npm - @lazy-sol/access-control-upgradeable - Versions diffs - 1.0.6 → 1.1.0 - Mend

@lazy-sol/access-control-upgradeable 1.0.6 → 1.1.0

Files changed (12) hide show

package/CHANGELOG.md +37 -0
package/contracts/InitializableAccessControl.sol +10 -273
package/contracts/InitializableAccessControlCore.sol +404 -0
package/contracts/UpgradeableAccessControl.sol +5 -22
package/contracts/UpgradeableAccessControlCore.sol +88 -0
package/contracts/mocks/UpgradeableAccessControlMocks.sol +7 -1
package/hardhat.config.js +1 -1
package/index.js +4 -0
package/package.json +10 -7
package/test/include/rbac.behaviour.js +20 -5
package/test/rbac_modifier.js +1 -1
package/test/rbac_upgradeable.js +2 -5

package/CHANGELOG.md ADDED Viewed

@@ -0,0 +1,37 @@
+v1.1.0: Contact Size Optimizations
+- __Breaking Change:__ Solidity 0.8.4 is now required to compile the contracts (previously was 0.8.2).
+- Replaced "access denied" error with string literal (0.4.22) with the custom error AccessDenied() (0.8.4)
+- Introduced lighter modification of the "AccessControl" RBAC contract – "AccessControlCore" (RBAC-C).
+  The 'core' version of the RBAC contract hides three rarely used external functions from the public ABI,
+  making them internal and thus reducing the overall compiled implementation size.
+  | old name             | old modifier | new name              | new modifier |
+  |----------------------|--------------|-----------------------|--------------|
+  | `isFeatureEnabled()` | `public`     | `isFeatureEnabled()`  | `internal`   |
+  | `isSenderInRole()`   | `public`     | `_isSenderInRole()`   | `internal`   |
+  | `isOperatorInRole()` | `public`     | `_isOperatorInRole()` | `internal`   |
+- Added `_requireSenderInRole()` and `_requireAccessCondition()` internal functions for a convenient and gas-efficient
+  way of checking the access permissions and throwing the AccessDenied() error.
+- Added the CHANGELOG (this file)
+v1.0.7:
+- Exported the RBAC behavior
+v1.0.6:
+- Updated the documentation
+v1.0.5:
+- Exported RBAC JavaScript constants and functions
+v1.0.4:
+- Fixed broken dependencies
+- Upgraded npm libraries
+- Added Sepolia network support
+v1.0.3:
+- Allowed lower versions of Hardhat to be used
+v1.0.2:
+- Optimized npm dependencies

