@layerzerolabs/protocol-stellar-v2 0.2.40 → 0.2.43

package/contracts/macro-integration-tests/tests/ui/upgradeable/pass/rbac.rs

@@ -0,0 +1,44 @@
+// UI (trybuild) test: `#[upgradeable(rbac)]` compiles with UpgradeableRbac.
+//
+// Purpose:
+// - Ensures the macro generates `impl UpgradeableRbac` when `rbac` is specified.
+// - Verifies upgrade/migrate take the extra `operator` parameter.
+
+use soroban_sdk::{contract, contractimpl, Address, Bytes, BytesN, Env};
+use utils::rbac::{grant_role_no_auth, RoleBasedAccessControl};
+use utils::upgradeable::{UpgradeableInternal, UPGRADER_ROLE};
+
+#[contract]
+#[common_macros::ownable]
+#[common_macros::upgradeable(rbac)]
+pub struct MyContract;
+
+impl UpgradeableInternal for MyContract {
+    type MigrationData = ();
+
+    fn __migrate(_env: &Env, _migration_data: &Self::MigrationData) {}
+}
+
+#[contractimpl(contracttrait)]
+impl RoleBasedAccessControl for MyContract {}
+
+#[contractimpl]
+impl MyContract {
+    pub fn init(env: Env, owner: Address) {
+        Self::init_owner(&env, &owner);
+    }
+
+    pub fn init_upgrader(env: Env, operator: Address) {
+        let upgrader_role = soroban_sdk::Symbol::new(&env, UPGRADER_ROLE);
+        grant_role_no_auth(&env, &operator, &upgrader_role, &env.current_contract_address());
+    }
+
+    pub fn smoke(env: Env, operator: Address) {
+        let hash = BytesN::<32>::from_array(&env, &[0u8; 32]);
+        let migration_data = Bytes::new(&env);
+        Self::upgrade(&env, &hash, &operator);
+        Self::migrate(&env, &migration_data, &operator);
+    }
+}
+
+fn main() {}

package/contracts/oapps/counter/integration_tests/utils.rs

@@ -2,7 +2,7 @@
 
 extern crate std;
 
-use crate::{codec::MsgType, counter::CounterClient, tests::mint_to};
+use crate::{codec::MsgType, counter::CounterClient, tests::{grant_oapp_admin, mint_to}};
 use endpoint_v2::{EndpointV2Client, MessagingFee, Origin, OutboundPacket};
 use message_lib_common::packet_codec_v1;
 use soroban_sdk::{
@@ -63,17 +63,19 @@ pub fn register_library(env: &Env, owner: &Address, endpoint: &EndpointV2Client<
 
 /// Sets the peer address for a counter on a destination EID.
 pub fn set_peer(env: &Env, owner: &Address, counter: &CounterClient<'_>, dst_eid: u32, peer: &BytesN<32>) {
+    grant_oapp_admin(env, &counter.address, owner);
+
     let peer_option = Some(peer.clone());
     env.mock_auths(&[MockAuth {
         address: owner,
         invoke: &MockAuthInvoke {
             contract: &counter.address,
             fn_name: "set_peer",
-            args: (&dst_eid, &peer_option).into_val(env),
+            args: (&dst_eid, &peer_option, owner).into_val(env),
             sub_invokes: &[],
         },
     }]);
-    counter.set_peer(&dst_eid, &peer_option);
+    counter.set_peer(&dst_eid, &peer_option, owner);
 }
 
 /// Decodes an outbound packet emitted by the endpoint.

package/contracts/oapps/counter/src/counter.rs

@@ -4,26 +4,27 @@ use crate::{
     options,
     storage::CounterStorage,
 };
-use common_macros::{contract_impl, only_auth};
+use common_macros::{contract_impl, lz_contract, only_auth};
 use endpoint_v2::{
     ILayerZeroComposer, LayerZeroEndpointV2Client, MessagingChannelClient, MessagingComposerClient, MessagingFee,
     Origin,
 };
 use oapp::{
-    oapp_core::{initialize_oapp, OAppCore},
+    oapp_core::{init_ownable_oapp, OAppCore},
     oapp_receiver::{LzReceiveInternal, OAppReceiver},
     oapp_sender::{FeePayer, OAppSenderInternal},
 };
 use oapp_macros::oapp;
 use soroban_sdk::{assert_with_error, panic_with_error, token::TokenClient, Address, Bytes, BytesN, Env};
 
