npm - @layerzerolabs/protocol-stellar-v2 - Versions diffs - 0.2.35 → 0.2.37 - Mend

@layerzerolabs/protocol-stellar-v2 0.2.35 → 0.2.37

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (105) hide show

package/contracts/oapps/sac-manager/src/tests/test_helper.rs CHANGED Viewed

@@ -4,11 +4,11 @@
 extern crate std;
-use crate::{SacManager, SacManagerClient};
+use crate::{SACManager, SACManagerClient};
 use soroban_sdk::{
     testutils::{Address as _, MockAuth, MockAuthInvoke, StellarAssetContract},
     token::StellarAssetClient,
-    Address, Env, IntoVal, Val,
+    Address, Env, IntoVal, Symbol, Val,
 };
 // =========================================================================
@@ -25,27 +25,19 @@ use soroban_sdk::{
 /// ```
 pub struct TestSetupBuilder {
     manager_as_sac_admin: bool,
-    skip_minters_setup: bool,
 }
 impl TestSetupBuilder {
     fn new() -> Self {
-        Self { manager_as_sac_admin: false, skip_minters_setup: false }
+        Self { manager_as_sac_admin: false }
     }
-    /// Set the SacManager as SAC admin during setup.
+    /// Set the SACManager as SAC admin during setup.
     pub fn with_manager_as_sac_admin(mut self) -> Self {
         self.manager_as_sac_admin = true;
         self
     }
-    /// Skip setting minters during setup.
-    /// Use this to test `set_minter` auth or mint when no minter is set.
-    pub fn with_empty_minters(mut self) -> Self {
-        self.skip_minters_setup = true;
-        self
-    }
     /// Build the TestSetup with the configured options.
     pub fn build<'a>(self) -> TestSetup<'a> {
         let env = Env::default();
@@ -55,23 +47,22 @@ impl TestSetupBuilder {
         let sac_contract = env.register_stellar_asset_contract_v2(owner.clone());
         let sac = sac_contract.address();
-        let sac_manager = env.register(SacManager, (&sac, &owner));
-        let sac_manager_client = SacManagerClient::new(&env, &sac_manager);
+        let sac_manager = env.register(SACManager, (&sac, &owner));
+        let sac_manager_client = SACManagerClient::new(&env, &sac_manager);
         let sac_client = StellarAssetClient::new(&env, &sac);
-        if !self.skip_minters_setup {
-            env.mock_auths(&[MockAuth {
-                address: &owner,
-                invoke: &MockAuthInvoke {
-                    contract: &sac_manager,
-                    fn_name: "set_minter",
-                    args: (oft.clone(), true).into_val(&env),
-                    sub_invokes: &[],
-                },
-            }]);
-            sac_manager_client.set_minter(&oft, &true);
+        // Grant all roles to owner (owner is the authorizer so can grant any role)
+        for role_str in ["ADMIN_MGR", "MINTER", "BLKLISTR", "CLAWBACK"] {
+            let role = Symbol::new(&env, role_str);
+            mock_auth(&env, &sac_manager, &owner, "grant_role", (owner.clone(), role.clone(), owner.clone()));
+            sac_manager_client.grant_role(&owner, &role, &owner);
         }
+        // Grant MINTER_ROLE to oft so it can call mint in tests
+        let minter_role = Symbol::new(&env, "MINTER");
+        mock_auth(&env, &sac_manager, &owner, "grant_role", (oft.clone(), minter_role.clone(), owner.clone()));
+        sac_manager_client.grant_role(&oft, &minter_role, &owner);
         if self.manager_as_sac_admin {
             env.mock_auths(&[MockAuth {
                 address: &owner,
@@ -96,16 +87,16 @@ impl TestSetupBuilder {
 // TestSetup
 // =========================================================================
-/// Common test setup that creates a SAC and SacManager.
+/// Common test setup that creates a SAC and SACManager.
 pub struct TestSetup<'a> {
     pub env: Env,
     pub owner: Address,
-    /// Address used as a minter in default setup (in minters list).
+    /// Address that has MINTER_ROLE in default setup (used as operator for mint in tests).
     pub minter: Address,
     pub sac: Address,
     pub sac_contract: StellarAssetContract,
     pub sac_manager: Address,
-    pub sac_manager_client: SacManagerClient<'a>,
+    pub sac_manager_client: SACManagerClient<'a>,
     pub sac_client: StellarAssetClient<'a>,
 }

