// SPDX-License-Identifier: MIT pragma solidity ^0.8.20; import {IAccessManager} from "./IAccessManager.sol"; import {IAccessManaged} from "./IAccessManaged.sol"; import {Address} from "../../utils/Address.sol"; import {Context} from "../../utils/Context.sol"; import {Multicall} from "../../utils/Multicall.sol"; import {Math} from "../../utils/math/Math.sol"; import {Time} from "../../utils/types/Time.sol"; /** * @dev AccessManager is a central contract to store the permissions of a system. * * The smart contracts under the control of an AccessManager instance will have a set of "restricted" functions, and the * exact details of how access is restricted for each of those functions is configurable by the admins of the instance. * These restrictions are expressed in terms of "roles". * * An AccessManager instance will define a set of roles. Accounts can be added into any number of these roles. Each of * them defines a role, and may confer access to some of the restricted functions in the system, as configured by admins * through the use of {setFunctionAllowedRoles}. * * Note that a function in a target contract may become permissioned in this way only when: 1) said contract is * {AccessManaged} and is connected to this contract as its manager, and 2) said function is decorated with the * `restricted` modifier. * * There is a special role defined by default named "public" which all accounts automatically have. * * In addition to the access rules defined by each target's functions being assigned to roles, then entire target can * be "closed". This "closed" mode is set/unset by the admin using {setTargetClosed} and can be used to lock a contract * while permissions are being (re-)configured. * * Since all the permissions of the managed system can be modified by the admins of this instance, it is expected that * they will be highly secured (e.g., a multisig or a well-configured DAO). * * NOTE: This contract implements a form of the {IAuthority} interface, but {canCall} has additional return data so it * doesn't inherit `IAuthority`. It is however compatible with the `IAuthority` interface since the first 32 bytes of * the return data are a boolean as expected by that interface. * * NOTE: Systems that implement other access control mechanisms (for example using {Ownable}) can be paired with an * {AccessManager} by transferring permissions (ownership in the case of {Ownable}) directly to the {AccessManager}. * Users will be able to interact with these contracts through the {execute} function, following the access rules * registered in the {AccessManager}. Keep in mind that in that context, the msg.sender seen by restricted functions * will be {AccessManager} itself. * * WARNING: When granting permissions over an {Ownable} or {AccessControl} contract to an {AccessManager}, be very * mindful of the danger associated with functions such as {{Ownable-renounceOwnership}} or * {{AccessControl-renounceRole}}. */ contract AccessManager is Context, Multicall, IAccessManager { using Time for *; // Structure that stores the details for a target contract. struct TargetConfig { mapping(bytes4 selector => uint64 roleId) allowedRoles; Time.Delay adminDelay; bool closed; } // Structure that stores the details for a role/account pair. This structures fit into a single slot. struct Access { // Timepoint at which the user gets the permission. If this is either 0, or in the future, the role // permission is not available. uint48 since; // Delay for execution. Only applies to restricted() / execute() calls. Time.Delay delay; } // Structure that stores the details of a role, including: // - the members of the role // - the admin role (that can grant or revoke permissions) // - the guardian role (that can cancel operations targeting functions that need this role) // - the grand delay struct Role { mapping(address user => Access access) members; uint64 admin; uint64 guardian; Time.Delay grantDelay; } // Structure that stores the details for a scheduled operation. This structure fits into a single slot. struct Schedule { uint48 timepoint; uint32 nonce; } uint64 public constant ADMIN_ROLE = type(uint64).min; // 0 uint64 public constant PUBLIC_ROLE = type(uint64).max; // 2**64-1 mapping(address target => TargetConfig mode) private _targets; mapping(uint64 roleId => Role) private _roles; mapping(bytes32 operationId => Schedule) private _schedules; // This should be transient storage when supported by the EVM. bytes32 private _executionId; /** * @dev