npm - @etherisc/gif-next - Versions diffs - 0.0.2-f2b0fa2-473 → 0.0.2-f4f92b3-338 - Mend

@etherisc/gif-next 0.0.2-f2b0fa2-473 → 0.0.2-f4f92b3-338

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (267) hide show

package/contracts/instance/InstanceService.sol CHANGED Viewed

@@ -3,66 +3,311 @@ pragma solidity ^0.8.20;
 import {Clones} from "@openzeppelin/contracts/proxy/Clones.sol";
-import {AccessManagerSimple} from "./AccessManagerSimple.sol";
-import {InstanceAccessManager} from "./InstanceAccessManager.sol";
 import {Instance} from "./Instance.sol";
+import {IInstance} from "./IInstance.sol";
+import {InstanceAccessManager} from "./InstanceAccessManager.sol";
 import {IInstanceService} from "./IInstanceService.sol";
-import {Service} from "../shared/Service.sol";
+import {InstanceReader} from "./InstanceReader.sol";
+import {BundleManager} from "./BundleManager.sol";
 import {IRegistry} from "../registry/IRegistry.sol";
+import {IRegistryService} from "../registry/IRegistryService.sol";
+import {ChainNft} from "../registry/ChainNft.sol";
+import {Service} from "../../contracts/shared/Service.sol";
 import {IService} from "../shared/IService.sol";
-import {ContractDeployerLib} from "../shared/ContractDeployerLib.sol";
-import {NftId, NftIdLib, zeroNftId} from "../types/NftId.sol";
+import {NftId} from "../../contracts/types/NftId.sol";
+import {RoleId} from "../types/RoleId.sol";
+import {ADMIN_ROLE, DISTRIBUTION_OWNER_ROLE, POOL_OWNER_ROLE, PRODUCT_OWNER_ROLE, INSTANCE_SERVICE_ROLE, DISTRIBUTION_SERVICE_ROLE, POOL_SERVICE_ROLE, PRODUCT_SERVICE_ROLE, POLICY_SERVICE_ROLE, BUNDLE_SERVICE_ROLE} from "../types/RoleId.sol";
+import {ObjectType, INSTANCE, BUNDLE, POLICY, PRODUCT, DISTRIBUTION, REGISTRY, POOL} from "../types/ObjectType.sol";
 contract InstanceService is Service, IInstanceService {
-    address internal _registryAddress;
-    address internal _accessManagerMaster;
-    address internal _instanceAccessManagerMaster;
-    address internal _instanceMaster;
+    address internal _masterInstanceAccessManager;
+    address internal _masterInstance;
+    address internal _masterInstanceReader;
+    address internal _masterInstanceBundleManager;
     // TODO update to real hash when instance is stable
     bytes32 public constant INSTANCE_CREATION_CODE_HASH = bytes32(0);
-    string public constant NAME = "InstanceService";
+    modifier onlyInstanceOwner(NftId instanceNftId) {
+        IRegistry registry = getRegistry();
+        ChainNft chainNft = registry.getChainNft();
+        if( msg.sender != chainNft.ownerOf(instanceNftId.toInt())) {
+            revert ErrorInstanceServiceNotInstanceOwner(msg.sender, instanceNftId);
+        }
+        _;
+    }
+    modifier onlyRegisteredService() {
+        address caller = msg.sender;
+        if (! getRegistry().isRegisteredService(caller)) {
+            revert ErrorInstanceServiceRequestUnauhorized(caller);
+        }
+        _;
+    }
     function createInstanceClone()
         external
         returns (
-            AccessManagerSimple am,
-            InstanceAccessManager im,
-            Instance i
+            InstanceAccessManager clonedAccessManager,
+            Instance clonedInstance,
+            NftId clonedInstanceNftId,
+            InstanceReader clonedInstanceReader,
+            BundleManager clonedBundleManager
         )
     {
-        am = AccessManagerSimple(Clones.clone(_accessManagerMaster));
-        im = InstanceAccessManager(Clones.clone(_instanceAccessManagerMaster));
-        i = Instance(Clones.clone(_instanceMaster));
+        address instanceOwner = msg.sender;
+        IRegistry registry = getRegistry();
+        address registryAddress = address(registry);
+        NftId registryNftId = registry.getNftId(registryAddress);
+        address registryServiceAddress = registry.getServiceAddress(REGISTRY(), getMajorVersion());
+        IRegistryService registryService = IRegistryService(registryServiceAddress);
+        // initially set the authority of the access managar to this (being the instance service).
