npm - @etherisc/gif-next - Versions diffs - 0.0.2-fd4931b-974 → 0.0.2-fd4ee14-428 - Mend

@etherisc/gif-next 0.0.2-fd4931b-974 → 0.0.2-fd4ee14-428

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (393) hide show

package/contracts/instance/Instance.sol CHANGED Viewed

@@ -3,25 +3,30 @@ pragma solidity ^0.8.20;
 import {AccessManagedUpgradeable} from "@openzeppelin/contracts-upgradeable/access/manager/AccessManagedUpgradeable.sol";
+import {Amount} from "../type/Amount.sol";
 import {Key32} from "../type/Key32.sol";
 import {NftId} from "../type/NftId.sol";
 import {RiskId} from "../type/RiskId.sol";
 import {ObjectType, BUNDLE, DISTRIBUTION, INSTANCE, POLICY, POOL, ROLE, PRODUCT, TARGET, COMPONENT, DISTRIBUTOR, DISTRIBUTOR_TYPE} from "../type/ObjectType.sol";
 import {RoleId, RoleIdLib, eqRoleId, ADMIN_ROLE, INSTANCE_ROLE, INSTANCE_OWNER_ROLE} from "../type/RoleId.sol";
-import {VersionPart, VersionPartLib} from "../type/Version.sol";
 import {ClaimId} from "../type/ClaimId.sol";
 import {ReferralId} from "../type/Referral.sol";
 import {PayoutId} from "../type/PayoutId.sol";
 import {DistributorType} from "../type/DistributorType.sol";
+import {Seconds} from "../type/Seconds.sol";
+import {UFixed} from "../type/UFixed.sol";
+import {VersionPart, VersionPartLib} from "../type/Version.sol";
 import {Registerable} from "../shared/Registerable.sol";
 import {TokenHandler} from "../shared/TokenHandler.sol";
+import {AccessManagerExtendedInitializeable} from "../shared/AccessManagerExtendedInitializeable.sol";
 import {IRegistry} from "../registry/IRegistry.sol";
 import {IInstance} from "./IInstance.sol";
+import {IInstanceService} from "./IInstanceService.sol";
 import {InstanceReader} from "./InstanceReader.sol";
-import {InstanceAccessManager} from "./InstanceAccessManager.sol";
+import {InstanceAdmin} from "./InstanceAdmin.sol";
 import {BundleManager} from "./BundleManager.sol";
 import {InstanceStore} from "./InstanceStore.sol";
@@ -48,7 +53,8 @@ contract Instance is
     bool private _initialized;
-    InstanceAccessManager internal _accessManager;
+    IInstanceService internal _instanceService;
+    InstanceAdmin internal _instanceAdmin;
     InstanceReader internal _instanceReader;
     BundleManager internal _bundleManager;
     InstanceStore internal _instanceStore;
@@ -65,7 +71,7 @@ contract Instance is
         initializer()
     {
         if(authority == address(0)) {
-            revert ErrorInstanceInstanceAccessManagerZero();
+            revert ErrorInstanceInstanceAdminZero();
         }
         __AccessManaged_init(authority);
@@ -73,40 +79,82 @@ contract Instance is
         IRegistry registry = IRegistry(registryAddress);
         initializeRegisterable(registryAddress, registry.getNftId(), INSTANCE(), true, initialOwner, "");
+        _instanceService = IInstanceService(
+            getRegistry().getServiceAddress(
+                INSTANCE(),
+                getMajorVersion()));
         registerInterface(type(IInstance).interfaceId);
     }
+    //--- Staking ----------------------------------------------------------//
+    function setStakingLockingPeriod(Seconds stakeLockingPeriod)
+        external
+        // TODO decide if onlyOwner or restricted to instance owner role is better
+        onlyOwner()
+    {
+        _instanceService.setStakingLockingPeriod(stakeLockingPeriod);
+    }
+    function setStakingRewardRate(UFixed rewardRate)
+        external
+        onlyOwner()
+    {
+        _instanceService.setStakingRewardRate(rewardRate);
+    }
+    function refillStakingRewardReserves(Amount dipAmount)
+        external
+        onlyOwner()
+    {
+        address instanceOwner = msg.sender;
+        _instanceService.refillStakingRewardReserves(instanceOwner, dipAmount);
+    }
+    function withdrawStakingRewardReserves(Amount dipAmount)
+        external
+        onlyOwner()
+        returns (Amount newBalance)
+    {
+        return _instanceService.withdrawStakingRewardReserves(dipAmount);
+    }
