@lazy-sol/access-control 1.0.3

package/test/include/deployment_routines.js

@@ -0,0 +1,150 @@
+/**
+ * Deploys USDT token, used to test non ERC20 compliant transfer function
+ * (doesn't return any value on successful operation)
+ *
+ * @param a0 smart contract owner
+ * @param H0 initial token holder address
+ * @returns USDT ERC20 instance
+ */
+async function deploy_usdt(a0, H0 = a0) {
+	// smart contracts required
+	const USDTContract = artifacts.require("TetherToken");
+
+	// deploy the token
+	const token = await USDTContract.new(0, "Tether USD", "USDT", 6, {from: a0});
+
+	// move the initial supply if required
+	if(H0 !== a0) {
+		await token.transfer(H0, S0, {from: a0});
+	}
+
+	// return the reference
+	return token;
+}
+
+/**
+ * Deploys AccessControl contract
+ *
+ * @param a0 smart contract deployer
+ * @param owner smart contract owner, super admin, optional
+ * @param features initial smart contract features, optional
+ * @returns AccessControl instance
+ */
+async function deploy_access_control(a0, owner = a0, features = 0) {
+	// deploy AccessControlMock
+	const AccessControlMock = artifacts.require("AccessControlMock");
+
+	// deploy and return the instance
+	return await AccessControlMock.new(owner, features, {from: a0});
+}
+
+/**
+ * Deploys OwnableToAccessControlAdapter
+ * Deploys OZ Ownable contract (TetherToken) if target is not specified
+ * Transfers the ownership on the ownable to the adapter
+ *
+ * @param a0 smart contract deployer, owner, super admin
+ * @param target target OZ Ownable contract address or instance, optional
+ * @returns OwnableToAccessControlAdapter instance
+ */
+async function deploy_ownable_to_ac_adapter(a0, target) {
+	// deploy the target if required
+	if(!target) {
+		target = await deploy_usdt(a0);
+	}
+	// wrap the target into the Ownable if required
+	else if(!target.address) {
+		const Ownable = artifacts.require("contracts/AdapterFactory.sol:Ownable");
+		target = await Ownable.at(target);
+	}
+
+	// deploy adapter
+	const adapter = await deploy_no_deps_ownable_to_ac_adapter(a0, target);
+
+	// transfer ownership to the adapter
+	await target.transferOwnership(adapter.address, {from: a0});
+
+	// return both instances
+	return {target, adapter};
+}
+
+/**
+ * Deploys OwnableToAccessControlAdapter
+ *
+ * @param a0 smart contract deployer, owner, super admin
+ * @param target target OZ Ownable contract address or instance, required
+ * @returns OwnableToAccessControlAdapter instance
+ */
+async function deploy_no_deps_ownable_to_ac_adapter(a0, target) {
+	// artifacts in use
+	const OwnableToAccessControlAdapter = artifacts.require("OwnableToAccessControlAdapter");
+	// deploy and return the deployd instance
+	return await OwnableToAccessControlAdapter.new(target.address || target, a0, {from: a0});
+}
+
+/**
+ * Deploys the AdapterFactory
+ *
+ * @param a0 deployer address, optional
+ * @returns AdapterFactory instance
+ */
+async function deploy_adapter_factory(a0) {
+	// artifacts in use
+	const AdapterFactory = artifacts.require("AdapterFactory");
+	// deploy and return the deployd instance
+	return await AdapterFactory.new(a0? {from: a0}: undefined);
+}
+
+/**
+ * Deploys OwnableToAccessControlAdapter via the AdapterFactory
+ * Deploys the AdapterFactory and target Ownable if required
+ *
+ * @param a0 deployer address, target owner, required
+ * @param factory AdapterFactory instance or address, optional
+ * @param target Ownable instance or address, optional
+ * @returns OwnableToAccessControlAdapter instance
+ */
+async function factory_deploy_ownable_to_ac_adapter(a0, factory, target) {
+	if(!factory) {
+		factory = await deploy_adapter_factory(a0);
+	}
+	else if(!factory.address) {
+		const AdapterFactory = artifacts.require("AdapterFactory");
+		factory = await AdapterFactory.at(factory);
+	}
+
+	if(!target) {
+		target = await deploy_usdt(a0);
+	}
+	else if(!target.address) {
+		const Ownable = artifacts.require("contracts/AdapterFactory.sol:Ownable");
+		target = await Ownable.at(target);
+	}
+
+	// deploy the adapter via the AdapterFactory
+	const receipt = await factory.deployNewOwnableToAccessControlAdapter(target.address, {from: a0});
+	const {
+		adapterAddress,
+		ownableTargetAddress,
+	} = receipt.logs.find(log => log.event === "NewOwnableToAccessControlAdapterDeployed").args;
+
+	// connect to the adapter
+	const OwnableToAccessControlAdapter = artifacts.require("OwnableToAccessControlAdapter");
+	const adapter = await OwnableToAccessControlAdapter.at(adapterAddress);
+
+	// transfer ownership to the adapter
+	await target.transferOwnership(adapter.address, {from: a0});
+
+	// return the results
+	return {factory, target, adapter};
+}
+
+// export public deployment API
+module.exports = {
+	deploy_usdt,
+	deploy_access_control,
+	deploy_no_deps_ownable_to_ac_adapter,
+	deploy_ownable_to_ac_adapter,
+	deploy_adapter_factory,
+	factory_deploy_ownable_to_ac_adapter,
+}