package/contracts/upgrader/src/lib.rs CHANGED Viewed

@@ -20,7 +20,7 @@
 //! ```
 use soroban_sdk::{contract, contractimpl, xdr::ToXdr, Address, Bytes, BytesN, Env};
-use utils::{auth::AuthClient, upgradeable::UpgradeableClient};
+use utils::{auth::AuthClient, errors::AuthError, option_ext::OptionExt, upgradeable::UpgradeableClient};
 /// Upgrader contract for managing upgrades of other contracts.
 ///
@@ -59,7 +59,10 @@ impl Upgrader {
     /// upgrader.upgrade_and_migrate(&contract_addr, &wasm_hash, &migration_data);
     /// ```
     pub fn upgrade_and_migrate(env: &Env, contract_address: &Address, wasm_hash: &BytesN<32>, migration_data: &Bytes) {
-        AuthClient::new(env, contract_address).authorizer().require_auth();
+        AuthClient::new(env, contract_address)
+            .authorizer()
+            .unwrap_or_panic(env, AuthError::AuthorizerNotFound)
+            .require_auth();
         let client = UpgradeableClient::new(env, contract_address);
         client.upgrade(wasm_hash);
         client.migrate(migration_data);

package/contracts/utils/src/auth.rs CHANGED Viewed

@@ -3,6 +3,7 @@
 //! The `Auth` trait provides a common interface for authorization that can be
 //! implemented by different access control patterns (e.g., single owner, multisig).
+use crate::{errors::AuthError, option_ext::OptionExt};
 use soroban_sdk::{contractclient, Address, Env};
 // ===========================================================================
@@ -20,7 +21,10 @@ pub trait Auth: Sized {
     /// For `Ownable` contracts, this returns the stored owner address.
     /// For `MultiSig` contracts, this returns the contract's own address
     /// (self-owning pattern).
-    fn authorizer(env: &Env) -> Address;
+    ///
+    /// Returns `None` when there is no authorizer (for example, when an Ownable
+    /// contract's owner has been renounced).
+    fn authorizer(env: &Env) -> Option<Address>;
 }
 // ===========================================================================
@@ -31,7 +35,7 @@ pub trait Auth: Sized {
 ///
 /// Panics if the authorizer has not provided authorization for this invocation.
 pub fn enforce_auth<T: Auth>(env: &Env) -> Address {
-    let authorizer = T::authorizer(env);
+    let authorizer = T::authorizer(env).unwrap_or_panic(env, AuthError::AuthorizerNotFound);
     authorizer.require_auth();
     authorizer
 }

package/contracts/utils/src/errors.rs CHANGED Viewed

@@ -62,3 +62,21 @@ pub enum MultiSigError {
     UnsortedSigners,
     ZeroThreshold,
 }
+/// AuthError: 1070-1079
+#[contract_error]
+pub enum AuthError {
+    AuthorizerNotFound = 1070,
+}
+/// RbacError: 1080-1089
+#[contract_error]
+pub enum RbacError {
+    AdminRoleNotFound = 1080,
+    IndexOutOfBounds,
+    MaxRolesExceeded,
+    RoleIsEmpty,
+    RoleNotFound,
+    RoleNotHeld,
+    Unauthorized,
+}

package/contracts/utils/src/lib.rs CHANGED Viewed

@@ -8,6 +8,7 @@ pub mod errors;
 pub mod multisig;
 pub mod option_ext;
 pub mod ownable;
+pub mod rbac;
 pub mod ttl_configurable;
 pub mod ttl_extendable;
 pub mod upgradeable;

