// SPDX-License-Identifier: MIT pragma solidity ^0.8.20; import {IAccessManager} from "./IAccessManager.sol"; import {IAccessManaged} from "./IAccessManaged.sol"; import {Address} from "../../utils/Address.sol"; import {Context} from "../../utils/Context.sol"; import {Multicall} from "../../utils/Multicall.sol"; import {Math} from "../../utils/math/Math.sol"; import {Time} from "../../utils/types/Time.sol"; /** * @dev AccessManager is a central contract to store the permissions of a system. * * A smart contract under the control of an AccessManager instance is known as a target, and will inherit from the * {AccessManaged} contract, be connected to this contract as its manager and implement the {AccessManaged-restricted} * modifier on a set of functions selected to be permissioned. Note that any function without this setup won't be * effectively restricted. * * The restriction rules for such functions are defined in terms of "roles" identified by an `uint64` and scoped * by target (`address`) and function selectors (`bytes4`). These roles are stored in this contract and can be * configured by admins (`ADMIN_ROLE` members) after a delay (see {getTargetAdminDelay}). * * For each target contract, admins can configure the following without any delay: * * * The target's {AccessManaged-authority} via {updateAuthority}. * * Close or open a target via {setTargetClosed} keeping the permissions intact. * * The roles that are allowed (or disallowed) to call a given function (identified by its selector) through {setTargetFunctionRole}. * * By default every address is member of the `PUBLIC_ROLE` and every target function is restricted to the `ADMIN_ROLE` until configured otherwise. * Additionally, each role has the following configuration options restricted to this manager's admins: * * * A role's admin role via {setRoleAdmin} who can grant or revoke roles. * * A role's guardian role via {setRoleGuardian} who's allowed to cancel operations. * * A delay in which a role takes effect after being granted through {setGrantDelay}. * * A delay of any target's admin action via {setTargetAdminDelay}. * * A role label for discoverability purposes with {labelRole}. * * Any account can be added and removed into any number of these roles by using the {grantRole} and {revokeRole} functions * restricted to each role's admin (see {getRoleAdmin}). * * Since all the permissions of the managed system can be modified by the admins of this instance, it is expected that * they will be highly secured (e.g., a multisig or a well-configured DAO). * * NOTE: This contract implements a form of the {IAuthority} interface, but {canCall} has additional return data so it * doesn't inherit `IAuthority`. It is however compatible with the `IAuthority` interface since the first 32 bytes of * the return data are a boolean as expected by that interface. * * NOTE: Systems that implement other access control mechanisms (for example using {Ownable}) can be paired with an * {AccessManager} by transferring permissions (ownership in the case of {Ownable}) directly to the {AccessManager}. * Users will be able to interact with these contracts through the {execute} function, following the access rules * registered in the {AccessManager}. Keep in mind that in that context, the msg.sender seen by restricted functions * will be {AccessManager} itself. * * WARNING: When granting permissions over an {Ownable} or {AccessControl} contract to an {AccessManager}, be very * mindful of the danger associated with functions such as {{Ownable-renounceOwnership}} or * {{AccessControl-renounceRole}}. */ contract AccessManager is Context, Multicall, IAccessManager { using Time for *; // Structure that stores the details for a target contract. struct TargetConfig { mapping(bytes4 selector => uint64 roleId) allowedRoles; Time.Delay adminDelay; bool closed; } // Structure that stores the details for a role/account pair. This structures fit into a single slot. struct Access { // Timepoint at which the user gets the permission. // If this is either 0 or in the future, then the role permission is not available. uint48 since; // Delay for execution. Only applies to restricted() / execute() calls. Time.Delay