npm - @etherisc/gif-next - Versions diffs - 0.0.2-f1f3b2c-994 → 0.0.2-f2273b3-211 - Mend

@etherisc/gif-next 0.0.2-f1f3b2c-994 → 0.0.2-f2273b3-211

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (483) hide show

package/contracts/authorization/AccessAdmin.sol CHANGED Viewed

@@ -8,11 +8,16 @@ import {ReentrancyGuardUpgradeable} from "@openzeppelin/contracts-upgradeable/ut
 import {AccessManagerCloneable} from "./AccessManagerCloneable.sol";
 import {ContractLib} from "../shared/ContractLib.sol";
 import {IAccessAdmin} from "./IAccessAdmin.sol";
+import {IRegistry} from "../registry/IRegistry.sol";
 import {RoleId, RoleIdLib, ADMIN_ROLE, PUBLIC_ROLE} from "../type/RoleId.sol";
 import {Selector, SelectorLib, SelectorSetLib} from "../type/Selector.sol";
 import {Str, StrLib} from "../type/String.sol";
 import {TimestampLib} from "../type/Timestamp.sol";
+import {VersionPart} from "../type/Version.sol";
+interface IAccessManagedChecker {
+    function authority() external view returns (address);
+}
 /**
  * @dev A generic access amin contract that implements role based access control based on OpenZeppelin's AccessManager contract.
@@ -68,7 +73,7 @@ contract AccessAdmin is
     modifier onlyDeployer() {
         // special case for cloned AccessAdmin contracts
-        // IMPORTANT cloning and _initializeAuthority needs to be done in a single transaction
+        // IMPORTANT cloning and initialize authority needs to be done in a single transaction
         if (_deployer == address(0)) {
             _deployer = msg.sender;
         }
@@ -80,9 +85,7 @@ contract AccessAdmin is
     }
     modifier onlyRoleAdmin(RoleId roleId) {
-        if (!roleExists(roleId)) {
-            revert ErrorRoleUnknown(roleId);
-        }
+        _checkRoleExists(roleId, false);
         if (!hasAdminRole(msg.sender, roleId)) {
             revert ErrorNotAdminOfRole(_roleInfo[roleId].adminRoleId);
@@ -97,8 +100,15 @@ contract AccessAdmin is
         _;
     }
-    modifier onlyExistingRole(RoleId roleId) {
-        _checkRoleId(roleId);
+    modifier onlyExistingRole(
+        RoleId roleId,
+        bool onlyActiveRole,
+        bool allowLockedRoles
+    )
+    {
+        if (!allowLockedRoles) {
+            _checkRoleExists(roleId, onlyActiveRole);
+        }
         _;
     }
@@ -107,15 +117,90 @@ contract AccessAdmin is
         _;
     }
-    constructor() {
-        _deployer = msg.sender;
-        _authority = new AccessManagerCloneable();
-        _authority.initialize(address(this));
+    //-------------- initialization functions ------------------------------//
+    // event LogAccessAdminDebug(string message);
+    /// @dev Initializes this admin with the provided accessManager (and authorization specification).
+    /// Internally initializes access manager with this admin and creates basic role setup.
