@etherisc/gif-next 0.0.2-e964d24-516 → 0.0.2-e987ccf-894

package/contracts/instance/InstanceAdmin.sol

@@ -0,0 +1,285 @@
+// SPDX-License-Identifier: UNLICENSED
+pragma solidity ^0.8.20;
+
+import {AccessManager} from "@openzeppelin/contracts/access/manager/AccessManager.sol";
+
+import {AccessAdmin} from "../authorization/AccessAdmin.sol";
+import {AccessManagerCloneable} from "../authorization/AccessManagerCloneable.sol";
+import {IAccessAdmin} from "../authorization/IAccessAdmin.sol";
+import {IAuthorization} from "../authorization/IAuthorization.sol";
+import {IComponent} from "../shared/IComponent.sol";
+import {IModuleAuthorization} from "../authorization/IModuleAuthorization.sol";
+import {IRegistry} from "../registry/IRegistry.sol";
+import {IInstance} from "./IInstance.sol";
+import {IService} from "../shared/IService.sol";
+import {ObjectType, ObjectTypeLib, ALL, POOL, RELEASE} from "../type/ObjectType.sol";
+import {RoleId, RoleIdLib, ADMIN_ROLE, PUBLIC_ROLE, DISTRIBUTION_OWNER_ROLE, ORACLE_OWNER_ROLE, POOL_OWNER_ROLE, PRODUCT_OWNER_ROLE} from "../type/RoleId.sol";
+import {Str, StrLib} from "../type/String.sol";
+import {TokenHandler} from "../shared/TokenHandler.sol";
+import {VersionPart} from "../type/Version.sol";
+
+
+contract InstanceAdmin is
+    AccessAdmin
+{
+    string public constant INSTANCE_TARGET_NAME = "Instance";
+    string public constant INSTANCE_STORE_TARGET_NAME = "InstanceStore";
+    string public constant INSTANCE_ADMIN_TARGET_NAME = "InstanceAdmin";
+    string public constant BUNDLE_SET_TARGET_NAME = "BundleSet";
+
+    uint64 public constant CUSTOM_ROLE_ID_MIN = 10000; // MUST be even
+
+    error ErrorInstanceAdminNotRegistered(address target);
+    error ErrorInstanceAdminAlreadyAuthorized(address target);
+    error ErrorInstanceAdminReleaseMismatch();
+    error ErrorInstanceAdminExpectedTargetMissing(string targetName);
+
+    IInstance _instance;
+    IRegistry internal _registry;
+    uint64 _idNext;
+
+    IModuleAuthorization _instanceAuthorization;
+
+    /// @dev Only used for master instance admin.
+    /// Contracts created via constructor come with disabled initializers.
+    constructor(
+        IModuleAuthorization instanceAuthorization
+    )
+        AccessAdmin()
+    {
+        _instanceAuthorization = instanceAuthorization;
+    }
+
+    /// @dev Initializes this instance admin with the provided instances authorization specification.
+    /// Internally the function creates an instance specific OpenZeppelin AccessManager that is used as the authority
+    /// for the inststance authorizatios.
+    /// Important: Initialization of this instance admin is only complete after calling function initializeInstance. 
+    function initialize(
+        AccessManagerCloneable accessManager,
+        IModuleAuthorization instanceAuthorization
+    )
+        external
+        initializer() 
+    {
+        // create new access manager for this instance admin
+        _initializeAuthority(address(accessManager));
+
+        // create basic instance independent setup
+        _createAdminAndPublicRoles();
+
+        // store instance authorization specification
+        _instanceAuthorization = IModuleAuthorization(instanceAuthorization);
+    }
+
+    function _checkTargetIsReadyForAuthorization(address target)
+        internal
+        view
+    {
+        if (address(_registry) != address(0) && !_registry.isRegistered(target)) {
+            revert ErrorInstanceAdminNotRegistered(target);
+        }
+
+        if (targetExists(target)) {
+            revert ErrorInstanceAdminAlreadyAuthorized(target);
+        }
+    }
+
+    /// @dev Completes the initialization of this instance admin using the provided instance.
+    /// Important: The instance MUST be registered and all instance supporting contracts must be wired to this instance.
