@etherisc/gif-next 0.0.2-f1fe735-758 → 0.0.2-f2273b3-211

package/contracts/{shared → authorization}/AccessAdmin.sol

@@ -1,16 +1,23 @@
 // SPDX-License-Identifier: UNLICENSED
 pragma solidity ^0.8.20;
 
-import {AccessManager} from "@openzeppelin/contracts/access/manager/AccessManager.sol";
 import {AccessManagedUpgradeable} from "@openzeppelin/contracts-upgradeable/access/manager/AccessManagedUpgradeable.sol";
 import {EnumerableSet} from "@openzeppelin/contracts/utils/structs/EnumerableSet.sol";
+import {ReentrancyGuardUpgradeable} from "@openzeppelin/contracts-upgradeable/utils/ReentrancyGuardUpgradeable.sol";
 
+import {AccessManagerCloneable} from "./AccessManagerCloneable.sol";
+import {ContractLib} from "../shared/ContractLib.sol";
 import {IAccessAdmin} from "./IAccessAdmin.sol";
-import {RoleId, RoleIdLib} from "../type/RoleId.sol";
+import {IRegistry} from "../registry/IRegistry.sol";
+import {RoleId, RoleIdLib, ADMIN_ROLE, PUBLIC_ROLE} from "../type/RoleId.sol";
 import {Selector, SelectorLib, SelectorSetLib} from "../type/Selector.sol";
 import {Str, StrLib} from "../type/String.sol";
-import {Timestamp, TimestampLib} from "../type/Timestamp.sol";
+import {TimestampLib} from "../type/Timestamp.sol";
+import {VersionPart} from "../type/Version.sol";
 
+interface IAccessManagedChecker {
+    function authority() external view returns (address);
+}
 
 /**
  * @dev A generic access amin contract that implements role based access control based on OpenZeppelin's AccessManager contract.
@@ -19,6 +26,7 @@ import {Timestamp, TimestampLib} from "../type/Timestamp.sol";
  */ 
 contract AccessAdmin is
     AccessManagedUpgradeable,
+    ReentrancyGuardUpgradeable,
     IAccessAdmin
 {
     using EnumerableSet for EnumerableSet.AddressSet;
@@ -26,19 +34,13 @@ contract AccessAdmin is
     string public constant ADMIN_ROLE_NAME = "AdminRole";
     string public constant PUBLIC_ROLE_NAME = "PublicRole";
 
-    uint64 public constant MANAGER_ROLE = type(uint64).min + 1;
-    string public constant MANAGER_ROLE_NAME = "ManagerRole";
-
     /// @dev the OpenZeppelin access manager driving the access admin contract
-    AccessManager internal _authority;
+    AccessManagerCloneable internal _authority;
 
     /// @dev stores the deployer address and allows to create initializers
     /// that are restricted to the deployer address.
     address internal _deployer;
 
-    /// @dev required role for state changes to this contract
-    RoleId internal _managerRoleId;
-
     /// @dev store role info per role id
     mapping(RoleId roleId => RoleInfo info) internal _roleInfo;
 
@@ -63,15 +65,15 @@ contract AccessAdmin is
     /// @dev store all managed functions per target
     mapping(address target => SelectorSetLib.Set selectors) internal _targetFunctions;
 
-    /// @dev temporary dynamic function infos array
-    mapping(address target => mapping(Selector selector => Str functionName)) internal _functionName;
+    /// @dev function infos array
+    mapping(address target => mapping(Selector selector => FunctionInfo)) internal _functionInfo;
 
     /// @dev temporary dynamic functions array
     bytes4[] private _functions;
 
     modifier onlyDeployer() {
         // special case for cloned AccessAdmin contracts
-        // IMPORTANT cloning and _initializeAuthority needs to be done in a single transaction
+        // IMPORTANT cloning and initialize authority needs to be done in a single transaction
         if (_deployer == address(0)) {
             _deployer = msg.sender;
         }
@@ -83,11 +85,9 @@ contract AccessAdmin is
     }
 
     modifier onlyRoleAdmin(RoleId roleId) {
-        if (!roleExists(roleId)) {
-            revert ErrorRoleUnknown(roleId);
-        }
+        _checkRoleExists(roleId, false);
 
