@etherisc/gif-next 0.0.2-f1b01e0-214 → 0.0.2-f1e6957-384

package/contracts/instance/InstanceAdmin.sol

@@ -3,51 +3,33 @@ pragma solidity ^0.8.20;
 
 import {IAccess} from "../authorization/IAccess.sol";
 import {IAuthorization} from "../authorization/IAuthorization.sol";
-import {IInstanceLinkedComponent} from "../shared/IInstanceLinkedComponent.sol";
 import {IRegistry} from "../registry/IRegistry.sol";
 import {IInstance} from "./IInstance.sol";
 
 import {AccessAdmin} from "../authorization/AccessAdmin.sol";
+import {AccessAdminLib} from "../authorization/AccessAdminLib.sol";
 import {AccessManagerCloneable} from "../authorization/AccessManagerCloneable.sol";
-import {NftId} from "../type/NftId.sol";
-import {ObjectType, INSTANCE, ORACLE} from "../type/ObjectType.sol";
-import {RoleId, RoleIdLib} from "../type/RoleId.sol";
-import {Str, StrLib} from "../type/String.sol";
-import {TokenHandler} from "../shared/TokenHandler.sol";
-import {VersionPart, VersionPartLib} from "../type/Version.sol";
+import {ObjectType, INSTANCE} from "../type/ObjectType.sol";
+import {RoleId, ADMIN_ROLE} from "../type/RoleId.sol";
+import {Str} from "../type/String.sol";
+import {VersionPart} from "../type/Version.sol";
+import {INSTANCE_TARGET_NAME, INSTANCE_ADMIN_TARGET_NAME, INSTANCE_STORE_TARGET_NAME, PRODUCT_STORE_TARGET_NAME, BUNDLE_SET_TARGET_NAME, RISK_SET_TARGET_NAME} from "./TargetNames.sol";
 
 
 contract InstanceAdmin is
     AccessAdmin
 {
-    string public constant INSTANCE_TARGET_NAME = "Instance";
-    string public constant INSTANCE_ADMIN_TARGET_NAME = "InstanceAdmin";
-    string public constant INSTANCE_STORE_TARGET_NAME = "InstanceStore";
-    string public constant BUNDLE_SET_TARGET_NAME = "BundleSet";
-    string public constant RISK_SET_TARGET_NAME = "RiskSet";
-
-    uint64 public constant CUSTOM_ROLE_ID_MIN = 10000; // MUST be even
-
+    // onlyInstanceService
     error ErrorInstanceAdminNotInstanceService(address caller);
 
-    error ErrorInstanceAdminNotRegistered(address instance);
-    error ErrorInstanceAdminNotInstance(address instance);
-    error ErrorInstanceAdminAlreadyAuthorized(address instance);
-
-    error ErrorInstanceAdminNotComponentRole(RoleId roleId);
-    error ErrorInstanceAdminRoleAlreadyExists(RoleId roleId);
-    error ErrorInstanceAdminRoleTypeNotContract(RoleId roleId, IAccess.RoleType roleType);
-
-    error ErrorInstanceAdminReleaseMismatch();
-    error ErrorInstanceAdminExpectedTargetMissing(string targetName);
+    // authorizeFunctions
+    error ErrorInstanceAdminNotComponentOrCustomTarget(address target);
 
     IInstance internal _instance;
     IRegistry internal _registry;
-    VersionPart internal _release;
-    uint64 internal _customIdNext;
 
-    mapping(address target => RoleId roleId) internal _targetRoleId;
-    uint64 internal _components;
+    uint64 internal _customRoleIdNext;
+
 
     modifier onlyInstanceService() {
         if (msg.sender != _registry.getServiceAddress(INSTANCE(), getRelease())) {
@@ -56,6 +38,7 @@ contract InstanceAdmin is
         _;
     }
 