package/contracts/InitializableAccessControl.sol CHANGED Viewed

@@ -1,10 +1,10 @@
 // SPDX-License-Identifier: MIT
-pragma solidity ^0.8.2;
+pragma solidity >=0.8.4; // custom errors (0.8.4)
-import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
+import "./InitializableAccessControlCore.sol";
 /**
- * @title Initializable Role-based Access Control (RBAC)
+ * @title Initializable Role-based Access Control (I-RBAC)
  *
  * @notice Access control smart contract provides an API to check
  *      if a specific operation is permitted globally and/or
@@ -60,235 +60,7 @@ import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
  *
  * @author Basil Gorin
  */
-abstract contract InitializableAccessControl is Initializable {
-	/**
-	 * @dev Privileged addresses with defined roles/permissions
-	 * @dev In the context of ERC20/ERC721 tokens these can be permissions to
-	 *      allow minting or burning tokens, transferring on behalf and so on
-	 *
-	 * @dev Maps user address to the permissions bitmask (role), where each bit
-	 *      represents a permission
-	 * @dev Bitmask 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
-	 *      represents all possible permissions
-	 * @dev 'This' address mapping represents global features of the smart contract
-	 *
-	 * @dev We keep the mapping private to prevent direct writes to it from the inheriting
-	 *      contracts, `getRole()` and `updateRole()` functions should be used instead
-	 */
-	mapping(address => uint256) private userRoles;
-	/**
-	 * @dev Empty reserved space in storage. The size of the __gap array is calculated so that
-	 *      the amount of storage used by a contract always adds up to the 50.
-	 *      See https://docs.openzeppelin.com/contracts/4.x/upgradeable#storage_gaps
-	 */
-	uint256[49] private __gap;
-	/**
-	 * @notice Access manager is responsible for assigning the roles to users,
-	 *      enabling/disabling global features of the smart contract
-	 * @notice Access manager can add, remove and update user roles,
-	 *      remove and update global features
-	 *
-	 * @dev Role ROLE_ACCESS_MANAGER allows modifying user roles and global features
-	 * @dev Role ROLE_ACCESS_MANAGER has single bit at position 255 enabled
-	 */
-	uint256 public constant ROLE_ACCESS_MANAGER = 0x8000000000000000000000000000000000000000000000000000000000000000;
-	/**
-	 * @notice Upgrade manager is responsible for smart contract upgrades,
-	 *      see https://docs.openzeppelin.com/contracts/4.x/api/proxy#UUPSUpgradeable
-	 *      see https://docs.openzeppelin.com/contracts/4.x/upgradeable
-	 *
-	 * @dev Role ROLE_UPGRADE_MANAGER allows passing the _authorizeUpgrade() check
-	 * @dev Role ROLE_UPGRADE_MANAGER has single bit at position 254 enabled
-	 */
-	uint256 public constant ROLE_UPGRADE_MANAGER = 0x4000000000000000000000000000000000000000000000000000000000000000;
-	/**
-	 * @dev Bitmask representing all the possible permissions (super admin role)
-	 * @dev Has all the bits are enabled (2^256 - 1 value)
-	 */
-	uint256 internal constant FULL_PRIVILEGES_MASK = type(uint256).max; // before 0.8.0: uint256(-1) overflows to 0xFFFF...
-	/**
-	 * @dev Fired in updateRole() and updateFeatures()
-	 *
-	 * @param operator address which was granted/revoked permissions
-	 * @param requested permissions requested
-	 * @param assigned permissions effectively set
-	 */
-	event RoleUpdated(address indexed operator, uint256 requested, uint256 assigned);
-	/**
-	 * @notice Function modifier making a function defined as public behave as restricted
-	 *      (so that only a pre-configured set of accounts can execute it)
-	 *
-	 * @param role the role transaction executor is required to have;
-	 *      the function throws an "access denied" exception if this condition is not met
-	 */
-	modifier restrictedTo(uint256 role) {
-		// verify the access permission
-		require(isSenderInRole(role), "access denied");
-		// execute the rest of the function
-		_;
-	}
-	/**
-	 * @dev Creates/deploys the RBAC implementation to be used in a proxy
-	 *
-	 * @dev Note:
-	 *      the implementation is already initialized and
-	 *      `_postConstruct` is not executable on the implementation
-	 *      `_postConstruct` is still available in the context of a proxy
-	 *      and should be executed on the proxy deployment (in the same tx)
-	 */
-	constructor() initializer {}
-	/**
-	 * @dev Contract initializer, sets the contract owner to have full privileges
-	 *
-	 * @dev Can be executed only once, reverts when executed second time
-	 *
-	 * @dev IMPORTANT:
-	 *      this function SHOULD be executed during proxy deployment (in the same transaction)
-	 *
-	 * @param _owner smart contract owner having full privileges, can be zero
-	 * @param _features initial features mask of the contract, can be zero
-	 */
-	function _postConstruct(address _owner, uint256 _features) internal virtual onlyInitializing {
-		// grant owner full privileges
-		__setRole(_owner, FULL_PRIVILEGES_MASK, FULL_PRIVILEGES_MASK);
-		// update initial features bitmask
-		__setRole(address(this), _features, _features);
-	}
-	/**
-	 * @dev Highest version that has been initialized.
-	 *      Non-zero value means contract was already initialized.
-	 * @dev see {Initializable}, {reinitializer}.
-	 *
-	 * @return highest version that has been initialized
-	 */
-	function getInitializedVersion() public view returns(uint64) {
-		// delegate to `_getInitializedVersion`
-		return _getInitializedVersion();
-	}
-	/**
-	 * @notice Retrieves globally set of features enabled
-	 *
-	 * @dev Effectively reads userRoles role for the contract itself
-	 *
-	 * @return 256-bit bitmask of the features enabled
-	 */
-	function features() public view returns (uint256) {
-		// features are stored in 'this' address mapping of `userRoles`
-		return getRole(address(this));
-	}
-	/**
-	 * @notice Updates set of the globally enabled features (`features`),
-	 *      taking into account sender's permissions
-	 *
-	 * @dev Requires transaction sender to have `ROLE_ACCESS_MANAGER` permission
-	 * @dev Function is left for backward compatibility with older versions
-	 *
-	 * @param _mask bitmask representing a set of features to enable/disable
-	 */
-	function updateFeatures(uint256 _mask) public {
-		// delegate call to `updateRole`
-		updateRole(address(this), _mask);
-	}
-	/**
-	 * @notice Reads the permissions (role) for a given user from the `userRoles` mapping
-	 *      (privileged addresses with defined roles/permissions)
-	 * @notice In the context of ERC20/ERC721 tokens these can be permissions to
-	 *      allow minting or burning tokens, transferring on behalf and so on
-	 *
-	 * @dev Having a simple getter instead of making the mapping public