+        // This will allow the instance service to bootstrap the authorizations of the instance
+        // and then transfer the ownership of the access manager to the instance owner once everything is setup
+        clonedAccessManager = InstanceAccessManager(Clones.clone(_masterInstanceAccessManager));
+        clonedAccessManager.initialize(address(this));
+        clonedInstance = Instance(Clones.clone(_masterInstance));
+        clonedInstance.initialize(address(clonedAccessManager), registryAddress, registryNftId, msg.sender);
+        clonedInstanceReader = InstanceReader(Clones.clone(address(_masterInstanceReader)));
+        clonedInstanceReader.initialize(registryAddress, address(clonedInstance));
+        clonedInstance.setInstanceReader(clonedInstanceReader);
+        clonedBundleManager = BundleManager(Clones.clone(_masterInstanceBundleManager));
+        clonedBundleManager.initialize(address(clonedAccessManager), registryAddress, address(clonedInstance));
+        clonedInstance.setBundleManager(clonedBundleManager);
+        // TODO amend setters with instance specific , policy manager ...
+        _grantInitialAuthorizations(clonedAccessManager, clonedInstance, clonedBundleManager);
+        // to complete setup switch instance ownership to the instance owner
+        // TODO: use a role less powerful than admin, maybe INSTANCE_ADMIN (does not exist yet)
+        clonedAccessManager.grantRole(ADMIN_ROLE(), instanceOwner);
+        clonedAccessManager.revokeRole(ADMIN_ROLE(), address(this));
+        IRegistry.ObjectInfo memory info = registryService.registerInstance(clonedInstance, instanceOwner);
+        clonedInstanceNftId = info.nftId;
+        // clonedInstance.linkToRegisteredNftId();
+        emit LogInstanceCloned(address(clonedAccessManager), address(clonedInstance), address(clonedInstanceReader), clonedInstanceNftId);
     }
-    function setAccessManagerMaster(address accessManager) external {
-        _accessManagerMaster = accessManager;
+    function _grantInitialAuthorizations(InstanceAccessManager clonedAccessManager, Instance clonedInstance, BundleManager clonedBundleManager) internal {
+        _createGifRoles(clonedAccessManager);
+        _createGifTargets(clonedAccessManager, clonedInstance, clonedBundleManager);
+        _grantDistributionServiceAuthorizations(clonedAccessManager, clonedInstance);
+        _grantPoolServiceAuthorizations(clonedAccessManager, clonedInstance);
+        _grantProductServiceAuthorizations(clonedAccessManager, clonedInstance);
+        _grantPolicyServiceAuthorizations(clonedAccessManager, clonedInstance);
+        _grantBundleServiceAuthorizations(clonedAccessManager, clonedInstance, clonedBundleManager);
+        _grantInstanceServiceAuthorizations(clonedAccessManager, clonedInstance);
     }
-    function setInstanceAccessManagerMaster(address instanceAccessManager) external {
-        _instanceAccessManagerMaster = instanceAccessManager;
+    function _createGifRoles(InstanceAccessManager clonedAccessManager) internal {
+        clonedAccessManager.createGifRole(DISTRIBUTION_OWNER_ROLE(), "DistributionOwnerRole");
+        clonedAccessManager.createGifRole(POOL_OWNER_ROLE(), "PoolOwnerRole");
+        clonedAccessManager.createGifRole(PRODUCT_OWNER_ROLE(), "ProductOwnerRole");
+        clonedAccessManager.createGifRole(DISTRIBUTION_SERVICE_ROLE(), "DistributionServiceRole");
+        clonedAccessManager.createGifRole(POOL_SERVICE_ROLE(), "PoolServiceRole");
+        clonedAccessManager.createGifRole(PRODUCT_SERVICE_ROLE(), "ProductServiceRole");
+        clonedAccessManager.createGifRole(POLICY_SERVICE_ROLE(), "PolicyServiceRole");
+        clonedAccessManager.createGifRole(BUNDLE_SERVICE_ROLE(), "BundleServiceRole");
