npm - @etherisc/gif-next - Versions diffs - 0.0.2-82c6d88-499 → 0.0.2-8311e70-020 - Mend

@etherisc/gif-next 0.0.2-82c6d88-499 → 0.0.2-8311e70-020

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (571) hide show

package/contracts/{shared → authorization}/AccessAdmin.sol RENAMED Viewed

@@ -1,16 +1,23 @@
 // SPDX-License-Identifier: UNLICENSED
 pragma solidity ^0.8.20;
-import {AccessManager} from "@openzeppelin/contracts/access/manager/AccessManager.sol";
 import {AccessManagedUpgradeable} from "@openzeppelin/contracts-upgradeable/access/manager/AccessManagedUpgradeable.sol";
 import {EnumerableSet} from "@openzeppelin/contracts/utils/structs/EnumerableSet.sol";
+import {ReentrancyGuardUpgradeable} from "@openzeppelin/contracts-upgradeable/utils/ReentrancyGuardUpgradeable.sol";
+import {AccessManagerCloneable} from "./AccessManagerCloneable.sol";
+import {ContractLib} from "../shared/ContractLib.sol";
 import {IAccessAdmin} from "./IAccessAdmin.sol";
-import {RoleId, RoleIdLib} from "../type/RoleId.sol";
+import {IRegistry} from "../registry/IRegistry.sol";
+import {RoleId, RoleIdLib, ADMIN_ROLE, PUBLIC_ROLE} from "../type/RoleId.sol";
 import {Selector, SelectorLib, SelectorSetLib} from "../type/Selector.sol";
 import {Str, StrLib} from "../type/String.sol";
-import {Timestamp, TimestampLib} from "../type/Timestamp.sol";
+import {TimestampLib} from "../type/Timestamp.sol";
+import {VersionPart} from "../type/Version.sol";
+interface IAccessManagedChecker {
+    function authority() external view returns (address);
+}
 /**
  * @dev A generic access amin contract that implements role based access control based on OpenZeppelin's AccessManager contract.
@@ -19,6 +26,7 @@ import {Timestamp, TimestampLib} from "../type/Timestamp.sol";
  */
 contract AccessAdmin is
     AccessManagedUpgradeable,
+    ReentrancyGuardUpgradeable,
     IAccessAdmin
 {
     using EnumerableSet for EnumerableSet.AddressSet;
@@ -26,19 +34,13 @@ contract AccessAdmin is
     string public constant ADMIN_ROLE_NAME = "AdminRole";
     string public constant PUBLIC_ROLE_NAME = "PublicRole";
-    uint64 public constant MANAGER_ROLE = type(uint64).min + 1;
-    string public constant MANAGER_ROLE_NAME = "ManagerRole";
     /// @dev the OpenZeppelin access manager driving the access admin contract
-    AccessManager internal _authority;
+    AccessManagerCloneable internal _authority;
     /// @dev stores the deployer address and allows to create initializers
     /// that are restricted to the deployer address.
     address internal _deployer;
-    /// @dev required role for state changes to this contract
-    RoleId internal _managerRoleId;
     /// @dev store role info per role id
     mapping(RoleId roleId => RoleInfo info) internal _roleInfo;
@@ -63,15 +65,15 @@ contract AccessAdmin is
     /// @dev store all managed functions per target
     mapping(address target => SelectorSetLib.Set selectors) internal _targetFunctions;
-    /// @dev temporary dynamic function infos array
-    mapping(address target => mapping(Selector selector => Str functionName)) internal _functionName;
+    /// @dev function infos array
+    mapping(address target => mapping(Selector selector => FunctionInfo)) internal _functionInfo;
     /// @dev temporary dynamic functions array
     bytes4[] private _functions;
     modifier onlyDeployer() {
         // special case for cloned AccessAdmin contracts
-        // IMPORTANT cloning and _initializeAuthority needs to be done in a single transaction
+        // IMPORTANT cloning and initialize authority needs to be done in a single transaction
         if (_deployer == address(0)) {
             _deployer = msg.sender;
         }
@@ -83,11 +85,9 @@ contract AccessAdmin is
     }
     modifier onlyRoleAdmin(RoleId roleId) {
-        if (!roleExists(roleId)) {
-            revert ErrorRoleUnknown(roleId);
-        }