-        if (!hasRole(msg.sender, _roleInfo[roleId].adminRoleId)) {
+        if (!hasAdminRole(msg.sender, roleId)) {
             revert ErrorNotAdminOfRole(_roleInfo[roleId].adminRoleId);
         }
         _;
@@ -100,8 +100,15 @@ contract AccessAdmin is
         _;
     }
 
-    modifier onlyExistingRole(RoleId roleId) {
-        _checkRoleId(roleId);
+    modifier onlyExistingRole(
+        RoleId roleId, 
+        bool onlyActiveRole,
+        bool allowLockedRoles
+    )
+    {
+        if (!allowLockedRoles) {
+            _checkRoleExists(roleId, onlyActiveRole);
+        }
         _;
     }
 
@@ -110,159 +117,91 @@ contract AccessAdmin is
         _;
     }
 
-    constructor() {
-        _deployer = msg.sender;
-        _authority = new AccessManager(address(this));
+    //-------------- initialization functions ------------------------------//
 
-        _setAuthority(address(_authority));
-        _createInitialRoleSetup();
+    // event LogAccessAdminDebug(string message);
 
-        _disableInitializers();
-    }
-
-    //--- role management functions -----------------------------------------//
-
-    function createRole(
-        RoleId roleId, 
-        RoleId adminRoleId, 
-        string memory name,
-        uint256 maxMemberCount,
-        bool memberRemovalDisabled
+    /// @dev Initializes this admin with the provided accessManager (and authorization specification).
+    /// Internally initializes access manager with this admin and creates basic role setup.
+    function initialize(
+        AccessManagerCloneable authority 
     )
-        external
-        virtual
-        restricted()
+        public
+        initializer()
     {
-        _createRole(roleId, adminRoleId, name, maxMemberCount, memberRemovalDisabled);
+        __AccessAdmin_init(authority);
     }
 
-    function setRoleDisabled(
-        RoleId roleId, 
-        bool disabled
-    )
-        external
-        virtual
-        restricted()
-    {
-        _setRoleDisabled(roleId, disabled);
-    }
 
-    function grantRole(
-        address account, 
-        RoleId roleId
+    function __AccessAdmin_init(
+        AccessManagerCloneable authority 
     )
-        external
-        virtual
-        onlyRoleAdmin(roleId)
-        restricted()
+        internal
+        onlyInitializing()
+        onlyDeployer() // initializes deployer if not initialized yet
     {
-        _grantRoleToAccount(roleId, account);
-    }
+        authority.initialize(address(this));
 
-    function revokeRole(
-        address account, 
-        RoleId roleId
-    )
-        external
-        virtual
-        onlyRoleAdmin(roleId)
-        restricted()
-    {
-        _revokeRoleFromAccount(roleId, account);
-    }
+        // set and initialize this access manager contract as
+        // the admin (ADMIN_ROLE) of the provided authority
+        __AccessManaged_init(address(authority));
+        _authority = authority;
 
-    function renounceRole(
-        RoleId roleId
-    )
-        external
-        virtual
-        onlyRoleMember(roleId)
-        restricted()
-    {
-        _revokeRoleFromAccount(roleId, msg.sender);
+        // create admin and public roles
+        _initializeAdminAndPublicRoles();
+
+        // additional use case specific initialization
+        _initializeCustom();
     }
 
-    //--- target management functions ---------------------------------------//
 
-    function createTarget(
-        address target, 
-        string memory name
-    )
-        external
-        virtual
-        restricted()
-    {
-        _createTarget(target, name);
+    function getRegistry() public view returns (IRegistry registry) {
+        return _authority.getRegistry();
     }
 
-    function setTargetLocked(
-        address target, 
-        bool locked
-    )
-        external
-        virtual
-        onlyExistingTarget(target)
-        restricted()
-    {
-        _authority.setTargetClosed(target, locked);
 
-        // implizit logging: rely on OpenZeppelin log TargetClosed
+    function getRelease() public view returns (VersionPart release) {
+        return _authority.getRelease();
     }
 