+        clonedAccessManager.createGifRole(INSTANCE_SERVICE_ROLE(), "InstanceServiceRole");
+    }
+    function _createGifTargets(InstanceAccessManager clonedAccessManager, Instance clonedInstance, BundleManager clonedBundleManager) internal {
+        clonedAccessManager.createGifTarget(address(clonedInstance), "Instance");
+        clonedAccessManager.createGifTarget(address(clonedBundleManager), "BundleManager");
+    }
+    function _grantDistributionServiceAuthorizations(InstanceAccessManager clonedAccessManager, Instance clonedInstance) internal {
+        // configure authorization for distribution service on instance
+        IRegistry registry = getRegistry();
+        address distributionServiceAddress = registry.getServiceAddress(DISTRIBUTION(), getMajorVersion());
+        clonedAccessManager.grantRole(DISTRIBUTION_SERVICE_ROLE(), distributionServiceAddress);
+        bytes4[] memory instanceDistributionServiceSelectors = new bytes4[](2);
+        instanceDistributionServiceSelectors[0] = clonedInstance.createDistributionSetup.selector;
+        instanceDistributionServiceSelectors[1] = clonedInstance.updateDistributionSetup.selector;
+        clonedAccessManager.setTargetFunctionRole(
+            "Instance",
+            instanceDistributionServiceSelectors,
+            DISTRIBUTION_SERVICE_ROLE());
+    }
+    function _grantPoolServiceAuthorizations(InstanceAccessManager clonedAccessManager, Instance clonedInstance) internal {
+        // configure authorization for pool service on instance
+        address poolServiceAddress = _registry.getServiceAddress(POOL(), getMajorVersion());
+        clonedAccessManager.grantRole(POOL_SERVICE_ROLE(), address(poolServiceAddress));
+        bytes4[] memory instancePoolServiceSelectors = new bytes4[](4);
+        instancePoolServiceSelectors[0] = clonedInstance.createPoolSetup.selector;
+        instancePoolServiceSelectors[1] = clonedInstance.updatePoolSetup.selector;
+        clonedAccessManager.setTargetFunctionRole(
+            "Instance",
+            instancePoolServiceSelectors,
+            POOL_SERVICE_ROLE());
+    }
+    function _grantProductServiceAuthorizations(InstanceAccessManager clonedAccessManager, Instance clonedInstance) internal {
+        // configure authorization for product service on instance
+        address productServiceAddress = _registry.getServiceAddress(PRODUCT(), getMajorVersion());
+        clonedAccessManager.grantRole(PRODUCT_SERVICE_ROLE(), address(productServiceAddress));
+        bytes4[] memory instanceProductServiceSelectors = new bytes4[](5);
+        instanceProductServiceSelectors[0] = clonedInstance.createProductSetup.selector;
+        instanceProductServiceSelectors[1] = clonedInstance.updateProductSetup.selector;
+        instanceProductServiceSelectors[2] = clonedInstance.createRisk.selector;
+        instanceProductServiceSelectors[3] = clonedInstance.updateRisk.selector;
+        instanceProductServiceSelectors[4] = clonedInstance.updateRiskState.selector;
+        clonedAccessManager.setTargetFunctionRole(
+            "Instance",
+            instanceProductServiceSelectors,
+            PRODUCT_SERVICE_ROLE());
     }
-    function setInstanceMaster(address instance) external {
-        _instanceMaster = instance;
+    function _grantPolicyServiceAuthorizations(InstanceAccessManager clonedAccessManager, Instance clonedInstance) internal {
+        // configure authorization for policy service on instance
+        address policyServiceAddress = _registry.getServiceAddress(POLICY(), getMajorVersion());
+        clonedAccessManager.grantRole(POLICY_SERVICE_ROLE(), address(policyServiceAddress));
+        bytes4[] memory instancePolicyServiceSelectors = new bytes4[](3);