+    function initializeInstanceAuthorization(address instanceAddress)
+        external
+    {
+        _checkTargetIsReadyForAuthorization(instanceAddress);
+
+        _idNext = CUSTOM_ROLE_ID_MIN;
+        _instance = IInstance(instanceAddress);
+        _registry = _instance.getRegistry();
+
+        // check matching releases
+        if (_instanceAuthorization.getRelease() != _instance.getMajorVersion()) {
+            revert ErrorInstanceAdminReleaseMismatch();
+        }
+
+        // add instance authorization
+        _createRoles(_instanceAuthorization);
+        _createModuleTargetsWithRoles();
+        _createTargetAuthorizations(_instanceAuthorization);
+
+        // grant component owner roles to instance owner
+        _grantComponentOwnerRoles();
+    }
+
+
+    /// @dev Initializes the authorization for the specified component.
+    /// Important: The component MUST be registered.
+    function initializeComponentAuthorization(
+        IComponent component,
+        IAuthorization authorization
+    )
+        external
+    {
+        _checkTargetIsReadyForAuthorization(address(component));
+
+        _createRoles(authorization);
+
+        // create component target
+        _createTarget(
+            address(component), 
+            authorization.getTargetName(), 
+            true, // checkAuthority
+            false); // custom
+
+        _createTarget(
+            address(component.getTokenHandler()), 
+            string(abi.encodePacked(authorization.getTargetName(), "TH")), 
+            true, 
+            false);
+        
+        // FIXME: make this a bit nicer and work with IAuthorization. Use a specific role, not public - access to TokenHandler must be restricted
+        FunctionInfo[] memory functions = new FunctionInfo[](3);
+        functions[0] = toFunction(TokenHandler.collectTokens.selector, "collectTokens");
+        functions[1] = toFunction(TokenHandler.collectTokensToThreeRecipients.selector, "collectTokensToThreeRecipients");
+        functions[2] = toFunction(TokenHandler.distributeTokens.selector, "distributeTokens");
+
+        _authorizeTargetFunctions(
+            address(component.getTokenHandler()),
+            getPublicRole(),
+            functions);
+
+        _grantRoleToAccount(
+            authorization.getTargetRole(
+                authorization.getTarget()), 
+            address(component));
+        
+        _createTargetAuthorizations(authorization);
+    }
+
+
+    function _grantComponentOwnerRoles()
+        internal
+    {
+        address instanceOwner = _registry.ownerOf(_instance.getNftId());
+        _grantRoleToAccount(DISTRIBUTION_OWNER_ROLE(), instanceOwner);
+        _grantRoleToAccount(ORACLE_OWNER_ROLE(), instanceOwner);
+        _grantRoleToAccount(POOL_OWNER_ROLE(), instanceOwner);
+        _grantRoleToAccount(PRODUCT_OWNER_ROLE(), instanceOwner);
+    }
+
+    /// @dev Creates a custom role
+    // TODO implement
+    // function createRole()
+    //     external
+    //     restricted()
+    // {
+
+    // }
+
+    /// @dev Grants the provided role to the specified account
+    function grantRole(
+        RoleId roleId, 
+        address account)
+        external
+        restricted()
+    {
+        _grantRoleToAccount(roleId, account);
+    }
+
+    /// @dev Returns the instance authorization specification used to set up this instance admin.