Check that the caller is authorized to perform the operation, following the restrictions encoded in * {_getAdminRestrictions}. */ modifier onlyAuthorized() { _checkAuthorized(); _; } constructor(address initialAdmin) { if (initialAdmin == address(0)) { revert AccessManagerInvalidInitialAdmin(address(0)); } // admin is active immediately and without any execution delay. _grantRole(ADMIN_ROLE, initialAdmin, 0, 0); } // =================================================== GETTERS ==================================================== /** * @dev Check if an address (`caller`) is authorised to call a given function on a given contract directly (with * no restriction). Additionally, it returns the delay needed to perform the call indirectly through the {schedule} * & {execute} workflow. * * This function is usually called by the targeted contract to control immediate execution of restricted functions. * Therefore we only return true is the call can be performed without any delay. If the call is subject to a delay, * then the function should return false, and the caller should schedule the operation for future execution. * * We may be able to hash the operation, and check if the call was scheduled, but we would not be able to cleanup * the schedule, leaving the possibility of multiple executions. Maybe this function should not be view? * * NOTE: The IAuthority interface does not include the `uint32` delay. This is an extension of that interface that * is backward compatible. Some contracts may thus ignore the second return argument. In that case they will fail * to identify the indirect workflow, and will consider calls that require a delay to be forbidden. */ function canCall(address caller, address target, bytes4 selector) public view virtual returns (bool, uint32) { if (isTargetClosed(target)) { return (false, 0); } else if (caller == address(this)) { // Caller is AccessManager, this means the call was sent through {execute} and it already checked // permissions. We verify that the call "identifier", which is set during {execute}, is correct. return (_isExecuting(target, selector), 0); } else { uint64 roleId = getTargetFunctionRole(target, selector); (bool isMember, uint32 currentDelay) = hasRole(roleId, caller); return isMember ? (currentDelay == 0, currentDelay) : (false, 0); } } /** * @dev Expiration delay for scheduled proposals. Defaults to 1 week. */ function expiration() public view virtual returns (uint32) { return 1 weeks; } /** * @dev Minimum setback for all delay updates, with the exception of execution delays, which * can be increased without setback (and in the event of an accidental increase can be reset * via {revokeRole}). Defaults to 5 days. */ function minSetback() public view virtual returns (uint32) { return 5 days; } /** * @dev Get the mode under which a contract is operating. */ function isTargetClosed(address target) public view virtual returns (bool) { return _targets[target].closed; } /** * @dev Get the role required to call a function. */ function getTargetFunctionRole(address target, bytes4 selector) public view virtual returns (uint64) { return _targets[target].allowedRoles[selector]; } /** * @dev Get the admin delay for a target contract. Changes to contract configuration are subject to this delay. */ function getTargetAdminDelay(address target) public view virtual returns (uint32) { return _targets[target].adminDelay.get(); } /** * @dev Get the id of the role that acts as an admin for given role. * * The admin permission is required to grant the role, revoke the role and update the execution delay to execute * an operation that is restricted to this role. */ function getRoleAdmin(uint64 roleId) public view virtual returns (uint64) { return _roles[roleId].admin; } /** * @dev Get the role that acts as a guardian for a given role. * * The guardian permission allows canceling operations that have been scheduled under the role. */ function getRoleGuardian(uint64 roleId) public view virtual returns (uint64) { return _roles[roleId].guardian; } /** * @dev Get the role current grant delay, that value may change at any point, without an event emitted, following * a call to {setGrantDelay}. Changes to this value, including effect timepoint are notified by the * {RoleGrantDelayChanged} event. */ function getRoleGrantDelay(uint64 roleId) public view virtual returns (uint32) { return _roles[roleId].grantDelay.get(); } /** * @dev Get the access details for a given account for a given role. These details include the timepoint at which * membership becomes active, and the delay applied to all operation by this user that requires this permission * level. * * Returns: * [0] Timestamp at which the account membership becomes valid. 