+        instancePolicyServiceSelectors[0] = clonedInstance.createPolicy.selector;
+        instancePolicyServiceSelectors[1] = clonedInstance.updatePolicy.selector;
+        instancePolicyServiceSelectors[2] = clonedInstance.updatePolicyState.selector;
+        clonedAccessManager.setTargetFunctionRole(
+            "Instance",
+            instancePolicyServiceSelectors,
+            POLICY_SERVICE_ROLE());
     }
-    function getAccessManagerMaster() external view returns (address) { return address(_accessManagerMaster); }
-    function getInstanceAccessManagerMaster() external view returns (address) { return address(_instanceAccessManagerMaster); }
-    function getInstanceMaster() external view returns (address) { return address(_instanceMaster); }
+    function _grantBundleServiceAuthorizations(InstanceAccessManager clonedAccessManager, Instance clonedInstance, BundleManager clonedBundleManager) internal {
+        // configure authorization for bundle service on instance
+        address bundleServiceAddress = _registry.getServiceAddress(BUNDLE(), getMajorVersion());
+        clonedAccessManager.grantRole(BUNDLE_SERVICE_ROLE(), address(bundleServiceAddress));
+        bytes4[] memory instanceBundleServiceSelectors = new bytes4[](2);
+        instanceBundleServiceSelectors[0] = clonedInstance.createBundle.selector;
+        instanceBundleServiceSelectors[1] = clonedInstance.updateBundle.selector;
+        clonedAccessManager.setTargetFunctionRole(
+            "Instance",
+            instanceBundleServiceSelectors,
+            BUNDLE_SERVICE_ROLE());
+        // configure authorization for bundle service on bundle manager
+        bytes4[] memory bundleManagerBundleServiceSelectors = new bytes4[](5);
+        bundleManagerBundleServiceSelectors[0] = clonedBundleManager.linkPolicy.selector;
+        bundleManagerBundleServiceSelectors[1] = clonedBundleManager.unlinkPolicy.selector;
+        bundleManagerBundleServiceSelectors[2] = clonedBundleManager.add.selector;
+        bundleManagerBundleServiceSelectors[3] = clonedBundleManager.lock.selector;
+        bundleManagerBundleServiceSelectors[4] = clonedBundleManager.unlock.selector;
+        clonedAccessManager.setTargetFunctionRole(
+            "BundleManager",
+            bundleManagerBundleServiceSelectors,
+            BUNDLE_SERVICE_ROLE());
+    }
+    function _grantInstanceServiceAuthorizations(InstanceAccessManager clonedAccessManager, Instance clonedInstance) internal {
+// configure authorization for instance service on instance
+        address instanceServiceAddress = _registry.getServiceAddress(INSTANCE(), getMajorVersion());
+        clonedAccessManager.grantRole(INSTANCE_SERVICE_ROLE(), instanceServiceAddress);
+        bytes4[] memory instanceInstanceServiceSelectors = new bytes4[](1);
+        instanceInstanceServiceSelectors[0] = clonedInstance.setInstanceReader.selector;
+        clonedAccessManager.setTargetFunctionRole(
+            "Instance",
+            instanceInstanceServiceSelectors,
+            INSTANCE_SERVICE_ROLE());
+    }
+    function setAndRegisterMasterInstance(
+        address accessManagerAddress,
+        address instanceAddress,
+        address instanceReaderAddress,
+        address bundleManagerAddress)
+            external
+            onlyOwner
+            returns(NftId masterInstanceNftId)
+    {
+        require(_masterInstanceAccessManager == address(0), "ERROR:CRD-001:ACCESS_MANAGER_MASTER_ALREADY_SET");
+        require(_masterInstance == address(0), "ERROR:CRD-002:INSTANCE_MASTER_ALREADY_SET");
+        require(_masterInstanceBundleManager == address(0), "ERROR:CRD-004:BUNDLE_MANAGER_MASTER_ALREADY_SET");
+        require (accessManagerAddress != address(0), "ERROR:CRD-005:ACCESS_MANAGER_ZERO");