+    function getInstanceAuthorization()
+        external
+        view
+        returns (IModuleAuthorization instanceAuthorizaion)
+    {
+        return _instanceAuthorization;
+    }
+
+
+    function _createRoles(IAuthorization authorization)
+        internal
+    {
+        RoleId[] memory roles = authorization.getRoles();
+        RoleId roleId;
+        RoleInfo memory roleInfo;
+
+        for(uint256 i = 0; i < roles.length; i++) {
+            roleId = roles[i];
+            _createRole(
+                roleId,
+                authorization.getRoleInfo(roleId));
+        }
+    }
+
+
+    function _createTargetAuthorizations(IAuthorization authorization)
+        internal
+    {
+        Str[] memory targets = authorization.getTargets();
+        Str target;
+
+        for(uint256 i = 0; i < targets.length; i++) {
+            target = targets[i];
+            RoleId[] memory authorizedRoles = authorization.getAuthorizedRoles(target);
+            RoleId authorizedRole;
+
+            for(uint256 j = 0; j < authorizedRoles.length; j++) {
+                authorizedRole = authorizedRoles[j];
+
+                _authorizeTargetFunctions(
+                    getTargetForName(target),
+                    authorizedRole,
+                    authorization.getAuthorizedFunctions(
+                        target, 
+                        authorizedRole));
+            }
+        }
+    }
+
+    function _checkAndCreateTargetWithRole(
+        address target,
+        string memory targetName
+    )
+        internal
+    {
+        // check that target name is defined in authorization specification
+        Str name = StrLib.toStr(targetName);
+        if (!_instanceAuthorization.targetExists(name)) {
+            revert ErrorInstanceAdminExpectedTargetMissing(targetName);
+        }
+
+        // create named target
+        _createTarget(
+            target, 
+            targetName, 
+            false, // check authority TODO check normal targets, don't check service targets (they share authority with registry admin)
+            false);
+
+        // assign target role if defined
+        RoleId targetRoleId = _instanceAuthorization.getTargetRole(name);
+        if (targetRoleId != RoleIdLib.zero()) {
+            _grantRoleToAccount(targetRoleId, target);
+        }
+    }
+
+    function _createModuleTargetsWithRoles()
+        internal
+    {
+        // create module targets
+        _checkAndCreateTargetWithRole(address(_instance), INSTANCE_TARGET_NAME);
+        _checkAndCreateTargetWithRole(address(_instance.getInstanceStore()), INSTANCE_STORE_TARGET_NAME);
+        _checkAndCreateTargetWithRole(address(_instance.getInstanceAdmin()), INSTANCE_ADMIN_TARGET_NAME);
+        _checkAndCreateTargetWithRole(address(_instance.getBundleSet()), BUNDLE_SET_TARGET_NAME);
+
+        // create targets for services that need to access the module targets
+        ObjectType[] memory serviceDomains = _instanceAuthorization.getServiceDomains();
+        VersionPart release = _instanceAuthorization.getRelease();
+        ObjectType serviceDomain;
+
+        for (uint256 i = 0; i < serviceDomains.length; i++) {
+            serviceDomain = serviceDomains[i];
+
+            _checkAndCreateTargetWithRole(
+                _registry.getServiceAddress(serviceDomain, release),
+                _instanceAuthorization.getServiceTarget(serviceDomain).toString());
+        }
+    }
+}

package/contracts/instance/InstanceAuthorizationV3.sol

@@ -0,0 +1,203 @@
+// SPDX-License-Identifier: Apache-2.0
+pragma solidity ^0.8.20;
+
+import {
+     PRODUCT, ORACLE, POOL, INSTANCE, COMPONENT, DISTRIBUTION, APPLICATION, POLICY, CLAIM, BUNDLE
+} from "../../contracts/type/ObjectType.sol";
+
+import {
+     DISTRIBUTION_OWNER_ROLE, ORACLE_OWNER_ROLE, POOL_OWNER_ROLE, PRODUCT_OWNER_ROLE
+} from "../../contracts/type/RoleId.sol";
+
+import {BundleSet} from "../instance/BundleSet.sol"; 
+import {IAccess} from "../authorization/IAccess.sol";
+import {Instance} from "../instance/Instance.sol";
+import {InstanceAdmin} from "../instance/InstanceAdmin.sol";
+import {InstanceStore} from "../instance/InstanceStore.sol";
+import {ModuleAuthorization} from "../authorization/ModuleAuthorization.sol";
+
+
+contract InstanceAuthorizationV3
+     is ModuleAuthorization
+{
+
+     string public constant INSTANCE_TARGET_NAME = "Instance";
+     string public constant INSTANCE_STORE_TARGET_NAME = "InstanceStore";
+     string public constant INSTANCE_ADMIN_TARGET_NAME = "InstanceAdmin";
