessManager.setTargetFunctionRole(
-                serviceAddress, 
-                selectors[idx],
-                functionRoles[idx].toInt());
-        }
-    
-        for(uint idx = 0; idx < serviceRoles.length; idx++)
-        {
-            uint64 roleInt = serviceRoles[idx].toInt();
-
-            if(!accessManager.isRoleExists(roleInt)) {
-                accessManager.createRole(roleInt, serviceRoleNames[idx]);
-            }
-
-            accessManager.grantRole(
-                serviceRoles[idx].toInt(),
-                serviceAddress, 
-                0);
-        }
-    }
-
-    // returns true iff a the address passes some simple proxy tests.
+    /// @dev returns true iff a the address passes some simple proxy tests.
     function _isRegistry(address registryAddress) internal view returns (bool) {
 
         // zero address is certainly not registry

package/contracts/registry/ServiceAuthorizationV3.sol

@@ -0,0 +1,200 @@
+// SPDX-License-Identifier: Apache-2.0
+pragma solidity ^0.8.20;
+
+import {
+     ALL, REGISTRY, SERVICE, PRODUCT, ORACLE, POOL, INSTANCE, COMPONENT, DISTRIBUTION, DISTRIBUTOR, APPLICATION, POLICY, CLAIM, BUNDLE, STAKE, STAKING, PRICE
+} from "../../contracts/type/ObjectType.sol";
+
+import {ComponentService} from "../shared/ComponentService.sol";
+import {IAccess} from "../authorization/IAccess.sol";
+import {IBundleService} from "../pool/IBundleService.sol";
+import {IDistributionService} from "../distribution/IDistributionService.sol";
+import {InstanceService} from "../instance/InstanceService.sol";
+import {IInstanceService} from "../instance/IInstanceService.sol";
+import {IPoolService} from "../pool/IPoolService.sol";
+import {IStakingService} from "../staking/IStakingService.sol";
+import {IRegistryService} from "./IRegistryService.sol";
+import {ServiceAuthorization} from "../authorization/ServiceAuthorization.sol";
+
+
+contract ServiceAuthorizationV3
+     is ServiceAuthorization
+{
+
+     constructor(string memory commitHash)
+          ServiceAuthorization(commitHash)
+     {}
+
+     function _setupDomains()
+          internal
+          override
+     {
+          _authorizeDomain(REGISTRY(), address(1));
+          _authorizeDomain(STAKING(), address(2));
+          _authorizeDomain(INSTANCE(), address(3));
+          _authorizeDomain(COMPONENT(), address(4));
+          _authorizeDomain(DISTRIBUTION(), address(5));
+          _authorizeDomain(PRICE(), address(6));
+          _authorizeDomain(BUNDLE(), address(7));
+          _authorizeDomain(POOL(), address(8));
+          _authorizeDomain(ORACLE(), address(9));
+          _authorizeDomain(PRODUCT(), address(10));
+          _authorizeDomain(CLAIM(), address(11));
+          _authorizeDomain(APPLICATION(), address(12));
+          _authorizeDomain(POLICY(), address(13));
+     }
+
+
+     function _setupDomainAuthorizations()
+          internal
+          override
+     {
+          _setupIRegistryServiceAuthorization();
+          _setupStakingServiceAuthorization();
+          _setupInstanceServiceAuthorization();
+          _setupComponentServiceAuthorization();
+          _setupDistributionServiceAuthorization();
+          _setupPoolServiceAuthorization();
+          _setupBundleServiceAuthorization();
+     }
+
+
+     /// @dev registry service authorization.
+     /// authorized functions MUST be implemented with a restricted modifier
+     function _setupIRegistryServiceAuthorization()
+          internal
+     {
+          IAccess.FunctionInfo[] storage functions;
+
+          functions = _authorizeForService(REGISTRY(), APPLICATION());
+          _authorize(functions, IRegistryService.registerPolicy.selector, "registerPolicy");
+
+          functions = _authorizeForService(REGISTRY(), POOL());
+          _authorize(functions, IRegistryService.registerPool.selector, "registerPool");
+
+          functions = _authorizeForService(REGISTRY(), BUNDLE());
+          _authorize(functions, IRegistryService.registerBundle.selector, "registerBundle");
+
+          functions = _authorizeForService(REGISTRY(), DISTRIBUTION());
+          _authorize(functions, IRegistryService.registerDistribution.selector, "registerDistribution");
+          _authorize(functions, IRegistryService.registerDistributor.selector, "registerDistributor");
+
+          functions = _authorizeForService(REGISTRY(), COMPONENT());
+          _authorize(functions, IRegistryService.registerComponent.selector, "registerComponent");
+
+          functions = _authorizeForService(REGISTRY(), INSTANCE());
+          _authorize(functions, IRegistryService.registerInstance.selector, "registerInstance");
+
+          functions = _authorizeForService(REGISTRY(), STAKING());
+          _authorize(functions, IRegistryService.registerStake.selector, "registerStake");
+
+          functions = _authorizeForService(REGISTRY(), PRODUCT());
+          _authorize(functions, IRegistryService.registerProduct.selector, "registerProduct");
+     }
+
+
+     /// @dev staking service authorization.
