npm - @etherisc/gif-next - Versions diffs - 0.0.2-f1f3b2c-994 → 0.0.2-f2273b3-211 - Mend

@etherisc/gif-next 0.0.2-f1f3b2c-994 → 0.0.2-f2273b3-211

Files changed (483) hide show

package/contracts/authorization/AccessAdmin.sol CHANGED Viewed

@@ -8,11 +8,16 @@ import {ReentrancyGuardUpgradeable} from "@openzeppelin/contracts-upgradeable/ut
 import {AccessManagerCloneable} from "./AccessManagerCloneable.sol";
 import {ContractLib} from "../shared/ContractLib.sol";
 import {IAccessAdmin} from "./IAccessAdmin.sol";
+import {IRegistry} from "../registry/IRegistry.sol";
 import {RoleId, RoleIdLib, ADMIN_ROLE, PUBLIC_ROLE} from "../type/RoleId.sol";
 import {Selector, SelectorLib, SelectorSetLib} from "../type/Selector.sol";
 import {Str, StrLib} from "../type/String.sol";
 import {TimestampLib} from "../type/Timestamp.sol";
+import {VersionPart} from "../type/Version.sol";
+interface IAccessManagedChecker {
+    function authority() external view returns (address);
+}
 /**
  * @dev A generic access amin contract that implements role based access control based on OpenZeppelin's AccessManager contract.
@@ -68,7 +73,7 @@ contract AccessAdmin is
     modifier onlyDeployer() {
         // special case for cloned AccessAdmin contracts
-        // IMPORTANT cloning and _initializeAuthority needs to be done in a single transaction
+        // IMPORTANT cloning and initialize authority needs to be done in a single transaction
         if (_deployer == address(0)) {
             _deployer = msg.sender;
         }
@@ -80,9 +85,7 @@ contract AccessAdmin is
     }
     modifier onlyRoleAdmin(RoleId roleId) {
-        if (!roleExists(roleId)) {
-            revert ErrorRoleUnknown(roleId);
-        }
+        _checkRoleExists(roleId, false);
         if (!hasAdminRole(msg.sender, roleId)) {
             revert ErrorNotAdminOfRole(_roleInfo[roleId].adminRoleId);
@@ -97,8 +100,15 @@ contract AccessAdmin is
         _;
     }
-    modifier onlyExistingRole(RoleId roleId) {
-        _checkRoleId(roleId);
+    modifier onlyExistingRole(
+        RoleId roleId,
+        bool onlyActiveRole,
+        bool allowLockedRoles
+    )
+    {
+        if (!allowLockedRoles) {
+            _checkRoleExists(roleId, onlyActiveRole);
+        }
         _;
     }
@@ -107,15 +117,90 @@ contract AccessAdmin is
         _;
     }
-    constructor() {
-        _deployer = msg.sender;
-        _authority = new AccessManagerCloneable();
-        _authority.initialize(address(this));
+    //-------------- initialization functions ------------------------------//
+    // event LogAccessAdminDebug(string message);
+    /// @dev Initializes this admin with the provided accessManager (and authorization specification).
+    /// Internally initializes access manager with this admin and creates basic role setup.