+     string public constant BUNDLE_SET_TARGET_NAME = "BundleSet";
+
+     string public constant INSTANCE_ROLE_NAME = "InstanceRole";
+     string public constant DISTRIBUTION_OWNER_ROLE_NAME = "DistributionOwnerRole";
+     string public constant ORACLE_OWNER_ROLE_NAME = "OracleOwnerRole";
+     string public constant POOL_OWNER_ROLE_NAME = "PoolOwnerRole";
+     string public constant PRODUCT_OWNER_ROLE_NAME = "ProductOwnerRole";
+
+     constructor() ModuleAuthorization(INSTANCE_TARGET_NAME) {}
+
+
+     function _setupRoles()
+          internal
+          override
+     {
+          _addGifRole(DISTRIBUTION_OWNER_ROLE(), DISTRIBUTION_OWNER_ROLE_NAME);
+          _addGifRole(ORACLE_OWNER_ROLE(), ORACLE_OWNER_ROLE_NAME);
+          _addGifRole(POOL_OWNER_ROLE(), POOL_OWNER_ROLE_NAME);
+          _addGifRole(PRODUCT_OWNER_ROLE(), PRODUCT_OWNER_ROLE_NAME);
+     }
+
+
+     function _setupTargets()
+          internal
+          override
+     {
+          // instance target
+          _addTargetWithRole(
+               INSTANCE_TARGET_NAME, 
+               _getTargetRoleId(INSTANCE()),
+               INSTANCE_ROLE_NAME);
+
+          // instance supporting targets
+          _addTarget(INSTANCE_STORE_TARGET_NAME);
+          _addTarget(INSTANCE_ADMIN_TARGET_NAME);
+          _addTarget(BUNDLE_SET_TARGET_NAME);
+
+          // service targets relevant to instance
+          _addServiceTargetWithRole(INSTANCE());
+          _addServiceTargetWithRole(COMPONENT());
+          _addServiceTargetWithRole(DISTRIBUTION());
+          _addServiceTargetWithRole(ORACLE());
+          _addServiceTargetWithRole(POOL());
+          _addServiceTargetWithRole(BUNDLE());
+          _addServiceTargetWithRole(PRODUCT());
+          _addServiceTargetWithRole(APPLICATION());
+          _addServiceTargetWithRole(POLICY());
+          _addServiceTargetWithRole(CLAIM());
+     }
+
+
+     function _setupTargetAuthorizations()
+          internal
+          override
+     {
+          _setupInstanceAuthorization();
+          _setupInstanceAdminAuthorization();
+          _setupInstanceStoreAuthorization();
+          _setupBundleSetAuthorization();
+     }
+
+
+     function _setupBundleSetAuthorization()
+          internal
+     {
+          IAccess.FunctionInfo[] storage functions;
+
+          // authorize bundle service role
+          functions = _authorizeForTarget(BUNDLE_SET_TARGET_NAME, getServiceRole(BUNDLE()));
+          _authorize(functions, BundleSet.linkPolicy.selector, "linkPolicy");
+          _authorize(functions, BundleSet.unlinkPolicy.selector, "unlinkPolicy");
+          _authorize(functions, BundleSet.add.selector, "add");
+          _authorize(functions, BundleSet.lock.selector, "lock");
+          _authorize(functions, BundleSet.unlock.selector, "unlock");
+     }
+
+
+     function _setupInstanceAuthorization()
+          internal
+     {
+          IAccess.FunctionInfo[] storage functions;
+
+          // authorize instance service role
+          functions = _authorizeForTarget(INSTANCE_TARGET_NAME, getServiceRole(INSTANCE()));
+          _authorize(functions, Instance.setInstanceReader.selector, "setInstanceReader");
+     }
+
+
+     function _setupInstanceAdminAuthorization()
+          internal
+     {
+          IAccess.FunctionInfo[] storage functions;
+
+          // authorize instance role
+          functions = _authorizeForTarget(INSTANCE_ADMIN_TARGET_NAME, _getTargetRoleId(INSTANCE()));
+          _authorize(functions, InstanceAdmin.grantRole.selector, "grantRole");
+
+          // authorize instance service role
+          // functions = _authorizeForTarget(INSTANCE_ADMIN_TARGET_NAME, getServiceRole(INSTANCE()));
+     }
+
+
+     function _setupInstanceStoreAuthorization()
+          internal
+     {
+          IAccess.FunctionInfo[] storage functions;
+
+          // authorize component service role
+          functions = _authorizeForTarget(INSTANCE_STORE_TARGET_NAME, getServiceRole(COMPONENT()));
+          _authorize(functions, InstanceStore.createComponent.selector, "createComponent");
+          _authorize(functions, InstanceStore.updateComponent.selector, "updateComponent");
+          _authorize(functions, InstanceStore.createPool.selector, "createPool");
+          _authorize(functions, InstanceStore.createProduct.selector, "createProduct");
+          _authorize(functions, InstanceStore.updateProduct.selector, "updateProduct");