+        _checkRoleExists(roleId, false);
-        if (!hasRole(msg.sender, _roleInfo[roleId].adminRoleId)) {
+        if (!hasAdminRole(msg.sender, roleId)) {
             revert ErrorNotAdminOfRole(_roleInfo[roleId].adminRoleId);
         }
         _;
@@ -100,8 +100,15 @@ contract AccessAdmin is
         _;
     }
-    modifier onlyExistingRole(RoleId roleId) {
-        _checkRoleId(roleId);
+    modifier onlyExistingRole(
+        RoleId roleId,
+        bool onlyActiveRole,
+        bool allowLockedRoles
+    )
+    {
+        if (!allowLockedRoles) {
+            _checkRoleExists(roleId, onlyActiveRole);
+        }
         _;
     }
@@ -110,159 +117,91 @@ contract AccessAdmin is
         _;
     }
-    constructor() {
-        _deployer = msg.sender;
-        _authority = new AccessManager(address(this));
+    //-------------- initialization functions ------------------------------//
-        _setAuthority(address(_authority));
-        _createInitialRoleSetup();
+    // event LogAccessAdminDebug(string message);
-        _disableInitializers();
-    }
-    //--- role management functions -----------------------------------------//
-    function createRole(
-        RoleId roleId,
-        RoleId adminRoleId,
-        string memory name,
-        uint256 maxMemberCount,
-        bool memberRemovalDisabled
+    /// @dev Initializes this admin with the provided accessManager (and authorization specification).
+    /// Internally initializes access manager with this admin and creates basic role setup.
+    function initialize(
+        AccessManagerCloneable authority
     )
-        external
-        virtual
-        restricted()
+        public
+        initializer()
     {
-        _createRole(roleId, adminRoleId, name, maxMemberCount, memberRemovalDisabled);
+        __AccessAdmin_init(authority);
     }
-    function setRoleDisabled(
-        RoleId roleId,
-        bool disabled
-    )
-        external
-        virtual
-        restricted()
-    {
-        _setRoleDisabled(roleId, disabled);
-    }
-    function grantRole(
-        address account,
-        RoleId roleId
+    function __AccessAdmin_init(
+        AccessManagerCloneable authority
     )
-        external
-        virtual
-        onlyRoleAdmin(roleId)
-        restricted()
+        internal
+        onlyInitializing()
+        onlyDeployer() // initializes deployer if not initialized yet
     {
-        _grantRoleToAccount(roleId, account);
-    }
+        authority.initialize(address(this));
-    function revokeRole(
-        address account,
-        RoleId roleId
-    )
-        external
-        virtual
-        onlyRoleAdmin(roleId)
-        restricted()
-    {
-        _revokeRoleFromAccount(roleId, account);
-    }
+        // set and initialize this access manager contract as
+        // the admin (ADMIN_ROLE) of the provided authority
+        __AccessManaged_init(address(authority));
+        _authority = authority;
-    function renounceRole(
-        RoleId roleId
-    )
-        external
-        virtual
-        onlyRoleMember(roleId)
-        restricted()
-    {
-        _revokeRoleFromAccount(roleId, msg.sender);
+        // create admin and public roles
+        _initializeAdminAndPublicRoles();
+        // additional use case specific initialization
+        _initializeCustom();
     }
-    //--- target management functions ---------------------------------------//
-    function createTarget(
-        address target,
-        string memory name
-    )
-        external
-        virtual
-        restricted()
-    {
-        _createTarget(target, name);
+    function getRegistry() public view returns (IRegistry registry) {
+        return _authority.getRegistry();
     }
-    function setTargetLocked(
-        address target,
-        bool locked
-    )
-        external
-        virtual
-        onlyExistingTarget(target)