+    function initialize(
+        AccessManagerCloneable authority
+    )
+        public
+        initializer()
+    {
+        __AccessAdmin_init(authority);
+    }
+    function __AccessAdmin_init(
+        AccessManagerCloneable authority
+    )
+        internal
+        onlyInitializing()
+        onlyDeployer() // initializes deployer if not initialized yet
+    {
+        authority.initialize(address(this));
+        // set and initialize this access manager contract as
+        // the admin (ADMIN_ROLE) of the provided authority
+        __AccessManaged_init(address(authority));
+        _authority = authority;
+        // create admin and public roles
+        _initializeAdminAndPublicRoles();
+        // additional use case specific initialization
+        _initializeCustom();
+    }
-        _setAuthority(address(_authority)); // set authority for oz access managed
-        _createAdminAndPublicRoles();
+    function getRegistry() public view returns (IRegistry registry) {
+        return _authority.getRegistry();
     }
+    function getRelease() public view returns (VersionPart release) {
+        return _authority.getRelease();
+    }
+    function _initializeAdminAndPublicRoles()
+        internal
+        virtual
+        onlyInitializing()
+    {
+        RoleId adminRoleId = RoleIdLib.toRoleId(_authority.ADMIN_ROLE());
+        // setup admin role
+        _createRoleUnchecked(
+            ADMIN_ROLE(),
+            toRole({
+                adminRoleId: ADMIN_ROLE(),
+                roleType: RoleType.Contract,
+                maxMemberCount: 1,
+                name: ADMIN_ROLE_NAME}));
+        // add this contract as admin role member
+        _roleMembers[adminRoleId].add(address(this));
+        // setup public role
+        _createRoleUnchecked(
+            PUBLIC_ROLE(),
+            toRole({
+                adminRoleId: ADMIN_ROLE(),
+                roleType: RoleType.Gif,
+                maxMemberCount: type(uint32).max,
+                name: PUBLIC_ROLE_NAME}));
+    }
+    function _initializeCustom()
+        internal
+        virtual
+        onlyInitializing()
+    { }
     //--- view functions for roles ------------------------------------------//
     function roles() external view returns (uint256 numberOfRoles) {
@@ -154,6 +239,7 @@ contract AccessAdmin is
         return _roleMembers[roleId].at(idx);
     }
+    // TODO false because not role member or because role not exists?
     function hasRole(address account, RoleId roleId) public view returns (bool) {
         (bool isMember, ) = _authority.hasRole(
             RoleId.unwrap(roleId),
@@ -219,19 +305,6 @@ contract AccessAdmin is
                 selector.toBytes4()));
     }
-    // TODO cleanup
-    // function isAccessManaged(address target) public view returns (bool) {
-    //     if (!_isContract(target)) {
-    //         return false;
-    //     }
-    //     (bool success, ) = target.staticcall(
-    //         abi.encodeWithSelector(
-    //             AccessManagedUpgradeable.authority.selector));
-    //     return success;
-    // }
     function canCall(address caller, address target, Selector selector) external virtual view returns (bool can) {
         (can, ) = _authority.canCall(caller, target, selector.toBytes4());
     }
@@ -242,7 +315,8 @@ contract AccessAdmin is
             adminRoleId: adminRoleId,
             roleType: roleType,
             maxMemberCount: maxMemberCount,
-            createdAt: TimestampLib.blockTimestamp()
+            createdAt: TimestampLib.blockTimestamp(),
+            pausedAt: TimestampLib.max()
         });
     }
@@ -270,11 +344,18 @@ contract AccessAdmin is
             revert ErrorAuthorizeForAdminRoleInvalid(target);
         }
-        bool addFunctions = true;
-        bytes4[] memory functionSelectors = _processFunctionSelectors(target, functions, addFunctions);
+        (
+            bytes4[] memory functionSelectors,
+            string[] memory functionNames
+        ) = _processFunctionSelectors(target, functions, true);
         // apply authz via access manager
-        _grantRoleAccessToFunctions(target, roleId, functionSelectors);
+        _grantRoleAccessToFunctions(
+            target,
+            roleId,
+            functionSelectors,
+            functionNames,
+            false); // allow locked roles
     }
     function _unauthorizeTargetFunctions(
@@ -283,9 +364,17 @@ contract AccessAdmin is
     )
         internal
     {
-        bool addFunctions = false;
-        bytes4[] memory functionSelectors = _processFunctionSelectors(target, functions, addFunctions);
-        _grantRoleAccessToFunctions(target, getAdminRole(), functionSelectors);
+        (
+            bytes4[] memory functionSelectors,
+            string[] memory functionNames
+        ) = _processFunctionSelectors(target, functions, false);
+        _grantRoleAccessToFunctions(
+            target,
+            getAdminRole(),
+            functionSelectors,
+            functionNames,
+            true);  // allowLockedRoles
     }
     function _processFunctionSelectors(
@@ -294,12 +383,15 @@ contract AccessAdmin is
         bool addFunctions
     )
         internal
+        onlyExistingTarget(target)
         returns (
-            bytes4[] memory functionSelectors
+            bytes4[] memory functionSelectors,
+            string[] memory functionNames
         )
     {
         uint256 n = functions.length;
         functionSelectors = new bytes4[](n);
+        functionNames = new string[](n);
         FunctionInfo memory func;
         Selector selector;
@@ -316,70 +408,7 @@ contract AccessAdmin is
             // add bytes4 selector to function selector array
             functionSelectors[i] = selector.toBytes4();
-        }
-    }
-    function _initializeAuthority(
-        address authorityAddress
-    )
-        internal
-        virtual
-        onlyInitializing()
-        onlyDeployer()
-    {
-        if (authority() != address(0)) {
-            revert ErrorAuthorityAlreadySet();
-        }
-        _authority = AccessManagerCloneable(authorityAddress);
-        __AccessManaged_init(address(_authority));
-    }
-    function _initializeAdminAndPublicRoles()
-        internal
-        virtual
-        onlyInitializing()
-    {
-        _createAdminAndPublicRoles();
-    }
-    /// @dev internal setup function that can be used in both constructor and initializer.
