@etherisc/gif-next 0.0.2-bb3faee-097 → 0.0.2-bb9ecaf-723

package/contracts/authorization/AccessAdminLib.sol

@@ -7,13 +7,15 @@ import {IAccess} from "./IAccess.sol";
 import {IAccessAdmin} from "./IAccessAdmin.sol";
 import {IAuthorization} from "./IAuthorization.sol";
 import {IComponent} from "../shared/IComponent.sol";
+import {IInstanceLinkedComponent} from "../shared/IInstanceLinkedComponent.sol";
 import {IRegistry} from "../registry/IRegistry.sol";
 import {IService} from "../shared/IService.sol";
 import {IServiceAuthorization} from "./IServiceAuthorization.sol";
 
+import {BlocknumberLib} from "../type/Blocknumber.sol";
 import {ContractLib} from "../shared/ContractLib.sol";
 import {ObjectType} from "../type/ObjectType.sol";
-import {RoleId, RoleIdLib} from "../type/RoleId.sol";
+import {RoleId, RoleIdLib, ADMIN_ROLE, PUBLIC_ROLE} from "../type/RoleId.sol";
 import {SelectorLib} from "../type/Selector.sol";
 import {Str, StrLib} from "../type/String.sol";
 import {TimestampLib} from "../type/Timestamp.sol";
@@ -40,6 +42,126 @@ library AccessAdminLib { // ACCESS_ADMIN_LIB
     uint64 public constant CUSTOM_ROLE_MIN      = 1000000;
 
 
+    function ADMIN_ROLE_NAME() public pure returns (string memory) { 
+        return "AdminRole"; 
+    }
+
+
+    function isAdminRoleName(string memory name) public pure returns (bool) { 
+        return StrLib.eq(name, ADMIN_ROLE_NAME()); 
+    }
+
+
+    function PUBLIC_ROLE_NAME() public pure returns (string memory) { 
+        return "PublicRole"; 
+    }
+
+
+    function getAdminRole() public pure returns (RoleId adminRoleId) { 
+        // see oz AccessManagerUpgradeable
+        return RoleId.wrap(type(uint64).min); 
+    }
+
+
+    function getPublicRole() public pure returns (RoleId publicRoleId) { 
+        // see oz AccessManagerUpgradeable
+        return RoleId.wrap(type(uint64).max); 
+    }
+
+
+    function isAdminOrPublicRole(string memory name) 
+        public
+        view
+        returns (bool)
+    {
+        return StrLib.eq(name, ADMIN_ROLE_NAME())
+            || StrLib.eq(name, PUBLIC_ROLE_NAME()); 
+    }
+
+
+    function isDynamicRoleId(RoleId roleId) 
+        public 
+        pure 
+        returns (bool)
+    {
+        return roleId.toInt() >= COMPONENT_ROLE_MIN;
+    }
+
+
+    function adminRoleInfo()
+        public 
+        view 
+        returns (IAccess.RoleInfo memory)
+    {
+        return roleInfo(
+            getAdminRole(), 
+            IAccess.TargetType.Core, 
+            1, 
+            ADMIN_ROLE_NAME());
+    }
+
+
+    function publicRoleInfo()
+        public 
+        view 
+        returns (IAccess.RoleInfo memory)
+    {
+        return roleInfo(
+            getAdminRole(), 
+            IAccess.TargetType.Custom, 
+            type(uint32).max, 
+            PUBLIC_ROLE_NAME());
+    }
+
+
+    function coreRoleInfo(string memory name)
+        public 
+        view 
+        returns (IAccess.RoleInfo memory)
+    {
+        return roleInfo(
+            getAdminRole(), 
+            IAccess.TargetType.Core, 
+            1, 
+            name);
+    }
+
+
+    function serviceRoleInfo(string memory serviceName)
+        public 
+        view 
+        returns (IAccess.RoleInfo memory)
+    {
+        return roleInfo(
+            getAdminRole(), 
+            IAccess.TargetType.Service, 
+            1, 
+            serviceName);
+    }
+
+
+    /// @dev Creates a role info object from the provided parameters
+    function roleInfo(
+        RoleId adminRoleId, 
+        IAccess.TargetType targetType, 
+        uint32 maxMemberCount, 
+        string memory roleName
+    )
+        public 
+        view 
+        returns (IAccess.RoleInfo memory info)
+    {
+        return IAccess.RoleInfo({
+            name: StrLib.toStr(roleName),
+            adminRoleId: adminRoleId,
+            targetType: targetType,
+            maxMemberCount: maxMemberCount,
+            createdAt: TimestampLib.current(),
+            pausedAt: TimestampLib.max(),
+            lastUpdateIn: BlocknumberLib.current()});
+    }
+
+
     function getSelectors(
         IAccess.FunctionInfo[] memory functions
     )
@@ -57,16 +179,42 @@ library AccessAdminLib { // ACCESS_ADMIN_LIB
     }
 