+        require (instanceAddress != address(0), "ERROR:CRD-006:INSTANCE_ZERO");
+        require (instanceReaderAddress != address(0), "ERROR:CRD-007:INSTANCE_READER_ZERO");
+        require (bundleManagerAddress != address(0), "ERROR:CRD-008:BUNDLE_MANAGER_ZERO");
+        IInstance instance = IInstance(instanceAddress);
+        InstanceReader instanceReader = InstanceReader(instanceReaderAddress);
+        BundleManager bundleManager = BundleManager(bundleManagerAddress);
+        require(instance.authority() == accessManagerAddress, "ERROR:CRD-009:INSTANCE_AUTHORITY_MISMATCH");
+        require(instanceReader.getInstance() == instance, "ERROR:CRD-010:INSTANCE_READER_INSTANCE_MISMATCH");
+        require(bundleManager.getInstance() == instance, "ERROR:CRD-011:BUNDLE_MANAGER_INSTANCE_MISMATCH");
+        _masterInstanceAccessManager = accessManagerAddress;
+        _masterInstance = instanceAddress;
+        _masterInstanceReader = instanceReaderAddress;
+        _masterInstanceBundleManager = bundleManagerAddress;
+        IRegistryService registryService = IRegistryService(getRegistry().getServiceAddress(REGISTRY(), getMajorVersion()));
+        IInstance masterInstance = IInstance(_masterInstance);
+        IRegistry.ObjectInfo memory info = registryService.registerInstance(masterInstance, getOwner());
+        masterInstanceNftId = info.nftId;
+        // masterInstance.linkToRegisteredNftId();
+    }
+    function setMasterInstanceReader(address instanceReaderAddress) external onlyOwner {
+        require(_masterInstanceReader != address(0), "ERROR:CRD-003:INSTANCE_READER_MASTER_NOT_SET");
+        require (instanceReaderAddress != address(0), "ERROR:CRD-012:INSTANCE_READER_ZERO");
+        require(instanceReaderAddress != _masterInstanceReader, "ERROR:CRD-014:INSTANCE_READER_MASTER_SAME_AS_NEW");
+        InstanceReader instanceReader = InstanceReader(instanceReaderAddress);
+        require(instanceReader.getInstance() == IInstance(_masterInstance), "ERROR:CRD-015:INSTANCE_READER_INSTANCE_MISMATCH");
+        _masterInstanceReader = instanceReaderAddress;
+    }
+    // TODO access restriction
+    function upgradeInstanceReader(NftId instanceNftId) external {
+        IRegistry registry = getRegistry();
+        IRegistry.ObjectInfo memory instanceInfo = registry.getObjectInfo(instanceNftId);
+        Instance instance = Instance(instanceInfo.objectAddress);
+        address owner = instance.getOwner();
+        if (msg.sender != owner) {
+            revert ErrorInstanceServiceRequestUnauhorized(msg.sender);
+        }
+        InstanceReader upgradedInstanceReaderClone = InstanceReader(Clones.clone(address(_masterInstanceReader)));
+        upgradedInstanceReaderClone.initialize(address(registry), address(instance));
+        instance.setInstanceReader(upgradedInstanceReaderClone);
+    }
+    function getMasterInstanceReader() external view returns (address) {
+        return _masterInstanceReader;
+    }
+    function getMasterInstance() external view returns (address) {
+        return _masterInstance;
+    }
+    function getMasterInstanceAccessManager() external view returns (address) {
+        return _masterInstanceAccessManager;
+    }
+    function getMasterInstanceBundleManager() external view returns (address) {
+        return _masterInstanceBundleManager;
+    }
     // From IService
-    function getName() public pure override(IService, Service) returns(string memory) {
-        return NAME;
+    function getDomain() public pure override(Service, IService) returns(ObjectType) {
+        return INSTANCE();
     }
     /// @dev top level initializer
-    // 1) registry is non upgradeable -> don't need a proxy and uses constructor !