package/contracts/utils/src/multisig.rs CHANGED Viewed

@@ -179,7 +179,11 @@ pub fn recover_signer(env: &Env, digest: &BytesN<32>, signature: &BytesN<65>) ->
 /// Panics with `InvalidAuthorizer` if the authorizer is not the contract's own address.
 pub fn enforce_multisig_auth<T: MultiSig>(env: &Env) {
     // Ensure the authorizer is the contract's own address
-    assert_with_error!(env, T::authorizer(env) == env.current_contract_address(), MultiSigError::InvalidAuthorizer);
+    assert_with_error!(
+        env,
+        Some(env.current_contract_address()) == T::authorizer(env),
+        MultiSigError::InvalidAuthorizer
+    );
     env.current_contract_address().require_auth();
 }

package/contracts/utils/src/ownable.rs CHANGED Viewed

@@ -204,7 +204,7 @@ pub trait OwnableInitializer {
 pub fn enforce_owner_auth<T: Ownable>(env: &Env) -> Address {
     let owner = T::owner(env).unwrap_or_panic(env, OwnableError::OwnerNotSet);
     // Ensure the owner is the same as the authorizer
-    assert_with_error!(env, owner == T::authorizer(env), OwnableError::InvalidAuthorizer);
+    assert_with_error!(env, Some(&owner) == T::authorizer(env).as_ref(), OwnableError::InvalidAuthorizer);
     owner.require_auth();
     owner
 }

