npm - @etherisc/gif-next - Versions diffs - 0.0.2-d13bb9e-069 → 0.0.2-d18e1c5-511 - Mend

@etherisc/gif-next 0.0.2-d13bb9e-069 → 0.0.2-d18e1c5-511

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (571) hide show

package/contracts/authorization/AccessAdmin.sol CHANGED Viewed

@@ -5,13 +5,25 @@ import {AccessManagedUpgradeable} from "@openzeppelin/contracts-upgradeable/acce
 import {EnumerableSet} from "@openzeppelin/contracts/utils/structs/EnumerableSet.sol";
 import {ReentrancyGuardUpgradeable} from "@openzeppelin/contracts-upgradeable/utils/ReentrancyGuardUpgradeable.sol";
+import {IAccess} from "./IAccess.sol";
+import {IAccessAdmin} from "./IAccessAdmin.sol";
+import {IAuthorization} from "./IAuthorization.sol";
+import {IRegistry} from "../registry/IRegistry.sol";
+import {ADMIN_ROLE_NAME, PUBLIC_ROLE_NAME} from "./AccessAdmin.sol";
+import {AccessAdminLib} from "./AccessAdminLib.sol";
 import {AccessManagerCloneable} from "./AccessManagerCloneable.sol";
 import {ContractLib} from "../shared/ContractLib.sol";
-import {IAccessAdmin} from "./IAccessAdmin.sol";
+import {NftId, NftIdLib} from "../type/NftId.sol";
+import {ObjectType} from "../type/ObjectType.sol";
 import {RoleId, RoleIdLib, ADMIN_ROLE, PUBLIC_ROLE} from "../type/RoleId.sol";
-import {Selector, SelectorLib, SelectorSetLib} from "../type/Selector.sol";
+import {Selector, SelectorSetLib} from "../type/Selector.sol";
 import {Str, StrLib} from "../type/String.sol";
 import {TimestampLib} from "../type/Timestamp.sol";
+import {VersionPart} from "../type/Version.sol";
+function ADMIN_ROLE_NAME() pure returns (string memory) { return "AdminRole"; }
+function PUBLIC_ROLE_NAME() pure returns (string memory) { return "PublicRole"; }
 /**
@@ -26,16 +38,23 @@ contract AccessAdmin is
 {
     using EnumerableSet for EnumerableSet.AddressSet;
-    string public constant ADMIN_ROLE_NAME = "AdminRole";
-    string public constant PUBLIC_ROLE_NAME = "PublicRole";
+    /// @dev admin name used for logging only
+    string internal _adminName;
-    /// @dev the OpenZeppelin access manager driving the access admin contract
+    /// @dev the access manager driving the access admin contract
+    /// hold link to registry and release version
     AccessManagerCloneable internal _authority;
+    /// @dev the authorization contract used for initial access control
+    IAuthorization internal _authorization;
     /// @dev stores the deployer address and allows to create initializers
     /// that are restricted to the deployer address.
     address internal _deployer;
+    /// @dev the linked NFT ID
+    NftId internal _linkedNftId;
     /// @dev store role info per role id
     mapping(RoleId roleId => RoleInfo info) internal _roleInfo;
@@ -66,54 +85,109 @@ contract AccessAdmin is
     /// @dev temporary dynamic functions array
     bytes4[] private _functions;
+    // @dev target type specific role id counters
+    mapping(TargetType => uint64) internal _nextRoleId;
     modifier onlyDeployer() {
         // special case for cloned AccessAdmin contracts
-        // IMPORTANT cloning and _initializeAuthority needs to be done in a single transaction
+        // IMPORTANT cloning and initialize authority needs to be done in a single transaction
         if (_deployer == address(0)) {
             _deployer = msg.sender;
         }
         if (msg.sender != _deployer) {
-            revert ErrorNotDeployer();
+            revert ErrorAccessAdminNotDeployer();
         }
         _;
     }
-    modifier onlyRoleAdmin(RoleId roleId) {
-        if (!roleExists(roleId)) {
-            revert ErrorRoleUnknown(roleId);
+    //-------------- initialization functions ------------------------------//
+    /// @dev Initializes this admin with the provided accessManager (and authorization specification).