 
+    function checkInitParameters(
+        address authority, 
+        string memory adminName 
+    )
+        public
+        view
+    {
+        // only contract check (authority might not yet be initialized at this time)
+        if (!ContractLib.isContract(authority)) {
+            revert IAccessAdmin.ErrorAccessAdminAuthorityNotContract(authority);
+        }
+
+        // check name not empty
+        if (bytes(adminName).length == 0) {
+            revert IAccessAdmin.ErrorAccessAdminAccessManagerEmptyName();
+        }
+    }
+
+
     function checkRoleCreation(
         IAccessAdmin accessAdmin,
         RoleId roleId, 
-        IAccess.RoleInfo memory info
+        IAccess.RoleInfo memory info,
+        bool revertOnExistingRole
     )
         public 
         view
+        returns (bool isAdminOrPublicRole)
     {
-        // check role does not yet exist    // ACCESS_ADMIN_LIB role creation checks
-        if(accessAdmin.roleExists(roleId)) {
+        // check 
+        if (roleId == ADMIN_ROLE() || roleId == PUBLIC_ROLE()) {
+            return true;
+        }
+
+        // check role does not yet exist 
+        if(revertOnExistingRole && accessAdmin.roleExists(roleId)) {
             revert IAccessAdmin.ErrorAccessAdminRoleAlreadyCreated(
                 roleId, 
                 accessAdmin.getRoleInfo(roleId).name.toString());
@@ -83,16 +231,54 @@ library AccessAdminLib { // ACCESS_ADMIN_LIB
         }
 
         // check role name is not used for another role
-        RoleId roleIdForName = accessAdmin.getRoleForName(StrLib.toString(info.name));
-        if(roleIdForName.gtz()) {
+        (RoleId roleIdForName, bool exists) = accessAdmin.getRoleForName(StrLib.toString(info.name));
+        if(revertOnExistingRole && exists) {
             revert IAccessAdmin.ErrorAccessAdminRoleNameAlreadyExists(
                 roleId, 
                 info.name.toString(),
                 roleIdForName);
         }
+
+        return false;
     }
 
 
+    function checkRoleExists(
+        IAccessAdmin accessAdmin,
+        RoleId roleId, 
+        bool onlyActiveRole,
+        bool allowAdminAndPublicRoles
+    )
+        internal
+        view
+    {
+        // check role exists
+        if (!accessAdmin.roleExists(roleId)) {
+            revert IAccessAdmin.ErrorAccessAdminRoleUnknown(roleId);
+        }
+
+        // if onlyActiveRoles: check if role is disabled
+        if (onlyActiveRole && accessAdmin.getRoleInfo(roleId).pausedAt <= TimestampLib.current()) {
+            revert IAccessAdmin.ErrorAccessAdminRoleIsPaused(roleId);
+        }
+
+        // if not allowAdminAndPublicRoles, check if role is admin or public role
+        if (!allowAdminAndPublicRoles) {
+            checkNotAdminOrPublicRole(roleId);
+        }
+    }
+
+
+    function checkNotAdminOrPublicRole(RoleId roleId) public pure {
+        if (roleId == ADMIN_ROLE()) {
+            revert IAccessAdmin.ErrorAccessAdminInvalidUseOfAdminRole();
+        }
+
+        if (roleId == PUBLIC_ROLE()) {
+            revert IAccessAdmin.ErrorAccessAdminInvalidUseOfPublicRole();
+        }
+    }
+
     function checkTargetCreation(
         IAccessAdmin accessAdmin,
         address target, 
@@ -139,6 +325,73 @@ library AccessAdminLib { // ACCESS_ADMIN_LIB
     }
 