+
     /// @dev Only used for master instance admin.
     constructor(address accessManager) {
         initialize(
@@ -69,55 +52,82 @@ contract InstanceAdmin is
     /// Important: The instance MUST be registered and all instance supporting contracts must be wired to this instance.
     function completeSetup(
         address registry,
-        address instance,
         address authorization,
-        VersionPart release
+        VersionPart release,
+        address instance
     )
         external
         reinitializer(uint64(release.toInt()))
-        onlyDeployer()
     {
         // checks
-        _checkRegistry(registry);
-        _checkIsRegistered(registry, instance, INSTANCE());
+        AccessAdminLib.checkIsRegistered(registry, instance, INSTANCE());
 
+        // effects
         AccessManagerCloneable(
             authority()).completeSetup(
                 registry, 
                 release); 
 
-        _checkAuthorization(authorization, INSTANCE(), release, true);
+        AccessAdminLib.checkAuthorization(
+            address(_authorization), 
+            authorization, 
+            INSTANCE(), // expectedDomain
+            release, // expectedRelease
+            false, // expectServiceAuthorization
+            true); // checkAlreadyInitialized
 
-        // effects
         _registry = IRegistry(registry);
-        _release = release;
-
         _instance = IInstance(instance);
         _authorization = IAuthorization(authorization);
-        _components = 0;
-        _customIdNext = CUSTOM_ROLE_ID_MIN;
+        _customRoleIdNext = 0;
 
         // link nft ownability to instance
         _linkToNftOwnable(instance);
 
-        // create instance role and target
-        _setupInstance(instance);
-
-        // add instance authorization
+        // setup roles and services
         _createRoles(_authorization);
-        // _createTargets(_authorization);
-        _setupInstanceHelperTargetsWithRoles();
+        _setupServices(_authorization);
+
+        // setup instance targets
+        _createInstanceTargets(_authorization.getMainTargetName());
+
+        // authorize functions of instance contracts
         _createTargetAuthorizations(_authorization);
     }
 
+    /// @dev grants the service roles to the service addresses based on the authorization specification.
+    /// Service addresses used for the granting are determined by the registry and the release of this instance.
+    function _setupServices(IAuthorization authorization)
+        internal
+    {
+        ObjectType[] memory serviceDomains = authorization.getServiceDomains();
+
+        for(uint256 i = 0; i < serviceDomains.length; i++) {
+            ObjectType serviceDomain = serviceDomains[i];
+            RoleId serviceRoleId = authorization.getServiceRole(serviceDomain);
+            address service = _registry.getServiceAddress(serviceDomain, getRelease());
+
+            _grantRoleToAccount(
+                serviceRoleId,
+                service);
+        }
+    }
 
-    function _createTargets(IAuthorization authorization)
+
+    function _createInstanceTargets(string memory instanceTargetName)
         internal
     {
-        _createTargetWithRole(address(this), INSTANCE_ADMIN_TARGET_NAME, authorization.getTargetRole(StrLib.toStr(INSTANCE_ADMIN_TARGET_NAME)));
-        _createTargetWithRole(address(_instance.getInstanceStore()), INSTANCE_STORE_TARGET_NAME, authorization.getTargetRole(StrLib.toStr(INSTANCE_STORE_TARGET_NAME)));
-        _createTargetWithRole(address(_instance.getBundleSet()), BUNDLE_SET_TARGET_NAME, authorization.getTargetRole(StrLib.toStr(BUNDLE_SET_TARGET_NAME)));
-        _createTargetWithRole(address(_instance.getRiskSet()), RISK_SET_TARGET_NAME, authorization.getTargetRole(StrLib.toStr(RISK_SET_TARGET_NAME)));
+        _createInstanceTarget(address(_instance), instanceTargetName); 
+        _createInstanceTarget(address(this), INSTANCE_ADMIN_TARGET_NAME); 
+        _createInstanceTarget(address(_instance.getInstanceStore()), INSTANCE_STORE_TARGET_NAME); 
+        _createInstanceTarget(address(_instance.getProductStore()), PRODUCT_STORE_TARGET_NAME); 
+        _createInstanceTarget(address(_instance.getBundleSet()), BUNDLE_SET_TARGET_NAME); 
+        _createInstanceTarget(address(_instance.getRiskSet()), RISK_SET_TARGET_NAME); 
+    }
+
+
+    function _createInstanceTarget(address target, string memory name) internal {
+        _createTarget(target, name, TargetType.Instance, true); 
     }
 