0 means role is not granted. * [1] Current execution delay for the account. * [2] Pending execution delay for the account. * [3] Timestamp at which the pending execution delay will become active. 0 means no delay update is scheduled. */ function getAccess(uint64 roleId, address account) public view virtual returns (uint48, uint32, uint32, uint48) { Access storage access = _roles[roleId].members[account]; uint48 since = access.since; (uint32 currentDelay, uint32 pendingDelay, uint48 effect) = access.delay.getFull(); return (since, currentDelay, pendingDelay, effect); } /** * @dev Check if a given account currently had the permission level corresponding to a given role. Note that this * permission might be associated with a delay. {getAccess} can provide more details. */ function hasRole(uint64 roleId, address account) public view virtual returns (bool, uint32) { if (roleId == PUBLIC_ROLE) { return (true, 0); } else { (uint48 hasRoleSince, uint32 currentDelay, , ) = getAccess(roleId, account); return (hasRoleSince != 0 && hasRoleSince <= Time.timestamp(), currentDelay); } } // =============================================== ROLE MANAGEMENT =============================================== /** * @dev Give a label to a role, for improved role discoverabily by UIs. * * Emits a {RoleLabel} event. */ function labelRole(uint64 roleId, string calldata label) public virtual onlyAuthorized { if (roleId == ADMIN_ROLE || roleId == PUBLIC_ROLE) { revert AccessManagerLockedRole(roleId); } emit RoleLabel(roleId, label); } /** * @dev Add `account` to `roleId`, or change its execution delay. * * This gives the account the authorization to call any function that is restricted to this role. An optional * execution delay (in seconds) can be set. If that delay is non 0, the user is required to schedule any operation * that is restricted to members this role. The user will only be able to execute the operation after the delay has * passed, before it has expired. During this period, admin and guardians can cancel the operation (see {cancel}). * * If the account has already been granted this role, the execution delay will be updated. This update is not * immediate and follows the delay rules. For example, If a user currently has a delay of 3 hours, and this is * called to reduce that delay to 1 hour, the new delay will take some time to take effect, enforcing that any * operation executed in the 3 hours that follows this update was indeed scheduled before this update. * * Requirements: * * - the caller must be an admin for the role (see {getRoleAdmin}) * * Emits a {RoleGranted} event */ function grantRole(uint64 roleId, address account, uint32 executionDelay) public virtual onlyAuthorized { _grantRole(roleId, account, getRoleGrantDelay(roleId), executionDelay); } /** * @dev Remove an account from a role, with immediate effect. If the account does not have the role, this call has * no effect. * * Requirements: * * - the caller must be an admin for the role (see {getRoleAdmin}) * * Emits a {RoleRevoked} event if the account had the role. */ function revokeRole(uint64 roleId, address account) public virtual onlyAuthorized { _revokeRole(roleId, account); } /** * @dev Renounce role permissions for the calling account, with immediate effect. If the sender is not in * the role, this call has no effect. * * Requirements: * * - the caller must be `callerConfirmation`. * * Emits a {RoleRevoked} event if the account had the role. */ function renounceRole(uint64 roleId, address callerConfirmation) public virtual { if (callerConfirmation != _msgSender()) { revert AccessManagerBadConfirmation(); } _revokeRole(roleId, callerConfirmation); } /** * @dev Change admin role for a given role. * * Requirements: * * - the caller must be a global admin * * Emits a {RoleAdminChanged} event */ function setRoleAdmin(uint64 roleId, uint64 admin) public virtual onlyAuthorized { _setRoleAdmin(roleId, admin); } /** * @dev Change guardian role for a given role. * * Requirements: * * - the caller must be a global admin * * Emits a {RoleGuardianChanged} event */ function setRoleGuardian(uint64 roleId, uint64 guardian) public virtual onlyAuthorized { _setRoleGuardian(roleId, guardian); } /** * @dev Update the delay for