+#[lz_contract]
 #[oapp(custom = [receiver])]
 pub struct Counter;
 
 #[contract_impl]
 impl Counter {
     pub fn __constructor(env: &Env, owner: &Address, endpoint: &Address, delegate: &Address) {
-        initialize_oapp::<Self>(env, owner, endpoint, delegate);
+        init_ownable_oapp::<Self>(env, owner, endpoint, delegate);
         let endpoint_client = LayerZeroEndpointV2Client::new(env, endpoint);
         CounterStorage::set_eid(env, &endpoint_client.eid());
     }

package/contracts/oapps/counter/src/tests/mod.rs

@@ -1,7 +1,8 @@
+use oapp::oapp_core::OAPP_ADMIN_ROLE;
 use soroban_sdk::{
     testutils::{MockAuth, MockAuthInvoke},
     token::StellarAssetClient,
-    Address, Env, IntoVal,
+    Address, Env, IntoVal, Symbol,
 };
 
 pub mod test_codec;
@@ -23,3 +24,17 @@ pub fn mint_to(env: &Env, owner: &Address, native_token: &Address, to: &Address,
     sac.mint(to, &amount);
 }
 
+pub fn grant_oapp_admin(env: &Env, contract: &Address, owner: &Address) {
+    let role = Symbol::new(env, OAPP_ADMIN_ROLE);
+    env.mock_auths(&[MockAuth {
+        address: owner,
+        invoke: &MockAuthInvoke {
+            contract,
+            fn_name: "grant_role",
+            args: (owner, &role, owner).into_val(env),
+            sub_invokes: &[],
+        },
+    }]);
+    utils::rbac::RoleBasedAccessControlClient::new(env, contract).grant_role(owner, &role, owner);
+}
+

package/contracts/oapps/counter/src/tests/test_counter.rs

@@ -88,17 +88,20 @@ fn setup<'a>() -> TestSetup<'a> {
 }
 
 fn setup_mock_peer(env: &Env, owner: &Address, counter: &CounterClient<'_>, dst_eid: u32) -> BytesN<32> {
+    super::grant_oapp_admin(env, &counter.address, owner);
+
     let peer = BytesN::from_array(env, &[1u8; 32]);
+    let peer_option = Some(peer.clone());
     env.mock_auths(&[MockAuth {
         address: owner,
         invoke: &MockAuthInvoke {
             contract: &counter.address,
             fn_name: "set_peer",
-            args: (&dst_eid, &Some(peer.clone())).into_val(env),
+            args: (&dst_eid, &peer_option, owner).into_val(env),
             sub_invokes: &[],
         },
     }]);
-    counter.set_peer(&dst_eid, &Some(peer.clone()));
+    counter.set_peer(&dst_eid, &peer_option, owner);
     peer
 }
 

package/contracts/oapps/oapp/src/oapp_core.rs

@@ -1,8 +1,15 @@
 use crate::{errors::OAppError, oapp_receiver::RECEIVER_VERSION, oapp_sender::SENDER_VERSION};
-use common_macros::{contract_trait, only_auth, storage};
+use common_macros::{contract_trait, only_role, storage};
 use endpoint_v2::LayerZeroEndpointV2Client;
 use soroban_sdk::{contractevent, Address, BytesN, Env};
-use utils::{option_ext::OptionExt, ownable::{Ownable, OwnableInitializer}};
+use utils::{
+    option_ext::OptionExt,
+    ownable::{Ownable, OwnableInitializer},
+    rbac::RoleBasedAccessControl,
+};
+
+/// Role for OApp administrative actions (set_peer, set_delegate, set_enforced_options).
+pub const OAPP_ADMIN_ROLE: &str = "OAPP_ADMIN_ROLE";
 