+    /// Internally initializes access manager with this admin and creates basic role setup.
+    function initialize(
+        address authority,
+        string memory adminName
+    )
+        public
+        initializer()
+    {
+        __AccessAdmin_init(authority, adminName);
+    }
+    function __AccessAdmin_init(
+        address authority,
+        string memory adminName
+    )
+        internal
+        onlyInitializing()
+        onlyDeployer()
+    {
+        // checks
+        // only contract check (authority might not yet be initialized at this time)
+        if (!ContractLib.isContract(authority)) {
+            revert ErrorAccessAdminAuthorityNotContract(authority);
         }
-        if (!hasAdminRole(msg.sender, roleId)) {
-            revert ErrorNotAdminOfRole(_roleInfo[roleId].adminRoleId);
+        // check name not empty
+        if (bytes(adminName).length == 0) {
+            revert ErrorAccessAdminAccessManagerEmptyName();
         }
-        _;
-    }
-    modifier onlyRoleMember(RoleId roleId) {
-        if (!hasRole(msg.sender, roleId)) {
-            revert ErrorNotRoleOwner(roleId);
+        _authority = AccessManagerCloneable(authority);
+        _authority.initialize(address(this));
+        // delayed additional check for authority after its initialization
+        if (!ContractLib.isAuthority(authority)) {
+            revert ErrorAccessAdminAccessManagerNotAccessManager(authority);
         }
-        _;
+        // effects
+        // set and initialize this access manager contract as
+        // the admin (ADMIN_ROLE) of the provided authority
+        __AccessManaged_init(authority);
+        // set name for logging
+        _adminName = adminName;
+        // set initial linked NFT ID to zero
+        _linkedNftId = NftIdLib.zero();
+        // create admin and public roles
+        _initializeAdminAndPublicRoles();
     }
-    modifier onlyExistingRole(RoleId roleId) {
-        _checkRoleId(roleId);
-        _;
+    //--- view functions for access amdin ---------------------------------------//
+    function getRelease() public view virtual returns (VersionPart release) {
+        return _authority.getRelease();
     }
-    modifier onlyExistingTarget(address target) {
-        _checkTarget(target);
-        _;
+    function getRegistry() public view returns (IRegistry registry) {
+        return _authority.getRegistry();
+    }
+    function getLinkedNftId() external view returns (NftId linkedNftId) {
+        return _linkedNftId;
+    }
+    function getLinkedOwner() external view returns (address linkedOwner) {
+        return getRegistry().ownerOf(_linkedNftId);
     }
-    constructor() {
-        _deployer = msg.sender;
-        _authority = new AccessManagerCloneable();
-        _authority.initialize(address(this));
-        _setAuthority(address(_authority)); // set authority for oz access managed
-        _createAdminAndPublicRoles();
+    function getAuthorization() public view returns (IAuthorization authorization) {
+        return _authorization;
+    }
+    function isLocked() public view returns (bool locked) {
+        return _authority.isLocked();
     }
     //--- view functions for roles ------------------------------------------//
@@ -134,16 +208,33 @@ contract AccessAdmin is
         return RoleId.wrap(_authority.PUBLIC_ROLE());
     }
+    function roleExists(string memory name) public view returns (bool exists) {
+        // special case for admin and public roles
+        if (StrLib.eq(name, ADMIN_ROLE_NAME()) || StrLib.eq(name, PUBLIC_ROLE_NAME())) {
+            return true;
+        }
+        return _roleForName[StrLib.toStr(name)].roleId.gtz();
+    }
     function roleExists(RoleId roleId) public view returns (bool exists) {
         return _roleInfo[roleId].createdAt.gtz();
     }
-    function getRoleInfo(RoleId roleId) external view returns (RoleInfo memory) {
+    function getRoleForName(string memory name) public view returns (RoleId roleId) {
+        return _roleForName[StrLib.toStr(name)].roleId;