 
+    function checkComponentInitialization(
+        IAccessAdmin accessAdmin,
+        IAuthorization instanceAuthorization,
+        address componentAddress,
+        ObjectType expectedType
+    )
+        public
+        view
+        returns (IAuthorization componentAuthorization)
+    {
+        checkIsRegistered(address(accessAdmin.getRegistry()), componentAddress, expectedType);
+
+        VersionPart expecteRelease = accessAdmin.getRelease();
+        IInstanceLinkedComponent component = IInstanceLinkedComponent(componentAddress);
+        componentAuthorization = component.getAuthorization();
+
+        checkAuthorization(
+            address(instanceAuthorization), 
+            address(componentAuthorization), 
+            expectedType, 
+            expecteRelease,
+            false, // expectServiceAuthorization,
+            false); // checkAlreadyInitialized
+    }
+
+
+    function checkTargetAndRoleForFunctions(
+        IAccessAdmin accessAdmin,
+        address target,
+        RoleId roleId,
+        bool onlyComponentOrContractTargets
+    ) 
+        public
+        view
+    {
+        // check target exists
+        IAccess.TargetType targetType = accessAdmin.getTargetInfo(target).targetType;
+        if (targetType == IAccess.TargetType.Undefined) {
+            revert IAccessAdmin.ErrorAccessAdminTargetNotCreated(target);
+        }
+
+        // check target type
+        if (onlyComponentOrContractTargets) {
+            if (targetType != IAccess.TargetType.Component && targetType != IAccess.TargetType.Contract) {
+                revert IAccessAdmin.ErrorAccessAdminNotComponentOrCustomTarget(target);
+            }
+        }
+
+        // check role exist
+        checkRoleExists(accessAdmin, roleId, true, true);
+    } 
+
+
+    function checkTargetExists(
+        IAccessAdmin accessAdmin,
+        address target
+    )
+        public
+        view
+    {
+        // check not yet created
+        if (!accessAdmin.targetExists(target)) {
+            revert IAccessAdmin.ErrorAccessAdminTargetNotCreated(target);
+        }
+    }
+
+
     function checkAuthorization( 
         address authorizationOld,
         address authorization,
@@ -214,6 +467,20 @@ library AccessAdminLib { // ACCESS_ADMIN_LIB
     }
 
 
+    function getAuthorizedRole(
+        IAccessAdmin accessAdmin,
+        IAuthorization authorization, 
+        RoleId roleId
+    )
+        public
+        view 
+        returns (RoleId authorizedRoleId)
+    {
+        string memory roleName = authorization.getRoleInfo(roleId).name.toString();
+        (authorizedRoleId, ) = accessAdmin.getRoleForName(roleName);
+    }
+
+
     function getServiceRoleId(
         address serviceAddress,
         IAccess.TargetType serviceTargetType
@@ -302,7 +569,9 @@ library AccessAdminLib { // ACCESS_ADMIN_LIB
             return RoleIdLib.toRoleId(COMPONENT_ROLE_MIN + index);
         }
 
-        if (targetType == IAccess.TargetType.Custom) { 
+        if (targetType == IAccess.TargetType.Custom
+            || targetType == IAccess.TargetType.Contract) 
+        { 
             return RoleIdLib.toRoleId(CUSTOM_ROLE_MIN + index);
         }
 
@@ -342,32 +611,44 @@ library AccessAdminLib { // ACCESS_ADMIN_LIB
     }
 
 
-    function toRoleName(string memory name) public pure returns (string memory) {
+    function toFunctionGrantingString(
+        IAccessAdmin accessAdmin,
+        Str functionName,
+        RoleId roleId
+    )
+        public
+        view
+        returns (string memory)
+    {
         return string(
             abi.encodePacked(
-                name,
-                ROLE_SUFFIX));
+                functionName.toString(),
+                "(): ",
+                getRoleName(accessAdmin, roleId)));
     }
 