package/test/include/features_roles.js

@@ -0,0 +1,42 @@
+// copy and export all the features and roles constants from different contracts
+
+// Auxiliary BN stuff
+const BN = web3.utils.BN;
+const TWO = new BN(2);
+
+// Access manager is responsible for assigning the roles to users,
+// enabling/disabling global features of the smart contract
+const ROLE_ACCESS_MANAGER = TWO.pow(new BN(255));
+
+// Upgrade manager is responsible for smart contract upgrades
+const ROLE_UPGRADE_MANAGER = TWO.pow(new BN(254));
+
+// Access Roles manager is responsible for assigning the access roles to functions
+const ROLE_ACCESS_ROLES_MANAGER = TWO.pow(new BN(253));
+
+// Bitmask representing all the possible permissions (super admin role)
+const FULL_PRIVILEGES_MASK = TWO.pow(new BN(256)).subn(1);
+
+// combine the role (permission set) provided
+function or(...roles) {
+	let roles_sum = new BN(0);
+	for(let role of roles) {
+		roles_sum = roles_sum.or(new BN(role));
+	}
+	return roles_sum;
+}
+
+// negates the role (permission set) provided
+function not(...roles) {
+	return FULL_PRIVILEGES_MASK.xor(or(...roles));
+}
+
+// export public module API
+module.exports = {
+	ROLE_ACCESS_MANAGER,
+	ROLE_UPGRADE_MANAGER,
+	ROLE_ACCESS_ROLES_MANAGER,
+	FULL_PRIVILEGES_MASK,
+	or,
+	not,
+};