delay; } // Structure that stores the details of a role. struct Role { // Members of the role. mapping(address user => Access access) members; // Admin who can grant or revoke permissions. uint64 admin; // Guardian who can cancel operations targeting functions that need this role. uint64 guardian; // Delay in which the role takes effect after being granted. Time.Delay grantDelay; } // Structure that stores the details for a scheduled operation. This structure fits into a single slot. struct Schedule { // Moment at which the operation can be executed. uint48 timepoint; // Operation nonce to allow third-party contracts to identify the operation. uint32 nonce; } uint64 public constant ADMIN_ROLE = type(uint64).min; // 0 uint64 public constant PUBLIC_ROLE = type(uint64).max; // 2**64-1 mapping(address target => TargetConfig mode) private _targets; mapping(uint64 roleId => Role) private _roles; mapping(bytes32 operationId => Schedule) private _schedules; // Used to identify operations that are currently being executed via {execute}. // This should be transient storage when supported by the EVM. bytes32 private _executionId; /** * @dev Check that the caller is authorized to perform the operation, following the restrictions encoded in * {_getAdminRestrictions}. */ modifier onlyAuthorized() { _checkAuthorized(); _; } constructor(address initialAdmin) { if (initialAdmin == address(0)) { revert AccessManagerInvalidInitialAdmin(address(0)); } // admin is active immediately and without any execution delay. _grantRole(ADMIN_ROLE, initialAdmin, 0, 0); } // =================================================== GETTERS ==================================================== /// @inheritdoc IAccessManager function canCall( address caller, address target, bytes4 selector ) public view virtual returns (bool immediate, uint32 delay) { if (isTargetClosed(target)) { return (false, 0); } else if (caller == address(this)) { // Caller is AccessManager, this means the call was sent through {execute} and it already checked // permissions. We verify that the call "identifier", which is set during {execute}, is correct. return (_isExecuting(target, selector), 0); } else { uint64 roleId = getTargetFunctionRole(target, selector); (bool isMember, uint32 currentDelay) = hasRole(roleId, caller); return isMember ? (currentDelay == 0, currentDelay) : (false, 0); } } /// @inheritdoc IAccessManager function expiration() public view virtual returns (uint32) { return 1 weeks; } /// @inheritdoc IAccessManager function minSetback() public view virtual returns (uint32) { return 5 days; } /// @inheritdoc IAccessManager function isTargetClosed(address target) public view virtual returns (bool) { return _targets[target].closed; } /// @inheritdoc IAccessManager function getTargetFunctionRole(address target, bytes4 selector) public view virtual returns (uint64) { return _targets[target].allowedRoles[selector]; } /// @inheritdoc IAccessManager function getTargetAdminDelay(address target) public view virtual returns (uint32) { return _targets[target].adminDelay.get(); } /// @inheritdoc IAccessManager function getRoleAdmin(uint64 roleId) public view virtual returns (uint64) { return _roles[roleId].admin; } /// @inheritdoc IAccessManager function getRoleGuardian(uint64 roleId) public view virtual returns (uint64) { return _roles[roleId].guardian; } /// @inheritdoc IAccessManager function getRoleGrantDelay(uint64 roleId) public view virtual returns (uint32) { return _roles[roleId].grantDelay.get(); } /// @inheritdoc IAccessManager function getAccess( uint64 roleId, address account ) public view virtual returns (uint48 since, uint32 currentDelay, uint32 pendingDelay, uint48 effect) { Access storage access = _roles[roleId].members[account]; since = access.since; (currentDelay, pendingDelay, effect) = access.delay.getFull(); return (since, currentDelay, pendingDelay, effect); } /// @inheritdoc IAccessManager function hasRole( uint64 roleId, address account ) public view virtual returns (bool isMember, uint32 executionDelay) { if (roleId == PUBLIC_ROLE) { return (true, 0); } else { (uint48 hasRoleSince, uint32 currentDelay, , ) = getAccess(roleId, account); return (hasRoleSince != 0 && hasRoleSince <= Time.timestamp(), currentDelay); } } // =============================================== ROLE MANAGEMENT =============================================== /// @inheritdoc IAccessManager function labelRole(uint64 roleId, string calldata label) public virtual onlyAuthorized { if (roleId == ADMIN_ROLE || roleId == PUBLIC_ROLE) { revert AccessManagerLockedRole(roleId); } emit RoleLabel(roleId, label); } /// @inheritdoc IAccessManager function grantRole(uint64 roleId, address account, uint32 executionDelay) public virtual onlyAuthorized { _grantRole(roleId, account, getRoleGrantDelay(roleId), executionDelay); } /// @inheritdoc IAccessManager function revokeRole(uint64 roleId, address account) public virtual onlyAuthorized { _revokeRole(roleId, account); } /// @inheritdoc IAccessManager function renounceRole(uint64 roleId, address callerConfirmation) public virtual { if (callerConfirmation != _msgSender()) { revert AccessManagerBadConfirmation(); } _revokeRole(roleId, callerConfirmation); } /// @inheritdoc IAccessManager function setRoleAdmin(uint64 roleId, uint64 admin) public virtual onlyAuthorized { _setRoleAdmin(roleId, admin); } /// @inheritdoc IAccessManager function setRoleGuardian(uint64 roleId, uint64 guardian) public virtual onlyAuthorized { _setRoleGuardian(roleId, guardian); } /// @inheritdoc IAccessManager function setGrantDelay(uint64 roleId, uint32 newDelay) public virtual onlyAuthorized { _setGrantDelay(roleId, newDelay); } /** * @dev Internal version of {grantRole} without access control. Returns true if the role was newly granted. * * Emits a {RoleGranted} event. */ function _grantRole( uint64 roleId, address account, uint32 grantDelay, uint32 executionDelay ) internal virtual returns (bool) { if (roleId == PUBLIC_ROLE) { revert AccessManagerLockedRole(roleId); } bool newMember = _roles[roleId].members[account].since == 0; uint48 since; if (newMember) { since = Time.timestamp() + grantDelay; _roles[roleId].members[account] = Access({since: since, delay: executionDelay.toDelay()}); } else { // No setback here. Value can be reset by doing revoke + grant, effectively allowing the admin to perform // any change to the execution delay within the duration of the role admin delay. (_roles[roleId].members[account].delay, since) = _roles[roleId].members[account].delay.withUpdate( executionDelay, 0 ); } emit RoleGranted(roleId, account, executionDelay, since, newMember); return newMember; } /** * @dev Internal version of {revokeRole} without access control. This logic is also used by {renounceRole}. * Returns true if the role was previously granted. * * Emits a {RoleRevoked} event if the account had the role. */ function _revokeRole(uint64 roleId, address account) internal virtual returns (bool) { if (roleId == PUBLIC_ROLE) { revert AccessManagerLockedRole(roleId); } if (_roles[roleId].members[account].since == 0) { return false; } delete _roles[roleId].members[account]; emit RoleRevoked(roleId, account); return true; } /** * @dev Internal version of {setRoleAdmin} without access control. * * Emits a {RoleAdminChanged} event. * * NOTE: Setting the admin role as the `PUBLIC_ROLE` is allowed, but it will effectively allow * anyone to set grant or revoke such role. */ function _setRoleAdmin(uint64 roleId, uint64 admin) internal virtual { if (roleId == ADMIN_ROLE || roleId == PUBLIC_ROLE) { revert AccessManagerLockedRole(roleId); } _roles[roleId].admin = admin; emit RoleAdminChanged(roleId, admin); } /** * @dev Internal version of {setRoleGuardian} without access control. * * Emits a {RoleGuardianChanged} event. * * NOTE: Setting the guardian role as the `PUBLIC_ROLE` is allowed, but it will effectively allow * anyone to cancel any scheduled operation for such role. */ function _setRoleGuardian(uint64 roleId, uint64 guardian) internal virtual { if (roleId == ADMIN_ROLE || roleId == PUBLIC_ROLE) { revert AccessManagerLockedRole(roleId); } _roles[roleId].guardian = guardian; emit RoleGuardianChanged(roleId, guardian); } /** * @dev Internal version of {setGrantDelay} without access control. * * Emits a {RoleGrantDelayChanged} event. */ function _setGrantDelay(uint64 roleId, uint32 newDelay) internal virtual { if (roleId == PUBLIC_ROLE) { revert