 
-    function toRole(
-        RoleId adminRoleId, 
-        IAccessAdmin.RoleType roleType, 
-        uint32 maxMemberCount, 
-        string memory name
+    function getRoleName(
+        IAccessAdmin accessAdmin,
+        RoleId roleId
     )
-        public 
+        public
         view 
-        returns (IAccess.RoleInfo memory)
-    { 
-        return IAccess.RoleInfo({
-            name: StrLib.toStr(name),
-            adminRoleId: adminRoleId,
-            roleType: roleType,
-            maxMemberCount: maxMemberCount,
-            createdAt: TimestampLib.current(),
-            pausedAt: TimestampLib.max()
-        });
+        returns (string memory)
+    {
+        if (accessAdmin.roleExists(roleId)) {
+            return accessAdmin.getRoleInfo(roleId).name.toString();
+        }
+
+        return "<unknown-role>";
+    }
+
+
+    function toRoleName(string memory name) public pure returns (string memory) {
+        return string(
+            abi.encodePacked(
+                name,
+                ROLE_SUFFIX));
     }
 
 
@@ -390,7 +671,8 @@ library AccessAdminLib { // ACCESS_ADMIN_LIB
         return IAccess.FunctionInfo({
             name: StrLib.toStr(name),
             selector: SelectorLib.toSelector(selector),
-            createdAt: TimestampLib.current()});
+            createdAt: TimestampLib.current(),
+            lastUpdateIn: BlocknumberLib.current()});
     }
 
 }

package/contracts/authorization/AccessManagerCloneable.sol

@@ -62,24 +62,6 @@ contract AccessManagerCloneable is
         _checkAndSetRelease(release);
     }
 
-    // /// @dev Completes the setup of the access manager.
-    // /// Links the access manager to the registry and sets the release version.
-    // function completeSetup(
-    //     address registry, 
-    //     VersionPart release,
-    //     bool verifyRelease
-    // )
-    //     public
-    //     onlyAdminRole
-    //     reinitializer(uint64(release.toInt()))
-    // {
-    //     _checkAndSetRegistry(registry);
-
-    //     if (verifyRelease) {
-    //         _checkAndSetRelease(release);
-    //     }
-    // }
-
     /// @dev Returns true if the caller is authorized to call the target with the given selector and the manager lock is not set to locked.
     /// Feturn values as in OpenZeppelin AccessManager.
     /// For a locked manager the function reverts with ErrorAccessManagerTargetAdminLocked.

package/contracts/authorization/Authorization.sol

@@ -1,8 +1,10 @@
 // SPDX-License-Identifier: Apache-2.0
 pragma solidity ^0.8.20;
 
+import {IAccess} from "./IAccess.sol";
 import {IAuthorization} from "./IAuthorization.sol";
 
+import {AccessAdminLib} from "./AccessAdminLib.sol";
 import {ObjectType} from "../type/ObjectType.sol";
 import {RoleId, RoleIdLib} from "../type/RoleId.sol";
 import {ServiceAuthorization} from "../authorization/ServiceAuthorization.sol";
@@ -16,8 +18,10 @@ contract Authorization is
 
     // MUST match with AccessAdminLib.COMPONENT_ROLE_MIN
     uint64 public constant COMPONENT_ROLE_MIN = 110000;
+    uint64 public constant INSTANCE_ROLE_MIN = 100000;
 
     uint64 internal _nextGifContractRoleId;
+    uint64 internal _nextInstanceContractRoleId;
 
     string internal _tokenHandlerName = "ComponentTh";
     Str internal _tokenHandlerTarget;
@@ -28,28 +32,35 @@ contract Authorization is
         ObjectType domain,
         uint8 release,
         string memory commitHash,
-        bool isComponent,
+        IAccess.TargetType targetType,
         bool includeTokenHandler
     )
         ServiceAuthorization(mainTargetName, domain, release, commitHash)
     {
-        _nextGifContractRoleId = 10;
+        // IMPORTANT must match with AccessAdminLib.CORE_ROLE_MIN
+        _nextGifContractRoleId = 100;
+        _nextInstanceContractRoleId = INSTANCE_ROLE_MIN;
 