package/test/include/rbac.behaviour.js

@@ -0,0 +1,315 @@
+// Zeppelin test helpers
+const {
+	BN,
+	constants,
+	expectEvent,
+	expectRevert,
+} = require("@openzeppelin/test-helpers");
+const {
+	assert,
+	expect,
+} = require("chai");
+const {
+	ZERO_ADDRESS,
+	ZERO_BYTES32,
+	MAX_UINT256,
+} = constants;
+
+// BN utils
+const {
+	random_bn255,
+	random_bn256,
+} = require("@lazy-sol/a-missing-jem/bn_utils");
+
+// RBAC core features and roles
+const {
+	not,
+	ROLE_ACCESS_MANAGER, FULL_PRIVILEGES_MASK,
+} = require("./features_roles");
+
+/**
+ * RBAC core behaviour
+ *
+ * @param deployment_fn RBAC contract deployment function
+ * @param a0 deployer/admin account
+ * @param a1 participant 1
+ * @param a2 participant 2
+ */
+function behavesLikeRBAC(deployment_fn, a0, a1, a2) {
+	// define the "players"
+	const by = a1;
+	const to = a2;
+
+	describe("deployment and initial state", function() {
+		function deploy_and_check(owner, features) {
+			let access_control;
+			beforeEach(async function() {
+				access_control = await deployment_fn.call(this, a0, owner, features);
+			});
+			it('"RoleUpdated(owner)" event is emitted correctly', async function() {
+				await expectEvent.inConstruction(access_control, "RoleUpdated", {
+					operator: owner,
+					requested: FULL_PRIVILEGES_MASK,
+					assigned: FULL_PRIVILEGES_MASK,
+				});
+			});
+			it('"RoleUpdated(this)" event is emitted correctly', async function() {
+				await expectEvent.inConstruction(access_control, "RoleUpdated", {
+					operator: access_control.address,
+					requested: features,
+					assigned: features,
+				});
+			});
+			it("owners' role is set correctly", async function() {
+				expect(await access_control.getRole(owner)).to.be.bignumber.that.equals(FULL_PRIVILEGES_MASK);
+			});
+			it("features are set correctly", async function() {
+				expect(await access_control.features()).to.be.bignumber.that.equals(features);
+			});
+		}
+
+		describe("owner = 0, features = 0", function() {
+			deploy_and_check(ZERO_ADDRESS, new BN(0));
+		});
+		describe("owner = 0, features ≠ 0", function() {
+			deploy_and_check(ZERO_ADDRESS, random_bn256());
+		});
+		describe("owner ≠ 0, features = 0", function() {
+			deploy_and_check(a1, new BN(0));
+		});
+		describe("owner ≠ 0, features ≠ 0", function() {
+			deploy_and_check(a1, random_bn256());
+		});
+	});
+	describe("when deployed with not initial features", function() {
+		let access_control;
+		beforeEach(async function() {
+			access_control = await deployment_fn.call(this, a0);
+		});
+
+		function test_suite(write_fn, read_fn, check_fn, to_fn) {
+			describe("when performed by ACCESS_MANAGER", function() {
+				beforeEach(async function() {
+					await access_control.updateRole(by, ROLE_ACCESS_MANAGER, {from: a0});
+				});
+				describe("when ACCESS_MANAGER has full set of permissions", function() {
+					beforeEach(async function() {
+						await access_control.updateRole(by, MAX_UINT256, {from: a0});
+					});
+					describe("what you set", function() {
+						let receipt, set;
+						beforeEach(async function() {
+							// do not touch the highest permission bit (ACCESS_MANAGER permission)
+							set = random_bn255();
+							receipt = await write_fn(by, to, set);
+						});
+						describe("is what you get", function() {
+							it('"userRoles" value', async function() {
+								expect(await read_fn(to)).to.be.bignumber.that.equals(set);
+							});
+							it("role check (isOperatorInRole/isFeatureEnabled)", async function() {
+								expect(await check_fn(to, set)).to.be.true;
+							});
+							it('"RoleUpdated" event', async function() {
+								expectEvent(receipt, "RoleUpdated", {
+									operator: to_fn(to),
+									requested: set,
+									assigned: set,
+								});
+							});
+						});
+					});
+					describe("what you remove", function() {
+						let receipt, remove;
+						beforeEach(async function() {
+							// do not touch the highest permission bit (ACCESS_MANAGER permission)
+							remove = random_bn255();
+							receipt = await write_fn(by, to, not(remove));
+						});
+						describe("is what gets removed", function() {
+							it('"userRoles" value', async function() {
+								expect(await read_fn(to)).to.be.bignumber.that.equals(not(remove));
+							});
+							it("role check (isOperatorInRole/isFeatureEnabled)", async function() {
+								expect(await check_fn(to, not(remove))).to.be.true;
+							});
+							it('"RoleUpdated" event', async function() {
+								expectEvent(receipt, "RoleUpdated", {
+									operator: to_fn(to),
+									requested: not(remove),
+									assigned: not(remove),
+								});
+							});
+						});
+					});
+				});
+				describe("when ACCESS_MANAGER doesn't have any permissions", function() {
+					describe("what you get, independently of what you set", function() {
+						let receipt, set;
+						beforeEach(async function() {
+							// do not touch the highest permission bit (ACCESS_MANAGER permission)
+							set = random_bn255();
+							receipt = await write_fn(by, to, set);
+						});
+						describe("is always zero", function() {
+							it('"userRoles" value', async function() {
+								expect(await read_fn(to)).to.be.bignumber.that.is.zero;
+							});
+							it("role check (isOperatorInRole/isFeatureEnabled)", async function() {
+								expect(await check_fn(to, set)).to.be.false;
+							});
+							it('"RoleUpdated" event', async function() {
+								expectEvent(receipt, "RoleUpdated", {
+									operator: to_fn(to),
+									requested: set,
+									assigned: "0",
+								});
+							});
+						});
+					});
+					describe("what you get, independently of what you remove", function() {
+						let receipt, remove;
+						beforeEach(async function() {
+							// do not touch the highest permission bit (ACCESS_MANAGER permission)