-    function authorizeFunctions(
-        address target, 
-        RoleId roleId, 
-        Function[] memory functions
-    )
-        external
-        virtual
-        onlyExistingTarget(target)
-        onlyExistingRole(roleId)
-        restricted()
-    {
-        _authorizeTargetFunctions(target, roleId, functions);
-    }
 
-    function unauthorizeFunctions(
-        address target, 
-        Function[] memory functions
-    )
-        external
+    function _initializeAdminAndPublicRoles()
+        internal
         virtual
-        restricted()
+        onlyInitializing()
     {
-        _unauthorizeTargetFunctions(target, functions);
-    }
+        RoleId adminRoleId = RoleIdLib.toRoleId(_authority.ADMIN_ROLE());
 
+        // setup admin role
+        _createRoleUnchecked(
+            ADMIN_ROLE(),
+            toRole({
+                adminRoleId: ADMIN_ROLE(),
+                roleType: RoleType.Contract,
+                maxMemberCount: 1,
+                name: ADMIN_ROLE_NAME}));
 
-    function authorizedFunctions(address target) external view returns (uint256 numberOfFunctions) {
-        return SelectorSetLib.size(_targetFunctions[target]);
-    }
+        // add this contract as admin role member
+        _roleMembers[adminRoleId].add(address(this));
 
-    function getAuthorizedFunction(
-        address target, 
-        uint256 idx
-    )
-        external 
-        view 
-        returns (
-            Function memory func, 
-            RoleId roleId
-        )
-    {
-        Selector selector = SelectorSetLib.at(_targetFunctions[target], idx);
+        // setup public role
+        _createRoleUnchecked(
+            PUBLIC_ROLE(),
+            toRole({
+                adminRoleId: ADMIN_ROLE(),
+                roleType: RoleType.Gif,
+                maxMemberCount: type(uint32).max,
+                name: PUBLIC_ROLE_NAME}));
+    }
 
-        func = Function({
-            selector: selector, 
-            name: _functionName[target][selector]});
 
-        roleId = RoleIdLib.toRoleId(
-            _authority.getTargetFunctionRole(
-                target, 
-                selector.toBytes4()));
-    }
+    function _initializeCustom()
+        internal
+        virtual
+        onlyInitializing()
+    { }
 
-    //--- view functions ----------------------------------------------------//
+    //--- view functions for roles ------------------------------------------//
 
     function roles() external view returns (uint256 numberOfRoles) {
         return _roleIds.length;
@@ -280,16 +219,8 @@ contract AccessAdmin is
         return RoleId.wrap(_authority.PUBLIC_ROLE());
     }
 
-    function getManagerRole() public view returns (RoleId roleId) {
-        return _managerRoleId;
-    }
-
     function roleExists(RoleId roleId) public view returns (bool exists) {
-        return _roleInfo[roleId].exists;
-    }
-
-    function isRoleDisabled(RoleId roleId) public view returns (bool isActive) {
-        return _roleInfo[roleId].disabledAt <= TimestampLib.blockTimestamp();
+        return _roleInfo[roleId].createdAt.gtz();
     }
 
     function getRoleInfo(RoleId roleId) external view returns (RoleInfo memory) {
@@ -300,6 +231,15 @@ contract AccessAdmin is
         return _roleForName[name];
     }
 
+    function roleMembers(RoleId roleId) external view returns (uint256 numberOfMembers) {
+        return _roleMembers[roleId].length();
+    }
+
+    function getRoleMember(RoleId roleId, uint256 idx) external view returns (address account) {
+        return _roleMembers[roleId].at(idx);
+    }
+
+    // TODO false because not role member or because role not exists?
     function hasRole(address account, RoleId roleId) public view returns (bool) {
         (bool isMember, ) = _authority.hasRole(
             RoleId.unwrap(roleId), 
@@ -307,22 +247,21 @@ contract AccessAdmin is
         return isMember;
     }
 