-        restricted()
-    {
-        _authority.setTargetClosed(target, locked);
-        // implizit logging: rely on OpenZeppelin log TargetClosed
+    function getRelease() public view returns (VersionPart release) {
+        return _authority.getRelease();
     }
-    function authorizeFunctions(
-        address target,
-        RoleId roleId,
-        Function[] memory functions
-    )
-        external
-        virtual
-        onlyExistingTarget(target)
-        onlyExistingRole(roleId)
-        restricted()
-    {
-        _authorizeTargetFunctions(target, roleId, functions);
-    }
-    function unauthorizeFunctions(
-        address target,
-        Function[] memory functions
-    )
-        external
+    function _initializeAdminAndPublicRoles()
+        internal
         virtual
-        restricted()
+        onlyInitializing()
     {
-        _unauthorizeTargetFunctions(target, functions);
-    }
+        RoleId adminRoleId = RoleIdLib.toRoleId(_authority.ADMIN_ROLE());
+        // setup admin role
+        _createRoleUnchecked(
+            ADMIN_ROLE(),
+            toRole({
+                adminRoleId: ADMIN_ROLE(),
+                roleType: RoleType.Contract,
+                maxMemberCount: 1,
+                name: ADMIN_ROLE_NAME}));
-    function authorizedFunctions(address target) external view returns (uint256 numberOfFunctions) {
-        return SelectorSetLib.size(_targetFunctions[target]);
-    }
+        // add this contract as admin role member
+        _roleMembers[adminRoleId].add(address(this));
-    function getAuthorizedFunction(
-        address target,
-        uint256 idx
-    )
-        external
-        view
-        returns (
-            Function memory func,
-            RoleId roleId
-        )
-    {
-        Selector selector = SelectorSetLib.at(_targetFunctions[target], idx);
+        // setup public role
+        _createRoleUnchecked(
+            PUBLIC_ROLE(),
+            toRole({
+                adminRoleId: ADMIN_ROLE(),
+                roleType: RoleType.Gif,
+                maxMemberCount: type(uint32).max,
+                name: PUBLIC_ROLE_NAME}));
+    }
-        func = Function({
-            selector: selector,
-            name: _functionName[target][selector]});
-        roleId = RoleIdLib.toRoleId(
-            _authority.getTargetFunctionRole(
-                target,
-                selector.toBytes4()));
-    }
+    function _initializeCustom()
+        internal
+        virtual
+        onlyInitializing()
+    { }
-    //--- view functions ----------------------------------------------------//
+    //--- view functions for roles ------------------------------------------//
     function roles() external view returns (uint256 numberOfRoles) {
         return _roleIds.length;
@@ -280,16 +219,8 @@ contract AccessAdmin is
         return RoleId.wrap(_authority.PUBLIC_ROLE());
     }
-    function getManagerRole() public view returns (RoleId roleId) {
-        return _managerRoleId;
-    }
     function roleExists(RoleId roleId) public view returns (bool exists) {
-        return _roleInfo[roleId].exists;
-    }
-    function isRoleDisabled(RoleId roleId) public view returns (bool isActive) {
-        return _roleInfo[roleId].disabledAt <= TimestampLib.blockTimestamp();
+        return _roleInfo[roleId].createdAt.gtz();
     }
     function getRoleInfo(RoleId roleId) external view returns (RoleInfo memory) {
@@ -300,6 +231,15 @@ contract AccessAdmin is
         return _roleForName[name];
     }
+    function roleMembers(RoleId roleId) external view returns (uint256 numberOfMembers) {
+        return _roleMembers[roleId].length();
+    }
+    function getRoleMember(RoleId roleId, uint256 idx) external view returns (address account) {
+        return _roleMembers[roleId].at(idx);
+    }
+    // TODO false because not role member or because role not exists?