+    function initialize(
+        AccessManagerCloneable authority
+    )
+        public
+        initializer()
+    {
+        __AccessAdmin_init(authority);
+    }
+    function __AccessAdmin_init(
+        AccessManagerCloneable authority
+    )
+        internal
+        onlyInitializing()
+        onlyDeployer() // initializes deployer if not initialized yet
+    {
+        authority.initialize(address(this));
+        // set and initialize this access manager contract as
+        // the admin (ADMIN_ROLE) of the provided authority
+        __AccessManaged_init(address(authority));
+        _authority = authority;
+        // create admin and public roles
+        _initializeAdminAndPublicRoles();
+        // additional use case specific initialization
+        _initializeCustom();
+    }
-        _setAuthority(address(_authority)); // set authority for oz access managed
-        _createAdminAndPublicRoles();
+    function getRegistry() public view returns (IRegistry registry) {
+        return _authority.getRegistry();
     }
+    function getRelease() public view returns (VersionPart release) {
+        return _authority.getRelease();
+    }
+    function _initializeAdminAndPublicRoles()
+        internal
+        virtual
+        onlyInitializing()
+    {
+        RoleId adminRoleId = RoleIdLib.toRoleId(_authority.ADMIN_ROLE());
+        // setup admin role
+        _createRoleUnchecked(
+            ADMIN_ROLE(),
+            toRole({
+                adminRoleId: ADMIN_ROLE(),
+                roleType: RoleType.Contract,
+                maxMemberCount: 1,
+                name: ADMIN_ROLE_NAME}));
+        // add this contract as admin role member
+        _roleMembers[adminRoleId].add(address(this));
+        // setup public role
+        _createRoleUnchecked(
+            PUBLIC_ROLE(),
+            toRole({
+                adminRoleId: ADMIN_ROLE(),
+                roleType: RoleType.Gif,
+                maxMemberCount: type(uint32).max,
+                name: PUBLIC_ROLE_NAME}));
+    }
+    function _initializeCustom()
+        internal
+        virtual
+        onlyInitializing()
+    { }
     //--- view functions for roles ------------------------------------------//
     function roles() external view returns (uint256 numberOfRoles) {
@@ -154,6 +239,7 @@ contract AccessAdmin is
         return _roleMembers[roleId].at(idx);
     }
+    // TODO false because not role member or because role not exists?
     function hasRole(address account, RoleId roleId) public view returns (bool) {
         (bool isMember, ) = _authority.hasRole(
             RoleId.unwrap(roleId),
@@ -219,19 +305,6 @@ contract AccessAdmin is
                 selector.toBytes4()));
     }
-    // TODO cleanup
-    // function isAccessManaged(address target) public view returns (bool) {
-    //     if (!_isContract(target)) {
-    //         return false;
-    //     }
-    //     (bool success, ) = target.staticcall(
-    //         abi.encodeWithSelector(
-    //             AccessManagedUpgradeable.authority.selector));
-    //     return success;
-    // }
     function canCall(address caller, address target, Selector selector) external virtual view returns (bool can) {
         (can, ) = _authority.canCall(caller, target, selector.toBytes4());
     }
@@ -242,7 +315,8 @@ contract AccessAdmin is
             adminRoleId: adminRoleId,
             roleType: roleType,
             maxMemberCount: maxMemberCount,
-            createdAt: TimestampLib.blockTimestamp()
+            createdAt: TimestampLib.blockTimestamp(),
+            pausedAt: TimestampLib.max()
         });
     }
@@ -270,11 +344,18 @@ contract AccessAdmin is
             revert ErrorAuthorizeForAdminRoleInvalid(target);
         }
-        bool addFunctions = true;
-        bytes4[] memory functionSelectors = _processFunctionSelectors(target, functions, addFunctions);
+        (
+            bytes4[] memory functionSelectors,
+            string[] memory functionNames
+        ) = _processFunctionSelectors(target, functions, true);
         // apply authz via access manager
-        _grantRoleAccessToFunctions(target, roleId, functionSelectors);
+        _grantRoleAccessToFunctions(
+            target,
+            roleId,
+            functionSelectors,
+            functionNames,
+            false); // allow locked roles
     }
     function _unauthorizeTargetFunctions(
@@ -283,9 +364,17 @@ contract AccessAdmin is
     )
         internal
     {
-        bool addFunctions = false;
-        bytes4[] memory functionSelectors = _processFunctionSelectors(target, functions, addFunctions);
-        _grantRoleAccessToFunctions(target, getAdminRole(), functionSelectors);
+        (
+            bytes4[] memory functionSelectors,
+            string[] memory functionNames
+        ) = _processFunctionSelectors(target, functions, false);
+        _grantRoleAccessToFunctions(
+            target,
+            getAdminRole(),
+            functionSelectors,
+            functionNames,
+            true);  // allowLockedRoles
     }
     function _processFunctionSelectors(
@@ -294,12 +383,15 @@ contract AccessAdmin is
         bool addFunctions
     )
         internal
+        onlyExistingTarget(target)
         returns (
-            bytes4[] memory functionSelectors
+            bytes4[] memory functionSelectors,
+            string[] memory functionNames
         )
     {
         uint256 n = functions.length;
         functionSelectors = new bytes4[](n);
+        functionNames = new string[](n);
         FunctionInfo memory func;
         Selector selector;
@@ -316,70 +408,7 @@ contract AccessAdmin is
             // add bytes4 selector to function selector array
             functionSelectors[i] = selector.toBytes4();
-        }
-    }
-    function _initializeAuthority(
-        address authorityAddress
-    )
-        internal
-        virtual
-        onlyInitializing()
-        onlyDeployer()
-    {
-        if (authority() != address(0)) {
-            revert ErrorAuthorityAlreadySet();
-        }
-        _authority = AccessManagerCloneable(authorityAddress);
-        __AccessManaged_init(address(_authority));
-    }
-    function _initializeAdminAndPublicRoles()
-        internal
-        virtual
-        onlyInitializing()
-    {
-        _createAdminAndPublicRoles();
-    }
-    /// @dev internal setup function that can be used in both constructor and initializer.