         // setup main target
-        if (isComponent) {
+        // special case: core targets
+        if (targetType == IAccess.TargetType.Core) {
+            _addGifTarget(_mainTargetName);
+        // special case instances
+        } else if (targetType == IAccess.TargetType.Instance) {
+            _addInstanceTarget(_mainTargetName);
+        // all other target types
+        } else {
             if (domain.eqz()) {
                 revert ErrorAuthorizationTargetDomainZero();
             }
 
             RoleId mainRoleId = RoleIdLib.toRoleId(COMPONENT_ROLE_MIN);
-            string memory mainRolName = _toTargetRoleName(_mainTargetName);
+            string memory mainRoleName = _toTargetRoleName(_mainTargetName);
 
             _addTargetWithRole(
                 _mainTargetName, 
                 mainRoleId,
-                mainRolName);
-        } else {
-            _addGifTarget(_mainTargetName);
+                mainRoleName);
         }
 
         // setup use case specific parts
@@ -120,9 +131,9 @@ contract Authorization is
     function _addCustomRole(RoleId roleId, RoleId adminRoleId, uint32 maxMemberCount, string memory name) internal {
         _addRole(
             roleId,
-            _toRoleInfo(
+            AccessAdminLib.roleInfo(
                 adminRoleId,
-                RoleType.Custom,
+                TargetType.Custom,
                 maxMemberCount,
                 name));
     }
@@ -141,6 +152,16 @@ contract Authorization is
             contractRoleName);
     }
 
+    /// @dev Add an instance target with its corresponding contract role
+    function _addInstanceTarget(string memory contractName) internal {
+        RoleId contractRoleId = RoleIdLib.toRoleId(_nextInstanceContractRoleId++);
+        string memory contractRoleName = _toTargetRoleName(contractName);
+
+        _addTargetWithRole(
+            contractName, 
+            contractRoleId,
+            contractRoleName);
+    }
 
     /// @dev Use this method to to add an authorized target.
     function _addTarget(string memory name) internal {

package/contracts/authorization/IAccess.sol

@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: UNLICENSED
 pragma solidity ^0.8.20;
 
+import {Blocknumber} from "../type/Blocknumber.sol";
 import {RoleId} from "../type/RoleId.sol";
 import {Selector} from "../type/Selector.sol";
 import {Str} from "../type/String.sol";
@@ -8,13 +9,6 @@ import {Timestamp} from "../type/Timestamp.sol";
 
 interface IAccess {
 
-    enum RoleType {
-        Undefined, // no role must have this type
-        Core, // GIF core roles
-        Contract, // roles assigned to contracts, cannot be revoked
-        Custom // use case specific rules for components
-    }
-
     enum TargetType {
         Undefined, // no target must have this type
         Core, // GIF core contracts
@@ -22,26 +16,30 @@ interface IAccess {
         Service, // service contracts
         Instance, // instance contracts
         Component, // instance contracts
-        Custom // use case specific rules for components
+        Contract, // normal contracts
+        Custom // use case specific rules for contracts or normal accounts
     }
 
     struct RoleInfo {
         // slot 0
-        RoleId adminRoleId; 
-        RoleType roleType; 
-        uint32 maxMemberCount; 
-        Timestamp createdAt; 
-        Timestamp pausedAt; 
+        RoleId adminRoleId;  // 64
+        TargetType targetType; // ?
+        uint32 maxMemberCount; // 32
+        Timestamp createdAt; // 40
+        Timestamp pausedAt; // 40
+        Blocknumber lastUpdateIn; // 40
         // slot 1
-        Str name;
+        Str name; // 256
     }
 
+
     // TODO recalc slot allocation
     struct TargetInfo {
         Str name;
         TargetType targetType;
         RoleId roleId;
         Timestamp createdAt;
+        Blocknumber lastUpdateIn;
     }
 
     struct FunctionInfo {
@@ -50,6 +48,7 @@ interface IAccess {
         // slot 1
         Selector selector; // function selector
         Timestamp createdAt;
+        Blocknumber lastUpdateIn;
     }
 
     struct RoleNameInfo {

package/contracts/authorization/IAccessAdmin.sol

@@ -8,6 +8,7 @@ import {IAuthorization} from "./IAuthorization.sol";
 import {IRegistryLinked} from "../shared/IRegistryLinked.sol";
 import {IRelease} from "../registry/IRelease.sol";
 