granting a `roleId`. * * Requirements: * * - the caller must be a global admin * * Emits a {RoleGrantDelayChanged} event. */ function setGrantDelay(uint64 roleId, uint32 newDelay) public virtual onlyAuthorized { _setGrantDelay(roleId, newDelay); } /** * @dev Internal version of {grantRole} without access control. Returns true if the role was newly granted. * * Emits a {RoleGranted} event. */ function _grantRole( uint64 roleId, address account, uint32 grantDelay, uint32 executionDelay ) internal virtual returns (bool) { if (roleId == PUBLIC_ROLE) { revert AccessManagerLockedRole(roleId); } bool newMember = _roles[roleId].members[account].since == 0; uint48 since; if (newMember) { since = Time.timestamp() + grantDelay; _roles[roleId].members[account] = Access({since: since, delay: executionDelay.toDelay()}); } else { // No setback here. Value can be reset by doing revoke + grant, effectively allowing the admin to perform // any change to the execution delay within the duration of the role admin delay. (_roles[roleId].members[account].delay, since) = _roles[roleId].members[account].delay.withUpdate( executionDelay, 0 ); } emit RoleGranted(roleId, account, executionDelay, since, newMember); return newMember; } /** * @dev Internal version of {revokeRole} without access control. This logic is also used by {renounceRole}. * Returns true if the role was previously granted. * * Emits a {RoleRevoked} event if the account had the role. */ function _revokeRole(uint64 roleId, address account) internal virtual returns (bool) { if (roleId == PUBLIC_ROLE) { revert AccessManagerLockedRole(roleId); } if (_roles[roleId].members[account].since == 0) { return false; } delete _roles[roleId].members[account]; emit RoleRevoked(roleId, account); return true; } /** * @dev Internal version of {setRoleAdmin} without access control. * * Emits a {RoleAdminChanged} event */ function _setRoleAdmin(uint64 roleId, uint64 admin) internal virtual { if (roleId == ADMIN_ROLE || roleId == PUBLIC_ROLE) { revert AccessManagerLockedRole(roleId); } _roles[roleId].admin = admin; emit RoleAdminChanged(roleId, admin); } /** * @dev Internal version of {setRoleGuardian} without access control. * * Emits a {RoleGuardianChanged} event */ function _setRoleGuardian(uint64 roleId, uint64 guardian) internal virtual { if (roleId == ADMIN_ROLE || roleId == PUBLIC_ROLE) { revert AccessManagerLockedRole(roleId); } _roles[roleId].guardian = guardian; emit RoleGuardianChanged(roleId, guardian); } /** * @dev Internal version of {setGrantDelay} without access control. * * Emits a {RoleGrantDelayChanged} event */ function _setGrantDelay(uint64 roleId, uint32 newDelay) internal virtual { if (roleId == PUBLIC_ROLE) { revert AccessManagerLockedRole(roleId); } uint48 effect; (_roles[roleId].grantDelay, effect) = _roles[roleId].grantDelay.withUpdate(newDelay, minSetback()); emit RoleGrantDelayChanged(roleId, newDelay, effect); } // ============================================= FUNCTION MANAGEMENT ============================================== /** * @dev Set the role required to call functions identified by the `selectors` in the `target` contract. * * Requirements: * * - the caller must be a global admin * * Emits a {TargetFunctionRoleUpdated} event per selector. */ function setTargetFunctionRole( address target, bytes4[] calldata selectors, uint64 roleId ) public virtual onlyAuthorized { for (uint256 i = 0; i < selectors.length; ++i) { _setTargetFunctionRole(target, selectors[i], roleId); } } /** * @dev Internal version of {setFunctionAllowedRole} without access control. * * Emits a {TargetFunctionRoleUpdated} event */ function _setTargetFunctionRole(address target, bytes4 selector, uint64 roleId) internal virtual { _targets[target].allowedRoles[selector] = roleId; emit TargetFunctionRoleUpdated(target, selector, roleId); } /** * @dev Set the delay for changing the configuration of a given target contract. * * Requirements: * * - the caller must be a global admin * * Emits a {TargetAdminDelayUpdated} event per selector */ function setTargetAdminDelay(address target, uint32 newDelay) public virtual onlyAuthorized { _setTargetAdminDelay(target, newDelay); } /** * @dev Internal version of {setTargetAdminDelay} without access control. * * Emits a {TargetAdminDelayUpdated} event */ function _setTargetAdminDelay(address target, uint32 newDelay) internal virtual { uint48 effect; (_targets[target].adminDelay, effect) = _targets[target].adminDelay.withUpdate(newDelay, minSetback()); emit