     function hasRole(address account, RoleId roleId) public view returns (bool) {
         (bool isMember, ) = _authority.hasRole(
             RoleId.unwrap(roleId),
@@ -307,22 +247,21 @@ contract AccessAdmin is
         return isMember;
     }
-    function roleMembers(RoleId roleId) external view returns (uint256 numberOfMembers) {
-        return _roleMembers[roleId].length();
+    function hasAdminRole(address account, RoleId roleId)
+        public
+        virtual
+        view
+        returns (bool)
+    {
+        return hasRole(account, _roleInfo[roleId].adminRoleId);
     }
-    function getRoleMember(RoleId roleId, uint256 idx) external view returns (address account) {
-        return _roleMembers[roleId].at(idx);
-    }
+    //--- view functions for targets ----------------------------------------//
     function targetExists(address target) public view returns (bool exists) {
         return _targetInfo[target].createdAt.gtz();
     }
-    function isTargetLocked(address target) public view returns (bool locked) {
-        return _authority.isTargetClosed(target);
-    }
     function targets() external view returns (uint256 numberOfTargets) {
         return _targets.length;
     }
@@ -335,34 +274,61 @@ contract AccessAdmin is
         return _targetInfo[target];
     }
-    function getTargetForName(Str name) external view returns (address target) {
+    function getTargetForName(Str name) public view returns (address target) {
         return _targetForName[name];
     }
-    function isAccessManaged(address target) public view returns (bool) {
-        if (!_isContract(target)) {
-            return false;
-        }
+    function isTargetLocked(address target) public view returns (bool locked) {
+        return _authority.isTargetClosed(target);
+    }
-        (bool success, ) = target.staticcall(
-            abi.encodeWithSelector(
-                AccessManagedUpgradeable.authority.selector));
+    function authorizedFunctions(address target) external view returns (uint256 numberOfFunctions) {
+        return SelectorSetLib.size(_targetFunctions[target]);
+    }
-        return success;
+    function getAuthorizedFunction(
+        address target,
+        uint256 idx
+    )
+        external
+        view
+        returns (
+            FunctionInfo memory func,
+            RoleId roleId
+        )
+    {
+        Selector selector = SelectorSetLib.at(_targetFunctions[target], idx);
+        func = _functionInfo[target][selector];
+        roleId = RoleIdLib.toRoleId(
+            _authority.getTargetFunctionRole(
+                target,
+                selector.toBytes4()));
     }
-    function canCall(address caller, address target, Selector selector) external view returns (bool can) {
+    function canCall(address caller, address target, Selector selector) external virtual view returns (bool can) {
         (can, ) = _authority.canCall(caller, target, selector.toBytes4());
     }
-    function deployer() public view returns (address) {
-        return _deployer;
+    function toRole(RoleId adminRoleId, RoleType roleType, uint32 maxMemberCount, string memory name) public view returns (RoleInfo memory) {
+        return RoleInfo({
+            name: StrLib.toStr(name),
+            adminRoleId: adminRoleId,
+            roleType: roleType,
+            maxMemberCount: maxMemberCount,
+            createdAt: TimestampLib.blockTimestamp(),
+            pausedAt: TimestampLib.max()
+        });
     }
-    function toFunction(bytes4 selector, string memory name) public pure returns (Function memory) {
-            return Function({
-                selector: SelectorLib.toSelector(selector),
-                name: StrLib.toStr(name)});
+    function toFunction(bytes4 selector, string memory name) public view returns (FunctionInfo memory) {
+        return FunctionInfo({
+            name: StrLib.toStr(name),
+            selector: SelectorLib.toSelector(selector),
+            createdAt: TimestampLib.blockTimestamp()});
+    }
+    function deployer() public view returns (address) {
+        return _deployer;
     }
     //--- internal/private functions -------------------------------------------------//
@@ -370,7 +336,7 @@ contract AccessAdmin is
     function _authorizeTargetFunctions(
         address target,
         RoleId roleId,
-        Function[] memory functions
+        FunctionInfo[] memory functions
     )
         internal
     {
@@ -382,33 +348,43 @@ contract AccessAdmin is
         bytes4[] memory functionSelectors = _processFunctionSelectors(target, functions, addFunctions);
         // apply authz via access manager
-        _grantRoleAccessToFunctions(target, roleId, functionSelectors);
+        _grantRoleAccessToFunctions(
+            target,
+            roleId,