+    }
+    function getRoleInfo(RoleId roleId) public view returns (RoleInfo memory) {
         return _roleInfo[roleId];
     }
-    function getRoleForName(Str name) external view returns (RoleNameInfo memory) {
-        return _roleForName[name];
+    function isRoleActive(RoleId roleId) external view returns (bool isActive) {
+        return _roleInfo[roleId].pausedAt > TimestampLib.current();
+    }
+    function isRoleCustom(RoleId roleId) external view returns (bool isActive) {
+        return _roleInfo[roleId].roleType == RoleType.Custom;
     }
     function roleMembers(RoleId roleId) external view returns (uint256 numberOfMembers) {
@@ -154,20 +245,15 @@ contract AccessAdmin is
         return _roleMembers[roleId].at(idx);
     }
-    function hasRole(address account, RoleId roleId) public view returns (bool) {
+    function isRoleMember(RoleId roleId, address account) public view returns (bool) {
         (bool isMember, ) = _authority.hasRole(
             RoleId.unwrap(roleId),
             account);
         return isMember;
     }
-    function hasAdminRole(address account, RoleId roleId)
-        public
-        virtual
-        view
-        returns (bool)
-    {
-        return hasRole(account, _roleInfo[roleId].adminRoleId);
+    function isRoleAdmin(RoleId roleId, address account) public virtual view returns (bool) {
+        return isRoleMember(_roleInfo[roleId].adminRoleId, account);
     }
     //--- view functions for targets ----------------------------------------//
@@ -184,7 +270,7 @@ contract AccessAdmin is
         return _targets[idx];
     }
-    function getTargetInfo(address target) external view returns (TargetInfo memory targetInfo) {
+    function getTargetInfo(address target) public view returns (TargetInfo memory targetInfo) {
         return _targetInfo[target];
     }
@@ -193,7 +279,7 @@ contract AccessAdmin is
     }
     function isTargetLocked(address target) public view returns (bool locked) {
-        return _authority.isTargetClosed(target);
+        return _authority.isLocked() || _authority.isTargetClosed(target);
     }
     function authorizedFunctions(address target) external view returns (uint256 numberOfFunctions) {
@@ -219,120 +305,18 @@ contract AccessAdmin is
                 selector.toBytes4()));
     }
-    // TODO cleanup
-    // function isAccessManaged(address target) public view returns (bool) {
-    //     if (!_isContract(target)) {
-    //         return false;
-    //     }
-    //     (bool success, ) = target.staticcall(
-    //         abi.encodeWithSelector(
-    //             AccessManagedUpgradeable.authority.selector));
-    //     return success;
-    // }
-    function canCall(address caller, address target, Selector selector) external virtual view returns (bool can) {
-        (can, ) = _authority.canCall(caller, target, selector.toBytes4());
-    }
-    function toRole(RoleId adminRoleId, RoleType roleType, uint32 maxMemberCount, string memory name) public view returns (RoleInfo memory) {
-        return RoleInfo({
-            name: StrLib.toStr(name),
-            adminRoleId: adminRoleId,
-            roleType: roleType,
-            maxMemberCount: maxMemberCount,
-            createdAt: TimestampLib.blockTimestamp()
-        });
-    }
-    function toFunction(bytes4 selector, string memory name) public view returns (FunctionInfo memory) {
-        return FunctionInfo({
-            name: StrLib.toStr(name),
-            selector: SelectorLib.toSelector(selector),
-            createdAt: TimestampLib.blockTimestamp()});
-    }
     function deployer() public view returns (address) {
         return _deployer;
     }
     //--- internal/private functions -------------------------------------------------//
-    function _authorizeTargetFunctions(
-        address target,
-        RoleId roleId,
-        FunctionInfo[] memory functions
-    )
-        internal
-    {
-        if (roleId == getAdminRole()) {
-            revert ErrorAuthorizeForAdminRoleInvalid(target);