TargetAdminDelayUpdated(target, newDelay, effect); } // =============================================== MODE MANAGEMENT ================================================ /** * @dev Set the closed flag for a contract. * * Requirements: * * - the caller must be a global admin * * Emits a {TargetClosed} event. */ function setTargetClosed(address target, bool closed) public virtual onlyAuthorized { _setTargetClosed(target, closed); } /** * @dev Set the closed flag for a contract. This is an internal setter with no access restrictions. * * Emits a {TargetClosed} event. */ function _setTargetClosed(address target, bool closed) internal virtual { if (target == address(this)) { revert AccessManagerLockedAccount(target); } _targets[target].closed = closed; emit TargetClosed(target, closed); } // ============================================== DELAYED OPERATIONS ============================================== /** * @dev Return the timepoint at which a scheduled operation will be ready for execution. This returns 0 if the * operation is not yet scheduled, has expired, was executed, or was canceled. */ function getSchedule(bytes32 id) public view virtual returns (uint48) { uint48 timepoint = _schedules[id].timepoint; return _isExpired(timepoint) ? 0 : timepoint; } /** * @dev Return the nonce for the latest scheduled operation with a given id. Returns 0 if the operation has never * been scheduled. */ function getNonce(bytes32 id) public view virtual returns (uint32) { return _schedules[id].nonce; } /** * @dev Schedule a delayed operation for future execution, and return the operation identifier. It is possible to * choose the timestamp at which the operation becomes executable as long as it satisfies the execution delays * required for the caller. The special value zero will automatically set the earliest possible time. * * Returns the `operationId` that was scheduled. Since this value is a hash of the parameters, it can reoccur when * the same parameters are used; if this is relevant, the returned `nonce` can be used to uniquely identify this * scheduled operation from other occurrences of the same `operationId` in invocations of {execute} and {cancel}. * * Emits a {OperationScheduled} event. * * NOTE: It is not possible to concurrently schedule more than one operation with the same `target` and `data`. If * this is necessary, a random byte can be appended to `data` to act as a salt that will be ignored by the target * contract if it is using standard Solidity ABI encoding. */ function schedule( address target, bytes calldata data, uint48 when ) public virtual returns (bytes32 operationId, uint32 nonce) { address caller = _msgSender(); // Fetch restrictions that apply to the caller on the targeted function (bool immediate, uint32 setback) = _canCallExtended(caller, target, data); uint48 minWhen = Time.timestamp() + setback; // if call is not authorized, or if requested timing is too soon if ((!immediate && setback == 0) || (when > 0 && when < minWhen)) { revert AccessManagerUnauthorizedCall(caller, target, bytes4(data[0:4])); } // Reuse variable due to stack too deep when = uint48(Math.max(when, minWhen)); // cast is safe: both inputs are uint48 // If caller is authorised, schedule operation operationId = hashOperation(caller, target, data); _checkNotScheduled(operationId); unchecked { // It's not feasible to overflow the nonce in less than 1000 years nonce = _schedules[operationId].nonce + 1; } _schedules[operationId].timepoint = when; _schedules[operationId].nonce = nonce; emit OperationScheduled(operationId, nonce, when, caller, target, data); // Using named return values because otherwise we get stack too deep } /** * @dev Reverts if the operation is currently scheduled and has not expired. * (Note: This function was introduced due to stack too deep errors in schedule.) */ function _checkNotScheduled(bytes32 operationId) private view { uint48 prevTimepoint = _schedules[operationId].timepoint; if (prevTimepoint != 0 && !