-    function _createAdminAndPublicRoles()
-        internal
-    {
-        RoleId adminRoleId = RoleIdLib.toRoleId(_authority.ADMIN_ROLE());
-        // setup admin role
-        _createRoleUnchecked(
-            ADMIN_ROLE(),
-            toRole({
-                adminRoleId: ADMIN_ROLE(),
-                roleType: RoleType.Contract,
-                maxMemberCount: 1,
-                name: ADMIN_ROLE_NAME}));
-        // add this contract as admin role member
-        _roleMembers[adminRoleId].add(address(this));
-        // setup public role
-        _createRoleUnchecked(
-            PUBLIC_ROLE(),
-            toRole({
-                adminRoleId: ADMIN_ROLE(),
-                roleType: RoleType.Gif,
-                maxMemberCount: type(uint32).max,
-                name: PUBLIC_ROLE_NAME}));
-    }
-    /// @dev check if target exists and reverts if it doesn't
-    function _checkTarget(address target)
-        internal
-        view
-    {
-        if (_targetInfo[target].createdAt.eqz()) {
-            revert ErrorTargetUnknown(target);
+            functionNames[i] = func.name.toString();
         }
     }
@@ -387,24 +416,36 @@ contract AccessAdmin is
     function _grantRoleAccessToFunctions(
         address target,
         RoleId roleId,
-        bytes4[] memory functionSelectors
+        bytes4[] memory functionSelectors,
+        string[] memory functionNames,
+        bool allowLockedRoles // admin and public roles are locked
     )
         internal
+        onlyExistingTarget(target)
+        onlyExistingRole(roleId, true, allowLockedRoles)
     {
         _authority.setTargetFunctionRole(
             target,
             functionSelectors,
             RoleId.unwrap(roleId));
-        // implizit logging: rely on OpenZeppelin log TargetFunctionRoleUpdated
+        for (uint256 i = 0; i < functionSelectors.length; i++) {
+            emit LogAccessAdminFunctionGranted(
+                target,
+                // _getAccountName(target),
+                // string(abi.encodePacked("", functionSelectors[i])),
+                functionNames[i],
+                _getRoleName(roleId));
+        }
     }
     /// @dev grant the specified role to the provided account
     function _grantRoleToAccount(RoleId roleId, address account)
         internal
+        onlyExistingRole(roleId, true, false)
     {
-        _checkRoleId(roleId);
         // check max role members will not be exceeded
         if (_roleMembers[roleId].length() >= _roleInfo[roleId].maxMemberCount) {
             revert ErrorRoleMembersLimitReached(roleId, _roleInfo[roleId].maxMemberCount);
@@ -413,7 +454,7 @@ contract AccessAdmin is
         // check account is contract for contract role
         if (
             _roleInfo[roleId].roleType == RoleType.Contract &&
-            account.code.length == 0 // will fail in account's constructor
+            !ContractLib.isContract(account) // will fail in account's constructor
         ) {
             revert ErrorRoleMemberNotContract(roleId, account);
         }
@@ -425,14 +466,14 @@ contract AccessAdmin is
             account,
             0);
-        // indirect logging: rely on OpenZeppelin log RoleGranted
+        emit LogAccessAdminRoleGranted(account, _getRoleName(roleId));
     }
     /// @dev revoke the specified role from the provided account
     function _revokeRoleFromAccount(RoleId roleId, address account)
         internal
+        onlyExistingRole(roleId, false, false)
     {
-        _checkRoleId(roleId);
         // check role removal is permitted
         if (_roleInfo[roleId].roleType == RoleType.Contract) {
@@ -445,26 +486,10 @@ contract AccessAdmin is
             RoleId.unwrap(roleId),
             account);
-        // indirect logging: rely on OpenZeppelin log RoleGranted
+        emit LogAccessAdminRoleRevoked(account, _roleInfo[roleId].name.toString());
     }
-    function _checkRoleId(RoleId roleId)
-        internal
-        view
-    {
-        if (_roleInfo[roleId].createdAt.eqz()) {
-            revert ErrorRoleUnknown(roleId);
-        }
-        uint64 roleIdInt = RoleId.unwrap(roleId);
-        if (roleIdInt == _authority.ADMIN_ROLE()
-            || roleIdInt == _authority.PUBLIC_ROLE())
-        {
-            revert ErrorRoleIsLocked(roleId);
-        }
-    }
     /// @dev Creates a role based on the provided parameters.