-    function roleMembers(RoleId roleId) external view returns (uint256 numberOfMembers) {
-        return _roleMembers[roleId].length();
+    function hasAdminRole(address account, RoleId roleId)
+        public 
+        virtual
+        view 
+        returns (bool)
+    {
+        return hasRole(account, _roleInfo[roleId].adminRoleId);
     }
 
-    function getRoleMember(RoleId roleId, uint256 idx) external view returns (address account) {
-        return _roleMembers[roleId].at(idx);
-    }
+    //--- view functions for targets ----------------------------------------//
 
     function targetExists(address target) public view returns (bool exists) {
         return _targetInfo[target].createdAt.gtz();
     }
 
-    function isTargetLocked(address target) public view returns (bool locked) {
-        return _authority.isTargetClosed(target);
-    }
-
     function targets() external view returns (uint256 numberOfTargets) {
         return _targets.length;
     }
@@ -335,34 +274,61 @@ contract AccessAdmin is
         return _targetInfo[target];
     }
 
-    function getTargetForName(Str name) external view returns (address target) {
+    function getTargetForName(Str name) public view returns (address target) {
         return _targetForName[name];
     }
 
-    function isAccessManaged(address target) public view returns (bool) {
-        if (!_isContract(target)) {
-            return false;
-        }
+    function isTargetLocked(address target) public view returns (bool locked) {
+        return _authority.isTargetClosed(target);
+    }
 
-        (bool success, ) = target.staticcall(
-            abi.encodeWithSelector(
-                AccessManagedUpgradeable.authority.selector));
+    function authorizedFunctions(address target) external view returns (uint256 numberOfFunctions) {
+        return SelectorSetLib.size(_targetFunctions[target]);
+    }
 
-        return success;
+    function getAuthorizedFunction(
+        address target, 
+        uint256 idx
+    )
+        external 
+        view 
+        returns (
+            FunctionInfo memory func, 
+            RoleId roleId
+        )
+    {
+        Selector selector = SelectorSetLib.at(_targetFunctions[target], idx);
+        func = _functionInfo[target][selector];
+        roleId = RoleIdLib.toRoleId(
+            _authority.getTargetFunctionRole(
+                target, 
+                selector.toBytes4()));
     }
 
-    function canCall(address caller, address target, Selector selector) external view returns (bool can) {
+    function canCall(address caller, address target, Selector selector) external virtual view returns (bool can) {
         (can, ) = _authority.canCall(caller, target, selector.toBytes4());
     }
 
-    function deployer() public view returns (address) {
-        return _deployer;
+    function toRole(RoleId adminRoleId, RoleType roleType, uint32 maxMemberCount, string memory name) public view returns (RoleInfo memory) {
+        return RoleInfo({
+            name: StrLib.toStr(name),
+            adminRoleId: adminRoleId,
+            roleType: roleType,
+            maxMemberCount: maxMemberCount,
+            createdAt: TimestampLib.blockTimestamp(),
+            pausedAt: TimestampLib.max()
+        });
+    }
+
+    function toFunction(bytes4 selector, string memory name) public view returns (FunctionInfo memory) {
+        return FunctionInfo({
+            name: StrLib.toStr(name),
+            selector: SelectorLib.toSelector(selector),
+            createdAt: TimestampLib.blockTimestamp()});
     }
 
-    function toFunction(bytes4 selector, string memory name) public pure returns (Function memory) {
-            return Function({
-                selector: SelectorLib.toSelector(selector),
-                name: StrLib.toStr(name)});
+    function deployer() public view returns (address) {
+        return _deployer;
     }
 
     //--- internal/private functions -------------------------------------------------//
@@ -370,7 +336,7 @@ contract AccessAdmin is
     function _authorizeTargetFunctions(
         address target, 
         RoleId roleId, 
-        Function[] memory functions
+        FunctionInfo[] memory functions
     )
         internal
     {
@@ -378,37 +344,55 @@ contract AccessAdmin is
             revert ErrorAuthorizeForAdminRoleInvalid(target);
         }
 
-        bool addFunctions = true;
-        bytes4[] memory functionSelectors = _processFunctionSelectors(target, functions, addFunctions);
+        (
+            bytes4[] memory functionSelectors,
+            string[] memory functionNames
+        ) = _processFunctionSelectors(target, functions, true);
 