+    function _linkToNftOwnable(address registerable) internal {
+        if (!getRegistry().isRegistered(registerable)) {
+            revert ErrorAccessAdminNotRegistered(registerable);
         }
-        bool addFunctions = true;
-        bytes4[] memory functionSelectors = _processFunctionSelectors(target, functions, addFunctions);
-        // apply authz via access manager
-        _grantRoleAccessToFunctions(target, roleId, functionSelectors);
-    }
-    function _unauthorizeTargetFunctions(
-        address target,
-        FunctionInfo[] memory functions
-    )
-        internal
-    {
-        bool addFunctions = false;
-        bytes4[] memory functionSelectors = _processFunctionSelectors(target, functions, addFunctions);
-        _grantRoleAccessToFunctions(target, getAdminRole(), functionSelectors);
-    }
-    function _processFunctionSelectors(
-        address target,
-        FunctionInfo[] memory functions,
-        bool addFunctions
-    )
-        internal
-        returns (
-            bytes4[] memory functionSelectors
-        )
-    {
-        uint256 n = functions.length;
-        functionSelectors = new bytes4[](n);
-        FunctionInfo memory func;
-        Selector selector;
-        for (uint256 i = 0; i < n; i++) {
-            func = functions[i];
-            selector = func.selector;
-            // add function selector to target selector set if not in set
-            if (addFunctions) { SelectorSetLib.add(_targetFunctions[target], selector); }
-            else { SelectorSetLib.remove(_targetFunctions[target], selector); }
-            // set function name
-            _functionInfo[target][selector] = func;
-            // add bytes4 selector to function selector array
-            functionSelectors[i] = selector.toBytes4();
-        }
-    }
-    function _initializeAuthority(
-        address authorityAddress
-    )
-        internal
-        virtual
-        onlyInitializing()
-        onlyDeployer()
-    {
-        if (authority() != address(0)) {
-            revert ErrorAuthorityAlreadySet();
-        }
-        _authority = AccessManagerCloneable(authorityAddress);
-        __AccessManaged_init(address(_authority));
+        _linkedNftId = getRegistry().getNftIdForAddress(registerable);
     }
@@ -341,123 +325,199 @@ contract AccessAdmin is
         virtual
         onlyInitializing()
     {
-        _createAdminAndPublicRoles();
-    }
-    /// @dev internal setup function that can be used in both constructor and initializer.
-    function _createAdminAndPublicRoles()
-        internal
-    {
-        RoleId adminRoleId = RoleIdLib.toRoleId(_authority.ADMIN_ROLE());
         // setup admin role
         _createRoleUnchecked(
             ADMIN_ROLE(),
-            toRole({
+            AccessAdminLib.toRole({
                 adminRoleId: ADMIN_ROLE(),
                 roleType: RoleType.Contract,
                 maxMemberCount: 1,
-                name: ADMIN_ROLE_NAME}));
+                name: ADMIN_ROLE_NAME()}));
-        // add this contract as admin role member
-        _roleMembers[adminRoleId].add(address(this));
+        // add this contract as admin role member, as contract roles cannot be revoked
+        // and max member count is 1 for admin role this access admin contract will
+        // always be the only admin of the access manager.
+        _roleMembers[
+            RoleIdLib.toRoleId(_authority.ADMIN_ROLE())].add(address(this));
         // setup public role
         _createRoleUnchecked(
             PUBLIC_ROLE(),
-            toRole({
+            AccessAdminLib.toRole({
                 adminRoleId: ADMIN_ROLE(),
-                roleType: RoleType.Gif,
+                roleType: RoleType.Core,
                 maxMemberCount: type(uint32).max,
-                name: PUBLIC_ROLE_NAME}));
+                name: PUBLIC_ROLE_NAME()}));
     }
-    /// @dev check if target exists and reverts if it doesn't
-    function _checkTarget(address target)
+    /// @dev Authorize the functions of the target for the specified role.