+							remove = random_bn255();
+							await write_fn(a0, to, MAX_UINT256);
+							receipt = await write_fn(by, to, not(remove));
+						});
+						describe("is always what you had", function() {
+							it('"userRoles" value', async function() {
+								expect(await read_fn(to)).to.be.bignumber.that.equals(MAX_UINT256);
+							});
+							it("role check (isOperatorInRole/isFeatureEnabled)", async function() {
+								expect(await check_fn(to, MAX_UINT256)).to.be.true;
+							});
+							it('"RoleUpdated" event', async function() {
+								expectEvent(receipt, "RoleUpdated", {
+									operator: to_fn(to),
+									requested: not(remove),
+									assigned: MAX_UINT256,
+								});
+							});
+						});
+					});
+				});
+				describe("when ACCESS_MANAGER has some permissions", function() {
+					let role;
+					beforeEach(async function() {
+						// do not touch the highest permission bit (ACCESS_MANAGER permission)
+						role = random_bn255();
+						await access_control.updateRole(by, ROLE_ACCESS_MANAGER.or(role), {from: a0});
+					});
+					describe("what you get", function() {
+						let receipt, set;
+						beforeEach(async function() {
+							// do not touch the highest permission bit (ACCESS_MANAGER permission)
+							set = random_bn255();
+							receipt = await write_fn(by, to, set);
+						});
+						describe("is an intersection of what you set and what you have", function() {
+							it('"userRoles" value', async function() {
+								expect(await read_fn(to)).to.be.bignumber.that.equals(role.and(set));
+							});
+							it("role check (isOperatorInRole/isFeatureEnabled)", async function() {
+								expect(await check_fn(to, role.and(set))).to.be.true;
+							});
+							it('"RoleUpdated" event', async function() {
+								expectEvent(receipt, "RoleUpdated", {
+									operator: to_fn(to),
+									requested: set,
+									assigned: role.and(set),
+								});
+							});
+						});
+					});
+					describe("what you remove", function() {
+						let receipt, remove;
+						beforeEach(async function() {
+							// do not touch the highest permission bit (ACCESS_MANAGER permission)
+							remove = random_bn255();
+							await write_fn(a0, to, MAX_UINT256);
+							receipt = await write_fn(by, to, not(remove));
+						});
+						describe("is an intersection of what you tried to remove and what you have", function() {
+							it('"userRoles" value', async function() {
+								expect(await read_fn(to)).to.be.bignumber.that.equals(not(role.and(remove)));
+							});
+							it("role check (isOperatorInRole/isFeatureEnabled)", async function() {
+								expect(await check_fn(to, not(role.and(remove)))).to.be.true;
+							});
+							it('"RoleUpdated" event', async function() {
+								expectEvent(receipt, "RoleUpdated", {
+									operator: to_fn(to),
+									requested: not(remove),
+									assigned: not(role.and(remove)),
+								});
+							});
+						});
+					});
+				});
+				describe("ACCESS_MANAGER updates itself", function() {
+					beforeEach(async function() {
+						// do not touch the highest permission bit (ACCESS_MANAGER permission)
+						const role = random_bn255();
+						await access_control.updateRole(by, ROLE_ACCESS_MANAGER.or(role), {from: a0});
+					});
+					it("and degrades to zero with the 99.99% probability in 14 runs", async function() {
+						// randomly remove 255 bits of permissions
+						for(let i = 0; i < 14; i++) {
+							// do not touch the highest permission bit (ACCESS_MANAGER permission)
+							const role = random_bn255();
+							await access_control.updateRole(by, not(role), {from: by});
+						}
+						// this may fail with the probability 2^(-14) < 0.01%
+						expect(await access_control.getRole(by)).to.be.bignumber.that.equals(ROLE_ACCESS_MANAGER);
+					})
+				});
+				describe("when ACCESS_MANAGER grants ACCESS_MANAGER permission", function() {
+					beforeEach(async function() {
+						await access_control.updateRole(to, ROLE_ACCESS_MANAGER, {from: by});
+					});
+					it("operator becomes an ACCESS_MANAGER", async function() {
+						expect(await access_control.isOperatorInRole(to, ROLE_ACCESS_MANAGER), "operator").to.be.true;
+						expect(await access_control.isSenderInRole(ROLE_ACCESS_MANAGER, {from: to}), "sender").to.be.true;
+					});
+				});
+				describe("when ACCESS_MANAGER revokes ACCESS_MANAGER permission from itself", function() {
+					beforeEach(async function() {
+						await access_control.updateRole(by, 0, {from: by});
+					});
+					it("operator ceases to be an ACCESS_MANAGER", async function() {
+						expect(await access_control.isOperatorInRole(by, ROLE_ACCESS_MANAGER), "operator").to.be.false;
+						expect(await access_control.isSenderInRole(ROLE_ACCESS_MANAGER, {from: by}), "sender").to.be.false;
+					});
+				});
+			});
+			describe("otherwise (no ACCESS_MANAGER permission)", function() {
+				it("updateFeatures reverts", async function() {
+					await expectRevert(access_control.updateFeatures(1, {from: by}), "access denied");
+				});
+				it("updateRole reverts", async function() {
+					await expectRevert(access_control.updateRole(to, 1, {from: by}), "access denied");
+				});
+			});
+		}
+
+		// run two test suites to test get/set role and get/set features
+		test_suite(
+			async(by, to, set) => await access_control.updateRole(to, set, {from: by}),
+			async(op) => await access_control.getRole(op),
+			async(op, role) => await access_control.isOperatorInRole(op, role),
+			(to) => to
+		);
+		test_suite(
+			async(by, to, set) => await access_control.updateFeatures(set, {from: by}),
+			async(op) => await access_control.features(),
+			async(op, role) => await access_control.isFeatureEnabled(role),
+			(to) => access_control.address
+		);
+	});
+}
+
+// export the RBAC core behaviour
+module.exports = {
+	behavesLikeRBAC,
+}