 // =====================================================
 // OAppCore Storage and Events
@@ -31,7 +38,7 @@ pub struct PeerSet {
 // =====================================================
 
 #[contract_trait]
-pub trait OAppCore: Ownable {
+pub trait OAppCore: Ownable + RoleBasedAccessControl {
     /// Retrieves the OApp version information.
     ///
     /// # Returns
@@ -66,8 +73,14 @@ pub trait OAppCore: Ownable {
     /// # Arguments
     /// * `eid` - The endpoint ID
     /// * `peer` - The address of the peer to be associated with the corresponding endpoint, or None to remove the peer
-    #[only_auth]
-    fn set_peer(env: &soroban_sdk::Env, eid: u32, peer: &Option<soroban_sdk::BytesN<32>>) {
+    /// * `operator` - The address that must have OAPP_ADMIN_ROLE
+    #[only_role(operator, OAPP_ADMIN_ROLE)]
+    fn set_peer(
+        env: &soroban_sdk::Env,
+        eid: u32,
+        peer: &Option<soroban_sdk::BytesN<32>>,
+        operator: &soroban_sdk::Address,
+    ) {
         OAppCoreStorage::set_or_remove_peer(env, eid, peer);
         PeerSet { eid, peer: peer.clone() }.publish(env);
     }
@@ -76,8 +89,9 @@ pub trait OAppCore: Ownable {
     ///
     /// # Arguments
     /// * `delegate` - The address of the delegate to be set, or None to remove the delegate
-    #[only_auth]
-    fn set_delegate(env: &soroban_sdk::Env, delegate: &Option<soroban_sdk::Address>) {
+    /// * `operator` - The address that must have OAPP_ADMIN_ROLE
+    #[only_role(operator, OAPP_ADMIN_ROLE)]
+    fn set_delegate(env: &soroban_sdk::Env, delegate: &Option<soroban_sdk::Address>, operator: &soroban_sdk::Address) {
         endpoint_client::<Self>(env).set_delegate(&env.current_contract_address(), delegate);
     }
 }
@@ -96,7 +110,7 @@ pub trait OAppCore: Ownable {
 /// * `owner` - The address that will own this OApp
 /// * `endpoint` - The LayerZero endpoint address to associate with this OApp
 /// * `delegate` - The delegate address to set on the endpoint for this OApp
-pub fn initialize_oapp<T: OAppCore + OwnableInitializer>(
+pub fn init_ownable_oapp<T: OAppCore + OwnableInitializer>(
     env: &Env,
     owner: &Address,
     endpoint: &Address,

package/contracts/oapps/oapp/src/oapp_options_type3.rs

@@ -1,7 +1,7 @@
-use crate::{self as oapp, errors::OAppError};
-use common_macros::{contract_trait, only_auth, storage};
+use crate::{self as oapp, errors::OAppError, oapp_core::OAPP_ADMIN_ROLE};
+use common_macros::{contract_trait, only_role, storage};
 use soroban_sdk::{assert_with_error, contractevent, contracttype, panic_with_error, Bytes, Env, Vec};
-use utils::{auth::Auth, buffer_reader::BufferReader};
+use utils::{buffer_reader::BufferReader, rbac::RoleBasedAccessControl};
 
 pub const OPTION_TYPE3: u16 = 3;
 
@@ -30,7 +30,7 @@ pub struct EnforcedOptionSet {
 // =========================================================================
 