-	 *      allows enforcing the encapsulation of the mapping and protects from
-	 *      writing to it directly in the inheriting smart contracts
-	 *
-	 * @param operator address of a user to read permissions for,
-	 *      or self address to read global features of the smart contract
-	 */
-	function getRole(address operator) public view returns(uint256) {
-		// read the value from `userRoles` and return
-		return userRoles[operator];
-	}
-	/**
-	 * @notice Updates set of permissions (role) for a given user,
-	 *      taking into account sender's permissions.
-	 *
-	 * @dev Setting role to zero is equivalent to removing an all permissions
-	 * @dev Setting role to `FULL_PRIVILEGES_MASK` is equivalent to
-	 *      copying senders' permissions (role) to the user
-	 * @dev Requires transaction sender to have `ROLE_ACCESS_MANAGER` permission
-	 *
-	 * @param operator address of a user to alter permissions for,
-	 *       or self address to alter global features of the smart contract
-	 * @param role bitmask representing a set of permissions to
-	 *      enable/disable for a user specified
-	 */
-	function updateRole(address operator, uint256 role) public {
-		// caller must have a permission to update user roles
-		require(isSenderInRole(ROLE_ACCESS_MANAGER), "access denied");
-		// evaluate the role and reassign it
-		__setRole(operator, role, _evaluateBy(msg.sender, getRole(operator), role));
-	}
-	/**
-	 * @notice Determines the permission bitmask an operator can set on the
-	 *      target permission set
-	 * @notice Used to calculate the permission bitmask to be set when requested
-	 *     in `updateRole` and `updateFeatures` functions
-	 *
-	 * @dev Calculated based on:
-	 *      1) operator's own permission set read from userRoles[operator]
-	 *      2) target permission set - what is already set on the target
-	 *      3) desired permission set - what do we want set target to
-	 *
-	 * @dev Corner cases:
-	 *      1) Operator is super admin and its permission set is `FULL_PRIVILEGES_MASK`:
-	 *        `desired` bitset is returned regardless of the `target` permission set value
-	 *        (what operator sets is what they get)
-	 *      2) Operator with no permissions (zero bitset):
-	 *        `target` bitset is returned regardless of the `desired` value
-	 *        (operator has no authority and cannot modify anything)
-	 *
-	 * @dev Example:
-	 *      Consider an operator with the permissions bitmask     00001111
-	 *      is about to modify the target permission set          01010101
-	 *      Operator wants to set that permission set to          00110011
-	 *      Based on their role, an operator has the permissions
-	 *      to update only lowest 4 bits on the target, meaning that
-	 *      high 4 bits of the target set in this example is left
-	 *      unchanged and low 4 bits get changed as desired:      01010011
-	 *
-	 * @param operator address of the contract operator which is about to set the permissions
-	 * @param target input set of permissions to operator is going to modify
-	 * @param desired desired set of permissions operator would like to set
-	 * @return resulting set of permissions given operator will set
-	 */
-	function _evaluateBy(address operator, uint256 target, uint256 desired) internal view returns (uint256) {
-		// read operator's permissions
-		uint256 p = getRole(operator);
-		// taking into account operator's permissions,
-		// 1) enable the permissions desired on the `target`
-		target |= p & desired;
-		// 2) disable the permissions desired on the `target`
-		target &= FULL_PRIVILEGES_MASK ^ (p & (FULL_PRIVILEGES_MASK ^ desired));
-		// return calculated result
-		return target;
-	}
+abstract contract InitializableAccessControl is InitializableAccessControlCore {
 	/**
 	 * @notice Checks if requested set of features is enabled globally on the contract
 	 *
@@ -296,8 +68,8 @@ abstract contract InitializableAccessControl is Initializable {
 	 * @return true if all the features requested are enabled, false otherwise
 	 */
 	function isFeatureEnabled(uint256 required) public view returns (bool) {
-		// delegate call to `__hasRole`, passing `features` property
-		return __hasRole(features(), required);
+		// delegate to internal `_isFeatureEnabled`
+		return _isFeatureEnabled(required);
 	}
 	/**
@@ -307,8 +79,8 @@ abstract contract InitializableAccessControl is Initializable {
 	 * @return true if all the permissions requested are enabled, false otherwise
 	 */
 	function isSenderInRole(uint256 required) public view returns (bool) {
-		// delegate call to `isOperatorInRole`, passing transaction sender
-		return isOperatorInRole(msg.sender, required);
+		// delegate to internal `_isSenderInRole`
+		return _isSenderInRole(required);
 	}
 	/**
@@ -319,42 +91,7 @@ abstract contract InitializableAccessControl is Initializable {
 	 * @return true if all the permissions requested are enabled, false otherwise
 	 */
 	function isOperatorInRole(address operator, uint256 required) public view returns (bool) {
-		// delegate call to `__hasRole`, passing operator's permissions (role)
-		return __hasRole(getRole(operator), required);
-	}
-	/**
-	 * @dev Sets the `assignedRole` role to the operator, logs both `requestedRole` and `actualRole`
-	 *
-	 * @dev Unsafe:
-	 *      provides direct write access to `userRoles` mapping without any security checks,
-	 *      doesn't verify the executor (msg.sender) permissions,
-	 *      must be kept private at all times
-	 *
-	 * @param operator address of a user to alter permissions for,
-	 *       or self address to alter global features of the smart contract
-	 * @param requestedRole bitmask representing a set of permissions requested
-	 *      to be enabled/disabled for a user specified, used only to be logged into event
-	 * @param assignedRole bitmask representing a set of permissions to
-	 *      enable/disable for a user specified, used to update the mapping and to be logged into event
-	 */
-	function __setRole(address operator, uint256 requestedRole, uint256 assignedRole) private {
-		// assign the role to the operator
-		userRoles[operator] = assignedRole;
-		// fire an event
-		emit RoleUpdated(operator, requestedRole, assignedRole);
-	}
-	/**
-	 * @dev Checks if role `actual` contains all the permissions required `required`
-	 *
-	 * @param actual existent role
-	 * @param required required role
-	 * @return true if actual has required role (all permissions), false otherwise
-	 */
-	function __hasRole(uint256 actual, uint256 required) private pure returns (bool) {
-		// check the bitmask for the role required and return the result
-		return actual & required == required;
+		// delegate to internal `_isOperatorInRole`
+		return _isOperatorInRole(operator, required);
 	}
 }