     /// Checks that the provided role and role id and role name not already used.
     function _createRole(
@@ -520,7 +545,7 @@ contract AccessAdmin is
         // add role to list of roles
         _roleIds.push(roleId);
-        emit LogRoleCreated(roleId, info.roleType, info.adminRoleId, info.name.toString());
+        emit LogAccessAdminRoleCreated(roleId, info.roleType, info.adminRoleId, info.name.toString());
     }
@@ -531,7 +556,6 @@ contract AccessAdmin is
         bool custom
     )
         internal
-        nonReentrant()
     {
         // check target does not yet exist
         if(targetExists(target)) {
@@ -555,7 +579,7 @@ contract AccessAdmin is
         }
         // check target is an access managed contract
-        if (!ContractLib.isAccessManaged(target)) {
+        if (!_isAccessManaged(target)) {
             revert ErrorTargetNotAccessManaged(target);
         }
@@ -580,9 +604,27 @@ contract AccessAdmin is
         // add role to list of roles
         _targets.push(target);
-        emit LogTargetCreated(target, targetName);
+        emit LogAccessAdminTargetCreated(target, targetName);
     }
+    function _isAccessManaged(address target)
+        internal
+        view
+        returns (bool)
+    {
+        if (!ContractLib.isContract(target)) {
+            return false;
+        }
+        (bool success, ) = target.staticcall(
+            abi.encodeWithSelector(
+                IAccessManagedChecker.authority.selector));
+        return success;
+    }
     function _setTargetClosed(address target, bool locked)
         internal
     {
@@ -595,4 +637,53 @@ contract AccessAdmin is
         _authority.setTargetClosed(target, locked);
     }
+    function _getAccountName(address account) internal view returns (string memory) {
+        if (targetExists(account)) {
+            return _targetInfo[account].name.toString();
+        }
+        return "<unknown-account>";
+    }
+    function _getRoleName(RoleId roleId) internal view returns (string memory) {
+        if (roleExists(roleId)) {
+            return _roleInfo[roleId].name.toString();
+        }
+        return "<unknown-role>";
+    }
+    function _checkRoleExists(
+        RoleId roleId,
+        bool onlyActiveRole
+    )
+        internal
+        view
+    {
+        if (!roleExists(roleId)) {
+            revert ErrorRoleUnknown(roleId);
+        }
+        uint64 roleIdInt = RoleId.unwrap(roleId);
+        if (roleIdInt == _authority.ADMIN_ROLE()) {
+            revert ErrorRoleIsLocked(roleId);
+        }
+        // check if role is disabled
+        if (onlyActiveRole && _roleInfo[roleId].pausedAt <= TimestampLib.blockTimestamp()) {
+            revert ErrorRoleIsPaused(roleId);
+        }
+    }
+    /// @dev check if target exists and reverts if it doesn't
+    function _checkTarget(address target)
+        internal
+        view
+    {
+        if (!targetExists(target)) {
+            revert ErrorTargetUnknown(target);
+        }
+    }
 }

package/contracts/authorization/AccessManagerCloneable.sol CHANGED Viewed

@@ -2,15 +2,148 @@
 pragma solidity ^0.8.20;
 import {AccessManagerUpgradeable} from "@openzeppelin/contracts-upgradeable/access/manager/AccessManagerUpgradeable.sol";
+import {IAccessManaged} from "@openzeppelin/contracts/access/manager/IAccessManaged.sol";
+import {IAccessManager} from "@openzeppelin/contracts/access/manager/IAccessManager.sol";
+import {InitializableERC165} from "../shared/InitializableERC165.sol";
+import {RegistryLinked} from "../shared/RegistryLinked.sol";
+import {VersionPart, VersionLib} from "../type/Version.sol";
+/// @dev An AccessManager based on OpenZeppelin that is cloneable and has a central lock property.