 #[contract_trait]
-pub trait OAppOptionsType3: Auth {
+pub trait OAppOptionsType3: RoleBasedAccessControl {
     /// Retrieves the enforced options for a given endpoint and message type.
     ///
     /// # Arguments
@@ -53,10 +53,12 @@ pub trait OAppOptionsType3: Auth {
     ///
     /// # Arguments
     /// * `options` - A vector of EnforcedOptionParam structures specifying enforced options
-    #[only_auth]
+    /// * `operator` - The address that must have OAPP_ADMIN_ROLE
+    #[only_role(operator, OAPP_ADMIN_ROLE)]
     fn set_enforced_options(
         env: &soroban_sdk::Env,
         options: &soroban_sdk::Vec<oapp::oapp_options_type3::EnforcedOptionParam>,
+        operator: &soroban_sdk::Address,
     ) {
         for param in options {
             if let Some(ref opts) = param.options {

package/contracts/oapps/oapp/src/tests/mod.rs

@@ -3,3 +3,24 @@ mod oapp_options_type3;
 mod oapp_receiver;
 mod oapp_sender;
 mod test_macros;
+
+use crate::oapp_core::OAPP_ADMIN_ROLE;
+use soroban_sdk::{
+    testutils::{MockAuth, MockAuthInvoke},
+    Address, Env, IntoVal, Symbol,
+};
+
+/// Grants `OAPP_ADMIN_ROLE` to `owner` via the public `grant_role` interface.
+pub(super) fn grant_oapp_admin(env: &Env, contract: &Address, owner: &Address) {
+    let role = Symbol::new(env, OAPP_ADMIN_ROLE);
+    env.mock_auths(&[MockAuth {
+        address: owner,
+        invoke: &MockAuthInvoke {
+            contract,
+            fn_name: "grant_role",
+            args: (owner, &role, owner).into_val(env),
+            sub_invokes: &[],
+        },
+    }]);
+    utils::rbac::RoleBasedAccessControlClient::new(env, contract).grant_role(owner, &role, owner);
+}

package/contracts/oapps/oapp/src/tests/oapp_core.rs

@@ -32,6 +32,7 @@ impl DummyEndpoint {
 }
 
 #[oapp_macros::oapp]
+#[common_macros::lz_contract]
 pub struct DummyOApp;
 
 impl LzReceiveInternal for DummyOApp {
@@ -51,7 +52,7 @@ impl LzReceiveInternal for DummyOApp {
 #[contractimpl]
 impl DummyOApp {
     pub fn __constructor(env: &Env, owner: &Address, endpoint: &Address) {
-        oapp::oapp_core::initialize_oapp::<Self>(env, owner, endpoint, owner);
+        oapp::oapp_core::init_ownable_oapp::<Self>(env, owner, endpoint, owner);
     }
 }
 
@@ -75,6 +76,8 @@ fn setup<'a>() -> TestSetup<'a> {
     let oapp = env.register(DummyOApp, (&owner, &endpoint));
     soroban_sdk::log!(&env, "oapp: {}", oapp);
     let oapp_client = DummyOAppClient::new(&env, &oapp);
+    super::grant_oapp_admin(&env, &oapp, &owner);
+
     TestSetup { env, owner, endpoint, oapp_client }
 }
 
@@ -90,11 +93,11 @@ fn set_peer_with_auth(
         invoke: &MockAuthInvoke {
             contract: &oapp_client.address,
             fn_name: "set_peer",
-            args: (&eid, peer).into_val(env),
+            args: (&eid, peer, signer).into_val(env),
             sub_invokes: &[],
         },
     }]);
-    oapp_client.set_peer(&eid, peer);
+    oapp_client.set_peer(&eid, peer, signer);
 }
 
 fn set_delegate_with_auth(env: &Env, signer: &Address, oapp_client: &DummyOAppClient<'_>, delegate: &Option<Address>) {
@@ -103,11 +106,11 @@ fn set_delegate_with_auth(env: &Env, signer: &Address, oapp_client: &DummyOAppCl
         invoke: &MockAuthInvoke {
             contract: &oapp_client.address,
             fn_name: "set_delegate",
-            args: (delegate,).into_val(env),
+            args: (delegate, signer).into_val(env),
             sub_invokes: &[],
         },
     }]);
-    oapp_client.set_delegate(delegate);
+    oapp_client.set_delegate(delegate, signer);
 }
 