_isExpired(prevTimepoint)) { revert AccessManagerAlreadyScheduled(operationId); } } /** * @dev Execute a function that is delay restricted, provided it was properly scheduled beforehand, or the * execution delay is 0. * * Returns the nonce that identifies the previously scheduled operation that is executed, or 0 if the * operation wasn't previously scheduled (if the caller doesn't have an execution delay). * * Emits an {OperationExecuted} event only if the call was scheduled and delayed. */ // Reentrancy is not an issue because permissions are checked on msg.sender. Additionally, // _consumeScheduledOp guarantees a scheduled operation is only executed once. // slither-disable-next-line reentrancy-no-eth function execute(address target, bytes calldata data) public payable virtual returns (uint32) { address caller = _msgSender(); // Fetch restrictions that apply to the caller on the targeted function (bool immediate, uint32 setback) = _canCallExtended(caller, target, data); // If caller is not authorised, revert if (!immediate && setback == 0) { revert AccessManagerUnauthorizedCall(caller, target, bytes4(data)); } // If caller is authorised, check operation was scheduled early enough bytes32 operationId = hashOperation(caller, target, data); uint32 nonce; if (setback != 0) { nonce = _consumeScheduledOp(operationId); } // Mark the target and selector as authorised bytes32 executionIdBefore = _executionId; _executionId = _hashExecutionId(target, bytes4(data)); // Perform call Address.functionCallWithValue(target, data, msg.value); // Reset execute identifier _executionId = executionIdBefore; return nonce; } /** * @dev Consume a scheduled operation targeting the caller. If such an operation exists, mark it as consumed * (emit an {OperationExecuted} event and clean the state). Otherwise, throw an error. * * This is useful for contract that want to enforce that calls targeting them were scheduled on the manager, * with all the verifications that it implies. * * Emit a {OperationExecuted} event */ function consumeScheduledOp(address caller, bytes calldata data) public virtual { address target = _msgSender(); if (IAccessManaged(target).isConsumingScheduledOp() != IAccessManaged.isConsumingScheduledOp.selector) { revert AccessManagerUnauthorizedConsume(target); } _consumeScheduledOp(hashOperation(caller, target, data)); } /** * @dev Internal variant of {consumeScheduledOp} that operates on bytes32 operationId. * * Returns the nonce of the scheduled operation that is consumed. */ function _consumeScheduledOp(bytes32 operationId) internal virtual returns (uint32) { uint48 timepoint = _schedules[operationId].timepoint; uint32 nonce = _schedules[operationId].nonce; if (timepoint == 0) { revert AccessManagerNotScheduled(operationId); } else if (timepoint > Time.timestamp()) { revert AccessManagerNotReady(operationId); } else if (_isExpired(timepoint)) { revert AccessManagerExpired(operationId); } delete _schedules[operationId].timepoint; // reset the timepoint, keep the nonce emit OperationExecuted(operationId, nonce); return nonce; } /** * @dev Cancel a scheduled (delayed) operation. Returns the nonce that identifies the previously scheduled * operation that is cancelled. * * Requirements: * * - the caller must be the proposer, a guardian of the targeted function, or a global admin * * Emits a {OperationCanceled} event. */ function cancel(address caller, address target, bytes calldata data) public virtual returns (uint32) { address msgsender = _msgSender(); bytes4 selector = bytes4(data[0:4]); bytes32 operationId = hashOperation(caller, target, data); if (_schedules[operationId].timepoint == 0) { revert AccessManagerNotScheduled(operationId); } else if (caller != msgsender) { // calls can only be canceled by the account that scheduled them, a global admin, or by a guardian of the required role. (bool isAdmin, ) = hasRole(ADMIN_ROLE, msgsender); (bool isGuardian, ) = hasRole(getRoleGuardian(getTargetFunctionRole(target, selector)), msgsender); if (!isAdmin && !isGuardian) { revert AccessManagerUnauthorizedCancel(msgsender, caller, target, selector); } } delete _schedules[operationId].timepoint; // reset the timepoint, keep the nonce uint32 nonce = _schedules[operationId].nonce; emit OperationCanceled(operationId, nonce); return nonce; } /** * @dev Hashing function for delayed operations */ function hashOperation(address caller, address target, bytes calldata data) public view virtual returns (bytes32) { return keccak256(abi.encode(caller, target, data)); } /** * @dev Hashing function for execute protection */ function _hashExecutionId(address target, bytes4 selector) private pure returns (bytes32) { return keccak256(abi.encode(target, selector)); } // ==================================================== OTHERS ==================================================== /** * @dev Change the AccessManager instance used by a contract that correctly uses this instance. * * Requirements: * * - the caller must be a