         // apply authz via access manager
-        _grantRoleAccessToFunctions(target, roleId, functionSelectors);
+        _grantRoleAccessToFunctions(
+            target, 
+            roleId, 
+            functionSelectors,
+            functionNames, 
+            false); // allow locked roles
     }
 
     function _unauthorizeTargetFunctions(
         address target, 
-        Function[] memory functions
+        FunctionInfo[] memory functions
     )
         internal
     {
-        bool addFunctions = false;
-        bytes4[] memory functionSelectors = _processFunctionSelectors(target, functions, addFunctions);
-        _grantRoleAccessToFunctions(target, getAdminRole(), functionSelectors);
+        (
+            bytes4[] memory functionSelectors,
+            string[] memory functionNames
+        ) = _processFunctionSelectors(target, functions, false);
+
+        _grantRoleAccessToFunctions(
+            target, 
+            getAdminRole(), 
+            functionSelectors, 
+            functionNames, 
+            true);  // allowLockedRoles
     }
 
     function _processFunctionSelectors(
         address target,
-        Function[] memory functions,
+        FunctionInfo[] memory functions,
         bool addFunctions
     )
         internal
+        onlyExistingTarget(target)
         returns (
-            bytes4[] memory functionSelectors
+            bytes4[] memory functionSelectors,
+            string[] memory functionNames
         )
     {
         uint256 n = functions.length;
         functionSelectors = new bytes4[](n);
-        Function memory func;
+        functionNames = new string[](n);
+        FunctionInfo memory func;
         Selector selector;
 
         for (uint256 i = 0; i < n; i++) {
@@ -420,102 +404,11 @@ contract AccessAdmin is
             else { SelectorSetLib.remove(_targetFunctions[target], selector); }
 
             // set function name
-            _functionName[target][selector] = func.name;
+            _functionInfo[target][selector] = func;
 
             // add bytes4 selector to function selector array
             functionSelectors[i] = selector.toBytes4();
-        }
-    }
-
-    function _initializeAuthority(
-        address authorityAddress
-    )
-        internal
-        virtual
-        onlyInitializing()
-        onlyDeployer()
-    {
-        if (authority() != address(0)) {
-            revert ErrorAuthorityAlreadySet();
-        }
-
-        _authority = AccessManager(authorityAddress);
-
-        if(!hasRole(address(this), RoleId.wrap(_authority.ADMIN_ROLE()))) {
-            revert ErrorAdminRoleMissing();
-        }
-
-        __AccessManaged_init(address(_authority));
-    }
-
-
-    function _initializeRoleSetup()
-        internal
-        virtual
-        onlyInitializing()
-    {
-        _createInitialRoleSetup();
-    }
-
-
-    function _createInitialRoleSetup()
-        internal
-    {
-        RoleId adminRoleId = RoleIdLib.toRoleId(_authority.ADMIN_ROLE());
-        Function[] memory functions;
-
-        // setup admin role
-        _createRoleUnchecked(
-            adminRoleId,
-            adminRoleId,
-            StrLib.toStr(ADMIN_ROLE_NAME),
-            1,
-            true);
-
-        // add this contract as admin role member
-        _roleMembers[adminRoleId].add(address(this));
-
-        // setup public role
-        _createRoleUnchecked(
-            RoleIdLib.toRoleId(_authority.PUBLIC_ROLE()),
-            adminRoleId,
-            StrLib.toStr(PUBLIC_ROLE_NAME),
-            type(uint256).max,
-            true);
-
-        // setup manager role
-        _managerRoleId = RoleIdLib.toRoleId(MANAGER_ROLE);
-        _createRole(
-            _managerRoleId, 
-            adminRoleId,
-            MANAGER_ROLE_NAME,
-            3, // TODO think about max member count
-            false);
-
-        // grant public role access to grant and revoke, renounce
-        functions = new Function[](3);
-        functions[0] = toFunction(IAccessAdmin.grantRole.selector, "grantRole");
-        functions[1] = toFunction(IAccessAdmin.revokeRole.selector, "revokeRole");
-        functions[2] = toFunction(IAccessAdmin.renounceRole.selector, "renounceRole");
-        _authorizeTargetFunctions(address(this), getPublicRole(), functions);
-
-        // grant manager role access to the specified functions 
-        functions = new Function[](6);
-        functions[0] = toFunction(IAccessAdmin.createRole.selector, "createRole");
-        functions[1] = toFunction(IAccessAdmin.setRoleDisabled.selector, "setRoleDisabled");
-        functions[2] = toFunction(IAccessAdmin.createTarget.selector, "createTarget");
-        functions[3] = toFunction(IAccessAdmin.setTargetLocked.selector, "setTargetLocked");
-        functions[4] = toFunction(IAccessAdmin.authorizeFunctions.selector, "authorizeFunctions");
-        functions[5] = toFunction(IAccessAdmin.unauthorizeFunctions.selector, "unauthorizeFunctions");
-        _authorizeTargetFunctions(address(this), getManagerRole(), functions);
-    }
-
-    /// @dev check if target exists and reverts if it doesn't
-    function _checkTarget(address target)
-        internal
-    {
-        if (_targetInfo[target].createdAt.eqz()) {
-            revert ErrorTargetUnknown(target);
+            functionNames[i] = func.name.toString();
         }
     }
 