 #[test]
@@ -166,14 +169,14 @@ fn test_peer_lifecycle_set_get_update_remove_and_events() {
 #[test]
 #[should_panic(expected = "HostError: Error(Auth, InvalidAction)")]
 fn test_set_peer_unauthorized() {
-    let TestSetup { env, oapp_client, .. } = setup();
+    let TestSetup { env, owner, oapp_client, .. } = setup();
 
     let test_peer: BytesN<32> = BytesN::from_array(&env, &[33; 32]);
-    oapp_client.set_peer(&REMOTE_EID, &Some(test_peer));
+    oapp_client.set_peer(&REMOTE_EID, &Some(test_peer), &owner);
 }
 
 #[test]
-#[should_panic(expected = "HostError: Error(Auth, InvalidAction)")]
+#[should_panic(expected = "Error(Contract, #1086)")] // RbacError::Unauthorized
 fn test_set_peer_non_owner_authorized() {
     let TestSetup { env, owner, oapp_client, .. } = setup();
     let non_owner = Address::generate(&env);
@@ -204,14 +207,14 @@ fn test_set_delegate_updates_and_clears_endpoint_delegate() {
 #[test]
 #[should_panic(expected = "HostError: Error(Auth, InvalidAction)")]
 fn test_set_delegate_unauthorized() {
-    let TestSetup { env, oapp_client, .. } = setup();
+    let TestSetup { env, owner, oapp_client, .. } = setup();
 
     let delegate = Address::generate(&env);
-    oapp_client.set_delegate(&Some(delegate));
+    oapp_client.set_delegate(&Some(delegate), &owner);
 }
 
 #[test]
-#[should_panic(expected = "HostError: Error(Auth, InvalidAction)")]
+#[should_panic(expected = "Error(Contract, #1086)")] // RbacError::Unauthorized
 fn test_set_delegate_non_owner_authorized() {
     let TestSetup { env, owner, oapp_client, .. } = setup();
     let non_owner = Address::generate(&env);

package/contracts/oapps/oapp/src/tests/oapp_options_type3.rs

@@ -30,8 +30,12 @@ impl DummyEndpoint {
 }
 
 #[oapp_macros::oapp(custom = [core, sender, receiver])]
+#[common_macros::lz_contract]
 pub struct DummyOAppOptionsType3;
 
+#[contract_impl(contracttrait)]
+impl utils::rbac::RoleBasedAccessControl for DummyOAppOptionsType3 {}
+
 #[contract_impl(contracttrait)]
 impl OAppCore for DummyOAppOptionsType3 {}
 
@@ -55,7 +59,7 @@ impl OAppReceiver for DummyOAppOptionsType3 {}
 #[contract_impl]
 impl DummyOAppOptionsType3 {
     pub fn __constructor(env: &Env, owner: &Address, endpoint: &Address, delegate: &Address) {
-        oapp::oapp_core::initialize_oapp::<Self>(env, owner, endpoint, delegate);
+        oapp::oapp_core::init_ownable_oapp::<Self>(env, owner, endpoint, delegate);
     }
 }
 
@@ -73,6 +77,7 @@ fn setup<'a>() -> TestSetup<'a> {
     let delegate = owner.clone();
     let oapp = env.register(DummyOAppOptionsType3, (&owner, &endpoint, &delegate));
     let oapp_client = DummyOAppOptionsType3Client::new(&env, &oapp);
+    super::grant_oapp_admin(&env, &oapp, &owner);
 
     TestSetup { env, owner, oapp_client }
 }
@@ -94,11 +99,11 @@ fn set_enforced_options_with_auth(
         invoke: &MockAuthInvoke {
             contract: &oapp_client.address,
             fn_name: "set_enforced_options",
-            args: (enforced_params,).into_val(env),
+            args: (enforced_params, signer).into_val(env),
             sub_invokes: &[],
         },
     }]);
-    oapp_client.set_enforced_options(enforced_params);
+    oapp_client.set_enforced_options(enforced_params, signer);
 }
 