+    function _authorizeFunctions(IAuthorization authorization, Str target, RoleId roleId)
+        internal
+    {
+        _authorizeTargetFunctions(
+            getTargetForName(target),
+            _toAuthorizedRoleId(authorization, roleId),
+            authorization.getAuthorizedFunctions(
+                target,
+                roleId),
+            true);
+    }
+    function _toAuthorizedRoleId(IAuthorization authorization, RoleId roleId)
+        internal
+        returns (RoleId authorizedRoleId)
+    {
+        // special case for service roles (service roles have predefined role ids)
+        if (roleId.isServiceRole()) {
+            // create service role if missing
+            if (!roleExists(roleId)) {
+                _createRole(
+                    roleId,
+                    AccessAdminLib.toRole(
+                        ADMIN_ROLE(),
+                        RoleType.Contract,
+                        1,
+                        authorization.getRoleName(roleId)));
+            }
+            return roleId;
+        }
+        string memory roleName = authorization.getRoleInfo(roleId).name.toString();
+        return authorizedRoleId = getRoleForName(roleName);
+    }
+    function _authorizeTargetFunctions(
+        address target,
+        RoleId roleId,
+        FunctionInfo[] memory functions,
+        bool addFunctions
+    )
         internal
     {
-        if (_targetInfo[target].createdAt.eqz()) {
-            revert ErrorTargetUnknown(target);
+        if (addFunctions && roleId == getAdminRole()) {
+            revert ErrorAccessAdminAuthorizeForAdminRoleInvalid(target);
         }
+        // apply authz via access manager
+        _grantRoleAccessToFunctions(
+            target,
+            roleId,
+            functions,
+            addFunctions); // add functions
     }
     /// @dev grant the specified role access to all functions in the provided selector list
     function _grantRoleAccessToFunctions(
         address target,
         RoleId roleId,
-        bytes4[] memory functionSelectors
+        FunctionInfo[] memory functions,
+        bool addFunctions
     )
         internal
     {
+        _checkTargetExists(target);
+        _checkRoleExists(roleId, true, true);
         _authority.setTargetFunctionRole(
             target,
-            functionSelectors,
+            AccessAdminLib.getSelectors(functions),
             RoleId.unwrap(roleId));
-        // implizit logging: rely on OpenZeppelin log TargetFunctionRoleUpdated
+        // update function set and log function grantings
+        for (uint256 i = 0; i < functions.length; i++) {
+            _updateFunctionAccess(
+                target,
+                roleId,
+                functions[i],
+                addFunctions);
+        }
+    }
+    function _updateFunctionAccess(
+        address target,
+        RoleId roleId,
+        FunctionInfo memory func,
+        bool addFunction
+    )
+        internal
+    {
+        // update functions info
+        Selector selector = func.selector;
+        _functionInfo[target][selector] = func;
+        // update function sets
+        if (addFunction) { SelectorSetLib.add(_targetFunctions[target], selector); }
+        else { SelectorSetLib.remove(_targetFunctions[target], selector); }
+        // logging
+        emit LogAccessAdminFunctionGranted(
+            _adminName,
+            target,
+            string(abi.encodePacked(
+                func.name.toString(),
+                "(): ",
+                _getRoleName(roleId))));
     }
     /// @dev grant the specified role to the provided account