AccessManagerLockedRole(roleId); } uint48 effect; (_roles[roleId].grantDelay, effect) = _roles[roleId].grantDelay.withUpdate(newDelay, minSetback()); emit RoleGrantDelayChanged(roleId, newDelay, effect); } // ============================================= FUNCTION MANAGEMENT ============================================== /// @inheritdoc IAccessManager function setTargetFunctionRole( address target, bytes4[] calldata selectors, uint64 roleId ) public virtual onlyAuthorized { for (uint256 i = 0; i < selectors.length; ++i) { _setTargetFunctionRole(target, selectors[i], roleId); } } /** * @dev Internal version of {setTargetFunctionRole} without access control. * * Emits a {TargetFunctionRoleUpdated} event. */ function _setTargetFunctionRole(address target, bytes4 selector, uint64 roleId) internal virtual { _targets[target].allowedRoles[selector] = roleId; emit TargetFunctionRoleUpdated(target, selector, roleId); } /// @inheritdoc IAccessManager function setTargetAdminDelay(address target, uint32 newDelay) public virtual onlyAuthorized { _setTargetAdminDelay(target, newDelay); } /** * @dev Internal version of {setTargetAdminDelay} without access control. * * Emits a {TargetAdminDelayUpdated} event. */ function _setTargetAdminDelay(address target, uint32 newDelay) internal virtual { uint48 effect; (_targets[target].adminDelay, effect) = _targets[target].adminDelay.withUpdate(newDelay, minSetback()); emit TargetAdminDelayUpdated(target, newDelay, effect); } // =============================================== MODE MANAGEMENT ================================================ /// @inheritdoc IAccessManager function setTargetClosed(address target, bool closed) public virtual onlyAuthorized { _setTargetClosed(target, closed); } /** * @dev Set the closed flag for a contract. This is an internal setter with no access restrictions. * * Emits a {TargetClosed} event. */ function _setTargetClosed(address target, bool closed) internal virtual { if (target == address(this)) { revert AccessManagerLockedAccount(target); } _targets[target].closed = closed; emit TargetClosed(target, closed); } // ============================================== DELAYED OPERATIONS ============================================== /// @inheritdoc IAccessManager function getSchedule(bytes32 id) public view virtual returns (uint48) { uint48 timepoint = _schedules[id].timepoint; return _isExpired(timepoint) ? 0 : timepoint; } /// @inheritdoc IAccessManager function getNonce(bytes32 id) public view virtual returns (uint32) { return _schedules[id].nonce; } /// @inheritdoc IAccessManager function schedule( address target, bytes calldata data, uint48 when ) public virtual returns (bytes32 operationId, uint32 nonce) { address caller = _msgSender(); // Fetch restrictions that apply to the caller on the targeted function (, uint32 setback) = _canCallExtended(caller, target, data); uint48 minWhen = Time.timestamp() + setback; // If call with delay is not authorized, or if requested timing is too soon, revert if (setback == 0 || (when > 0 && when < minWhen)) { revert AccessManagerUnauthorizedCall(caller, target, _checkSelector(data)); } // Reuse variable due to stack too deep when = uint48(Math.max(when, minWhen)); // cast is safe: both inputs are uint48 // If caller is authorised, schedule operation operationId = hashOperation(caller, target, data); _checkNotScheduled(operationId); unchecked { // It's not feasible to overflow the nonce in less than 1000 years nonce = _schedules[operationId].nonce + 1; } _schedules[operationId].timepoint = when; _schedules[operationId].nonce = nonce; emit OperationScheduled(operationId, nonce, when, caller, target, data); // Using named return values because otherwise we get stack too deep } /** * @dev Reverts if the operation is currently scheduled and has not expired. * (Note: This function was introduced due to stack too deep errors in schedule.) */ function _checkNotScheduled(bytes32 operationId) private view { uint48 prevTimepoint = _schedules[operationId].timepoint; if (prevTimepoint != 0 && !