 #[test]
@@ -164,16 +169,16 @@ fn test_combine_options() {
 #[test]
 #[should_panic(expected = "HostError: Error(Auth, InvalidAction)")]
 fn test_set_enforced_options_unauthorized() {
-    let TestSetup { env, oapp_client, .. } = setup();
+    let TestSetup { env, owner, oapp_client, .. } = setup();
 
     let options = create_valid_options(&env, &[1, 2, 3, 4]);
     let enforced_params =
         vec![&env, EnforcedOptionParam { eid: REMOTE_EID_1, msg_type: MSG_TYPE_SEND, options: Some(options.clone()) }];
-    oapp_client.set_enforced_options(&enforced_params);
+    oapp_client.set_enforced_options(&enforced_params, &owner);
 }
 
 #[test]
-#[should_panic(expected = "HostError: Error(Auth, InvalidAction)")]
+#[should_panic(expected = "Error(Contract, #1086)")] // RbacError::Unauthorized
 fn test_set_enforced_options_non_owner_authorized() {
     let TestSetup { env, owner, oapp_client, .. } = setup();
     let non_owner = Address::generate(&env);
@@ -202,11 +207,11 @@ fn test_set_enforced_options_invalid_options_returns_error() {
         invoke: &MockAuthInvoke {
             contract: &oapp_client.address,
             fn_name: "set_enforced_options",
-            args: (&enforced_params,).into_val(&env),
+            args: (&enforced_params, &owner).into_val(&env),
             sub_invokes: &[],
         },
     }]);
-    let result = oapp_client.try_set_enforced_options(&enforced_params);
+    let result = oapp_client.try_set_enforced_options(&enforced_params, &owner);
     assert_eq!(result.err().unwrap().ok().unwrap(), OAppError::InvalidOptions.into());
 }
 
@@ -215,7 +220,8 @@ fn test_combine_options_extra_invalid_type_returns_error_when_enforced_present()
     let TestSetup { env, owner, oapp_client, .. } = setup();
 
     let enforced = create_valid_options(&env, &[1, 2, 3]);
-    let params = vec![&env, EnforcedOptionParam { eid: REMOTE_EID_1, msg_type: MSG_TYPE_SEND, options: Some(enforced) }];
+    let params =
+        vec![&env, EnforcedOptionParam { eid: REMOTE_EID_1, msg_type: MSG_TYPE_SEND, options: Some(enforced) }];
     set_enforced_options_with_auth(&env, &owner, &oapp_client, &params);
 
     // extra has wrong option type (not 3) but len >= 2 -> validated and should panic
@@ -230,7 +236,8 @@ fn test_combine_options_extra_too_short_returns_error_when_enforced_present() {
     let TestSetup { env, owner, oapp_client, .. } = setup();
 
     let enforced = create_valid_options(&env, &[1, 2, 3]);
-    let params = vec![&env, EnforcedOptionParam { eid: REMOTE_EID_1, msg_type: MSG_TYPE_SEND, options: Some(enforced) }];
+    let params =
+        vec![&env, EnforcedOptionParam { eid: REMOTE_EID_1, msg_type: MSG_TYPE_SEND, options: Some(enforced) }];
     set_enforced_options_with_auth(&env, &owner, &oapp_client, &params);
 
     // extra is non-empty but len < 2 -> should panic

package/contracts/oapps/oapp/src/tests/oapp_receiver.rs

@@ -8,6 +8,7 @@ use soroban_sdk::{
 };
 
 #[oapp_macros::oapp]
+#[common_macros::lz_contract]
 pub struct DummyOAppReceiver;
 
 impl LzReceiveInternal for DummyOAppReceiver {
@@ -27,7 +28,7 @@ impl LzReceiveInternal for DummyOAppReceiver {
 #[contractimpl]
 impl DummyOAppReceiver {
     pub fn __constructor(env: &Env, owner: &Address, endpoint: &Address) {
-        oapp::oapp_core::initialize_oapp::<Self>(env, owner, endpoint, owner);
+        oapp::oapp_core::init_ownable_oapp::<Self>(env, owner, endpoint, owner);
     }
 }
 