 
@@ -130,64 +140,49 @@ contract InstanceAdmin is
         external
         restricted()
     {
-        // checks
-        _checkIsRegistered(address(getRegistry()), componentAddress, expectedType);
-
-        IInstanceLinkedComponent component = IInstanceLinkedComponent(componentAddress);
-        IAuthorization authorization = component.getAuthorization();
-        _checkAuthorization(address(authorization), expectedType, getRelease(), false);
+        IAuthorization authorization = AccessAdminLib.checkComponentInitialization(
+            this, _authorization, componentAddress, expectedType);
 
         // effects
-        // setup target and role for component (including token handler if applicable)
-        _setupComponentAndTokenHandler(component, expectedType);
-
-        // create other roles and function authorizations
         _createRoles(authorization);
+        _createTarget(componentAddress, authorization.getMainTargetName(), TargetType.Component, true);
         _createTargetAuthorizations(authorization);
     }
 
-    function getRelease()
-        public
-        view
-        override
-        returns (VersionPart release)
-    {
-        return _release;
-    }
-
 
-    // create instance role and target
-    function _setupInstance(address instance) internal {
-
-        // create instance role
-        RoleId instanceRoleId = _authorization.getTargetRole(
-            _authorization.getMainTarget());
+    /// @dev Creates a custom role.
+    function createRole(
+        string memory name,
+        RoleId adminRoleId,
+        uint32 maxMemberCount
+    )
+        external
+        restricted()
+        returns (RoleId roleId)
+    {
+        // create roleId
+        roleId = AccessAdminLib.getCustomRoleId(_customRoleIdNext++);
 
+        // create role
         _createRole(
-            instanceRoleId,
-            _authorization.getRoleInfo(instanceRoleId));
-
-        // create instance target
-        _createTarget(
-            instance, 
-            _authorization.getMainTargetName(), 
-            true, // checkAuthority
-            false); // custom
-
-        // assign instance role to instance
-        _grantRoleToAccount(
-            instanceRoleId, 
-            instance);
+            roleId, 
+            AccessAdminLib.roleInfo(
+                adminRoleId, 
+                IAccess.TargetType.Custom, 
+                maxMemberCount, 
+                name),
+            true); // revert on existing role
     }
 
-    /// @dev Creates a custom role
-    // TODO implement
-    // function createRole()
-    //     external
-    //     restricted()
-    // {
 
-    // }
+    /// @dev Activtes/pauses the specified role.
+    function setRoleActive(RoleId roleId, bool active)
+        external
+        restricted()
+    {
+        _setRoleActive(roleId, active);
+    }
+
 
     /// @dev Grants the provided role to the specified account
     function grantRole(
@@ -200,6 +195,61 @@ contract InstanceAdmin is
     }
 
 
+    /// @dev Revokes the provided role from the specified account
+    function revokeRole(
+        RoleId roleId, 
+        address account)
+        external
+        restricted()
+    {
+        _revokeRoleFromAccount(roleId, account);
+    }
+
+
+    /// @dev Create a new contract target.
+    /// The target needs to be an access managed contract.
+    function createTarget(
+        address target, 
+        string memory name
+    )
+        external
+        restricted()
+        returns (RoleId contractRoleId)
+    {
+        return _createTarget(
+            target, 
+            name, 
+            TargetType.Contract,
+            true); // check authority matches
+    }
+
+
+    /// @dev Add function authorizations for the specified component or custom target.
+    function authorizeFunctions(
+        address target,
+        RoleId roleId,
+        IAccess.FunctionInfo[] memory functions
+    )
+        external
+        restricted()
+    {
+        _authorizeTargetFunctions(target, roleId, functions, true, true);
+    }
+
+
+    /// @dev Removes function authorizations for the specified component or custom target.
+    function unauthorizeFunctions(
+        address target,
+        IAccess.FunctionInfo[] memory functions
+    )
+        external
+        restricted()
+    {
+        _authorizeTargetFunctions(target, ADMIN_ROLE(), functions, true, false);
+    }
+
+
+    /// @dev locks the instance and all its releated targets including component and custom targets.
     function setInstanceLocked(bool locked)
         external
         // not restricted(): need to operate on locked instances to unlock instance
@@ -212,28 +262,20 @@ contract InstanceAdmin is
 