_isExpired(prevTimepoint)) { revert AccessManagerAlreadyScheduled(operationId); } } /// @inheritdoc IAccessManager // Reentrancy is not an issue because permissions are checked on msg.sender. Additionally, // _consumeScheduledOp guarantees a scheduled operation is only executed once. // slither-disable-next-line reentrancy-no-eth function execute(address target, bytes calldata data) public payable virtual returns (uint32) { address caller = _msgSender(); // Fetch restrictions that apply to the caller on the targeted function (bool immediate, uint32 setback) = _canCallExtended(caller, target, data); // If call is not authorized, revert if (!immediate && setback == 0) { revert AccessManagerUnauthorizedCall(caller, target, _checkSelector(data)); } bytes32 operationId = hashOperation(caller, target, data); uint32 nonce; // If caller is authorised, check operation was scheduled early enough // Consume an available schedule even if there is no currently enforced delay if (setback != 0 || getSchedule(operationId) != 0) { nonce = _consumeScheduledOp(operationId); } // Mark the target and selector as authorised bytes32 executionIdBefore = _executionId; _executionId = _hashExecutionId(target, _checkSelector(data)); // Perform call Address.functionCallWithValue(target, data, msg.value); // Reset execute identifier _executionId = executionIdBefore; return nonce; } /// @inheritdoc IAccessManager function cancel(address caller, address target, bytes calldata data) public virtual returns (uint32) { address msgsender = _msgSender(); bytes4 selector = _checkSelector(data); bytes32 operationId = hashOperation(caller, target, data); if (_schedules[operationId].timepoint == 0) { revert AccessManagerNotScheduled(operationId); } else if (caller != msgsender) { // calls can only be canceled by the account that scheduled them, a global admin, or by a guardian of the required role. (bool isAdmin, ) = hasRole(ADMIN_ROLE, msgsender); (bool isGuardian, ) = hasRole(getRoleGuardian(getTargetFunctionRole(target, selector)), msgsender); if (!isAdmin && !isGuardian) { revert AccessManagerUnauthorizedCancel(msgsender, caller, target, selector); } } delete _schedules[operationId].timepoint; // reset the timepoint, keep the nonce uint32 nonce = _schedules[operationId].nonce; emit OperationCanceled(operationId, nonce); return nonce; } /// @inheritdoc IAccessManager function consumeScheduledOp(address caller, bytes calldata data) public virtual { address target = _msgSender(); if (IAccessManaged(target).isConsumingScheduledOp() != IAccessManaged.isConsumingScheduledOp.selector) { revert AccessManagerUnauthorizedConsume(target); } _consumeScheduledOp(hashOperation(caller, target, data)); } /** * @dev Internal variant of {consumeScheduledOp} that operates on bytes32 operationId. * * Returns the nonce of the scheduled operation that is consumed. */ function _consumeScheduledOp(bytes32 operationId) internal virtual returns (uint32) { uint48 timepoint = _schedules[operationId].timepoint; uint32 nonce = _schedules[operationId].nonce; if (timepoint == 0) { revert AccessManagerNotScheduled(operationId); } else if (timepoint > Time.timestamp()) { revert AccessManagerNotReady(operationId); } else if (_isExpired(timepoint)) { revert AccessManagerExpired(operationId); } delete _schedules[operationId].timepoint; // reset the timepoint, keep the nonce emit OperationExecuted(operationId, nonce); return nonce; } /// @inheritdoc IAccessManager function hashOperation(address caller, address target, bytes calldata data) public view virtual returns (bytes32) { return keccak256(abi.encode(caller, target, data)); } // ==================================================== OTHERS ==================================================== /// @inheritdoc IAccessManager function updateAuthority(address target, address newAuthority) public virtual onlyAuthorized { IAccessManaged(target).setAuthority(newAuthority); } // ================================================= ADMIN LOGIC ================================================== /** * @dev Check if the current call is authorized according to admin logic. */ function _checkAuthorized() private { address caller = _msgSender(); (bool immediate, uint32 delay) = _canCallSelf(caller, _msgData()); if (!immediate) { if (delay == 0) { (, uint64 requiredRole, ) = _getAdminRestrictions(_msgData()); revert