@@ -95,6 +96,8 @@ fn setup<'a>() -> TestSetup<'a> {
     let endpoint = env.register(MockEndpoint, (&native_token,));
     let oapp = env.register(DummyOAppReceiver, (&owner, &endpoint));
     let oapp_client = DummyOAppReceiverClient::new(&env, &oapp);
+    super::grant_oapp_admin(&env, &oapp, &owner);
+
     TestSetup { env, owner, endpoint, token_admin, native_token, native_token_admin_client, oapp_client }
 }
 
@@ -105,11 +108,11 @@ fn set_peer(env: &Env, owner: &Address, oapp_client: &DummyOAppReceiverClient<'_
         invoke: &MockAuthInvoke {
             contract: &oapp_client.address,
             fn_name: "set_peer",
-            args: (&eid, &peer_option).into_val(env),
+            args: (&eid, &peer_option, owner).into_val(env),
             sub_invokes: &[],
         },
     }]);
-    oapp_client.set_peer(&eid, &peer_option);
+    oapp_client.set_peer(&eid, &peer_option, owner);
 }
 
 fn lz_receive(

package/contracts/oapps/oapp/src/tests/oapp_sender.rs

@@ -64,6 +64,7 @@ impl MockEndpoint {
 }
 
 #[oapp_macros::oapp]
+#[common_macros::lz_contract]
 pub struct DummyOAppSender;
 
 impl LzReceiveInternal for DummyOAppSender {
@@ -83,7 +84,7 @@ impl LzReceiveInternal for DummyOAppSender {
 #[contractimpl]
 impl DummyOAppSender {
     pub fn __constructor(env: &Env, owner: &Address, endpoint: &Address) {
-        oapp::oapp_core::initialize_oapp::<Self>(env, owner, endpoint, owner);
+        oapp::oapp_core::init_ownable_oapp::<Self>(env, owner, endpoint, owner);
     }
 
     pub fn quote(env: &Env, dst_eid: u32, message: &Bytes, options: &Bytes, pay_in_zro: bool) -> MessagingFee {
@@ -152,6 +153,7 @@ fn setup<'a>() -> TestSetup<'a> {
     // Deploy OApp
     let oapp = env.register(DummyOAppSender, (&owner, &endpoint));
     let oapp_client = DummyOAppSenderClient::new(&env, &oapp);
+    super::grant_oapp_admin(&env, &oapp, &owner);
 
     TestSetup {
         env,
@@ -180,11 +182,11 @@ fn set_peer_with_auth(
         invoke: &MockAuthInvoke {
             contract: &oapp_client.address,
             fn_name: "set_peer",
-            args: (&eid, &peer_option).into_val(env),
+            args: (&eid, &peer_option, owner).into_val(env),
             sub_invokes: &[],
         },
     }]);
-    oapp_client.set_peer(&eid, &peer_option);
+    oapp_client.set_peer(&eid, &peer_option, owner);
 }
 
 fn mint_to(

package/contracts/oapps/oapp/src/tests/test_macros.rs

@@ -10,6 +10,7 @@ mod test_full_default {
     use soroban_sdk::{Address, Bytes, BytesN, Env};
 
     #[oapp]
+    #[common_macros::lz_contract]
     struct TestFullDefault;
 
     impl LzReceiveInternal for TestFullDefault {
@@ -40,8 +41,12 @@ mod test_full_manual_core {
     use soroban_sdk::{contractimpl, Address, Bytes, BytesN, Env};
 
     #[oapp(custom = [core])]
+    #[common_macros::lz_contract]
     struct TestFullManualCore;
 
+    #[soroban_sdk::contractimpl(contracttrait)]
+    impl utils::rbac::RoleBasedAccessControl for TestFullManualCore {}
+
     #[contractimpl(contracttrait)]
     impl OAppCore for TestFullManualCore {
         fn oapp_version(_env: &Env) -> (u64, u64) {
@@ -77,6 +82,7 @@ mod test_full_manual_sender {
     use soroban_sdk::{Address, Bytes, BytesN, Env};
 