     //--- Roles ------------------------------------------------------------//
     function createRole(string memory roleName, string memory adminName)
         external
+        // TODO decide if onlyOwner or restricted to instance owner role is better
         restricted // INSTANCE_OWNER_ROLE
         returns (RoleId roleId, RoleId admin)
     {
-        (roleId, admin) = _accessManager.createRole(roleName, adminName);
+        (roleId, admin) = _instanceAdmin.createRole(roleName, adminName);
     }
     function grantRole(RoleId roleId, address account)
         external
+        // TODO decide if onlyOwner or restricted to instance owner role is better
         restricted // INSTANCE_OWNER_ROLE
     {
-        _accessManager.grantRole(roleId, account);
+        AccessManagerExtendedInitializeable(authority()).grantRole(roleId.toInt(), account, 0);
     }
     function revokeRole(RoleId roleId, address account)
         external
+        // TODO decide if onlyOwner or restricted to instance owner role is better
         restricted // INSTANCE_OWNER_ROLE
     {
-        _accessManager.revokeRole(roleId, account);
+        AccessManagerExtendedInitializeable(authority()).revokeRole(roleId.toInt(), account);
     }
     //--- Targets ------------------------------------------------------------//
     function createTarget(address target, string memory name)
         external
+        // TODO decide if onlyOwner or restricted to instance owner role is better
         restricted // INSTANCE_OWNER_ROLE
     {
-        _accessManager.createTarget(target, name);
+        _instanceAdmin.createTarget(target, name);
     }
     function setTargetFunctionRole(
@@ -117,38 +165,41 @@ contract Instance is
         external
         restricted // INSTANCE_OWNER_ROLE
     {
-        _accessManager.setTargetFunctionRole(targetName, selectors, roleId);
+        _instanceAdmin.setTargetFunctionRoleByInstance(targetName, selectors, roleId);
     }
     function setTargetLocked(address target, bool locked)
         external
         restricted // INSTANCE_OWNER_ROLE
     {
-        _accessManager.setTargetLockedByInstance(target, locked);
+        _instanceAdmin.setTargetLockedByInstance(target, locked);
     }
-    //--- ITransferInterceptor ------------------------------------------------------------//
+    //--- ITransferInterceptor ----------------------------------------------//
+    // TODO interception of child components nfts
     function nftMint(address to, uint256 tokenId) external onlyChainNft {
-        assert(_accessManager.roleMembers(INSTANCE_OWNER_ROLE()) == 0);// temp
-        assert(_accessManager.grantRole(INSTANCE_OWNER_ROLE(), to) == true);
+        _instanceAdmin.transferInstanceOwnerRole(address(0), to);
     }
     function nftTransferFrom(address from, address to, uint256 tokenId) external onlyChainNft {
-        assert(_accessManager.revokeRole(INSTANCE_OWNER_ROLE(), from) == true);
-        assert(_accessManager.grantRole(INSTANCE_OWNER_ROLE(), to) == true);
+        _instanceAdmin.transferInstanceOwnerRole(from, to);
     }
+    //function nftBurn(address from, uint256 tokenId) external onlyChainNft {
+        //_instanceAdmin.transferInstanceOwnerRole(from, address(0));
+    //}
     //--- initial setup functions -------------------------------------------//
-    function setInstanceAccessManager(InstanceAccessManager accessManager) external restricted {
-        if(address(_accessManager) != address(0)) {
-            revert ErrorInstanceInstanceAccessManagerAlreadySet(address(_accessManager));
+    function setInstanceAdmin(InstanceAdmin accessManager) external restricted {
+        if(address(_instanceAdmin) != address(0)) {
+            revert ErrorInstanceInstanceAdminAlreadySet(address(_instanceAdmin));
         }
         if(accessManager.authority() != authority()) {
-            revert ErrorInstanceInstanceAccessManagerAuthorityMismatch(authority());
+            revert ErrorInstanceInstanceAdminAuthorityMismatch(authority());
         }
-        _accessManager = accessManager;