-    // 2) deploy registry service first -> from its initialization func it is easier to deploy registry then vice versa
-    // 3) deploy registry -> pass registry service address as constructor argument
-    // registry is getting instantiated and locked to registry service address forever
     function _initialize(
         address owner,
         bytes memory data
@@ -71,32 +316,47 @@ contract InstanceService is Service, IInstanceService {
         initializer
         virtual override
     {
-        // bytes memory encodedConstructorArguments = abi.encode(
-        //     _registryAddress);
+        address initialOwner;
+        address registryAddress;
+        (registryAddress, initialOwner) = abi.decode(data, (address, address));
+        // TODO while InstanceService is not deployed in InstanceServiceManager constructor
+        //      owner is InstanceServiceManager deployer
+        _initializeService(registryAddress, owner);
+        _registerInterface(type(IInstanceService).interfaceId);
+    }
-        // bytes memory instanceCreationCode = ContractDeployerLib.getCreationCode(
-        //     instanceByteCodeWithInitCode,
-        //     encodedConstructorArguments);
+    function hasRole(address account, RoleId role, address instanceAddress) public view returns (bool) {
+        Instance instance = Instance(instanceAddress);
+        InstanceAccessManager accessManager = InstanceAccessManager(instance.authority());
+        return accessManager.hasRole(role, account);
+    }
-        // address instanceAddress = ContractDeployerLib.deploy(
-        //     instanceCreationCode,
-        //     INSTANCE_CREATION_CODE_HASH);
+    function createTarget(NftId instanceNftId, address targetAddress, string memory targetName) external onlyRegisteredService {
+        IRegistry registry = getRegistry();
+        IRegistry.ObjectInfo memory instanceInfo = registry.getObjectInfo(instanceNftId);
+        Instance instance = Instance(instanceInfo.objectAddress);
+        InstanceAccessManager accessManager = InstanceAccessManager(instance.authority());
+        accessManager.createTarget(targetAddress, targetName);
+    }
-        address initialOwner = address(0);
-        (_registryAddress, initialOwner) = abi.decode(data, (address, address));
+    function setTargetLocked(string memory targetName, bool locked) external {
+        address componentAddress = msg.sender;
+        IRegistry registry = getRegistry();
+        IRegistry.ObjectInfo memory componentInfo = registry.getObjectInfo(componentAddress);
+        if (componentInfo.nftId.eqz()) {
+            revert ErrorInstanceServiceComponentNotRegistered(componentAddress);
+        }
-        // // TODO register instance in registry
-        IRegistry registry = IRegistry(_registryAddress);
-        NftId registryNftId = registry.getNftId(_registryAddress);
+        // TODO validate component type
-        _initializeService(_registryAddress, initialOwner);
-        _registerInterface(type(IService).interfaceId);
-        _registerInterface(type(IInstanceService).interfaceId);
-    }
-    function getInstance() external view returns (Instance) {
-        return Instance(address(this));
+        address instanceAddress = registry.getObjectInfo(componentInfo.parentNftId).objectAddress;
+        IInstance instance = IInstance(instanceAddress);
+        InstanceAccessManager accessManager = InstanceAccessManager(instance.authority());
+        accessManager.setTargetClosed(targetName, locked);
     }
 }

package/contracts/instance/InstanceServiceManager.sol CHANGED Viewed

@@ -7,7 +7,7 @@ import {ProxyManager} from "../shared/ProxyManager.sol";
 import {InstanceService} from "./InstanceService.sol";
 import {Registry} from "../registry/Registry.sol";
 import {RegistryService} from "../registry/RegistryService.sol";
-import {VersionLib} from "../types/Version.sol";
+import {REGISTRY} from "../types/ObjectType.sol";
 contract InstanceServiceManager is ProxyManager {
@@ -28,20 +28,18 @@ contract InstanceServiceManager is ProxyManager {
         _instanceService = InstanceService(address(versionable));
-        Registry registry = Registry(registryAddress);
-        address registryServiceAddress = registry.getServiceAddress("RegistryService", VersionLib.toVersion(3, 0, 0).toMajorPart());
-        RegistryService registryService = RegistryService(registryServiceAddress);
-        registryService.registerService(_instanceService);
+        // TODO `this` must have a role or own nft to register service
+        //Registry registry = Registry(registryAddress);
+        //address registryServiceAddress = registry.getServiceAddress(REGISTRY(), _instanceService.getMajorVersion());