     function setTargetLocked(address target, bool locked) 
         external 
-        // not restricted(): might need to operate on targets while instance is locked
+        // not restricted(): need to operate on locked instances to unlock instance
         onlyInstanceService()
     {
         _setTargetLocked(target, locked);
     }
 
 
-    function setComponentLocked(address target, bool locked) 
+    function setContractLocked(address target, bool locked) 
         external 
-        restricted()
+        restricted() // component service
     {
         _setTargetLocked(target, locked);
     }
 
-    /// @dev Returns the number of components that have been registered with this instance.   
-    function components() 
-        external 
-        view 
-        returns (uint64)
-    {
-        return _components;
-    }
 
     /// @dev Returns the instance authorization specification used to set up this instance admin.
     function getInstanceAuthorization()
@@ -246,133 +288,6 @@ contract InstanceAdmin is
 
     // ------------------- Internal functions ------------------- //
 
-    function _setupComponentAndTokenHandler(
-        IInstanceLinkedComponent component,
-        ObjectType componentType
-    )
-        internal
-    {
-
-        IAuthorization authorization = component.getAuthorization();
-        string memory targetName = authorization.getMainTargetName();
-
-        // create component role and target
-        RoleId componentRoleId = _createComponentRoleId(component, authorization);
-
-        // create component's target
-        _createTarget(
-            address(component), 
-            targetName, 
-            true, // checkAuthority
-            false); // custom
-
-        // create component's token handler target if app
-        if (componentType != ORACLE()) {
-            NftId componentNftId = _registry.getNftIdForAddress(address(component));
-            address tokenHandler = address(
-                _instance.getInstanceReader().getComponentInfo(
-                    componentNftId).tokenHandler);
-
-            _createTarget(
-                tokenHandler, 
-                authorization.getTokenHandlerName(), 
-                true, 
-                false);
-
-            // token handler does not require its own role
-            // token handler is not calling other components
-        }
-
-        // assign component role to component
-        _grantRoleToAccount(
-            componentRoleId, 
-            address(component));
-    }
-
-
-    function _createComponentRoleId(
-        IInstanceLinkedComponent component,
-        IAuthorization authorization
-    )
-        internal 
-        returns (RoleId componentRoleId)
-    {
-        // checks
-        // check component is not yet authorized
-        if (_targetRoleId[address(component)].gtz()) {
-            revert ErrorInstanceAdminAlreadyAuthorized(address(component));
-        }
-
-        // check generic component role
-        RoleId genericComponentRoleId = authorization.getTargetRole(
-            authorization.getMainTarget());
-
-        if (!genericComponentRoleId.isComponentRole()) {
-            revert ErrorInstanceAdminNotComponentRole(genericComponentRoleId);
-        }
-
-        // check component role does not exist
-        componentRoleId = toComponentRole(
-            genericComponentRoleId, 
-            _components);
-
-        if (roleExists(componentRoleId)) {
-            revert ErrorInstanceAdminRoleAlreadyExists(componentRoleId);
-        }
-
-        // check role info
-        IAccess.RoleInfo memory roleInfo = authorization.getRoleInfo(
-            genericComponentRoleId);
-
-        if (roleInfo.roleType != IAccess.RoleType.Contract) {
-            revert ErrorInstanceAdminRoleTypeNotContract(
-                componentRoleId,
-                roleInfo.roleType);
-        }
-
-        // effects
-        _targetRoleId[address(component)] = componentRoleId;
-        _components++;
-
-        _createRole(
-            componentRoleId,
-            roleInfo);
-    }
-
-
-    function _createRoles(IAuthorization authorization)
-        internal
-    {
-        RoleId[] memory roles = authorization.getRoles();
-        RoleId mainTargetRoleId = authorization.getTargetRole(
-            authorization.getMainTarget());
-
-        RoleId roleId;
-        RoleInfo memory roleInfo;
-
-        for(uint256 i = 0; i < roles.length; i++) {
-
-            roleId = roles[i];
-
-            // skip main target role, create role if not exists
-            if (roleId != mainTargetRoleId && !roleExists(roleId)) {
-                _createRole(
-                    roleId,
-                    authorization.getRoleInfo(roleId));
-            }
-        }
-    }
-
-
-    function toComponentRole(RoleId roleId, uint64 componentIdx)
-        internal
-        pure
-        returns (RoleId)
-    {
-        return RoleIdLib.toRoleId(
-            RoleIdLib.toInt(roleId) + componentIdx);
-    }
-
 