package/test/ownable_to_rbac_adapter.js

@@ -0,0 +1,100 @@
+// OwnableToAccessControlAdapter tests
+
+// Zeppelin test helpers
+const {
+	BN,
+	constants,
+	expectEvent,
+	expectRevert,
+} = require("@openzeppelin/test-helpers");
+const {
+	assert,
+	expect,
+} = require("chai");
+const {
+	ZERO_ADDRESS,
+	ZERO_BYTES32,
+	MAX_UINT256,
+} = constants;
+
+// deployment routines in use
+const {
+	deploy_ownable_to_ac_adapter,
+	deploy_no_deps_ownable_to_ac_adapter,
+} = require("./include/deployment_routines");
+
+// run OwnableToAccessControlAdapter tests
+contract("OwnableToAccessControlAdapter tests", function(accounts) {
+	// extract accounts to be used:
+	// A0 – special default zero account accounts[0] used by Truffle, reserved
+	// a0 – deployment account having all the permissions, reserved
+	// H0 – initial token holder account
+	// a1, a2,... – working accounts to perform tests on
+	const [A0, a0, H0, a1, a2, a3] = accounts;
+
+	it("Adapter won't deploy targeting to a zero address", async function() {
+		await expectRevert(deploy_no_deps_ownable_to_ac_adapter(a0, ZERO_ADDRESS), "zero address");
+	});
+	describe("after the Adapter is deployed and target Ownable ownership transferred to the Adapter", function() {
+		let target, adapter;
+		beforeEach(async function() {
+			({target, adapter} = await deploy_ownable_to_ac_adapter(a0));
+		});
+
+		it("it is impossible to send ether to the non-payable target contract via the adapter", async function() {
+			await expectRevert(web3.eth.sendTransaction({
+				from: a0,
+				to: adapter.address,
+				value: 1_000_000_000, // 1 gwei
+			}), "execution failed");
+		});
+		it("it is impossible to execute transferOwnership function before its access role is configured", async function() {
+			await expectRevert(web3.eth.sendTransaction({
+				from: a0,
+				to: adapter.address,
+				data: target.contract.methods.transferOwnership(a2).encodeABI(),
+			}), "access role not set");
+		});
+		describe("once transferOwnership function access control is configured", function() {
+			const ROLE_OWNERSHIP_MANAGER = 0x00010000;
+			let receipt;
+			beforeEach(async function() {
+				receipt = await adapter.updateAccessRole("transferOwnership(address)", ROLE_OWNERSHIP_MANAGER, {from: a0});
+			});
+			it('"AccessRoleUpdated" event is emitted', async function() {
+				expectEvent(receipt, "AccessRoleUpdated", {
+					selector: web3.eth.abi.encodeFunctionSignature("transferOwnership(address)"),
+					role: "" + ROLE_OWNERSHIP_MANAGER,
+				});
+			});
+			it("it is impossible to execute transferOwnership function from unauthorized account", async function() {
+				await expectRevert(web3.eth.sendTransaction({
+					from: a1,
+					to: adapter.address,
+					data: target.contract.methods.transferOwnership(a2).encodeABI(),
+				}), "access denied");
+			});
+			describe("once an account has authorization to execute transferOwnership function", function() {
+				beforeEach(async function() {
+					await adapter.updateRole(a1, ROLE_OWNERSHIP_MANAGER, {from: a0});
+				});
+				it("execution of the transferOwnership function succeeds", async function() {
+					await web3.eth.sendTransaction({
+						from: a1,
+						to: adapter.address,
+						data: target.contract.methods.transferOwnership(a2).encodeABI(),
+					});
+					expect(await target.owner(), "wrong owner after ownership transfer").to.equal(a2);
+				});
+				it("execution of the transferOwnership non-payable function fails if ether is supplied", async function() {
+					await expectRevert(web3.eth.sendTransaction({
+						from: a1,
+						to: adapter.address,
+						data: target.contract.methods.transferOwnership(a2).encodeABI(),
+						value: 1_000_000_000, // 1 gwei
+					}), "execution failed");
+				});
+			});
+		});
+	});
+});