-    function _createAdminAndPublicRoles()
-        internal
-    {
-        RoleId adminRoleId = RoleIdLib.toRoleId(_authority.ADMIN_ROLE());
-        // setup admin role
-        _createRoleUnchecked(
-            ADMIN_ROLE(),
-            toRole({
-                adminRoleId: ADMIN_ROLE(),
-                roleType: RoleType.Contract,
-                maxMemberCount: 1,
-                name: ADMIN_ROLE_NAME}));
-        // add this contract as admin role member
-        _roleMembers[adminRoleId].add(address(this));
-        // setup public role
-        _createRoleUnchecked(
-            PUBLIC_ROLE(),
-            toRole({
-                adminRoleId: ADMIN_ROLE(),
-                roleType: RoleType.Gif,
-                maxMemberCount: type(uint32).max,
-                name: PUBLIC_ROLE_NAME}));
-    }
-    /// @dev check if target exists and reverts if it doesn't
-    function _checkTarget(address target)
-        internal
-        view
-    {
-        if (_targetInfo[target].createdAt.eqz()) {
-            revert ErrorTargetUnknown(target);
+            functionNames[i] = func.name.toString();
         }
     }
@@ -387,24 +416,36 @@ contract AccessAdmin is
     function _grantRoleAccessToFunctions(
         address target,
         RoleId roleId,
-        bytes4[] memory functionSelectors
+        bytes4[] memory functionSelectors,
+        string[] memory functionNames,
+        bool allowLockedRoles // admin and public roles are locked
     )
         internal
+        onlyExistingTarget(target)
+        onlyExistingRole(roleId, true, allowLockedRoles)
     {
         _authority.setTargetFunctionRole(
             target,
             functionSelectors,
             RoleId.unwrap(roleId));
-        // implizit logging: rely on OpenZeppelin log TargetFunctionRoleUpdated
+        for (uint256 i = 0; i < functionSelectors.length; i++) {
+            emit LogAccessAdminFunctionGranted(
+                target,
+                // _getAccountName(target),
+                // string(abi.encodePacked("", functionSelectors[i])),
+                functionNames[i],
+                _getRoleName(roleId));
+        }
     }
     /// @dev grant the specified role to the provided account
     function _grantRoleToAccount(RoleId roleId, address account)
         internal
+        onlyExistingRole(roleId, true, false)
     {
-        _checkRoleId(roleId);
         // check max role members will not be exceeded
         if (_roleMembers[roleId].length() >= _roleInfo[roleId].maxMemberCount) {
             revert ErrorRoleMembersLimitReached(roleId, _roleInfo[roleId].maxMemberCount);
@@ -413,7 +454,7 @@ contract AccessAdmin is
         // check account is contract for contract role
         if (
             _roleInfo[roleId].roleType == RoleType.Contract &&
-            account.code.length == 0 // will fail in account's constructor
+            !ContractLib.isContract(account) // will fail in account's constructor
         ) {
             revert ErrorRoleMemberNotContract(roleId, account);
         }
@@ -425,14 +466,14 @@ contract AccessAdmin is
             account,
             0);
-        // indirect logging: rely on OpenZeppelin log RoleGranted
+        emit LogAccessAdminRoleGranted(account, _getRoleName(roleId));
     }
     /// @dev revoke the specified role from the provided account
     function _revokeRoleFromAccount(RoleId roleId, address account)
         internal
+        onlyExistingRole(roleId, false, false)
     {
-        _checkRoleId(roleId);
         // check role removal is permitted
         if (_roleInfo[roleId].roleType == RoleType.Contract) {
@@ -445,26 +486,10 @@ contract AccessAdmin is
             RoleId.unwrap(roleId),
             account);
-        // indirect logging: rely on OpenZeppelin log RoleGranted
+        emit LogAccessAdminRoleRevoked(account, _roleInfo[roleId].name.toString());
     }
-    function _checkRoleId(RoleId roleId)
-        internal
-        view
-    {
-        if (_roleInfo[roleId].createdAt.eqz()) {
-            revert ErrorRoleUnknown(roleId);
-        }
-        uint64 roleIdInt = RoleId.unwrap(roleId);
-        if (roleIdInt == _authority.ADMIN_ROLE()
-            || roleIdInt == _authority.PUBLIC_ROLE())
-        {
-            revert ErrorRoleIsLocked(roleId);
-        }
-    }
     /// @dev Creates a role based on the provided parameters.