+            functionSelectors,
+            false); // allowLockedRoles
     }
     function _unauthorizeTargetFunctions(
         address target,
-        Function[] memory functions
+        FunctionInfo[] memory functions
     )
         internal
     {
         bool addFunctions = false;
         bytes4[] memory functionSelectors = _processFunctionSelectors(target, functions, addFunctions);
-        _grantRoleAccessToFunctions(target, getAdminRole(), functionSelectors);
+        _grantRoleAccessToFunctions(
+            target,
+            getAdminRole(),
+            functionSelectors,
+            true); // allowLockedRoles
     }
     function _processFunctionSelectors(
         address target,
-        Function[] memory functions,
+        FunctionInfo[] memory functions,
         bool addFunctions
     )
         internal
+        onlyExistingTarget(target)
         returns (
             bytes4[] memory functionSelectors
         )
     {
         uint256 n = functions.length;
         functionSelectors = new bytes4[](n);
-        Function memory func;
+        FunctionInfo memory func;
         Selector selector;
         for (uint256 i = 0; i < n; i++) {
@@ -420,112 +396,23 @@ contract AccessAdmin is
             else { SelectorSetLib.remove(_targetFunctions[target], selector); }
             // set function name
-            _functionName[target][selector] = func.name;
+            _functionInfo[target][selector] = func;
             // add bytes4 selector to function selector array
             functionSelectors[i] = selector.toBytes4();
         }
     }
-    function _initializeAuthority(
-        address authorityAddress
-    )
-        internal
-        virtual
-        onlyInitializing()
-        onlyDeployer()
-    {
-        if (authority() != address(0)) {
-            revert ErrorAuthorityAlreadySet();
-        }
-        _authority = AccessManager(authorityAddress);
-        if(!hasRole(address(this), RoleId.wrap(_authority.ADMIN_ROLE()))) {
-            revert ErrorAdminRoleMissing();
-        }
-        __AccessManaged_init(address(_authority));
-    }
-    function _initializeRoleSetup()
-        internal
-        virtual
-        onlyInitializing()
-    {
-        _createInitialRoleSetup();
-    }
-    function _createInitialRoleSetup()
-        internal
-    {
-        RoleId adminRoleId = RoleIdLib.toRoleId(_authority.ADMIN_ROLE());
-        Function[] memory functions;
-        // setup admin role
-        _createRoleUnchecked(
-            adminRoleId,
-            adminRoleId,
-            StrLib.toStr(ADMIN_ROLE_NAME),
-            1,
-            true);
-        // add this contract as admin role member
-        _roleMembers[adminRoleId].add(address(this));
-        // setup public role
-        _createRoleUnchecked(
-            RoleIdLib.toRoleId(_authority.PUBLIC_ROLE()),
-            adminRoleId,
-            StrLib.toStr(PUBLIC_ROLE_NAME),
-            type(uint256).max,
-            true);
-        // setup manager role
-        _managerRoleId = RoleIdLib.toRoleId(MANAGER_ROLE);
-        _createRole(
-            _managerRoleId,
-            adminRoleId,
-            MANAGER_ROLE_NAME,
-            3, // TODO think about max member count
-            false);
-        // grant public role access to grant and revoke, renounce
-        functions = new Function[](3);
-        functions[0] = toFunction(IAccessAdmin.grantRole.selector, "grantRole");
-        functions[1] = toFunction(IAccessAdmin.revokeRole.selector, "revokeRole");
-        functions[2] = toFunction(IAccessAdmin.renounceRole.selector, "renounceRole");
-        _authorizeTargetFunctions(address(this), getPublicRole(), functions);
-        // grant manager role access to the specified functions
-        functions = new Function[](6);
-        functions[0] = toFunction(IAccessAdmin.createRole.selector, "createRole");
-        functions[1] = toFunction(IAccessAdmin.setRoleDisabled.selector, "setRoleDisabled");
-        functions[2] = toFunction(IAccessAdmin.createTarget.selector, "createTarget");
-        functions[3] = toFunction(IAccessAdmin.setTargetLocked.selector, "setTargetLocked");
-        functions[4] = toFunction(IAccessAdmin.authorizeFunctions.selector, "authorizeFunctions");
-        functions[5] = toFunction(IAccessAdmin.unauthorizeFunctions.selector, "unauthorizeFunctions");
-        _authorizeTargetFunctions(address(this), getManagerRole(), functions);
-    }
-    /// @dev check if target exists and reverts if it doesn't
-    function _checkTarget(address target)
-        internal
-    {
-        if (_targetInfo[target].createdAt.eqz()) {
-            revert ErrorTargetUnknown(target);
-        }
-    }
     /// @dev grant the specified role access to all functions in the provided selector list