@@ -523,90 +416,85 @@ contract AccessAdmin is
     function _grantRoleAccessToFunctions(
         address target,
         RoleId roleId, 
-        bytes4[] memory functionSelectors
+        bytes4[] memory functionSelectors,
+        string[] memory functionNames,
+        bool allowLockedRoles // admin and public roles are locked
     )
         internal
+        onlyExistingTarget(target)
+        onlyExistingRole(roleId, true, allowLockedRoles)
     {
+
         _authority.setTargetFunctionRole(
             target,
             functionSelectors,
             RoleId.unwrap(roleId));
 
-        // implizit logging: rely on OpenZeppelin log TargetFunctionRoleUpdated
+        for (uint256 i = 0; i < functionSelectors.length; i++) {
+            emit LogAccessAdminFunctionGranted(
+                target, 
+                // _getAccountName(target), 
+                // string(abi.encodePacked("", functionSelectors[i])), 
+                functionNames[i], 
+                _getRoleName(roleId));
+        }
     }
 
+
     /// @dev grant the specified role to the provided account
     function _grantRoleToAccount(RoleId roleId, address account)
         internal
+        onlyExistingRole(roleId, true, false)
     {
-        _checkRoleId(roleId);
-        _checkRoleIsActive(roleId);
-
         // check max role members will not be exceeded
         if (_roleMembers[roleId].length() >= _roleInfo[roleId].maxMemberCount) {
             revert ErrorRoleMembersLimitReached(roleId, _roleInfo[roleId].maxMemberCount);
         }
 
+        // check account is contract for contract role
+        if (
+            _roleInfo[roleId].roleType == RoleType.Contract &&
+            !ContractLib.isContract(account) // will fail in account's constructor
+        ) {
+            revert ErrorRoleMemberNotContract(roleId, account);
+        }
+
+        // TODO check account already have roleId
         _roleMembers[roleId].add(account);
         _authority.grantRole(
             RoleId.unwrap(roleId), 
             account, 
             0);
         
-        // indirect logging: rely on OpenZeppelin log RoleGranted
+        emit LogAccessAdminRoleGranted(account, _getRoleName(roleId));
     }
 
     /// @dev revoke the specified role from the provided account
     function _revokeRoleFromAccount(RoleId roleId, address account)
         internal
+        onlyExistingRole(roleId, false, false)
     {
-        _checkRoleId(roleId);
 
         // check role removal is permitted
-        if (_roleInfo[roleId].memberRemovalDisabled) {
-            revert ErrorRoleRemovalDisabled(roleId);
+        if (_roleInfo[roleId].roleType == RoleType.Contract) {
+            revert ErrorRoleMemberRemovalDisabled(roleId, account);
         }
 