+        _instanceAdmin = accessManager;
     }
     function setBundleManager(BundleManager bundleManager) external restricted() {
@@ -172,20 +223,6 @@ contract Instance is
         _instanceReader = instanceReader;
     }
-    //--- external view functions -------------------------------------------//
-    function getInstanceReader() external view returns (InstanceReader) {
-        return _instanceReader;
-    }
-    function getBundleManager() external view returns (BundleManager) {
-        return _bundleManager;
-    }
-    function getInstanceAccessManager() external view returns (InstanceAccessManager) {
-        return _accessManager;
-    }
     function setInstanceStore(InstanceStore instanceStore) external restricted {
         if(address(_instanceStore) != address(0)) {
             revert ErrorInstanceInstanceStoreAlreadySet(address(_instanceStore));
@@ -196,32 +233,30 @@ contract Instance is
         _instanceStore = instanceStore;
     }
-    function getInstanceStore() external view returns (InstanceStore) {
-        return _instanceStore;
-    }
+    //--- external view functions -------------------------------------------//
-    function getMajorVersion() external pure returns (VersionPart majorVersion) {
-        return VersionPartLib.toVersionPart(GIF_MAJOR_VERSION);
+    function getInstanceReader() external view returns (InstanceReader) {
+        return _instanceReader;
     }
-    function getDistributionService() external view returns (IDistributionService) {
-        return IDistributionService(getRegistry().getServiceAddress(DISTRIBUTION(), VersionPart.wrap(3)));
+    function getBundleManager() external view returns (BundleManager) {
+        return _bundleManager;
     }
-    function getProductService() external view returns (IProductService) {
-        return IProductService(getRegistry().getServiceAddress(PRODUCT(), VersionPart.wrap(3)));
+    function getInstanceAdmin() external view returns (InstanceAdmin) {
+        return _instanceAdmin;
     }
-    function getPoolService() external view returns (IPoolService) {
-        return IPoolService(getRegistry().getServiceAddress(POOL(), VersionPart.wrap(3)));
+    function getInstanceAccessManager() external view returns (AccessManagerExtendedInitializeable) {
+        return AccessManagerExtendedInitializeable(authority());
     }
-    function getPolicyService() external view returns (IPolicyService) {
-        return IPolicyService(getRegistry().getServiceAddress(POLICY(), VersionPart.wrap(3)));
+    function getInstanceStore() external view returns (InstanceStore) {
+        return _instanceStore;
     }
-    function getBundleService() external view returns (IBundleService) {
-        return IBundleService(getRegistry().getServiceAddress(BUNDLE(), VersionPart.wrap(3)));
+    function getMajorVersion() public pure returns (VersionPart majorVersion) {
+        return VersionPartLib.toVersionPart(GIF_MAJOR_VERSION);
     }
     //--- internal view/pure functions --------------------------------------//

package/contracts/instance/InstanceAdmin.sol ADDED Viewed

@@ -0,0 +1,331 @@
+// SPDX-License-Identifier: Apache-2.0
+pragma solidity ^0.8.20;
+import {AccessManagedUpgradeable} from "@openzeppelin/contracts-upgradeable/access/manager/AccessManagedUpgradeable.sol";
+import {EnumerableSet} from "@openzeppelin/contracts/utils/structs/EnumerableSet.sol";
+import {RoleId, RoleIdLib, ADMIN_ROLE, PUBLIC_ROLE, INSTANCE_SERVICE_ROLE, INSTANCE_OWNER_ROLE, INSTANCE_ROLE} from "../type/RoleId.sol";
+import {TimestampLib} from "../type/Timestamp.sol";
+import {NftId} from "../type/NftId.sol";
+import {AccessManagerExtendedInitializeable} from "../shared/AccessManagerExtendedInitializeable.sol";
+import {IRegistry} from "../registry/IRegistry.sol";
+import {IInstance} from "./IInstance.sol";
+import {IAccess} from "./module/IAccess.sol";
+contract InstanceAdmin is
+    AccessManagedUpgradeable
+{
+    using RoleIdLib for RoleId;
+    string public constant INSTANCE_ROLE_NAME = "InstanceRole";