     function _createTargetAuthorizations(IAuthorization authorization)
         internal
@@ -383,68 +298,10 @@ contract InstanceAdmin is
         for(uint256 i = 0; i < targets.length; i++) {
             target = targets[i];
             RoleId[] memory authorizedRoles = authorization.getAuthorizedRoles(target);
-            RoleId authorizedRole;
 
             for(uint256 j = 0; j < authorizedRoles.length; j++) {
-                authorizedRole = authorizedRoles[j];
-
-                _authorizeTargetFunctions(
-                    getTargetForName(target),
-                    authorizedRole,
-                    authorization.getAuthorizedFunctions(
-                        target, 
-                        authorizedRole));
+                _authorizeFunctions(authorization, target, authorizedRoles[j]);
             }
         }
     }
-
-    function _checkAndCreateTargetWithRole(
-        address target,
-        string memory targetName
-    )
-        internal
-    {
-        // check that target name is defined in authorization specification
-        Str name = StrLib.toStr(targetName);
-        if (!_authorization.targetExists(name)) {
-            revert ErrorInstanceAdminExpectedTargetMissing(targetName);
-        }
-
-        // create named target
-        _createTarget(
-            target, 
-            targetName, 
-            false, // check authority TODO check normal targets, don't check service targets (they share authority with release admin)
-            false);
-
-        // assign target role if defined
-        RoleId targetRoleId = _authorization.getTargetRole(name);
-        if (targetRoleId != RoleIdLib.zero()) {
-            _grantRoleToAccount(targetRoleId, target);
-        }
-    }
-
-    function _setupInstanceHelperTargetsWithRoles()
-        internal
-    {
-
-        // create module targets
-        _checkAndCreateTargetWithRole(address(_instance.getInstanceStore()), INSTANCE_STORE_TARGET_NAME);
-        _checkAndCreateTargetWithRole(address(_instance.getInstanceAdmin()), INSTANCE_ADMIN_TARGET_NAME);
-        _checkAndCreateTargetWithRole(address(_instance.getBundleSet()), BUNDLE_SET_TARGET_NAME);
-        _checkAndCreateTargetWithRole(address(_instance.getRiskSet()), RISK_SET_TARGET_NAME);
-
-        // create targets for services that need to access the instance targets
-        ObjectType[] memory serviceDomains = _authorization.getServiceDomains();
-        VersionPart release = _authorization.getRelease();
-        ObjectType serviceDomain;
-
-        for (uint256 i = 0; i < serviceDomains.length; i++) {
-            serviceDomain = serviceDomains[i];
-
-            _checkAndCreateTargetWithRole(
-                _registry.getServiceAddress(serviceDomain, release),
-                _authorization.getServiceTarget(serviceDomain).toString());
-        }
-    }
 }