package/contracts/utils/src/rbac.rs ADDED Viewed

@@ -0,0 +1,428 @@
+//! Role-Based Access Control (RBAC) for Soroban contracts.
+//!
+//! Combines OpenZeppelin-style role management with the Auth pattern.
+//! The authorizer (e.g. owner from Ownable, or contract from MultiSig) replaces Admin.
+use crate::{self as utils, auth::Auth, errors::RbacError, option_ext::OptionExt};
+use common_macros::{contract_trait, only_auth, storage};
+use soroban_sdk::{assert_with_error, contractevent, Address, Env, Symbol, Vec};
+// ===========================================================================
+// Constants
+// ===========================================================================
+/// Maximum number of roles that can exist simultaneously.
+pub const MAX_ROLES: u32 = 256;
+// ===========================================================================
+// Events
+// ===========================================================================
+/// Event emitted when a role is granted.
+#[contractevent]
+#[derive(Clone, Debug, Eq, PartialEq)]
+pub struct RoleGranted {
+    #[topic]
+    pub role: Symbol,
+    #[topic]
+    pub account: Address,
+    pub caller: Address,
+}
+/// Event emitted when a role is revoked.
+#[contractevent]
+#[derive(Clone, Debug, Eq, PartialEq)]
+pub struct RoleRevoked {
+    #[topic]
+    pub role: Symbol,
+    #[topic]
+    pub account: Address,
+    pub caller: Address,
+}
+/// Event emitted when a role admin is changed.
+#[contractevent]
+#[derive(Clone, Debug, Eq, PartialEq)]
+pub struct RoleAdminChanged {
+    #[topic]
+    pub role: Symbol,
+    pub previous_admin_role: Option<Symbol>,
+    pub new_admin_role: Option<Symbol>,
+}
+// ===========================================================================
+// Storage
+// ===========================================================================
+#[storage]
+pub enum RbacStorage {
+    /// All roles that have at least one member
+    #[persistent(Vec<Symbol>)]
+    #[default(Vec::new(env))]
+    ExistingRoles,
+    /// (role, index) -> Address
+    #[persistent(Address)]
+    RoleIndexToAccount { role: Symbol, index: u32 },
+    /// (role, account) -> index
+    #[persistent(u32)]
+    RoleAccountToIndex { role: Symbol, account: Address },
+    /// role -> count of accounts
+    #[persistent(u32)]
+    #[default(0)]
+    RoleAccountsCount { role: Symbol },
+    /// role -> admin role (who can grant/revoke this role). Key removed when no admin.
+    #[persistent(Symbol)]
+    RoleAdmin { role: Symbol },
+}
+// ===========================================================================
+// Trait
+// ===========================================================================
+/// Trait for contracts with role-based access control.
+///
+/// Extends `Auth` — the authorizer replaces the traditional admin and can grant/revoke
+/// any role. Each role can also have an admin role for hierarchical control.
+#[contract_trait]
+pub trait RoleBasedAccessControl: Auth {
+    // ===========================================================================
+    // State-changing
+    // ===========================================================================
+    /// Grants a role to an account. Caller must be owner or have the role's admin role.
+    ///
+    /// # Arguments
+    /// * `account` - The account to grant the role to.
+    /// * `role` - The role to grant.
+    /// * `caller` - The account that is granting the role. Must be owner or have the role's admin role.
+    fn grant_role(
+        env: &soroban_sdk::Env,
+        account: &soroban_sdk::Address,
+        role: &soroban_sdk::Symbol,
+        caller: &soroban_sdk::Address,
+    ) {
+        caller.require_auth();
+        ensure_if_authorizer_or_role_admin::<Self>(env, role, caller);
+        grant_role_no_auth(env, account, role, caller);
+    }
+    /// Revokes a role from an account. Caller must be owner or have the role's admin role.
+    ///
+    /// # Arguments
+    /// * `account` - The account to revoke the role from.
+    /// * `role` - The role to revoke.
+    /// * `caller` - The account that is revoking the role. Must be owner or have the role's admin role.
+    fn revoke_role(
+        env: &soroban_sdk::Env,
+        account: &soroban_sdk::Address,
+        role: &soroban_sdk::Symbol,
+        caller: &soroban_sdk::Address,
+    ) {
+        caller.require_auth();
+        ensure_if_authorizer_or_role_admin::<Self>(env, role, caller);
+        revoke_role_no_auth(env, account, role, caller);
+    }
+    /// Allows an account to renounce a role assigned to itself.
+    /// Users can only renounce roles for their own account.
+    ///
+    /// # Arguments
+    /// * `role` - The role to renounce.
+    /// * `caller` - The account that is renouncing the role. Must be the account itself.
+    fn renounce_role(env: &soroban_sdk::Env, role: &soroban_sdk::Symbol, caller: &soroban_sdk::Address) {
+        caller.require_auth();
+        revoke_role_no_auth(env, caller, role, caller);
+    }
+    /// Sets `admin_role` as the admin role of `role`. Caller must be the authorizer.
+    ///
+    /// # Arguments
+    /// * `role` - The role to set the admin for.
+    /// * `admin_role` - The admin role to set for the role.
+    ///
+    /// # Notes
+    ///
+    /// The admin role can be any `Symbol`, including one with no members. If the admin
+    /// role has no members, only the authorizer can grant/revoke the role.
+    #[only_auth]
+    fn set_role_admin(env: &soroban_sdk::Env, role: &soroban_sdk::Symbol, admin_role: &soroban_sdk::Symbol) {
+        set_role_admin_no_auth(env, role, admin_role);
+    }
+    /// Removes the admin role for a specified role. Caller must be the authorizer.
+    ///
+    /// # Arguments
+    /// * `role` - The role to remove the admin for.