+    string public constant INSTANCE_OWNER_ROLE_NAME = "InstanceOwnerRole";
+    string public constant INSTANCE_ADMIN_TARGET_NAME = "InstanceAdmin";
+    uint64 public constant CUSTOM_ROLE_ID_MIN = 10000; // MUST be even
+    uint32 public constant EXECUTION_DELAY = 0;
+    mapping(address target => IAccess.Type) _targetType;
+    mapping(RoleId roleId => IAccess.Type) _roleType;
+    uint64 _idNext;
+    AccessManagerExtendedInitializeable internal _accessManager;
+    address _instance;
+    IRegistry internal _registry;
+    // instance owner role is granted upon instance nft minting in callback function
+    // assume this contract is already a member of ADMIN_ROLE, the only member
+    function initialize(address instanceAddress) external initializer
+    {
+        IInstance instance = IInstance(instanceAddress);
+        IRegistry registry = instance.getRegistry();
+        address authority = instance.authority();
+        __AccessManaged_init(authority);
+        _accessManager = AccessManagerExtendedInitializeable(authority);
+        _instance = instanceAddress;
+        _registry = registry;
+        _idNext = CUSTOM_ROLE_ID_MIN;
+        // minimum configuration required for nft interception
+        _createRole(INSTANCE_ROLE(), INSTANCE_ROLE_NAME, IAccess.Type.Core);
+        _createRole(INSTANCE_OWNER_ROLE(), INSTANCE_OWNER_ROLE_NAME, IAccess.Type.Core);
+        _grantRole(INSTANCE_ROLE(), address(instance));
+        _createTarget(address(this), INSTANCE_ADMIN_TARGET_NAME, IAccess.Type.Core);
+        bytes4[] memory instanceAdminInstanceSelectors = new bytes4[](1);
+        instanceAdminInstanceSelectors[0] = this.transferInstanceOwnerRole.selector;
+        _setTargetFunctionRole(address(this), instanceAdminInstanceSelectors, INSTANCE_ROLE());
+    }
+    //--- Role ------------------------------------------------------//
+    // ADMIN_ROLE
+    // assume all core roles are known at deployment time
+    // assume core roles are set and granted only during instance cloning
+    // assume core roles are never revoked -> core roles admin is never active after intialization
+    function createCoreRole(RoleId roleId, string memory name) external restricted() {
+        _createRole(roleId, name, IAccess.Type.Core);
+    }
+    // ADMIN_ROLE
+    // assume gif roles can be revoked
+    // assume admin is INSTANCE_OWNER_ROLE or INSTANCE_ROLE
+    function createGifRole(RoleId roleId, string memory name, RoleId admin) external restricted() {
+        _createRole(roleId, name, IAccess.Type.Gif);
+        _setRoleAdmin(roleId, admin);
+    }
+    // INSTANCE_ROLE
+    // TODO specify how many owners role can have -> many roles MUST have exactly 1 member?
+    function createRole(string memory roleName, string memory adminName)
+        external
+        restricted()
+        returns(RoleId roleId, RoleId admin)
+    {
+        (roleId, admin) = _getNextCustomRoleId();
+        _createRole(roleId, roleName, IAccess.Type.Custom);
+        _createRole(admin, adminName, IAccess.Type.Custom);
+        _setRoleAdmin(roleId, admin);
+        _setRoleAdmin(admin, INSTANCE_OWNER_ROLE());
+    }
+    // ADMIN_ROLE
+    // assume used by instance service only during instance cloning
+    // assume used only by this.createRole(), this.createGifRole() afterwards
+    function setRoleAdmin(RoleId roleId, RoleId admin) public restricted() {
+        _setRoleAdmin(roleId, admin);
+    }
+    // INSTANCE_ROLE
+    function transferInstanceOwnerRole(address from, address to) external restricted() {
+        // temp pre transfer checks
+        assert(_getRoleMembers(INSTANCE_ROLE()) == 1);
+        assert(_hasRole(INSTANCE_ROLE(), _instance));
+        assert(_getRoleAdmin(INSTANCE_OWNER_ROLE()).toInt() == ADMIN_ROLE().toInt());
+        if(from != address(0)) { // nft transfer
+            assert(_getRoleMembers(INSTANCE_OWNER_ROLE()) == 1);
+        } else { // nft minting
+            assert(_getRoleMembers(INSTANCE_OWNER_ROLE()) == 0);
+        }
+        // transfer
+        assert(from != to);