+          _authorize(functions, InstanceStore.increaseBalance.selector, "increaseBalance");
+          _authorize(functions, InstanceStore.decreaseBalance.selector, "decreaseBalance");
+          _authorize(functions, InstanceStore.increaseFees.selector, "increaseFees");
+          _authorize(functions, InstanceStore.decreaseFees.selector, "decreaseFees");
+
+          // authorize distribution service role
+          functions = _authorizeForTarget(INSTANCE_STORE_TARGET_NAME, getServiceRole(DISTRIBUTION()));
+          _authorize(functions, InstanceStore.createDistributorType.selector, "createDistributorType");
+          _authorize(functions, InstanceStore.updateDistributorType.selector, "updateDistributorType");
+          _authorize(functions, InstanceStore.updateDistributorTypeState.selector, "updateDistributorTypeState");
+          _authorize(functions, InstanceStore.createDistributor.selector, "createDistributor");
+          _authorize(functions, InstanceStore.updateDistributor.selector, "updateDistributor");
+          _authorize(functions, InstanceStore.updateDistributorState.selector, "updateDistributorState");
+          _authorize(functions, InstanceStore.createReferral.selector, "createReferral");
+          _authorize(functions, InstanceStore.updateReferral.selector, "updateReferral");
+          _authorize(functions, InstanceStore.updateReferralState.selector, "updateReferralState");
+
+          // authorize oracle service role
+          functions = _authorizeForTarget(INSTANCE_STORE_TARGET_NAME, getServiceRole(ORACLE()));
+          _authorize(functions, InstanceStore.createRequest.selector, "createRequest");
+          _authorize(functions, InstanceStore.updateRequest.selector, "updateRequest");
+          _authorize(functions, InstanceStore.updateRequestState.selector, "updateRequestState");
+
+          // authorize pool service role
+          functions = _authorizeForTarget(INSTANCE_STORE_TARGET_NAME, getServiceRole(POOL()));
+          _authorize(functions, InstanceStore.updatePool.selector, "updatePool");
+
+          // authorize bundle service role
+          functions = _authorizeForTarget(INSTANCE_STORE_TARGET_NAME, getServiceRole(BUNDLE()));
+          _authorize(functions, InstanceStore.createBundle.selector, "createBundle");
+          _authorize(functions, InstanceStore.updateBundle.selector, "updateBundle");
+          _authorize(functions, InstanceStore.updateBundleState.selector, "updateBundleState");
+          _authorize(functions, InstanceStore.increaseLocked.selector, "increaseLocked");
+          _authorize(functions, InstanceStore.decreaseLocked.selector, "decreaseLocked");
+
+          // authorize product service role
+          functions = _authorizeForTarget(INSTANCE_STORE_TARGET_NAME, getServiceRole(PRODUCT()));
+          _authorize(functions, InstanceStore.createRisk.selector, "createRisk");
+          _authorize(functions, InstanceStore.updateRisk.selector, "updateRisk");
+          _authorize(functions, InstanceStore.updateRiskState.selector, "updateRiskState");
+
+          // authorize application service role
+          functions = _authorizeForTarget(INSTANCE_STORE_TARGET_NAME, getServiceRole(APPLICATION()));
+          _authorize(functions, InstanceStore.createApplication.selector, "createApplication");
+          _authorize(functions, InstanceStore.updateApplication.selector, "updateApplication");
+          _authorize(functions, InstanceStore.updateApplicationState.selector, "updateApplicationState");
+
+          // authorize policy service role
+          functions = _authorizeForTarget(INSTANCE_STORE_TARGET_NAME, getServiceRole(POLICY()));
+          _authorize(functions, InstanceStore.updatePolicy.selector, "updatePolicy");
+          _authorize(functions, InstanceStore.updatePolicyState.selector, "updatePolicyState");
+          _authorize(functions, InstanceStore.createPremium.selector, "createPremium");
+
+          // authorize claim service role
+          functions = _authorizeForTarget(INSTANCE_STORE_TARGET_NAME, getServiceRole(CLAIM()));
+          _authorize(functions, InstanceStore.updatePolicyClaims.selector, "updatePolicyClaims");
+          _authorize(functions, InstanceStore.createClaim.selector, "createClaim");
+          _authorize(functions, InstanceStore.updateClaim.selector, "updateClaim");
+          _authorize(functions, InstanceStore.createPayout.selector, "createPayout");
+          _authorize(functions, InstanceStore.updatePayout.selector, "updatePayout");
+     }
+}
+