package/test/ownable_to_rbac_adapter_rbac.js

@@ -0,0 +1,57 @@
+// OwnableToAccessControlAdapter: RBAC tests
+
+// Zeppelin test helpers
+const {
+	BN,
+	constants,
+	expectEvent,
+	expectRevert,
+} = require("@openzeppelin/test-helpers");
+const {
+	assert,
+	expect,
+} = require("chai");
+const {
+	ZERO_ADDRESS,
+	ZERO_BYTES32,
+	MAX_UINT256,
+} = constants;
+
+// RBAC core features and roles
+const {
+	not,
+	ROLE_ACCESS_ROLES_MANAGER,
+} = require("./include/features_roles");
+
+// deployment routines in use
+const {
+	deploy_ownable_to_ac_adapter,
+} = require("./include/deployment_routines");
+
+// run OwnableToAccessControlAdapter: RBAC tests
+contract("OwnableToAccessControlAdapter: RBAC tests", function(accounts) {
+	// extract accounts to be used:
+	// A0 – special default zero account accounts[0] used by Truffle, reserved
+	// a0 – deployment account having all the permissions, reserved
+	// H0 – initial token holder account
+	// a1, a2,... – working accounts to perform tests on
+	const [A0, a0, H0, a1, a2, a3] = accounts;
+
+	describe("after the Adapter is deployed and target Ownable ownership transferred to the Adapter", function() {
+		let target, adapter;
+		beforeEach(async function() {
+			({target, adapter} = await deploy_ownable_to_ac_adapter(a0));
+		});
+
+		it("it is impossible to configure the access role from unauthorized account", async function() {
+			const operator = a1;
+			await adapter.updateRole(operator, not(ROLE_ACCESS_ROLES_MANAGER), {from: a0});
+			await expectRevert(adapter.updateAccessRole("1", 1, {from: operator}), "access denied");
+		});
+		it("it is possible to configure the access role from authorized account", async function() {
+			const operator = a1;
+			await adapter.updateRole(operator, ROLE_ACCESS_ROLES_MANAGER, {from: a0});
+			adapter.updateAccessRole("1", 1, {from: operator});
+		});
+	});
+});

package/test/rbac_core.js

@@ -0,0 +1,24 @@
+// AccessControl (RBAC) Core Tests
+
+// import the core RBAC behaviour to use
+const {
+	behavesLikeRBAC,
+} = require("./include/rbac.behaviour");
+
+// deployment routines in use
+const {
+	deploy_access_control,
+} = require("./include/deployment_routines");
+
+// run AccessControl (RBAC) tests
+contract("AccessControl (RBAC) Core tests", function(accounts) {
+	// extract accounts to be used:
+	// A0 – special default zero account accounts[0] used by Truffle, reserved
+	// a0 – deployment account having all the permissions, reserved
+	// H0 – initial token holder account
+	// a1, a2,... – working accounts to perform tests on
+	const [A0, a0, H0, a1, a2, a3] = accounts;
+
+	// run the core RBACs behaviour test
+	behavesLikeRBAC(deploy_access_control, a0, a1, a2);
+});