     function _grantRoleAccessToFunctions(
         address target,
         RoleId roleId,
-        bytes4[] memory functionSelectors
+        bytes4[] memory functionSelectors,
+        bool allowLockedRoles // admin and public roles are locked
     )
         internal
+        onlyExistingTarget(target)
+        onlyExistingRole(roleId, true, allowLockedRoles)
     {
         _authority.setTargetFunctionRole(
             target,
@@ -535,18 +422,26 @@ contract AccessAdmin is
         // implizit logging: rely on OpenZeppelin log TargetFunctionRoleUpdated
     }
     /// @dev grant the specified role to the provided account
     function _grantRoleToAccount(RoleId roleId, address account)
         internal
+        onlyExistingRole(roleId, true, false)
     {
-        _checkRoleId(roleId);
-        _checkRoleIsActive(roleId);
         // check max role members will not be exceeded
         if (_roleMembers[roleId].length() >= _roleInfo[roleId].maxMemberCount) {
             revert ErrorRoleMembersLimitReached(roleId, _roleInfo[roleId].maxMemberCount);
         }
+        // check account is contract for contract role
+        if (
+            _roleInfo[roleId].roleType == RoleType.Contract &&
+            !ContractLib.isContract(account) // will fail in account's constructor
+        ) {
+            revert ErrorRoleMemberNotContract(roleId, account);
+        }
+        // TODO check account already have roleId
         _roleMembers[roleId].add(account);
         _authority.grantRole(
             RoleId.unwrap(roleId),
@@ -559,14 +454,15 @@ contract AccessAdmin is
     /// @dev revoke the specified role from the provided account
     function _revokeRoleFromAccount(RoleId roleId, address account)
         internal
+        onlyExistingRole(roleId, false, false)
     {
-        _checkRoleId(roleId);
         // check role removal is permitted
-        if (_roleInfo[roleId].memberRemovalDisabled) {
-            revert ErrorRoleRemovalDisabled(roleId);
+        if (_roleInfo[roleId].roleType == RoleType.Contract) {
+            revert ErrorRoleMemberRemovalDisabled(roleId, account);
         }
+        // TODO check account have roleId?
         _roleMembers[roleId].remove(account);
         _authority.revokeRole(
             RoleId.unwrap(roleId),
@@ -576,37 +472,11 @@ contract AccessAdmin is
     }
-    function _checkRoleId(RoleId roleId)
-        internal
-    {
-        if (!_roleInfo[roleId].exists) {
-            revert ErrorRoleUnknown(roleId);
-        }
-        uint64 roleIdInt = RoleId.unwrap(roleId);
-        if (roleIdInt == _authority.ADMIN_ROLE()
-            || roleIdInt == _authority.PUBLIC_ROLE())
-        {
-            revert ErrorRoleIsLocked(roleId);
-        }
-    }
-    function _checkRoleIsActive(RoleId roleId)
-        internal
-    {
-        if (isRoleDisabled(roleId)) {
-            revert ErrorRoleIsDisabled(roleId);
-        }
-    }
+    /// @dev Creates a role based on the provided parameters.
+    /// Checks that the provided role and role id and role name not already used.
     function _createRole(
         RoleId roleId,
-        RoleId adminRoleId,
-        string memory roleName,
-        uint256 maxMemberCount,
-        bool memberRemovalDisabled
+        RoleInfo memory info
     )
         internal
     {
@@ -618,83 +488,55 @@ contract AccessAdmin is
         }
         // check admin role exists
-        if(!roleExists(adminRoleId)) {
-            revert ErrorRoleAdminNotExisting(adminRoleId);
+        if(!roleExists(info.adminRoleId)) {
+            revert ErrorRoleAdminNotExisting(info.adminRoleId);
         }
         // check role name is not empty
-        Str name = StrLib.toStr(roleName);
-        if(name.length() == 0) {
+        if(info.name.length() == 0) {
             revert ErrorRoleNameEmpty(roleId);
         }
         // check role name is not used for another role
-        if(_roleForName[name].exists) {
+        if(_roleForName[info.name].exists) {
             revert ErrorRoleNameAlreadyExists(
                 roleId,
-                roleName,
-                _roleForName[name].roleId);
-        }
-        _createRoleUnchecked(
-            roleId, adminRoleId,
-            name,
-            maxMemberCount,
-            memberRemovalDisabled);
-    }
-    function _setRoleDisabled(
-        RoleId roleId,
-        bool disabled
-    )
-        internal
-    {
-        _checkRoleId(roleId);
-        Timestamp disabledAtOld = _roleInfo[roleId].disabledAt;
-        if (disabled) {
-            _roleInfo[roleId].disabledAt = TimestampLib.blockTimestamp();
-        } else {
-            _roleInfo[roleId].disabledAt = TimestampLib.max();
+                info.name.toString(),
+                _roleForName[info.name].roleId);