+        _grantRole(INSTANCE_OWNER_ROLE(), to);
+        if(from != address(0)) { // nft transfer
+            _revokeRole(INSTANCE_OWNER_ROLE(), from);
+        }
+        // temp post transfer checks
+        assert(_getRoleMembers(INSTANCE_OWNER_ROLE()) == 1);// temp
+        assert(_hasRole(INSTANCE_OWNER_ROLE(), to));
+    }
+    //--- Target ------------------------------------------------------//
+    // ADMIN_ROLE
+    // assume some core targets are registred (instance) while others are not (instance accesss manager, instance reader, bundle manager)
+    function createCoreTarget(address target, string memory name) external restricted() {
+        _createTarget(target, name, IAccess.Type.Core);
+    }
+    // INSTANCE_SERVICE_ROLE
+    function createGifTarget(address target, string memory name) external restricted()
+    {
+        if(!_registry.isRegistered(target)) {
+            revert IAccess.ErrorIAccessTargetNotRegistered(target);
+        }
+        NftId targetParentNftId = _registry.getObjectInfo(target).parentNftId;
+        NftId instanceNftId = _registry.getObjectInfo(_instance).nftId;
+        if(targetParentNftId != instanceNftId) {
+            revert IAccess.ErrorIAccessTargetInstanceMismatch(target, targetParentNftId, instanceNftId);
+        }
+        _createTarget(target, name, IAccess.Type.Gif);
+    }
+    // INSTANCE_ROLE
+    // assume custom target.authority() is constant -> target MUST not be used with different instance access manager
+    // assume custom target can not be registered as component -> each service which is doing component registration MUST register a gif target
+    // assume custom target can not be registered as instance or service -> why?
+    // TODO check target associated with instance owner or instance or instance components or components helpers
+    function createTarget(address target, string memory name) external restricted() {
+        _createTarget(target, name, IAccess.Type.Custom);
+    }
+    // TODO instance owner locks component instead of revoking it access to the instance...
+    // INSTANCE_SERVICE_ROLE
+    function setTargetLockedByService(address target, bool locked) external restricted {
+        _setTargetLocked(target, locked);
+    }
+    // INSTANCE_ROLE
+    function setTargetLockedByInstance(address target, bool locked) external restricted {
+        _setTargetLocked(target, locked);
+    }
+    // allowed combinations of roles and targets:
+    //1) set core role for core target
+    //2) set gif role for gif target
+    //3) set custom role for gif target
+    //4) set custom role for custom target
+    // ADMIN_ROLE if used only during initialization, works with:
+    //      any roles for any targets
+    // INSTANCE_SERVICE_ROLE if used not only during initilization, works with:
+    //      core roles for core targets
+    //      gif roles for gif targets
+    function setTargetFunctionRoleByService(
+        string memory targetName,
+        bytes4[] calldata selectors,
+        RoleId roleId
+    )
+        public
+        virtual
+        restricted
+    {
+        address target = _accessManager.getTargetAddress(targetName);
+        // not custom target
+        if(_targetType[target] == IAccess.Type.Custom) {
+            revert IAccess.ErrorIAccessTargetTypeInvalid(target, IAccess.Type.Custom);
+        }
+        // not custom role
+        if(_roleType[roleId] == IAccess.Type.Custom) {
+            revert IAccess.ErrorIAccessRoleTypeInvalid(roleId, IAccess.Type.Custom);
+        }
+        _setTargetFunctionRole(target, selectors, roleId);
+    }
+    // INSTANCE_ROLE
+    // gif role for gif target
+    // gif role for custom target
+    // custom role for gif target -> need to prohibit
+    // custom role for custom target
+    // TODO instance owner can mess with gif target (component) -> e.g. set custom role for function intendent to work with gif role
+    function setTargetFunctionRoleByInstance(
+        string memory targetName,
+        bytes4[] calldata selectors,