     function _grantRoleToAccount(RoleId roleId, address account)
         internal
     {
-        _checkRoleId(roleId);
+        _checkRoleExists(roleId, true, false);
         // check max role members will not be exceeded
         if (_roleMembers[roleId].length() >= _roleInfo[roleId].maxMemberCount) {
-            revert ErrorRoleMembersLimitReached(roleId, _roleInfo[roleId].maxMemberCount);
+            revert ErrorAccessAdminRoleMembersLimitReached(roleId, _roleInfo[roleId].maxMemberCount);
         }
         // check account is contract for contract role
-        // TODO implement
-        if (_roleInfo[roleId].roleType == RoleType.Contract) {
+        if (
+            _roleInfo[roleId].roleType == RoleType.Contract &&
+            !ContractLib.isContract(account) // will fail in account's constructor
+        ) {
+            revert ErrorAccessAdminRoleMemberNotContract(roleId, account);
         }
+        // effects
         _roleMembers[roleId].add(account);
         _authority.grantRole(
             RoleId.unwrap(roleId),
             account,
             0);
-        // indirect logging: rely on OpenZeppelin log RoleGranted
+        emit LogAccessAdminRoleGranted(_adminName, account, _getRoleName(roleId));
     }
     /// @dev revoke the specified role from the provided account
     function _revokeRoleFromAccount(RoleId roleId, address account)
         internal
     {
-        _checkRoleId(roleId);
+        _checkRoleExists(roleId, false, false);
-        // check role removal is permitted
+        // check for attempt to revoke contract role
         if (_roleInfo[roleId].roleType == RoleType.Contract) {
-            revert ErrorRoleRemovalDisabled(roleId);
+            revert ErrorAccessAdminRoleMemberRemovalDisabled(roleId, account);
         }
+        // effects
         _roleMembers[roleId].remove(account);
         _authority.revokeRole(
             RoleId.unwrap(roleId),
             account);
-        // indirect logging: rely on OpenZeppelin log RoleGranted
+        emit LogAccessAdminRoleRevoked(_adminName, account, _roleInfo[roleId].name.toString());
     }
-    function _checkRoleId(RoleId roleId)
-        internal
-    {
-        if (_roleInfo[roleId].createdAt.eqz()) {
-            revert ErrorRoleUnknown(roleId);
-        }
-        uint64 roleIdInt = RoleId.unwrap(roleId);
-        if (roleIdInt == _authority.ADMIN_ROLE()
-            || roleIdInt == _authority.PUBLIC_ROLE())
-        {
-            revert ErrorRoleIsLocked(roleId);
-        }
-    }
     /// @dev Creates a role based on the provided parameters.
     /// Checks that the provided role and role id and role name not already used.
     function _createRole(
@@ -466,32 +526,84 @@ contract AccessAdmin is
     )
         internal
     {
-        // check role does not yet exist
-        if(roleExists(roleId)) {
-            revert ErrorRoleAlreadyCreated(
-                roleId,
-                _roleInfo[roleId].name.toString());
+        // skip admin and public roles (they are created during initialization)
+        if (roleId == ADMIN_ROLE() || roleId == PUBLIC_ROLE()) {
+            return;
         }
+        AccessAdminLib.checkRoleCreation(this, roleId, info);
+        _createRoleUnchecked(roleId, info);
+    }
-        // check admin role exists
-        if(!roleExists(info.adminRoleId)) {
-            revert ErrorRoleAdminNotExisting(info.adminRoleId);
-        }
-        // check role name is not empty
-        if(info.name.length() == 0) {
-            revert ErrorRoleNameEmpty(roleId);
+    /// @dev Activates or deactivates role.
+    /// The role activ property is indirectly controlled over the pausedAt timestamp.