global admin */ function updateAuthority(address target, address newAuthority) public virtual onlyAuthorized { IAccessManaged(target).setAuthority(newAuthority); } // ================================================= ADMIN LOGIC ================================================== /** * @dev Check if the current call is authorized according to admin logic. */ function _checkAuthorized() private { address caller = _msgSender(); (bool immediate, uint32 delay) = _canCallSelf(caller, _msgData()); if (!immediate) { if (delay == 0) { (, uint64 requiredRole, ) = _getAdminRestrictions(_msgData()); revert AccessManagerUnauthorizedAccount(caller, requiredRole); } else { _consumeScheduledOp(hashOperation(caller, address(this), _msgData())); } } } /** * @dev Get the admin restrictions of a given function call based on the function and arguments involved. * * Returns: * - bool restricted: does this data match a restricted operation * - uint64: which role is this operation restricted to * - uint32: minimum delay to enforce for that operation (on top of the admin's execution delay) */ function _getAdminRestrictions(bytes calldata data) private view returns (bool, uint64, uint32) { bytes4 selector = bytes4(data); if (data.length < 4) { return (false, 0, 0); } // Restricted to ADMIN with no delay beside any execution delay the caller may have if ( selector == this.labelRole.selector || selector == this.setRoleAdmin.selector || selector == this.setRoleGuardian.selector || selector == this.setGrantDelay.selector || selector == this.setTargetAdminDelay.selector ) { return (true, ADMIN_ROLE, 0); } // Restricted to ADMIN with the admin delay corresponding to the target if ( selector == this.updateAuthority.selector || selector == this.setTargetClosed.selector || selector == this.setTargetFunctionRole.selector ) { // First argument is a target. address target = abi.decode(data[0x04:0x24], (address)); uint32 delay = getTargetAdminDelay(target); return (true, ADMIN_ROLE, delay); } // Restricted to that role's admin with no delay beside any execution delay the caller may have. if (selector == this.grantRole.selector || selector == this.revokeRole.selector) { // First argument is a roleId. uint64 roleId = abi.decode(data[0x04:0x24], (uint64)); uint64 roleAdminId = getRoleAdmin(roleId); return (true, roleAdminId, 0); } return (false, 0, 0); } // =================================================== HELPERS ==================================================== /** * @dev An extended version of {canCall} for internal use that considers restrictions for admin functions. * * Returns: * - bool immediate: whether the operation can be executed immediately (with no delay) * - uint32 delay: the execution delay * * If immediate is true, the delay can be disregarded and the operation can be immediately executed. * If immediate is false, the operation can be executed if and only if delay is greater than 0. */ function _canCallExtended(address caller, address target, bytes calldata data) private view returns (bool, uint32) { if (target == address(this)) { return _canCallSelf(caller, data); } else { bytes4 selector = bytes4(data); return canCall(caller, target, selector); } } /** * @dev A version of {canCall} that checks for admin restrictions in this contract. */ function _canCallSelf(address caller, bytes calldata data) private view returns (bool immediate, uint32 delay) { if (caller == address(this)) { // Caller is AccessManager, this means the call was sent through {execute} and it already checked // permissions. We verify that the call "identifier", which is set during {execute}, is correct. return (_isExecuting(address(this), bytes4(data)), 0); } (bool enabled, uint64 roleId, uint32 operationDelay) = _getAdminRestrictions(data); if (!enabled) { return (false, 0); } (bool inRole, uint32 executionDelay) = hasRole(roleId, caller); if (!inRole) { return (false, 0); } // downcast is safe because both options are uint32 delay = uint32(Math.max(operationDelay, executionDelay)); return (delay == 0, delay); } /** * @dev Returns true if a call with `target` and `selector` is being executed via {executed}. */ function _isExecuting(address target, bytes4 selector) private view returns (bool) { return _executionId == _hashExecutionId(target, selector); } /** * @dev Returns true if a schedule timepoint is past its expiration deadline. */ function _isExpired(uint48 timepoint) private view returns (bool) { return timepoint + expiration() <= Time.timestamp(); } }