+        //RegistryService registryService = RegistryService(registryServiceAddress);
+        //registryService.registerService(_instanceService);
         // RegistryService registryService = _instanceService.getRegistryService();
+        // TODO no nft to link yet
         // link ownership of instance service manager ot nft owner of instance service
-        _linkToNftOwnable(
-            address(registryAddress),
-            address(_instanceService));
-        // implies that after this constructor call only upgrade functionality is available
-        _isDeployed = true;
+        //_linkToNftOwnable(
+        //    address(registryAddress),
+        //    address(_instanceService));
     }
     //--- view functions ----------------------------------------------------//

package/contracts/instance/ObjectManager.sol ADDED Viewed

@@ -0,0 +1,84 @@
+// SPDX-License-Identifier: Apache-2.0
+pragma solidity ^0.8.20;
+import {Cloneable} from "./Cloneable.sol";
+import {IInstance} from "./IInstance.sol";
+import {INSTANCE} from "../types/ObjectType.sol";
+import {InstanceReader} from "./InstanceReader.sol";
+import {IRegistry} from "../registry/IRegistry.sol";
+import {LibNftIdSet} from "../types/NftIdSet.sol";
+import {NftId} from "../types/NftId.sol";
+contract ObjectManager is
+    Cloneable
+{
+    event LogObjectManagerInitialized(address instance);
+    error ErrorObjectManagerNftIdInvalid(NftId instanceNftId);
+    error ErrorObjectManagerAlreadyAdded(NftId componentNftId, NftId objectNftId);
+    mapping(NftId compnentNftId => LibNftIdSet.Set objects) internal _activeObjects;
+    mapping(NftId compnentNftId => LibNftIdSet.Set objects) internal _allObjects;
+    IInstance internal _instance; // store instance address -> more flexible, instance may not be registered during ObjectManager initialization
+    /// @dev call to initialize MUST be made in the same transaction as cloning of the contract
+    function initialize(
+        address authority,
+        address registry,
+        address instance
+    )
+        external
+    {
+        initialize(authority, registry);
+        _instance = IInstance(instance);
+        emit LogObjectManagerInitialized(instance);
+    }
+    function getInstance() external view returns (IInstance) {
+        return _instance;
+    }
+    function _add(NftId componentNftId, NftId objectNftId) internal {
+        LibNftIdSet.Set storage allSet = _allObjects[componentNftId];
+        LibNftIdSet.Set storage activeSet = _activeObjects[componentNftId];
+        LibNftIdSet.add(allSet, objectNftId);
+        LibNftIdSet.add(activeSet, objectNftId);
+    }
+    function _activate(NftId componentNftId, NftId objectNftId) internal {
+        LibNftIdSet.add(_activeObjects[componentNftId], objectNftId);
+    }
+    function _deactivate(NftId componentNftId, NftId objectNftId) internal {
+        LibNftIdSet.remove(_activeObjects[componentNftId], objectNftId);
+    }
+    function _objects(NftId componentNftId) internal view returns (uint256) {
+        return LibNftIdSet.size(_allObjects[componentNftId]);
+    }
+    function _contains(NftId componentNftId, NftId objectNftId) internal view returns (bool) {
+        return LibNftIdSet.contains(_allObjects[componentNftId], objectNftId);
+    }
+    function _getObject(NftId componentNftId, uint256 idx) internal view returns (NftId) {
+        return LibNftIdSet.getElementAt(_allObjects[componentNftId], idx);
+    }
+    function _activeObjs(NftId componentNftId) internal view returns (uint256)  {
+        return LibNftIdSet.size(_activeObjects[componentNftId]);
+    }
+    function _isActive(NftId componentNftId, NftId objectNftId) internal view returns (bool) {
+        return LibNftIdSet.contains(_activeObjects[componentNftId], objectNftId);
+    }
+    function _getActiveObject(NftId componentNftId, uint256 idx) internal view returns (NftId) {
+        return LibNftIdSet.getElementAt(_activeObjects[componentNftId], idx);
+    }
+}

package/contracts/instance/base/ComponentService.sol ADDED Viewed

@@ -0,0 +1,134 @@
+// SPDX-License-Identifier: Apache-2.0
+pragma solidity ^0.8.19;
+import {IComponent} from "../../components/IComponent.sol";
+import {IRegistry} from "../../registry/IRegistry.sol";
+import {IRegistryService} from "../../registry/IRegistryService.sol";
+import {IInstance} from "../../instance/IInstance.sol";
+import {IAccess} from "../module/IAccess.sol";
+import {ObjectType, INSTANCE, REGISTRY} from "../../types/ObjectType.sol";
+import {NftId} from "../../types/NftId.sol";
+import {RoleId} from "../../types/RoleId.sol";
+import {Service} from "../../shared/Service.sol";