+    ///
+    /// # Errors
+    /// * `RbacError::AdminRoleNotFound` - If no admin role is set for the role.
+    #[only_auth]
+    fn remove_role_admin(env: &soroban_sdk::Env, role: &soroban_sdk::Symbol) {
+        remove_role_admin_no_auth(env, role);
+    }
+    // ===========================================================================
+    // View functions
+    // ===========================================================================
+    /// Returns `Some(index)` if the account has the specified role, where `index`
+    /// is the index of the account in the role. Returns `None` if not.
+    ///
+    /// # Arguments
+    /// * `account` - The account to check the role for.
+    /// * `role` - The role to check the account for.
+    fn has_role(env: &soroban_sdk::Env, account: &soroban_sdk::Address, role: &soroban_sdk::Symbol) -> Option<u32> {
+        RbacStorage::role_account_to_index(env, role, account)
+    }
+    /// Returns the admin role for a specific role, or None if not set.
+    ///
+    /// # Arguments
+    /// * `role` - The role to get the admin for.
+    fn get_role_admin(env: &soroban_sdk::Env, role: &soroban_sdk::Symbol) -> Option<soroban_sdk::Symbol> {
+        RbacStorage::role_admin(env, role)
+    }
+    /// Returns the number of accounts that have the specified role.
+    ///
+    /// # Arguments
+    /// * `role` - The role to get the member count for.
+    fn get_role_member_count(env: &soroban_sdk::Env, role: &soroban_sdk::Symbol) -> u32 {
+        RbacStorage::role_accounts_count(env, role)
+    }
+    /// Returns the account at the specified index for a given role.
+    ///
+    /// # Arguments
+    /// * `role` - The role to get the member for.
+    /// * `index` - The index of the member to get.
+    ///
+    /// # Errors
+    /// * `RbacError::IndexOutOfBounds` if the index is out of bounds.
+    fn get_role_member(env: &soroban_sdk::Env, role: &soroban_sdk::Symbol, index: u32) -> soroban_sdk::Address {
+        RbacStorage::role_index_to_account(env, role, index).unwrap_or_panic(env, RbacError::IndexOutOfBounds)
+    }
+    /// Returns all roles that currently have at least one member.
+    /// Defaults to empty vector if no roles exist.
+    ///
+    /// # Notes
+    ///
+    /// This function returns all roles that currently have at least one member.
+    /// The maximum number of roles is limited by [`MAX_ROLES`].
+    fn get_existing_roles(env: &soroban_sdk::Env) -> soroban_sdk::Vec<soroban_sdk::Symbol> {
+        RbacStorage::existing_roles(env)
+    }
+}
+// ===========================================================================
+// Public helpers
+// ===========================================================================
+/// Ensures the caller has the specified role.
+///
+/// # Arguments
+/// * `role` - The role to check the caller for.
+/// * `caller` - The account that is being checked. Must have the role.
+///
+/// # Errors
+/// * `Unauthorized` - If the caller does not have the role.
+pub fn ensure_role(env: &Env, role: &Symbol, caller: &Address) {
+    assert_with_error!(env, RbacStorage::has_role_account_to_index(env, role, caller), RbacError::Unauthorized);
+}
+/// Grants a role to an account without auth check.
+///
+/// # Arguments
+/// * `account` - The account to grant the role to.
+/// * `role` - The role to grant.
+/// * `caller` - The account that is granting the role. Must be owner or have the role's admin role.
+///
+/// # Security Warning
+///
+/// **IMPORTANT**: This function bypasses authorization checks and should only
+/// be used:
+/// - During contract initialization/construction
+/// - In admin functions that implement their own authorization logic
+///
+/// Using this function in public-facing methods creates significant security
+/// risks as it could allow unauthorized role assignments.
+pub fn grant_role_no_auth(env: &Env, account: &Address, role: &Symbol, caller: &Address) {
+    if RbacStorage::has_role_account_to_index(env, role, account) {
+        return;
+    }
+    add_to_role_enumeration(env, account, role);
+    RoleGranted { role: role.clone(), account: account.clone(), caller: caller.clone() }.publish(env);
+}
+/// Revokes a role from an account without auth check.
+///
+/// # Arguments
+/// * `account` - The account to revoke the role from.
+/// * `role` - The role to revoke.
+/// * `caller` - The account that is revoking the role. Must be owner or have the role's admin role.
+///
+/// # Security Warning
+///
+/// **IMPORTANT**: This function bypasses authorization checks and should only
+/// be used:
+/// - During contract initialization/construction
+/// - In admin functions that implement their own authorization logic
+///
+/// Using this function in public-facing methods creates significant security
+/// risks as it could allow unauthorized role revocations.
+pub fn revoke_role_no_auth(env: &Env, account: &Address, role: &Symbol, caller: &Address) {
+    assert_with_error!(env, RbacStorage::has_role_account_to_index(env, role, account), RbacError::RoleNotHeld);
+    remove_from_role_enumeration(env, account, role);
+    RoleRevoked { role: role.clone(), account: account.clone(), caller: caller.clone() }.publish(env);
+}
+/// Sets the admin role for a role without auth check. For constructor/init or when caller enforces own auth.
+///
+/// # Arguments
+/// * `role` - The role to set the admin for.
+/// * `admin_role` - The admin role to set for the role.
+///
+/// # Security Warning
+///
+/// **IMPORTANT**: This function bypasses authorization checks and should only
+/// be used:
+/// - During contract initialization/construction
+/// - In admin functions that implement their own authorization logic
+///
+/// Using this function in public-facing methods creates significant security