+        // TODO check account have roleId?
         _roleMembers[roleId].remove(account);
         _authority.revokeRole(
             RoleId.unwrap(roleId), 
             account);
 
-        // indirect logging: rely on OpenZeppelin log RoleGranted
-    }
-
-
-    function _checkRoleId(RoleId roleId)
-        internal
-    {
-        if (!_roleInfo[roleId].exists) {
-            revert ErrorRoleUnknown(roleId);
-        }
-
-        uint64 roleIdInt = RoleId.unwrap(roleId);
-        if (roleIdInt == _authority.ADMIN_ROLE()
-            || roleIdInt == _authority.PUBLIC_ROLE())
-        {
-            revert ErrorRoleIsLocked(roleId);
-        }
-    }
-
-
-    function _checkRoleIsActive(RoleId roleId)
-        internal
-    {
-        if (isRoleDisabled(roleId)) {
-            revert ErrorRoleIsDisabled(roleId);
-        }
+        emit LogAccessAdminRoleRevoked(account, _roleInfo[roleId].name.toString());
     }
 
 
+    /// @dev Creates a role based on the provided parameters.
+    /// Checks that the provided role and role id and role name not already used.
     function _createRole(
         RoleId roleId, 
-        RoleId adminRoleId, 
-        string memory roleName,
-        uint256 maxMemberCount,
-        bool memberRemovalDisabled
+        RoleInfo memory info
     )
         internal
     {
@@ -618,83 +506,55 @@ contract AccessAdmin is
         }
 
         // check admin role exists
-        if(!roleExists(adminRoleId)) {
-            revert ErrorRoleAdminNotExisting(adminRoleId);
+        if(!roleExists(info.adminRoleId)) {
+            revert ErrorRoleAdminNotExisting(info.adminRoleId);
         }
 
         // check role name is not empty
-        Str name = StrLib.toStr(roleName);
-        if(name.length() == 0) {
+        if(info.name.length() == 0) {
             revert ErrorRoleNameEmpty(roleId);
         }
 
         // check role name is not used for another role
-        if(_roleForName[name].exists) {
+        if(_roleForName[info.name].exists) {
             revert ErrorRoleNameAlreadyExists(
                 roleId, 
-                roleName,
-                _roleForName[name].roleId);
-        }
-
-        _createRoleUnchecked(
-            roleId, adminRoleId, 
-            name, 
-            maxMemberCount, 
-            memberRemovalDisabled);
-    }
-
-
-    function _setRoleDisabled(
-        RoleId roleId, 
-        bool disabled
-    )
-        internal
-    {
-
-        _checkRoleId(roleId);
-        Timestamp disabledAtOld = _roleInfo[roleId].disabledAt;
-
-        if (disabled) {
-            _roleInfo[roleId].disabledAt = TimestampLib.blockTimestamp();
-        } else {
-            _roleInfo[roleId].disabledAt = TimestampLib.max();
+                info.name.toString(),
+                _roleForName[info.name].roleId);
         }
 
-        emit LogRoleDisabled(roleId, disabled, disabledAtOld);
+        _createRoleUnchecked(roleId, info);
     }
 
 
     function _createRoleUnchecked(
         RoleId roleId, 
-        RoleId adminRoleId, 
-        Str name,
-        uint256 maxMemberCount,
-        bool memberRemovalDisabled
+        RoleInfo memory info
     )
         private
     {
         // create role info
-        _roleInfo[roleId] = RoleInfo({
-            adminRoleId: adminRoleId,
-            name: name,
-            maxMemberCount: maxMemberCount,
-            memberRemovalDisabled: memberRemovalDisabled,
-            disabledAt: TimestampLib.max(),
-            exists: true});
+        info.createdAt = TimestampLib.blockTimestamp();
+        _roleInfo[roleId] = info;
 
         // create role name info
-        _roleForName[name] = RoleNameInfo({
+        _roleForName[info.name] = RoleNameInfo({
             roleId: roleId,
             exists: true});
 
         // add role to list of roles
         _roleIds.push(roleId);
 