package/contracts/InitializableAccessControlCore.sol ADDED Viewed

@@ -0,0 +1,404 @@
+// SPDX-License-Identifier: MIT
+pragma solidity >=0.8.4; // custom errors (0.8.4)
+import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
+/**
+ * @title Initializable Role-based Access Control Core (I-RBAC-C)
+ *
+ * @notice Access control smart contract provides an API to check
+ *      if a specific operation is permitted globally and/or
+ *      if a particular user has a permission to execute it.
+ *
+ * @notice This contract is inherited by other contracts requiring the role-based access control (RBAC)
+ *      protection for the restricted access functions
+ *
+ * @notice It deals with two main entities: features and roles.
+ *
+ * @notice Features are designed to be used to enable/disable public functions
+ *      of the smart contract (used by a wide audience).
+ * @notice User roles are designed to control the access to restricted functions
+ *      of the smart contract (used by a limited set of maintainers).
+ *
+ * @notice Terms "role", "permissions" and "set of permissions" have equal meaning
+ *      in the documentation text and may be used interchangeably.
+ * @notice Terms "permission", "single permission" implies only one permission bit set.
+ *
+ * @notice Access manager is a special role which allows to grant/revoke other roles.
+ *      Access managers can only grant/revoke permissions which they have themselves.
+ *      As an example, access manager with no other roles set can only grant/revoke its own
+ *      access manager permission and nothing else.
+ *
+ * @notice Access manager permission should be treated carefully, as a super admin permission:
+ *      Access manager with even no other permission can interfere with another account by
+ *      granting own access manager permission to it and effectively creating more powerful
+ *      permission set than its own.
+ *
+ * @dev Both current and OpenZeppelin AccessControl implementations feature a similar API
+ *      to check/know "who is allowed to do this thing".
+ * @dev Zeppelin implementation is more flexible:
+ *      - it allows setting unlimited number of roles, while current is limited to 256 different roles
+ *      - it allows setting an admin for each role, while current allows having only one global admin
+ * @dev Current implementation is more lightweight:
+ *      - it uses only 1 bit per role, while Zeppelin uses 256 bits
+ *      - it allows setting up to 256 roles at once, in a single transaction, while Zeppelin allows
+ *        setting only one role in a single transaction
+ *
+ * @dev This smart contract is designed to be inherited by other
+ *      smart contracts which require access control management capabilities.
+ *
+ * @dev Access manager permission has a bit 255 set.
+ *      This bit must not be used by inheriting contracts for any other permissions/features.
+ *
+ * @dev This is an initializable version of the RBAC, based on Zeppelin implementation,
+ *      it can be used for EIP-1167 minimal proxies, for ERC1967 proxies, etc.
+ *      see https://docs.openzeppelin.com/contracts/4.x/api/proxy#Clones
+ *      see https://docs.openzeppelin.com/contracts/4.x/upgradeable
+ *      see https://docs.openzeppelin.com/contracts/4.x/api/proxy#UUPSUpgradeable
+ *      see https://forum.openzeppelin.com/t/uups-proxies-tutorial-solidity-javascript/7786
+ *      see https://eips.ethereum.org/EIPS/eip-1167
+ *
+ * @dev The 'core' version of the RBAC contract hides three rarely used external functions from the public ABI,
+ *      making them internal and thus reducing the overall compiled implementation size.
+ *      isFeatureEnabled() public -> _isFeatureEnabled() internal
+ *      isSenderInRole() public -> _isSenderInRole() internal
+ *      isOperatorInRole() public -> _isOperatorInRole() internal
+ *
+ * @custom:since 1.1.0
+ *
+ * @author Basil Gorin
+ */
+abstract contract InitializableAccessControlCore is Initializable {
+	/**
+	 * @dev Privileged addresses with defined roles/permissions
+	 * @dev In the context of ERC20/ERC721 tokens these can be permissions to
+	 *      allow minting or burning tokens, transferring on behalf and so on
+	 *
+	 * @dev Maps user address to the permissions bitmask (role), where each bit
+	 *      represents a permission
+	 * @dev Bitmask 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+	 *      represents all possible permissions
+	 * @dev 'This' address mapping represents global features of the smart contract
+	 *
+	 * @dev We keep the mapping private to prevent direct writes to it from the inheriting
+	 *      contracts, `getRole()` and `updateRole()` functions should be used instead
+	 */
+	mapping(address => uint256) private userRoles;
+	/**
+	 * @dev Empty reserved space in storage. The size of the __gap array is calculated so that
+	 *      the amount of storage used by a contract always adds up to the 50.
+	 *      See https://docs.openzeppelin.com/contracts/4.x/upgradeable#storage_gaps
+	 */
+	uint256[49] private __gap;
+	/**
+	 * @notice Access manager is responsible for assigning the roles to users,
+	 *      enabling/disabling global features of the smart contract
+	 * @notice Access manager can add, remove and update user roles,
+	 *      remove and update global features
+	 *
+	 * @dev Role ROLE_ACCESS_MANAGER allows modifying user roles and global features
+	 * @dev Role ROLE_ACCESS_MANAGER has single bit at position 255 enabled
+	 */
+	uint256 public constant ROLE_ACCESS_MANAGER = 0x8000000000000000000000000000000000000000000000000000000000000000;
+	/**
+	 * @notice Upgrade manager is responsible for smart contract upgrades,
+	 *      see https://docs.openzeppelin.com/contracts/4.x/api/proxy#UUPSUpgradeable
+	 *      see https://docs.openzeppelin.com/contracts/4.x/upgradeable
+	 *
+	 * @dev Role ROLE_UPGRADE_MANAGER allows passing the _authorizeUpgrade() check
+	 * @dev Role ROLE_UPGRADE_MANAGER has single bit at position 254 enabled
+	 */
+	uint256 public constant ROLE_UPGRADE_MANAGER = 0x4000000000000000000000000000000000000000000000000000000000000000;
+	/**
+	 * @dev Bitmask representing all the possible permissions (super admin role)
+	 * @dev Has all the bits are enabled (2^256 - 1 value)
+	 */
+	uint256 internal constant FULL_PRIVILEGES_MASK = type(uint256).max; // before 0.8.0: uint256(-1) overflows to 0xFFFF...
+	/**
+	 * @notice Thrown when a function is executed by an account that does not have
+	 *      the required access permission(s) (role)
+	 *
+	 * @dev This error is used to enforce role-based access control (RBAC) restrictions
+	 */
+	error AccessDenied();
+	/**
+	 * @dev Fired in updateRole() and updateFeatures()
+	 *
+	 * @param operator address which was granted/revoked permissions
+	 * @param requested permissions requested
+	 * @param assigned permissions effectively set
+	 */
+	event RoleUpdated(address indexed operator, uint256 requested, uint256 assigned);
+	/**
+	 * @notice Function modifier making a function defined as public behave as restricted
+	 *      (so that only a pre-configured set of accounts can execute it)
+	 *
+	 * @param role the role transaction executor is required to have;
+	 *      the function throws an "access denied" exception if this condition is not met
+	 */
+	modifier restrictedTo(uint256 role) {
+		// verify the access permission
+		_requireSenderInRole(role);
+		// execute the rest of the function
+		_;
+	}
+	/**
+	 * @dev Creates/deploys the RBAC implementation to be used in a proxy
+	 *
+	 * @dev Note:
+	 *      the implementation is already initialized and
+	 *      `_postConstruct` is not executable on the implementation
+	 *      `_postConstruct` is still available in the context of a proxy
+	 *      and should be executed on the proxy deployment (in the same tx)
+	 */
+	constructor() initializer {}
+	/**
+	 * @dev Contract initializer, sets the contract owner to have full privileges
+	 *
+	 * @dev Can be executed only once, reverts when executed second time
+	 *
+	 * @dev IMPORTANT:
+	 *      this function SHOULD be executed during proxy deployment (in the same transaction)
+	 *
+	 * @param _owner smart contract owner having full privileges, can be zero
+	 * @param _features initial features mask of the contract, can be zero
+	 */
+	function _postConstruct(address _owner, uint256 _features) internal virtual onlyInitializing {
+		// grant owner full privileges
+		__setRole(_owner, FULL_PRIVILEGES_MASK, FULL_PRIVILEGES_MASK);
+		// update initial features bitmask
+		__setRole(address(this), _features, _features);
+	}
+	/**
+	 * @dev Highest version that has been initialized.
+	 *      Non-zero value means contract was already initialized.
+	 * @dev see {Initializable}, {reinitializer}.
+	 *
+	 * @return highest version that has been initialized
+	 */
+	function getInitializedVersion() public view returns(uint64) {