+/// risks as it could allow unauthorized admin role assignments.
+///
+/// # Circular Admin Warning
+///
+/// **CAUTION**: This function allows the creation of circular admin
+/// relationships between roles. For example, it's possible to assign MINT_ADMIN
+/// as the admin of MINT_ROLE while also making MINT_ROLE the admin of
+/// MINT_ADMIN. Such circular relationships can lead to unintended consequences,
+/// including:
+///
+/// - Race conditions where each role can revoke the other
+/// - Potential security vulnerabilities in role management
+/// - Confusing governance structures that are difficult to reason about
+///
+/// When designing your role hierarchy, carefully consider the relationships
+/// between roles and avoid creating circular dependencies.
+pub fn set_role_admin_no_auth(env: &Env, role: &Symbol, admin_role: &Symbol) {
+    let previous = RbacStorage::role_admin(env, role);
+    RbacStorage::set_role_admin(env, role, admin_role);
+    RoleAdminChanged { role: role.clone(), previous_admin_role: previous, new_admin_role: Some(admin_role.clone()) }
+        .publish(env);
+}
+/// Removes the admin role for a specified role without auth check.
+///
+/// For use in admin functions that implement their own authorization logic,
+/// or when cleaning up unused roles.
+///
+/// # Arguments
+/// * `role` - The role to remove the admin for.
+///
+/// # Errors
+/// * `RbacError::AdminRoleNotFound` - If no admin role is set for the role.
+///
+/// # Security Warning
+///
+/// **IMPORTANT**: This function bypasses authorization checks and should only
+/// be used:
+/// - In admin functions that implement their own authorization logic
+/// - When cleaning up unused roles
+pub fn remove_role_admin_no_auth(env: &Env, role: &Symbol) {
+    let previous = RbacStorage::role_admin(env, role);
+    assert_with_error!(env, previous.is_some(), RbacError::AdminRoleNotFound);
+    RbacStorage::remove_role_admin(env, role);
+    RoleAdminChanged { role: role.clone(), previous_admin_role: previous, new_admin_role: None }.publish(env);
+}
+// ===========================================================================
+// Private helpers
+// ===========================================================================
+/// Ensures the caller is the authorizer or has the role's admin role.
+///
+/// # Arguments
+/// * `role` - The role to check the caller for.
+/// * `caller` - The account that is being checked. Must be the authorizer or have the role's admin role.
+///
+/// # Errors
+/// * `Unauthorized` - If the caller is neither the authorizer nor has the role's admin role.
+fn ensure_if_authorizer_or_role_admin<T: RoleBasedAccessControl>(env: &Env, role: &Symbol, caller: &Address) {
+    assert_with_error!(
+        env,
+        T::get_role_admin(env, role).is_some_and(|admin_role| T::has_role(env, caller, &admin_role).is_some())
+            || Some(caller) == T::authorizer(env).as_ref(),
+        RbacError::Unauthorized
+    );
+}
+/// Adds an account to the role enumeration.
+///
+/// # Arguments
+/// * `account` - The account to add to the role enumeration.
+/// * `role` - The role to add the account to.
+fn add_to_role_enumeration(env: &Env, account: &Address, role: &Symbol) {
+    let count = RbacStorage::role_accounts_count(env, role);
+    // If the role has no accounts, add it to the existing roles
+    if count == 0 {
+        let mut existing = RbacStorage::existing_roles(env);
+        assert_with_error!(env, existing.len() < MAX_ROLES, RbacError::MaxRolesExceeded);
+        existing.push_back(role.clone());
+        RbacStorage::set_existing_roles(env, &existing);
+    }
+    RbacStorage::set_role_index_to_account(env, role, count, account);
+    RbacStorage::set_role_account_to_index(env, role, account, &count);
+    RbacStorage::set_role_accounts_count(env, role, &(count + 1));
+}
+/// Removes an account from the role enumeration.
+///
+/// # Arguments
+/// * `account` - The account to remove from the role enumeration.
+/// * `role` - The role to remove the account from.
+fn remove_from_role_enumeration(env: &Env, account: &Address, role: &Symbol) {
+    let count = RbacStorage::role_accounts_count(env, role);
+    assert_with_error!(env, count > 0, RbacError::RoleIsEmpty);
+    // Get the index of the account to remove
+    let to_remove_idx =
+        RbacStorage::role_account_to_index(env, role, account).unwrap_or_panic(env, RbacError::RoleNotHeld);
+    // Get the index of the last account for the role
+    let last_idx = count - 1;
+    // Remove the target account's mappings
+    RbacStorage::remove_role_index_to_account(env, role, to_remove_idx);
+    RbacStorage::remove_role_account_to_index(env, role, account);
+    // If the removed account wasn't the last, move the last account into the vacated slot
+    if to_remove_idx != last_idx {
+        // Get the last account and remove the mapping from index to account
+        let last_account =
+            RbacStorage::role_index_to_account(env, role, last_idx).unwrap_or_panic(env, RbacError::IndexOutOfBounds);
+        RbacStorage::remove_role_index_to_account(env, role, last_idx);
+        // Move the last account into the vacated slot
+        RbacStorage::set_role_index_to_account(env, role, to_remove_idx, &last_account);
+        RbacStorage::set_role_account_to_index(env, role, &last_account, &to_remove_idx);
+    }
+    RbacStorage::set_role_accounts_count(env, role, &last_idx);
+    // If this was the last account with this role, remove the role from the existing roles
+    if last_idx == 0 {
+        let mut existing = RbacStorage::existing_roles(env);
+        let pos = existing.first_index_of(role).unwrap_or_panic(env, RbacError::RoleNotFound);
+        existing.remove(pos);
+        RbacStorage::set_existing_roles(env, &existing);
+    }
+}