+    function _setRoleActive(RoleId roleId, bool active)
+        internal
+    {
+        if (active) {
+            _roleInfo[roleId].pausedAt = TimestampLib.max();
+        } else {
+            _roleInfo[roleId].pausedAt = TimestampLib.current();
         }
+    }
-        // check role name is not used for another role
-        if(_roleForName[info.name].exists) {
-            revert ErrorRoleNameAlreadyExists(
-                roleId,
-                info.name.toString(),
-                _roleForName[info.name].roleId);
-        }
-        _createRoleUnchecked(roleId, info);
+    function _createManagedTarget(
+        address target,
+        string memory targetName,
+        TargetType targetType
+    )
+        internal
+        returns (RoleId contractRoleId)
+    {
+        return _createTarget(target, targetName, targetType, true);
+    }
+    function _createUncheckedTarget(
+        address target,
+        string memory targetName,
+        TargetType targetType
+    )
+        internal
+    {
+        _createTarget(target, targetName, targetType, false);
+    }
+    function _createTarget(
+        address target,
+        string memory targetName,
+        TargetType targetType,
+        bool checkAuthority
+    )
+        private
+        returns (RoleId contractRoleId)
+    {
+        // checks
+        AccessAdminLib.checkTargetCreation(this, target, targetName, checkAuthority);
+        // effects
+        contractRoleId = _createTargetUnchecked(
+            target,
+            targetName,
+            targetType,
+            checkAuthority);
+        // deal with token handler, if applicable
+        (
+            address tokenHandler,
+            string memory tokenHandlerName
+        ) = AccessAdminLib.getTokenHandler(target, targetName, targetType);
+        if (tokenHandler != address(0)) {
+            _createTargetUnchecked(
+                tokenHandler,
+                tokenHandlerName,
+                targetType,
+                checkAuthority);
+        }
     }
@@ -502,7 +614,8 @@ contract AccessAdmin is
         private
     {
         // create role info
-        info.createdAt = TimestampLib.blockTimestamp();
+        info.createdAt = TimestampLib.current();
+        info.pausedAt = TimestampLib.max();
         _roleInfo[roleId] = info;
         // create role name info
@@ -513,80 +626,155 @@ contract AccessAdmin is
         // add role to list of roles
         _roleIds.push(roleId);
-        emit LogRoleCreated(roleId, info.roleType, info.adminRoleId, info.name.toString());
+        emit LogAccessAdminRoleCreated(_adminName, roleId, info.roleType, info.adminRoleId, info.name.toString());
     }
-    function _createTarget(
+    /// @dev Creates a new target and a corresponding contract role.
+    /// The function assigns the role to the target and logs the creation.
+    function _createTargetUnchecked(
         address target,
         string memory targetName,
-        bool checkAuthority,
-        bool custom
+        TargetType targetType,
+        bool managed
     )
         internal
-        nonReentrant()
+        returns (RoleId targetRoleId)
     {
-        // check target does not yet exist
-        if(targetExists(target)) {
-            revert ErrorTargetAlreadyCreated(
-                target,
-                _targetInfo[target].name.toString());
+        // create target role (if not existing)
+        string memory roleName;
+        (targetRoleId, roleName) = _getOrCreateTargetRoleIdAndName(target, targetName, targetType);
+        if (!roleExists(targetRoleId)) {
+            _createRole(
+                targetRoleId,
+                AccessAdminLib.toRole(ADMIN_ROLE(), IAccess.RoleType.Contract, 1, roleName));
         }
-        // check target name is not empty
+        // create target info
         Str name = StrLib.toStr(targetName);
-        if(name.length() == 0) {
-            revert ErrorTargetNameEmpty(target);
+        _targetInfo[target] = TargetInfo({
+            name: name,
+            targetType: targetType,
+            roleId: targetRoleId,
+            createdAt: TimestampLib.current()
+        });
+        // create name to target mapping
+        _targetForName[name] = target;
+        // add target to list of targets
+        _targets.push(target);
+        // grant contract role to target
+        _grantRoleToAccount(targetRoleId, target);