+/// The lock property allows to lock all services of a release in a central place.
+/// Cloned by upon release preparation and instance cloning.
 contract AccessManagerCloneable is
-    AccessManagerUpgradeable
+    AccessManagerUpgradeable,
+    InitializableERC165,
+    RegistryLinked
 {
+    error ErrorAccessManagerCallerNotAdmin(address caller);
+    error ErrorAccessManagerRegistryAlreadySet(address registry);
+    error ErrorAccessManagerInvalidRelease(VersionPart release);
+    error ErrorAccessManagerTargetAdminLocked(address target);
+    error ErrorAccessManagerCallerAdminLocked(address caller);
-    function initialize(address initialAdmin)
+    VersionPart private _release;
+    bool private _isLocked;
+    modifier onlyAdminRole() {
+        (bool isMember, ) = hasRole(ADMIN_ROLE, msg.sender);
+        if(!isMember) {
+            revert ErrorAccessManagerCallerNotAdmin(msg.sender);
+        }
+        _;
+    }
+    function initialize(address admin)
         external
         initializer()
     {
-        __AccessManager_init(initialAdmin);
+        __AccessManager_init(admin);
+        _initializeERC165();
+        _registerInterface(type(IAccessManager).interfaceId);
+    }
+    /// @dev Completes the setup of the access manager.
+    /// Links the access manager to the registry and sets the release version.
+    function completeSetup(
+        address registry,
+        VersionPart release
+    )
+        external
+        onlyAdminRole
+        reinitializer(uint64(release.toInt()))
+    {
+        _completeSetup(registry, release, true);
+    }
+    /// @dev Completes the setup of the access manager.
+    /// Links the access manager to the registry and sets the release version.
+    function completeSetup(
+        address registry,
+        VersionPart release,
+        bool verifyRelease
+    )
+        public
+        onlyAdminRole
+        reinitializer(uint64(release.toInt()))
+    {
+        _completeSetup(registry, release, verifyRelease);
+    }
+    /// @dev Returns true if the caller is authorized to call the target with the given selector and the manager lock is not set to locked.
+    /// Feturn values as in OpenZeppelin AccessManager.
+    /// For a locked manager the function reverts with ErrorAccessManagerTargetAdminLocked.
+    function canCall(
+        address caller,
+        address target,
+        bytes4 selector
+    )
+        public
+        view
+        virtual override
+        returns (
+            bool immediate,
+            uint32 delay
+        )
+    {
+        (immediate, delay) = super.canCall(caller, target, selector);
+        // locking of all contracts under control of this access manager
+        if (isLocked()) {
+            revert ErrorAccessManagerTargetAdminLocked(target);
+        }
+    }
+    /// @dev Locks/unlocks all services of this access manager.
+    /// Only the corresponding access admin can lock/unlock the services.
+    function setLocked(bool locked)
+        external
+        onlyAdminRole()
+    {
+        _isLocked = locked;
+    }
+    /// @dev Returns the release version of this access manager.
+    /// For the registry admin release 3 is returned.
+    /// For the release admin and the instance admin the actual release version is returned.
+    function getRelease() external view returns (VersionPart release) {
+        return _release;
+    }
+    /// @dev Returns true iff all contracts of this access manager are locked.
+    function isLocked()
+        public
+        view
+        returns (bool)
+    {
+        return _isLocked;
+    }
+    function _completeSetup(
+        address registry,
+        VersionPart release,
+        bool verifyRelease
+    )
+        internal
+    {
+        // checks
+        if(address(getRegistry()) != address(0)) {
+            revert ErrorAccessManagerRegistryAlreadySet(address(getRegistry()) );
+        }
+        if (verifyRelease && !release.isValidRelease()) {
+            revert ErrorAccessManagerInvalidRelease(release);
+        }
+        // effects
+        __RegistryLinked_init(registry);
+        _release = release;
     }
 }