package/contracts/utils/src/tests/auth.rs CHANGED Viewed

@@ -39,8 +39,8 @@ impl AuthTestContract {
 /// `Auth` implementation for the test contract - uses a stored address as the authorizer.
 impl Auth for AuthTestContract {
-    fn authorizer(env: &Env) -> Address {
-        env.storage().instance().get(&authorizer_key(env)).expect("authorizer must be set in tests")
+    fn authorizer(env: &Env) -> Option<Address> {
+        env.storage().instance().get(&authorizer_key(env))
     }
 }

package/contracts/utils/src/tests/mod.rs CHANGED Viewed

@@ -5,6 +5,7 @@ mod bytes_ext;
 mod multisig;
 mod option_ext;
 mod ownable;
+mod rbac;
 mod test_helper;
 mod testing_utils;
 mod ttl_configurable;

package/contracts/utils/src/tests/multisig.rs CHANGED Viewed

@@ -23,8 +23,8 @@ impl TestContract {
 /// This allows multisig quorum approval to serve as the authorizer.
 #[contractimpl]
 impl Auth for TestContract {
-    fn authorizer(env: &Env) -> Address {
-        env.current_contract_address()
+    fn authorizer(env: &Env) -> Option<Address> {
+        Some(env.current_contract_address())
     }
 }