         }
-        emit LogRoleDisabled(roleId, disabled, disabledAtOld);
+        _createRoleUnchecked(roleId, info);
     }
     function _createRoleUnchecked(
         RoleId roleId,
-        RoleId adminRoleId,
-        Str name,
-        uint256 maxMemberCount,
-        bool memberRemovalDisabled
+        RoleInfo memory info
     )
         private
     {
         // create role info
-        _roleInfo[roleId] = RoleInfo({
-            adminRoleId: adminRoleId,
-            name: name,
-            maxMemberCount: maxMemberCount,
-            memberRemovalDisabled: memberRemovalDisabled,
-            disabledAt: TimestampLib.max(),
-            exists: true});
+        info.createdAt = TimestampLib.blockTimestamp();
+        _roleInfo[roleId] = info;
         // create role name info
-        _roleForName[name] = RoleNameInfo({
+        _roleForName[info.name] = RoleNameInfo({
             roleId: roleId,
             exists: true});
         // add role to list of roles
         _roleIds.push(roleId);
-        emit LogRoleCreated(roleId, adminRoleId, name.toString());
+        emit LogRoleCreated(roleId, info.roleType, info.adminRoleId, info.name.toString());
     }
-    function _createTarget(address target, string memory targetName)
+    function _createTarget(
+        address target,
+        string memory targetName,
+        bool checkAuthority,
+        bool custom
+    )
         internal
     {
         // check target does not yet exist
@@ -710,7 +552,7 @@ contract AccessAdmin is
             revert ErrorTargetNameEmpty(target);
         }
-        // check target name is not used for another role
+        // check target name is not used for another target
         if( _targetForName[name] != address(0)) {
             revert ErrorTargetNameAlreadyExists(
                 target,
@@ -719,19 +561,22 @@ contract AccessAdmin is
         }
         // check target is an access managed contract
-        if (!isAccessManaged(target)) {
+        if (!_isAccessManaged(target)) {
             revert ErrorTargetNotAccessManaged(target);
         }
         // check target shares authority with this contract
-        address targetAuthority = AccessManagedUpgradeable(target).authority();
-        if (targetAuthority != authority()) {
-            revert ErrorTargetAuthorityMismatch(authority(), targetAuthority);
+        if (checkAuthority) {
+            address targetAuthority = AccessManagedUpgradeable(target).authority();
+            if (targetAuthority != authority()) {
+                revert ErrorTargetAuthorityMismatch(authority(), targetAuthority);
+            }
         }
         // create target info
         _targetInfo[target] = TargetInfo({
             name: name,
+            isCustom: custom,
             createdAt: TimestampLib.blockTimestamp()
         });
@@ -744,16 +589,71 @@ contract AccessAdmin is
         emit LogTargetCreated(target, targetName);
     }
-    function _isContract(address target)
+    function _isAccessManaged(address target)
         internal
-        view
+        view
         returns (bool)
     {
-        uint256 size;
-        assembly {
-            size := extcodesize(target)
+        if (!ContractLib.isContract(target)) {
+            return false;
+        }
+        (bool success, ) = target.staticcall(
+            abi.encodeWithSelector(
+                IAccessManagedChecker.authority.selector));
+        return success;
+    }
+    function _setTargetClosed(address target, bool locked)
+        internal
+    {
+        _checkTarget(target);
+        // target locked/unlocked already
+        if(_authority.isTargetClosed(target) == locked) {
+            revert ErrorTargetAlreadyLocked(target, locked);
+        }
+        _authority.setTargetClosed(target, locked);
+    }
+    function _checkRoleExists(
+        RoleId roleId,
+        bool onlyActiveRole
+    )
+        internal
+        view
+    {
+        if (!roleExists(roleId)) {
+            revert ErrorRoleUnknown(roleId);
+        }
+        uint64 roleIdInt = RoleId.unwrap(roleId);
+        if (roleIdInt == _authority.ADMIN_ROLE())
+        // TODO cleanup
+            //|| roleIdInt == _authority.PUBLIC_ROLE()) prevents granting of public role
+        {
+            revert ErrorRoleIsLocked(roleId);
+        }
+        // check if role is disabled
+        if (onlyActiveRole && _roleInfo[roleId].pausedAt <= TimestampLib.blockTimestamp()) {
+            revert ErrorRoleIsPaused(roleId);
+        }
+    }
+    /// @dev check if target exists and reverts if it doesn't
+    function _checkTarget(address target)
+        internal
+        view
+    {
+        if (!targetExists(target)) {
+            revert ErrorTargetUnknown(target);
         }
-        return size > 0;
     }
 }