+import {InstanceService} from "../InstanceService.sol";
+import {InstanceAccessManager} from "../InstanceAccessManager.sol";
+abstract contract ComponentService is Service {
+    error ErrorComponentServiceAlreadyRegistered(address component, NftId nftId);
+    error ErrorComponentServiceNotComponent(address component);
+    error ErrorComponentServiceInvalidType(address component, ObjectType requiredType, ObjectType componentType);
+    error ErrorComponentServiceSenderNotOwner(address component, address initialOwner, address sender);
+    error ErrorComponentServiceExpectedRoleMissing(NftId instanceNftId, RoleId requiredRole, address sender);
+    error ErrorComponentServiceComponentLocked(address component);
+    /// @dev modifier to check if caller is a registered service
+    modifier onlyService() {
+        address caller = msg.sender;
+        require(getRegistry().isRegisteredService(caller), "ERROR_NOT_SERVICE");
+        _;
+    }
+    // view functions
+    function getRegistryService() public view virtual returns (IRegistryService) {
+        address service = getRegistry().getServiceAddress(REGISTRY(), getMajorVersion());
+        return IRegistryService(service);
+    }
+    function getInstanceService() public view returns (InstanceService) {
+        address service = getRegistry().getServiceAddress(INSTANCE(), getMajorVersion());
+        return InstanceService(service);
+    }
+    // internal functions
+    function _checkComponentForRegistration(
+        address componentAddress,
+        ObjectType requiredType,
+        RoleId requiredRole
+    )
+        internal
+        view
+        returns (
+            IComponent component,
+            address owner,
+            IInstance instance,
+            NftId instanceNftId
+        )
+    {
+        // component may only be registerd by initial owner of component
+        owner = msg.sender;
+        // check component has not already been registerd
+        NftId compoentNftId = _registry.getNftId(componentAddress);
+        if(compoentNftId.gtz()) {
+            revert ErrorComponentServiceAlreadyRegistered(componentAddress, compoentNftId);
+        }
+        // check this is a component
+        component = IComponent(componentAddress);
+        if(!component.supportsInterface(type(IComponent).interfaceId)) {
+            revert ErrorComponentServiceNotComponent(componentAddress);
+        }
+        // check component is of required type
+        IRegistry.ObjectInfo memory componentInfo = component.getInitialInfo();
+        if(componentInfo.objectType != requiredType) {
+            revert ErrorComponentServiceInvalidType(componentAddress, requiredType, componentInfo.objectType);
+        }
+        // check msg.sender is component owner
+        address initialOwner = componentInfo.initialOwner;
+        if(owner != initialOwner) {
+            revert ErrorComponentServiceSenderNotOwner(componentAddress, componentInfo.initialOwner, owner);
+        }
+        // check instance has assigned required role to owner
+        instanceNftId = componentInfo.parentNftId;
+        instance = _getInstance(instanceNftId);
+        bool hasRole = getInstanceService().hasRole(
+            owner,
+            requiredRole,
+            address(instance));
+        if(!hasRole) {
+            revert ErrorComponentServiceExpectedRoleMissing(instanceNftId, requiredRole, owner);
+        }
+    }
+    // internal view functions
+    function _getInstance(NftId instanceNftId) internal view returns (IInstance) {
+        IRegistry.ObjectInfo memory instanceInfo = getRegistry().getObjectInfo(instanceNftId);
+        return IInstance(instanceInfo.objectAddress);
+    }
+    function _getAndVerifyComponentInfoAndInstance(
+        //address component,
+        ObjectType expectedType
+    )
+        internal
+        view
+        returns(
+            IRegistry.ObjectInfo memory info,
+            IInstance instance
+        )
+    {
+        IRegistry registry = getRegistry();
+        //TODO redundant check -> just check type
+        //NftId componentNftId = registry.getNftId(component);
+        //require(componentNftId.gtz(), "ERROR_COMPONENT_UNKNOWN");
+        info = registry.getObjectInfo(msg.sender);
+        require(info.objectType == expectedType, "OBJECT_TYPE_INVALID");
+        address instanceAddress = registry.getObjectInfo(info.parentNftId).objectAddress;
+        instance = IInstance(instanceAddress);
+        InstanceAccessManager accessManager = InstanceAccessManager(instance.authority());
+        if (accessManager.isTargetLocked(info.objectAddress)) {
+            revert IAccess.ErrorIAccessTargetLocked(info.objectAddress);
+        }
+    }
+}