AccessManagerUnauthorizedAccount(caller, requiredRole); } else { _consumeScheduledOp(hashOperation(caller, address(this), _msgData())); } } } /** * @dev Get the admin restrictions of a given function call based on the function and arguments involved. * * Returns: * - bool restricted: does this data match a restricted operation * - uint64: which role is this operation restricted to * - uint32: minimum delay to enforce for that operation (max between operation's delay and admin's execution delay) */ function _getAdminRestrictions( bytes calldata data ) private view returns (bool restricted, uint64 roleAdminId, uint32 executionDelay) { if (data.length < 4) { return (false, 0, 0); } bytes4 selector = _checkSelector(data); // Restricted to ADMIN with no delay beside any execution delay the caller may have if ( selector == this.labelRole.selector || selector == this.setRoleAdmin.selector || selector == this.setRoleGuardian.selector || selector == this.setGrantDelay.selector || selector == this.setTargetAdminDelay.selector ) { return (true, ADMIN_ROLE, 0); } // Restricted to ADMIN with the admin delay corresponding to the target if ( selector == this.updateAuthority.selector || selector == this.setTargetClosed.selector || selector == this.setTargetFunctionRole.selector ) { // First argument is a target. address target = abi.decode(data[0x04:0x24], (address)); uint32 delay = getTargetAdminDelay(target); return (true, ADMIN_ROLE, delay); } // Restricted to that role's admin with no delay beside any execution delay the caller may have. if (selector == this.grantRole.selector || selector == this.revokeRole.selector) { // First argument is a roleId. uint64 roleId = abi.decode(data[0x04:0x24], (uint64)); return (true, getRoleAdmin(roleId), 0); } return (false, 0, 0); } // =================================================== HELPERS ==================================================== /** * @dev An extended version of {canCall} for internal usage that checks {_canCallSelf} * when the target is this contract. * * Returns: * - bool immediate: whether the operation can be executed immediately (with no delay) * - uint32 delay: the execution delay */ function _canCallExtended( address caller, address target, bytes calldata data ) private view returns (bool immediate, uint32 delay) { if (target == address(this)) { return _canCallSelf(caller, data); } else { return data.length < 4 ? (false, 0) : canCall(caller, target, _checkSelector(data)); } } /** * @dev A version of {canCall} that checks for admin restrictions in this contract. */ function _canCallSelf(address caller, bytes calldata data) private view returns (bool immediate, uint32 delay) { if (data.length < 4) { return (false, 0); } if (caller == address(this)) { // Caller is AccessManager, this means the call was sent through {execute} and it already checked // permissions. We verify that the call "identifier", which is set during {execute}, is correct. return (_isExecuting(address(this), _checkSelector(data)), 0); } (bool enabled, uint64 roleId, uint32 operationDelay) = _getAdminRestrictions(data); if (!enabled) { return (false, 0); } (bool inRole, uint32 executionDelay) = hasRole(roleId, caller); if (!inRole) { return (false, 0); } // downcast is safe because both options are uint32 delay = uint32(Math.max(operationDelay, executionDelay)); return (delay == 0, delay); } /** * @dev Returns true if a call with `target` and `selector` is being executed via {executed}. */ function _isExecuting(address target, bytes4 selector) private view returns (bool) { return _executionId == _hashExecutionId(target, selector); } /** * @dev Returns true if a schedule timepoint is past its expiration deadline. */ function _isExpired(uint48 timepoint) private view returns (bool) { return timepoint + expiration() <= Time.timestamp(); } /** * @dev Extracts the selector from calldata. Panics if data is not at least 4 bytes */ function _checkSelector(bytes calldata data) private pure returns (bytes4) { return bytes4(data[0:4]); } /** * @dev Hashing function for execute protection */ function _hashExecutionId(address target, bytes4 selector) private pure returns (bytes32) { return keccak256(abi.encode(target, selector)); } }