     #[oapp(custom = [sender])]
+    #[common_macros::lz_contract]
     struct TestFullManualSender;
 
     impl OAppSenderInternal for TestFullManualSender {
@@ -110,6 +116,7 @@ mod test_full_manual_receiver {
     use soroban_sdk::{contractimpl, Address, Bytes, BytesN, Env};
 
     #[oapp(custom = [receiver])]
+    #[common_macros::lz_contract]
     struct TestFullManualReceiver;
 
     impl LzReceiveInternal for TestFullManualReceiver {
@@ -155,6 +162,7 @@ mod test_full_manual_options {
     use soroban_sdk::{contractimpl, Address, Bytes, BytesN, Env};
 
     #[oapp(custom = [options_type3])]
+    #[common_macros::lz_contract]
     struct TestFullManualOptions;
 
     impl LzReceiveInternal for TestFullManualOptions {
@@ -189,8 +197,12 @@ mod test_full_manual_core_sender {
     use soroban_sdk::{contractimpl, Address, Bytes, BytesN, Env};
 
     #[oapp(custom = [core, sender])]
+    #[common_macros::lz_contract]
     struct TestFullManualCoreSender;
 
+    #[soroban_sdk::contractimpl(contracttrait)]
+    impl utils::rbac::RoleBasedAccessControl for TestFullManualCoreSender {}
+
     #[contractimpl(contracttrait)]
     impl OAppCore for TestFullManualCoreSender {
         fn oapp_version(_env: &Env) -> (u64, u64) {
@@ -232,8 +244,12 @@ mod test_full_manual_core_receiver {
     use soroban_sdk::{contractimpl, Address, Bytes, BytesN, Env};
 
     #[oapp(custom = [core, receiver])]
+    #[common_macros::lz_contract]
     struct TestFullManualCoreReceiver;
 
+    #[soroban_sdk::contractimpl(contracttrait)]
+    impl utils::rbac::RoleBasedAccessControl for TestFullManualCoreReceiver {}
+
     #[contractimpl(contracttrait)]
     impl OAppCore for TestFullManualCoreReceiver {
         fn oapp_version(_env: &Env) -> (u64, u64) {
@@ -274,6 +290,7 @@ mod test_full_manual_sender_receiver {
     use soroban_sdk::{contractimpl, Address, Bytes, BytesN, Env};
 
     #[oapp(custom = [sender, receiver])]
+    #[common_macros::lz_contract]
     struct TestFullManualSenderReceiver;
 
     impl OAppSenderInternal for TestFullManualSenderReceiver {
@@ -314,8 +331,12 @@ mod test_full_manual_all_except_options {
     use soroban_sdk::{contractimpl, Address, Bytes, BytesN, Env};
 
     #[oapp(custom = [core, sender, receiver])]
+    #[common_macros::lz_contract]
     struct TestFullManualAllExceptOptions;
 
+    #[soroban_sdk::contractimpl(contracttrait)]
+    impl utils::rbac::RoleBasedAccessControl for TestFullManualAllExceptOptions {}
+
     #[contractimpl(contracttrait)]
     impl OAppCore for TestFullManualAllExceptOptions {
         fn oapp_version(_env: &Env) -> (u64, u64) {
@@ -362,8 +383,12 @@ mod test_full_manual_all {
     use soroban_sdk::{contractimpl, Address, Bytes, BytesN, Env};
 
     #[oapp(custom = [core, sender, receiver, options_type3])]
+    #[common_macros::lz_contract]
     struct TestFullManualAll;
 
+    #[soroban_sdk::contractimpl(contracttrait)]
+    impl utils::rbac::RoleBasedAccessControl for TestFullManualAll {}
+
     #[contractimpl(contracttrait)]
     impl OAppCore for TestFullManualAll {
         fn oapp_version(_env: &Env) -> (u64, u64) {