+		// delegate to `_getInitializedVersion`
+		return _getInitializedVersion();
+	}
+	/**
+	 * @notice Retrieves globally set of features enabled
+	 *
+	 * @dev Effectively reads userRoles role for the contract itself
+	 *
+	 * @return 256-bit bitmask of the features enabled
+	 */
+	function features() public view returns (uint256) {
+		// features are stored in 'this' address mapping of `userRoles`
+		return getRole(address(this));
+	}
+	/**
+	 * @notice Updates set of the globally enabled features (`features`),
+	 *      taking into account sender's permissions
+	 *
+	 * @dev Requires transaction sender to have `ROLE_ACCESS_MANAGER` permission
+	 * @dev Function is left for backward compatibility with older versions
+	 *
+	 * @param _mask bitmask representing a set of features to enable/disable
+	 */
+	function updateFeatures(uint256 _mask) public {
+		// delegate call to `updateRole`
+		updateRole(address(this), _mask);
+	}
+	/**
+	 * @notice Reads the permissions (role) for a given user from the `userRoles` mapping
+	 *      (privileged addresses with defined roles/permissions)
+	 * @notice In the context of ERC20/ERC721 tokens these can be permissions to
+	 *      allow minting or burning tokens, transferring on behalf and so on
+	 *
+	 * @dev Having a simple getter instead of making the mapping public
+	 *      allows enforcing the encapsulation of the mapping and protects from
+	 *      writing to it directly in the inheriting smart contracts
+	 *
+	 * @param operator address of a user to read permissions for,
+	 *      or self address to read global features of the smart contract
+	 */
+	function getRole(address operator) public view returns(uint256) {
+		// read the value from `userRoles` and return
+		return userRoles[operator];
+	}
+	/**
+	 * @notice Updates set of permissions (role) for a given user,
+	 *      taking into account sender's permissions.
+	 *
+	 * @dev Setting role to zero is equivalent to removing an all permissions
+	 * @dev Setting role to `FULL_PRIVILEGES_MASK` is equivalent to
+	 *      copying senders' permissions (role) to the user
+	 * @dev Requires transaction sender to have `ROLE_ACCESS_MANAGER` permission
+	 *
+	 * @param operator address of a user to alter permissions for,
+	 *       or self address to alter global features of the smart contract
+	 * @param role bitmask representing a set of permissions to
+	 *      enable/disable for a user specified
+	 */
+	function updateRole(address operator, uint256 role) public {
+		// caller must have a permission to update user roles
+		_requireSenderInRole(ROLE_ACCESS_MANAGER);
+		// evaluate the role and reassign it
+		__setRole(operator, role, _evaluateBy(msg.sender, getRole(operator), role));
+	}
+	/**
+	 * @notice Determines the permission bitmask an operator can set on the
+	 *      target permission set
+	 * @notice Used to calculate the permission bitmask to be set when requested
+	 *     in `updateRole` and `updateFeatures` functions
+	 *
+	 * @dev Calculated based on:
+	 *      1) operator's own permission set read from userRoles[operator]
+	 *      2) target permission set - what is already set on the target
+	 *      3) desired permission set - what do we want set target to
+	 *
+	 * @dev Corner cases:
+	 *      1) Operator is super admin and its permission set is `FULL_PRIVILEGES_MASK`:
+	 *        `desired` bitset is returned regardless of the `target` permission set value
+	 *        (what operator sets is what they get)
+	 *      2) Operator with no permissions (zero bitset):
+	 *        `target` bitset is returned regardless of the `desired` value
+	 *        (operator has no authority and cannot modify anything)
+	 *
+	 * @dev Example:
+	 *      Consider an operator with the permissions bitmask     00001111
+	 *      is about to modify the target permission set          01010101
+	 *      Operator wants to set that permission set to          00110011
+	 *      Based on their role, an operator has the permissions
+	 *      to update only lowest 4 bits on the target, meaning that
+	 *      high 4 bits of the target set in this example is left
+	 *      unchanged and low 4 bits get changed as desired:      01010011
+	 *
+	 * @param operator address of the contract operator which is about to set the permissions
+	 * @param target input set of permissions to operator is going to modify
+	 * @param desired desired set of permissions operator would like to set
+	 * @return resulting set of permissions given operator will set
+	 */
+	function _evaluateBy(address operator, uint256 target, uint256 desired) internal view returns (uint256) {
+		// read operator's permissions
+		uint256 p = getRole(operator);
+		// taking into account operator's permissions,
+		// 1) enable the permissions desired on the `target`
+		target |= p & desired;
+		// 2) disable the permissions desired on the `target`
+		target &= FULL_PRIVILEGES_MASK ^ (p & (FULL_PRIVILEGES_MASK ^ desired));
+		// return calculated result
+		return target;
+	}
+	/**
+	 * @notice Ensures that the transaction sender has the required access permission(s) (role)
+	 *
+	 * @dev Reverts with an `AccessDenied` error if the sender does not have the required role
+	 *
+	 * @param required the set of permissions (role) that the transaction sender is required to have
+	 */
+	function _requireSenderInRole(uint256 required) internal view {
+		// check if the transaction has the required permission(s),
+		// reverting with the "access denied" error if not
+		_requireAccessCondition(_isSenderInRole(required));
+	}
+	/**
+	 * @notice Ensures that a specific condition is met
+	 *
+	 * @dev Reverts with an `AccessDenied` error if the condition is not met
+	 *
+	 * @param condition the condition that needs to be true for the function to proceed
+	 */
+	function _requireAccessCondition(bool condition) internal pure {
+		// check if the condition holds
+		if(!condition) {
+			// revert with the "access denied" error if not
+			revert AccessDenied();
+		}
+	}
+	/**
+	 * @notice Checks if requested set of features is enabled globally on the contract
+	 *
+	 * @param required set of features to check against
+	 * @return true if all the features requested are enabled, false otherwise
+	 */
+	function _isFeatureEnabled(uint256 required) internal view returns (bool) {
+		// delegate call to `__hasRole`, passing `features` property
+		return __hasRole(features(), required);
+	}
+	/**
+	 * @notice Checks if transaction sender `msg.sender` has all the permissions required
+	 *
+	 * @param required set of permissions (role) to check against
+	 * @return true if all the permissions requested are enabled, false otherwise
+	 */
+	function _isSenderInRole(uint256 required) internal view returns (bool) {
+		// delegate call to `isOperatorInRole`, passing transaction sender
+		return _isOperatorInRole(msg.sender, required);
+	}
+	/**
+	 * @notice Checks if operator has all the permissions (role) required
+	 *
+	 * @param operator address of the user to check role for
+	 * @param required set of permissions (role) to check
+	 * @return true if all the permissions requested are enabled, false otherwise
+	 */
+	function _isOperatorInRole(address operator, uint256 required) internal view returns (bool) {
+		// delegate call to `__hasRole`, passing operator's permissions (role)
+		return __hasRole(getRole(operator), required);
+	}
+	/**
+	 * @dev Sets the `assignedRole` role to the operator, logs both `requestedRole` and `actualRole`
+	 *
+	 * @dev Unsafe:
+	 *      provides direct write access to `userRoles` mapping without any security checks,
+	 *      doesn't verify the executor (msg.sender) permissions,
+	 *      must be kept private at all times
+	 *
+	 * @param operator address of a user to alter permissions for,
+	 *       or self address to alter global features of the smart contract
+	 * @param requestedRole bitmask representing a set of permissions requested
+	 *      to be enabled/disabled for a user specified, used only to be logged into event
+	 * @param assignedRole bitmask representing a set of permissions to
+	 *      enable/disable for a user specified, used to update the mapping and to be logged into event
+	 */
+	function __setRole(address operator, uint256 requestedRole, uint256 assignedRole) private {
+		// assign the role to the operator
+		userRoles[operator] = assignedRole;
+		// fire an event
+		emit RoleUpdated(operator, requestedRole, assignedRole);
+	}
+	/**
+	 * @dev Checks if role `actual` contains all the permissions required `required`
+	 *
+	 * @param actual existent role
+	 * @param required required role
+	 * @return true if actual has required role (all permissions), false otherwise
+	 */
+	function __hasRole(uint256 actual, uint256 required) private pure returns (bool) {
+		// check the bitmask for the role required and return the result
+		return actual & required == required;
+	}
+}