+        RoleId roleId// string memory roleName
+    )
+        public
+        virtual
+        restricted()
+    {
+        address target = _accessManager.getTargetAddress(targetName);
+        // not core target
+        if(_targetType[target] == IAccess.Type.Core) {
+            revert IAccess.ErrorIAccessTargetTypeInvalid(target, IAccess.Type.Core);
+        }
+        // not core role
+        if(_roleType[roleId] == IAccess.Type.Core) {
+            revert IAccess.ErrorIAccessRoleTypeInvalid(roleId, IAccess.Type.Core);
+        }
+        _setTargetFunctionRole(target, selectors, roleId);
+    }
+    //--- Role internal view/pure functions --------------------------------------//
+    function _createRole(RoleId roleId, string memory name, IAccess.Type rtype) internal {
+        _validateRole(roleId, rtype);
+        _roleType[roleId] = rtype;
+        _accessManager.createRole(roleId.toInt(), name);
+    }
+    function _validateRole(RoleId roleId, IAccess.Type rtype) internal pure
+    {
+        uint roleIdInt = roleId.toInt();
+        if(rtype == IAccess.Type.Custom && roleIdInt < CUSTOM_ROLE_ID_MIN) {
+            revert IAccess.ErrorIAccessRoleIdTooSmall(roleId);
+        }
+        if(
+            rtype != IAccess.Type.Custom &&
+            roleIdInt >= CUSTOM_ROLE_ID_MIN &&
+            roleIdInt != PUBLIC_ROLE().toInt())
+        {
+            revert IAccess.ErrorIAccessRoleIdTooBig(roleId);
+        }
+    }
+    function _grantRole(RoleId roleId, address account) internal {
+        _accessManager.grantRole(roleId.toInt(), account, EXECUTION_DELAY);
+    }
+    function _revokeRole(RoleId roleId, address member) internal {
+        _accessManager.revokeRole(roleId.toInt(), member);
+    }
+    function _setRoleAdmin(RoleId roleId, RoleId admin) internal {
+        if(_roleType[roleId] == IAccess.Type.Core) {
+            revert IAccess.ErrorIAccessRoleTypeInvalid(roleId, IAccess.Type.Core);
+        }
+        _accessManager.setRoleAdmin(roleId.toInt(), admin.toInt());
+    }
+    function _getRoleAdmin(RoleId roleId) internal view returns (RoleId admin) {
+        return RoleIdLib.toRoleId(_accessManager.getRoleAdmin(roleId.toInt()));
+    }
+    function _hasRole(RoleId roleId, address account) internal view returns (bool accountHasRole) {
+        uint32 executionDelay;
+        (accountHasRole, executionDelay) = _accessManager.hasRole(roleId.toInt(), account);
+        assert(executionDelay == 0);
+    }
+    function _getRoleMembers(RoleId roleId) internal view returns (uint) {
+        return _accessManager.getRoleMembers(roleId.toInt());
+    }
+    function _getNextCustomRoleId() internal returns(RoleId roleId, RoleId admin) {
+        uint64 roleIdInt = _idNext;
+        uint64 adminInt = roleIdInt + 1;
+        _idNext = roleIdInt + 2;
+        roleId = RoleIdLib.toRoleId(roleIdInt);
+        admin = RoleIdLib.toRoleId(adminInt);
+    }
+    //--- Target internal view/pure functions --------------------------------------//
+    function _createTarget(address target, string memory name, IAccess.Type ttype)
+        internal
+    {
+        _validateTarget(target, ttype);
+        _targetType[target] = ttype;
+        _accessManager.createTarget(target, name);
+    }
+    function _validateTarget(address target, IAccess.Type ttype)
+        internal
+        view
+    {}
+    // IMPORTANT: instance admin MUST be of Core type -> otherwise can be locked forever
+    // TODO: consider locking gif targets in a separate function?
+    function _setTargetLocked(address target, bool locked) internal
+    {
+        IAccess.Type targetType = _targetType[target];
+        if(targetType == IAccess.Type.Core) {
+            revert IAccess.ErrorIAccessTargetTypeInvalid(target, targetType);
+        }
+        _accessManager.setTargetClosed(target, locked);
+    }
+    function _setTargetFunctionRole(address target, bytes4[] memory selectors, RoleId roleId) internal {
+        _accessManager.setTargetFunctionRole(target, selectors, roleId.toInt());
+    }
+}