     /// Checks that the provided role and role id and role name not already used.
     function _createRole(
@@ -520,7 +545,7 @@ contract AccessAdmin is
         // add role to list of roles
         _roleIds.push(roleId);
-        emit LogRoleCreated(roleId, info.roleType, info.adminRoleId, info.name.toString());
+        emit LogAccessAdminRoleCreated(roleId, info.roleType, info.adminRoleId, info.name.toString());
     }
@@ -531,7 +556,6 @@ contract AccessAdmin is
         bool custom
     )
         internal
-        nonReentrant()
     {
         // check target does not yet exist
         if(targetExists(target)) {
@@ -555,7 +579,7 @@ contract AccessAdmin is
         }
         // check target is an access managed contract
-        if (!ContractLib.isAccessManaged(target)) {
+        if (!_isAccessManaged(target)) {
             revert ErrorTargetNotAccessManaged(target);
         }
@@ -580,9 +604,27 @@ contract AccessAdmin is
         // add role to list of roles
         _targets.push(target);
-        emit LogTargetCreated(target, targetName);
+        emit LogAccessAdminTargetCreated(target, targetName);
     }
+    function _isAccessManaged(address target)
+        internal
+        view
+        returns (bool)
+    {
+        if (!ContractLib.isContract(target)) {
+            return false;
+        }
+        (bool success, ) = target.staticcall(
+            abi.encodeWithSelector(
+                IAccessManagedChecker.authority.selector));
+        return success;
+    }
     function _setTargetClosed(address target, bool locked)
         internal
     {
@@ -595,4 +637,53 @@ contract AccessAdmin is
         _authority.setTargetClosed(target, locked);
     }
+    function _getAccountName(address account) internal view returns (string memory) {
+        if (targetExists(account)) {
+            return _targetInfo[account].name.toString();
+        }
+        return "<unknown-account>";
+    }
+    function _getRoleName(RoleId roleId) internal view returns (string memory) {
+        if (roleExists(roleId)) {
+            return _roleInfo[roleId].name.toString();
+        }
+        return "<unknown-role>";
+    }
+    function _checkRoleExists(
+        RoleId roleId,
+        bool onlyActiveRole
+    )
+        internal
+        view
+    {
+        if (!roleExists(roleId)) {
+            revert ErrorRoleUnknown(roleId);
+        }
+        uint64 roleIdInt = RoleId.unwrap(roleId);
+        if (roleIdInt == _authority.ADMIN_ROLE()) {
+            revert ErrorRoleIsLocked(roleId);
+        }
+        // check if role is disabled
+        if (onlyActiveRole && _roleInfo[roleId].pausedAt <= TimestampLib.blockTimestamp()) {
+            revert ErrorRoleIsPaused(roleId);
+        }
+    }
+    /// @dev check if target exists and reverts if it doesn't
+    function _checkTarget(address target)
+        internal
+        view
+    {
+        if (!targetExists(target)) {
+            revert ErrorTargetUnknown(target);
+        }
+    }
 }

package/contracts/authorization/AccessManagerCloneable.sol CHANGED Viewed

@@ -2,15 +2,148 @@
 pragma solidity ^0.8.20;
 import {AccessManagerUpgradeable} from "@openzeppelin/contracts-upgradeable/access/manager/AccessManagerUpgradeable.sol";
+import {IAccessManaged} from "@openzeppelin/contracts/access/manager/IAccessManaged.sol";
+import {IAccessManager} from "@openzeppelin/contracts/access/manager/IAccessManager.sol";
+import {InitializableERC165} from "../shared/InitializableERC165.sol";
+import {RegistryLinked} from "../shared/RegistryLinked.sol";
+import {VersionPart, VersionLib} from "../type/Version.sol";
+/// @dev An AccessManager based on OpenZeppelin that is cloneable and has a central lock property.