-        emit LogRoleCreated(roleId, adminRoleId, name.toString());
+        emit LogAccessAdminRoleCreated(roleId, info.roleType, info.adminRoleId, info.name.toString());
     }
 
 
-    function _createTarget(address target, string memory targetName)
+    function _createTarget(
+        address target, 
+        string memory targetName, 
+        bool checkAuthority,
+        bool custom
+    )
         internal
     {
         // check target does not yet exist
@@ -710,7 +570,7 @@ contract AccessAdmin is
             revert ErrorTargetNameEmpty(target);
         }
 
-        // check target name is not used for another role
+        // check target name is not used for another target
         if( _targetForName[name] != address(0)) {
             revert ErrorTargetNameAlreadyExists(
                 target, 
@@ -719,19 +579,22 @@ contract AccessAdmin is
         }
 
         // check target is an access managed contract
-        if (!isAccessManaged(target)) {
+        if (!_isAccessManaged(target)) {
             revert ErrorTargetNotAccessManaged(target);
         }
 
         // check target shares authority with this contract
-        address targetAuthority = AccessManagedUpgradeable(target).authority();
-        if (targetAuthority != authority()) {
-            revert ErrorTargetAuthorityMismatch(authority(), targetAuthority);
+        if (checkAuthority) {
+            address targetAuthority = AccessManagedUpgradeable(target).authority();
+            if (targetAuthority != authority()) {
+                revert ErrorTargetAuthorityMismatch(authority(), targetAuthority);
+            }
         }
 
         // create target info
         _targetInfo[target] = TargetInfo({
             name: name,
+            isCustom: custom,
             createdAt: TimestampLib.blockTimestamp()
         });
 
@@ -741,19 +604,86 @@ contract AccessAdmin is
         // add role to list of roles
         _targets.push(target);
 
-        emit LogTargetCreated(target, targetName);
+        emit LogAccessAdminTargetCreated(target, targetName);
     }
 
-    function _isContract(address target)
+
+    function _isAccessManaged(address target)
         internal
-        view 
+        view
         returns (bool)
     {
-        uint256 size;
-        assembly {
-            size := extcodesize(target)
+        if (!ContractLib.isContract(target)) {
+            return false;
+        }
+
+        (bool success, ) = target.staticcall(
+            abi.encodeWithSelector(
+                IAccessManagedChecker.authority.selector));
+
+        return success;
+    }
+
+
+    function _setTargetClosed(address target, bool locked)
+        internal
+    {
+        _checkTarget(target);
+
+        // target locked/unlocked already
+        if(_authority.isTargetClosed(target) == locked) {
+            revert ErrorTargetAlreadyLocked(target, locked);
+        }
+
+        _authority.setTargetClosed(target, locked);
+    }
+
+    function _getAccountName(address account) internal view returns (string memory) {
+        if (targetExists(account)) {
+            return _targetInfo[account].name.toString();
+        }
+        return "<unknown-account>";
+    }
+
+
+    function _getRoleName(RoleId roleId) internal view returns (string memory) {
+        if (roleExists(roleId)) {
+            return _roleInfo[roleId].name.toString();
+        }
+        return "<unknown-role>";
+    }
+
+
+    function _checkRoleExists(
+        RoleId roleId, 
+        bool onlyActiveRole
+    )
+        internal
+        view
+    {
+        if (!roleExists(roleId)) {
+            revert ErrorRoleUnknown(roleId);
+        }
+
+        uint64 roleIdInt = RoleId.unwrap(roleId);
+        if (roleIdInt == _authority.ADMIN_ROLE()) {
+            revert ErrorRoleIsLocked(roleId);
+        }
+
+        // check if role is disabled
+        if (onlyActiveRole && _roleInfo[roleId].pausedAt <= TimestampLib.blockTimestamp()) {
+            revert ErrorRoleIsPaused(roleId);
+        }
+    }
+
+
+    /// @dev check if target exists and reverts if it doesn't
+    function _checkTarget(address target)
+        internal
+        view
+    {
+        if (!targetExists(target)) {
+            revert ErrorTargetUnknown(target);
         }
-        return size > 0;
     }
-    
 }