package/contracts/UpgradeableAccessControl.sol CHANGED Viewed

@@ -1,11 +1,11 @@
 // SPDX-License-Identifier: MIT
-pragma solidity ^0.8.2;
+pragma solidity >=0.8.4;
 import "./InitializableAccessControl.sol";
-import "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
+import "./UpgradeableAccessControlCore.sol";
 /**
- * @title Upgradeable Role-based Access Control (RBAC) // ERC1967Proxy
+ * @title Upgradeable Role-based Access Control (U-RBAC) // ERC1967Proxy
  *
  * @notice Access control smart contract provides an API to check
  *      if a specific operation is permitted globally and/or
@@ -58,23 +58,6 @@ import "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
  *
  * @author Basil Gorin
  */
-abstract contract UpgradeableAccessControl is InitializableAccessControl, UUPSUpgradeable {
-	/**
-	 * @notice Returns an address of the implementation smart contract,
-	 *      see ERC1967Upgrade._getImplementation()
-	 *
-	 * @return the current implementation address
-	 */
-	function getImplementation() public view virtual returns (address) {
-		// delegate to `ERC1967Upgrade._getImplementation()`
-		return _getImplementation();
-	}
-	/**
-	 * @inheritdoc UUPSUpgradeable
-	 */
-	function _authorizeUpgrade(address) internal virtual override {
-		// caller must have a permission to upgrade the contract
-		require(isSenderInRole(ROLE_UPGRADE_MANAGER), "access denied");
-	}
+abstract contract UpgradeableAccessControl is InitializableAccessControl, UpgradeableAccessControlCore {
 }