+/// The lock property allows to lock all services of a release in a central place.
+/// Cloned by upon release preparation and instance cloning.
 contract AccessManagerCloneable is
-    AccessManagerUpgradeable
+    AccessManagerUpgradeable,
+    InitializableERC165,
+    RegistryLinked
 {
+    error ErrorAccessManagerCallerNotAdmin(address caller);
+    error ErrorAccessManagerRegistryAlreadySet(address registry);
+    error ErrorAccessManagerInvalidRelease(VersionPart release);
+    error ErrorAccessManagerTargetAdminLocked(address target);
+    error ErrorAccessManagerCallerAdminLocked(address caller);
-    function initialize(address initialAdmin)
+    VersionPart private _release;
+    bool private _isLocked;
+    modifier onlyAdminRole() {
+        (bool isMember, ) = hasRole(ADMIN_ROLE, msg.sender);
+        if(!isMember) {
+            revert ErrorAccessManagerCallerNotAdmin(msg.sender);
+        }
+        _;
+    }
+    function initialize(address admin)
         external
         initializer()
     {
-        __AccessManager_init(initialAdmin);
+        __AccessManager_init(admin);
+        _initializeERC165();
+        _registerInterface(type(IAccessManager).interfaceId);
+    }
+    /// @dev Completes the setup of the access manager.
+    /// Links the access manager to the registry and sets the release version.
+    function completeSetup(
+        address registry,
+        VersionPart release
+    )
+        external
+        onlyAdminRole
+        reinitializer(uint64(release.toInt()))
+    {
+        _completeSetup(registry, release, true);
+    }
+    /// @dev Completes the setup of the access manager.
+    /// Links the access manager to the registry and sets the release version.
+    function completeSetup(
+        address registry,
+        VersionPart release,
+        bool verifyRelease
+    )
+        public
+        onlyAdminRole
+        reinitializer(uint64(release.toInt()))
+    {
+        _completeSetup(registry, release, verifyRelease);
+    }
+    /// @dev Returns true if the caller is authorized to call the target with the given selector and the manager lock is not set to locked.
+    /// Feturn values as in OpenZeppelin AccessManager.
+    /// For a locked manager the function reverts with ErrorAccessManagerTargetAdminLocked.
+    function canCall(
+        address caller,
+        address target,
+        bytes4 selector
+    )
+        public
+        view
+        virtual override
+        returns (
+            bool immediate,
+            uint32 delay
+        )
+    {
+        (immediate, delay) = super.canCall(caller, target, selector);
+        // locking of all contracts under control of this access manager
+        if (isLocked()) {
+            revert ErrorAccessManagerTargetAdminLocked(target);
+        }
+    }
+    /// @dev Locks/unlocks all services of this access manager.
+    /// Only the corresponding access admin can lock/unlock the services.
+    function setLocked(bool locked)
+        external
+        onlyAdminRole()
+    {
+        _isLocked = locked;
+    }
+    /// @dev Returns the release version of this access manager.
+    /// For the registry admin release 3 is returned.
+    /// For the release admin and the instance admin the actual release version is returned.
+    function getRelease() external view returns (VersionPart release) {
+        return _release;
+    }
+    /// @dev Returns true iff all contracts of this access manager are locked.
+    function isLocked()
+        public
+        view
+        returns (bool)
+    {
+        return _isLocked;
+    }
+    function _completeSetup(
+        address registry,
+        VersionPart release,
+        bool verifyRelease
+    )
+        internal
+    {
+        // checks
+        if(address(getRegistry()) != address(0)) {
+            revert ErrorAccessManagerRegistryAlreadySet(address(getRegistry()) );
+        }
+        if (verifyRelease && !release.isValidRelease()) {
+            revert ErrorAccessManagerInvalidRelease(release);
+        }
+        // effects
+        __RegistryLinked_init(registry);
+        _release = release;
     }
 }