+import {Blocknumber} from "../type/Blocknumber.sol";
 import {NftId} from "../type/NftId.sol";
 import {ObjectType} from "../type/ObjectType.sol";
 import {RoleId} from "../type/RoleId.sol";
@@ -23,12 +24,14 @@ interface IAccessAdmin is
 {
 
     // roles, targets and functions
-    event LogAccessAdminRoleCreated(string admin, RoleId roleId, RoleType roleType, RoleId roleAdminId, string name);
+    event LogAccessAdminRoleCreated(string admin, RoleId roleId, TargetType targetType, RoleId roleAdminId, string name);
     event LogAccessAdminTargetCreated(string admin, string name, bool managed, address target, RoleId roleId);
 
+    event LogAccessAdminRoleActivatedSet(string admin, RoleId roleId, bool active, Blocknumber lastUpdateIn);
     event LogAccessAdminRoleGranted(string admin, address account, string roleName);
     event LogAccessAdminRoleRevoked(string admin, address account, string roleName);
-    event LogAccessAdminFunctionGranted(string admin, address target, string func);
+    event LogAccessAdminTargetLockedSet(string admin, address target, bool locked, Blocknumber lastUpdateIn);
+    event LogAccessAdminFunctionGranted(string admin, address target, string func, Blocknumber lastUpdateIn);
 
     // only deployer modifier
     error ErrorAccessAdminNotDeployer();
@@ -40,8 +43,8 @@ interface IAccessAdmin is
     error ErrorAccessAdminNotRoleOwner(RoleId roleId, address account);
 
     // role management
-    error ErrorAccessAdminInvalidUserOfAdminRole();
-    error ErrorAccessAdminInvalidUserOfPublicRole();
+    error ErrorAccessAdminInvalidUseOfAdminRole();
+    error ErrorAccessAdminInvalidUseOfPublicRole();
     error ErrorAccessAdminRoleNotCustom(RoleId roleId);
 
     // initialization
@@ -96,6 +99,7 @@ interface IAccessAdmin is
     error ErrorAccessAdminTargetAlreadyLocked(address target, bool isLocked);
 
     // authorize target functions
+    error ErrorAccessAdminNotComponentOrCustomTarget(address target);
     error ErrorAccessAdminAuthorizeForAdminRoleInvalid(address target);
 
     // toFunction
@@ -109,18 +113,14 @@ interface IAccessAdmin is
 
     function getAuthorization() external view returns (IAuthorization authorization);
     function getLinkedNftId() external view returns (NftId linkedNftId);
-    function getLinkedOwner() external view returns (address linkedOwner);
 
     function isLocked() external view returns (bool locked);
 
     function roles() external view returns (uint256 numberOfRoles);
     function getRoleId(uint256 idx) external view returns (RoleId roleId);
-    function getAdminRole() external view returns (RoleId roleId);
-    function getPublicRole() external view returns (RoleId roleId);
 
     function roleExists(RoleId roleId) external view returns (bool exists); 
-    function roleExists(string memory roleName) external view returns (bool exists); 
-    function getRoleForName(string memory name) external view returns (RoleId roleId);
+    function getRoleForName(string memory name) external view returns (RoleId roleId, bool exists);
     function getRoleInfo(RoleId roleId) external view returns (RoleInfo memory roleInfo);
     function isRoleActive(RoleId roleId) external view returns (bool isActive);
     function isRoleCustom(RoleId roleId) external view returns (bool isCustom);
@@ -139,6 +139,4 @@ interface IAccessAdmin is
 
     function authorizedFunctions(address target) external view returns (uint256 numberOfFunctions);
     function getAuthorizedFunction(address target, uint256 idx) external view returns (FunctionInfo memory func, RoleId roleId);
-
-    function deployer() external view returns (address);
 }