package/contracts/UpgradeableAccessControlCore.sol ADDED Viewed

@@ -0,0 +1,88 @@
+// SPDX-License-Identifier: MIT
+pragma solidity >=0.8.4;
+import "./InitializableAccessControlCore.sol";
+import "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
+/**
+ * @title Upgradeable Role-based Access Control Core (U-RBAC-C) // ERC1967Proxy
+ *
+ * @notice Access control smart contract provides an API to check
+ *      if a specific operation is permitted globally and/or
+ *      if a particular user has a permission to execute it.
+ *
+ * @notice This contract is inherited by other contracts requiring the role-based access control (RBAC)
+ *      protection for the restricted access functions
+ *
+ * @notice It deals with two main entities: features and roles.
+ *
+ * @notice Features are designed to be used to enable/disable public functions
+ *      of the smart contract (used by a wide audience).
+ * @notice User roles are designed to control the access to restricted functions
+ *      of the smart contract (used by a limited set of maintainers).
+ *
+ * @notice Terms "role", "permissions" and "set of permissions" have equal meaning
+ *      in the documentation text and may be used interchangeably.
+ * @notice Terms "permission", "single permission" implies only one permission bit set.
+ *
+ * @notice Access manager is a special role which allows to grant/revoke other roles.
+ *      Access managers can only grant/revoke permissions which they have themselves.
+ *      As an example, access manager with no other roles set can only grant/revoke its own
+ *      access manager permission and nothing else.
+ *
+ * @notice Access manager permission should be treated carefully, as a super admin permission:
+ *      Access manager with even no other permission can interfere with another account by
+ *      granting own access manager permission to it and effectively creating more powerful
+ *      permission set than its own.
+ *
+ * @dev Both current and OpenZeppelin AccessControl implementations feature a similar API
+ *      to check/know "who is allowed to do this thing".
+ * @dev Zeppelin implementation is more flexible:
+ *      - it allows setting unlimited number of roles, while current is limited to 256 different roles
+ *      - it allows setting an admin for each role, while current allows having only one global admin
+ * @dev Current implementation is more lightweight:
+ *      - it uses only 1 bit per role, while Zeppelin uses 256 bits
+ *      - it allows setting up to 256 roles at once, in a single transaction, while Zeppelin allows
+ *        setting only one role in a single transaction
+ *
+ * @dev This smart contract is designed to be inherited by other
+ *      smart contracts which require access control management capabilities.
+ *
+ * @dev Access manager permission has a bit 255 set.
+ *      This bit must not be used by inheriting contracts for any other permissions/features.
+ *
+ * @dev This is an upgradeable version of the RBAC, based on Zeppelin implementation for ERC1967,
+ *      see https://docs.openzeppelin.com/contracts/4.x/upgradeable
+ *      see https://docs.openzeppelin.com/contracts/4.x/api/proxy#UUPSUpgradeable
+ *      see https://forum.openzeppelin.com/t/uups-proxies-tutorial-solidity-javascript/7786
+ *
+ * @dev The 'core' version of the RBAC contract hides three rarely used external functions from the public ABI,
+ *      making them internal and thus reducing the overall compiled implementation size.
+ *      isFeatureEnabled() public -> _isFeatureEnabled() internal
+ *      isSenderInRole() public -> _isSenderInRole() internal
+ *      isOperatorInRole() public -> _isOperatorInRole() internal
+ *
+ * @custom:since 1.1.0
+ *
+ * @author Basil Gorin
+ */
+abstract contract UpgradeableAccessControlCore is InitializableAccessControlCore, UUPSUpgradeable {
+	/**
+	 * @notice Returns an address of the implementation smart contract,
+	 *      see ERC1967Upgrade._getImplementation()
+	 *
+	 * @return the current implementation address
+	 */
+	function getImplementation() public view virtual returns (address) {
+		// delegate to `ERC1967Upgrade._getImplementation()`
+		return _getImplementation();
+	}
+	/**
+	 * @inheritdoc UUPSUpgradeable
+	 */
+	function _authorizeUpgrade(address) internal virtual override {
+		// caller must have a permission to upgrade the contract
+		_requireSenderInRole(ROLE_UPGRADE_MANAGER);
+	}
+}

package/contracts/mocks/UpgradeableAccessControlMocks.sol CHANGED Viewed

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity ^0.8.2;
+pragma solidity >=0.8.4;
 import "../UpgradeableAccessControl.sol";
@@ -10,6 +10,12 @@ contract UpgradeableAccessControlMock is UpgradeableAccessControl {
 	function restricted() public restrictedTo(RESTRICTED_ROLE) {
 		emit Restricted();
 	}
+	function requireSenderInRole(uint256 required) public view {
+		_requireSenderInRole(required);
+	}
+	function requireAccessCondition(bool condition) public pure {
+		_requireAccessCondition(condition);
+	}
 }
 contract UpgradeableAccessControl1 is UpgradeableAccessControlMock {

package/hardhat.config.js CHANGED Viewed

@@ -50,7 +50,7 @@ module.exports = {
 		// https://hardhat.org/guides/compile-contracts.html
 		compilers: [
 			{
-				version: "0.8.2",
+				version: "0.8.4",
 				settings: {
 					optimizer: {
 						enabled: true,

package/index.js CHANGED Viewed

@@ -9,6 +9,9 @@ const {
 	not,
 } = require("./scripts/include/features_roles");
+// RBAC behaviours
+const {behavesLikeRBAC} = require("./test/include/rbac.behaviour");
 // Re-export the functions
 module.exports = {
 	ROLE_ACCESS_MANAGER,
@@ -16,4 +19,5 @@ module.exports = {
 	FULL_PRIVILEGES_MASK,
 	or,
 	not,
+	behavesLikeRBAC,
 };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@lazy-sol/access-control-upgradeable",
-  "version": "1.0.6",
+  "version": "1.1.0",
   "description": "Enable the modular plug and play (PnP) architecture for your dapp by incorporating the role-based access control (RBAC) into the smart contracts",
   "main": "index.js",
   "scripts": {
@@ -11,7 +11,7 @@
     "deploy": "hardhat deploy"
   },
   "engines": {
-    "node": ">=16.0.0"
+    "node": ">=18.0.0"
   },
   "keywords": [
     "RBAC",
@@ -25,19 +25,22 @@
     "@lazy-sol/a-missing-gem": "^1.0.9",
     "@nomiclabs/hardhat-truffle5": "^2.0.7",
     "@openzeppelin/contracts-upgradeable": "^4.9.6",
-    "audit": "^0.0.6",
-    "hardhat": "^2.22.6",
+    "hardhat": "^2.22.9",
     "hardhat-deploy": "^0.11.45"
   },
   "devDependencies": {
-    "@lazy-sol/zeppelin-test-helpers": "^1.0.1",
+    "@lazy-sol/zeppelin-test-helpers": "^1.0.5",
     "@openzeppelin/contracts": "^4.9.6",
     "hardhat-dependency-injector": "^1.0.1",
     "hardhat-gas-reporter": "^1.0.10",
-    "solidity-coverage": "^0.8.12"
+    "solidity-coverage": "^0.8.13"
   },
   "overrides": {
+    "axios": ">=1.7.5",
+    "micromatch": "^4.0.8",
+    "tar": "^6.2.1",
     "tough-cookie": "^4.1.3",
-    "yargs-parser": "^5.0.1"
+    "yargs-parser": "^5.0.1",
+    "ws": "^8.0.0"
   }
 }