+        emit LogAccessAdminTargetCreated(_adminName, targetName, managed, target, targetRoleId);
+    }
+    function _getOrCreateTargetRoleIdAndName(
+        address target,
+        string memory targetName,
+        TargetType targetType
+    )
+        internal
+        returns (
+            RoleId roleId,
+            string memory roleName
+        )
+    {
+        // get roleId
+        if (targetType == TargetType.Service || targetType == TargetType.GenericService) {
+            roleId = AccessAdminLib.getServiceRoleId(target, targetType);
+        } else {
+            roleId = AccessAdminLib.getTargetRoleId(target, targetType, _nextRoleId[targetType]);
+            // increment target type specific role id counter
+            _nextRoleId[targetType]++;
         }
-        // check target name is not used for another target
-        if( _targetForName[name] != address(0)) {
-            revert ErrorTargetNameAlreadyExists(
-                target,
-                targetName,
-                _targetForName[name]);
+        // create role name
+        roleName = AccessAdminLib.toRoleName(targetName);
+    }
+    function _setTargetLocked(address target, bool locked)
+        internal
+    {
+        _checkTargetExists(target);
+        _authority.setTargetClosed(target, locked);
+    }
+    function _getRoleName(RoleId roleId) internal view returns (string memory) {
+        if (roleExists(roleId)) {
+            return _roleInfo[roleId].name.toString();
         }
+        return "<unknown-role>";
+    }
-        // check target is an access managed contract
-        if (!ContractLib.isAccessManaged(target)) {
-            revert ErrorTargetNotAccessManaged(target);
+    function _checkAuthorization(
+        address authorization,
+        ObjectType expectedDomain,
+        VersionPart expectedRelease,
+        bool expectServiceAuthorization,
+        bool checkAlreadyInitialized
+    )
+        internal
+        view
+    {
+        AccessAdminLib.checkAuthorization(
+            address(_authorization),
+            authorization,
+            expectedDomain,
+            expectedRelease,
+            expectServiceAuthorization,
+            checkAlreadyInitialized);
+    }
+    function _checkRoleExists(
+        RoleId roleId,
+        bool onlyActiveRole,
+        bool allowAdminAndPublicRoles
+    )
+        internal
+        view
+    {
+        if (!roleExists(roleId)) {
+            revert ErrorAccessAdminRoleUnknown(roleId);
         }
-        // check target shares authority with this contract
-        if (checkAuthority) {
-            address targetAuthority = AccessManagedUpgradeable(target).authority();
-            if (targetAuthority != authority()) {
-                revert ErrorTargetAuthorityMismatch(authority(), targetAuthority);
+        if (!allowAdminAndPublicRoles) {
+            if (roleId == ADMIN_ROLE()) {
+                revert ErrorAccessAdminInvalidUserOfAdminRole();
             }
-        }
-        // create target info
-        _targetInfo[target] = TargetInfo({
-            name: name,
-            isCustom: custom,
-            createdAt: TimestampLib.blockTimestamp()
-        });
+            // check role is not public role
+            if (roleId == PUBLIC_ROLE()) {
+                revert ErrorAccessAdminInvalidUserOfPublicRole();
+            }
+        }
-        // create name to target mapping
-        _targetForName[name] = target;
+        // check if role is disabled
+        if (onlyActiveRole && _roleInfo[roleId].pausedAt <= TimestampLib.current()) {
+            revert ErrorAccessAdminRoleIsPaused(roleId);
+        }
+    }
-        // add role to list of roles
-        _targets.push(target);
-        emit LogTargetCreated(target, targetName);
-    }
-    // TODO cleanup
-    // function _isContract(address target)
-    //     internal
-    //     view
-    //     returns (bool)
-    // {
-    //     uint256 size;
-    //     assembly {
-    //         size := extcodesize(target)
-    //     }
-    //     return size > 0;
-    // }
+    /// @dev check if target exists and reverts if it doesn't
+    function _checkTargetExists(
+        address target
+    )
+        internal
+        view
+    {
+        // check not yet created
+        if (!targetExists(target)) {
+            revert ErrorAccessAdminTargetNotCreated(target);
+        }
+    }
 }