+     /// authorized functions MUST be implemented with a restricted modifier
+     function _setupStakingServiceAuthorization()
+          internal
+     {
+          IAccess.FunctionInfo[] storage functions;
+
+          functions = _authorizeForService(STAKING(), INSTANCE());
+          _authorize(functions, IStakingService.createInstanceTarget.selector, "createInstanceTarget");
+          _authorize(functions, IStakingService.setInstanceLockingPeriod.selector, "setInstanceLockingPeriod");
+          _authorize(functions, IStakingService.setInstanceRewardRate.selector, "setInstanceRewardRate");
+          _authorize(functions, IStakingService.refillInstanceRewardReserves.selector, "refillInstanceRewardReserves");
+          _authorize(functions, IStakingService.withdrawInstanceRewardReserves.selector, "withdrawInstanceRewardReserves");
+
+          functions = _authorizeForService(STAKING(), ALL());
+          _authorize(functions, IStakingService.create.selector, "create");
+          _authorize(functions, IStakingService.stake.selector, "stake");
+          _authorize(functions, IStakingService.restakeToNewTarget.selector, "restakeToNewTarget");
+          _authorize(functions, IStakingService.updateRewards.selector, "updateRewards");
+          _authorize(functions, IStakingService.claimRewards.selector, "claimRewards");
+          _authorize(functions, IStakingService.unstake.selector, "unstake");
+     }
+
+
+     /// @dev Instance service function authorization.
+     function _setupInstanceServiceAuthorization()
+          internal
+     {
+          IAccess.FunctionInfo[] storage functions;
+
+          functions = _authorizeForService(INSTANCE(), COMPONENT());
+          _authorize(functions, IInstanceService.initializeAuthorization.selector, "initializeAuthorization");
+     }
+
+
+     /// @dev Component service function authorization.
+     function _setupComponentServiceAuthorization()
+          internal
+     {
+          // authz.authorizations = new DomainAuthorization[](4);
+
+          // authz.authorizations[0].domain = POLICY();
+          // _functions = new IAccessAdmin.Function[](1);
+          // __authorize(ComponentService.increaseProductFees.selector, "increaseProductFees"));
+          // authz.authorizations[0].functions = _functions;
+
+          // authz.authorizations[1].domain = DISTRIBUTION();
+          // _functions = new IAccessAdmin.Function[](1);
+          // __authorize(ComponentService.increaseDistributionBalance.selector, "increaseDistributionBalance"));
+          // authz.authorizations[1].functions = _functions;
+
+          // authz.authorizations[2].domain = POOL();
+          // _functions = new IAccessAdmin.Function[](1);
+          // __authorize(ComponentService.increasePoolBalance.selector, "increasePoolBalance"));
+          // authz.authorizations[2].functions = _functions;
+
+          // authz.authorizations[3].domain = BUNDLE();
+          // _functions = new IAccessAdmin.Function[](1);
+          // __authorize(ComponentService.increaseBundleBalance.selector, "increaseBundleBalance"));
+          // authz.authorizations[3].functions = _functions;
+     }
+
+     /// @dev Distribution service function authorization.
+     function _setupDistributionServiceAuthorization()
+          internal
+     {
+          IAccess.FunctionInfo[] storage functions;
+
+          functions = _authorizeForService(DISTRIBUTION(), POLICY());
+          _authorize(functions, IDistributionService.processSale.selector, "processSale");
+     }
+
+
+     /// @dev Pool service function authorization.
+     function _setupPoolServiceAuthorization()
+          internal
+     {
+          IAccess.FunctionInfo[] storage functions;
+
+          functions = _authorizeForService(POOL(), POLICY());
+          _authorize(functions, IPoolService.lockCollateral.selector, "lockCollateral");
+          _authorize(functions, IPoolService.releaseCollateral.selector, "releaseCollateral");
+          _authorize(functions, IPoolService.reduceCollateral.selector, "reduceCollateral");
+          _authorize(functions, IPoolService.processSale.selector, "processSale");
+
+          functions = _authorizeForService(POOL(), CLAIM());
+          _authorize(functions, IPoolService.reduceCollateral.selector, "reduceCollateral");
+     }
+
+
+     /// @dev Instance service function authorization.
+     function _setupBundleServiceAuthorization()
+          internal
+     {
+          IAccess.FunctionInfo[] storage functions;
+
+          functions = _authorizeForService(BUNDLE(), POOL());
+          _authorize(functions, IBundleService.create.selector, "create");
+          _authorize(functions, IBundleService.close.selector, "close");
+          _authorize(functions, IBundleService.lockCollateral.selector, "lockCollateral");
+          _authorize(functions, IBundleService.releaseCollateral.selector, "releaseCollateral");
+          _authorize(functions, IBundleService.unlinkPolicy.selector, "unlinkPolicy");
+     }
+}
+