package/test/include/rbac.behaviour.js CHANGED Viewed

@@ -24,7 +24,8 @@ const {
 // RBAC core features and roles
 const {
 	not,
-	ROLE_ACCESS_MANAGER, FULL_PRIVILEGES_MASK,
+	ROLE_ACCESS_MANAGER,
+	FULL_PRIVILEGES_MASK,
 } = require("../../scripts/include/features_roles");
 /**
@@ -40,6 +41,18 @@ function behavesLikeRBAC(deployment_fn, a0, a1, a2) {
 	const by = a1;
 	const to = a2;
+	describe("requireAccessCondition(condition) pure function", function() {
+		let access_control;
+		beforeEach(async function() {
+			access_control = await deployment_fn.call(this, a0, ZERO_ADDRESS, 0);
+		});
+		it("throws if condition is false", async function() {
+			await expectRevert(access_control.requireAccessCondition(false, {from: a0}), "AccessDenied()");
+		});
+		it("succeeds if condition is true", async function() {
+			await access_control.requireAccessCondition(true, {from: a0});
+		});
+	});
 	describe("deployment and initial state", function() {
 		function deploy_and_check(owner, features) {
 			let access_control;
@@ -81,7 +94,7 @@ function behavesLikeRBAC(deployment_fn, a0, a1, a2) {
 			deploy_and_check(a1, random_bn256());
 		});
 	});
-	describe("when deployed with not initial features", function() {
+	describe("when deployed with no initial features", function() {
 		let access_control;
 		beforeEach(async function() {
 			access_control = await deployment_fn.call(this, a0);
@@ -92,7 +105,7 @@ function behavesLikeRBAC(deployment_fn, a0, a1, a2) {
 				beforeEach(async function() {
 					await access_control.updateRole(by, ROLE_ACCESS_MANAGER, {from: a0});
 				});
-				describe("when ACCESS_MANAGER has full set of permissions", function() {
+				describe("when ACCESS_MANAGER has the full set of permissions", function() {
 					beforeEach(async function() {
 						await access_control.updateRole(by, MAX_UINT256, {from: a0});
 					});
@@ -271,6 +284,7 @@ function behavesLikeRBAC(deployment_fn, a0, a1, a2) {
 					it("operator becomes an ACCESS_MANAGER", async function() {
 						expect(await access_control.isOperatorInRole(to, ROLE_ACCESS_MANAGER), "operator").to.be.true;
 						expect(await access_control.isSenderInRole(ROLE_ACCESS_MANAGER, {from: to}), "sender").to.be.true;
+						await access_control.requireSenderInRole(ROLE_ACCESS_MANAGER, {from: to});
 					});
 				});
 				describe("when ACCESS_MANAGER revokes ACCESS_MANAGER permission from itself", function() {
@@ -280,15 +294,16 @@ function behavesLikeRBAC(deployment_fn, a0, a1, a2) {
 					it("operator ceases to be an ACCESS_MANAGER", async function() {
 						expect(await access_control.isOperatorInRole(by, ROLE_ACCESS_MANAGER), "operator").to.be.false;
 						expect(await access_control.isSenderInRole(ROLE_ACCESS_MANAGER, {from: by}), "sender").to.be.false;
+						await expectRevert(access_control.requireSenderInRole(ROLE_ACCESS_MANAGER, {from: to}), "AccessDenied()");
 					});
 				});
 			});
 			describe("otherwise (no ACCESS_MANAGER permission)", function() {
 				it("updateFeatures reverts", async function() {
-					await expectRevert(access_control.updateFeatures(1, {from: by}), "access denied");
+					await expectRevert(access_control.updateFeatures(1, {from: by}), "AccessDenied()");
 				});
 				it("updateRole reverts", async function() {
-					await expectRevert(access_control.updateRole(to, 1, {from: by}), "access denied");
+					await expectRevert(access_control.updateRole(to, 1, {from: by}), "AccessDenied()");
 				});
 			});
 		}

package/test/rbac_modifier.js CHANGED Viewed

@@ -44,7 +44,7 @@ contract('AccessControlUpgradeable (U-RBAC) "restrictedTo" Modifier tests', func
 			access_control = await deploy_access_control(a0);
 		});
 		it("function protected with restrictedTo modifier fails when run not by an admin", async function() {
-			await expectRevert(access_control.restricted({from: a1}), "access denied");
+			await expectRevert(access_control.restricted({from: a1}), "AccessDenied()");
 		});
 		describe("function protected with restrictedTo modifier succeeds when run by admin", async function() {
 			let receipt;

package/test/rbac_upgradeable.js CHANGED Viewed

@@ -101,13 +101,10 @@ contract("UpgradeableAccessControl (U-RBAC) Core tests", function(accounts) {
 				const init_data = ac.contract.methods.postConstruct(ZERO_ADDRESS, 0).encodeABI();
 				// and upgrade the implementation
-				await expectRevert(
-					ac.upgradeToAndCall(impl2.address, init_data, {from: by}),
-					"access denied"
-				);
+				await expectRevert(ac.upgradeToAndCall(impl2.address, init_data, {from: by}), "AccessDenied()");
 			});
 			it("implementation upgrade without initialization reverts", async function() {
-				await expectRevert(ac.upgradeTo(impl2.address, {from: by}), "access denied");
+				await expectRevert(ac.upgradeTo(impl2.address, {from: by}), "AccessDenied()");
 			});
 			it("direct initialization of the implementation (bypassing proxy) fails", async function() {
 				await expectRevert(impl1.postConstruct(ZERO_ADDRESS, 0, {from: by}), "Initializable: contract is already initialized");