// SPDX-License-Identifier: MIT pragma solidity ^0.8.20; import {IAccessManager} from "./IAccessManager.sol"; import {IAccessManaged} from "./IAccessManaged.sol"; import {Address} from "../../utils/Address.sol"; import {Context} from "../../utils/Context.sol"; import {Multicall} from "../../utils/Multicall.sol"; import {Math} from "../../utils/math/Math.sol"; import {Time} from "../../utils/types/Time.sol"; /** * @dev AccessManager is a central contract to store the permissions of a system. * * The smart contracts under the control of an AccessManager instance will have a set of "restricted" functions, and the * exact details of how access is restricted for each of those functions is configurable by the admins of the instance. * These restrictions are expressed in terms of "groups". * * An AccessManager instance will define a set of groups. Accounts can be added into any number of these groups. Each of * them defines a role, and may confer access to some of the restricted functions in the system, as configured by admins * through the use of {setFunctionAllowedGroup}. * * Note that a function in a target contract may become permissioned in this way only when: 1) said contract is * {AccessManaged} and is connected to this contract as its manager, and 2) said function is decorated with the * `restricted` modifier. * * There is a special group defined by default named "public" which all accounts automatically have. * * Contracts where functions are mapped to groups are said to be in a "custom" mode, but contracts can also be * configured in two special modes: 1) the "open" mode, where all functions are allowed to the "public" group, and 2) * the "closed" mode, where no function is allowed to any group. * * Since all the permissions of the managed system can be modified by the admins of this instance, it is expected that * they will be highly secured (e.g., a multisig or a well-configured DAO). * * NOTE: This contract implements a form of the {IAuthority} interface, but {canCall} has additional return data so it * doesn't inherit `IAuthority`. It is however compatible with the `IAuthority` interface since the first 32 bytes of * the return data are a boolean as expected by that interface. * * NOTE: Systems that implement other access control mechanisms (for example using {Ownable}) can be paired with an * {AccessManager} by transferring permissions (ownership in the case of {Ownable}) directly to the {AccessManager}. * Users will be able to interact with these contracts through the {relay} function, following the access rules * registered in the {AccessManager}. Keep in mind that in that context, the msg.sender seen by restricted functions * will be {AccessManager} itself. * * WARNING: When granting permissions over an {Ownable} or {AccessControl} contract to an {AccessManager}, be very * mindful of the danger associated with functions such as {{Ownable-renounceOwnership}} or * {{AccessControl-renounceRole}}. */ contract AccessManager is Context, Multicall, IAccessManager { using Time for *; struct AccessMode { uint64 classId; bool closed; } // Structure that stores the details for a group/account pair. This structures fit into a single slot. struct Access { // Timepoint at which the user gets the permission. If this is either 0, or in the future, the group permission // are not available. Should be checked using {Time-isSetAndPast} uint48 since; // delay for execution. Only applies to restricted() / relay() calls. This does not restrict access to // functions that use the `onlyGroup` modifier. Time.Delay delay; } // Structure that stores the details of a group, including: // - the members of the group // - the admin group (that can grant or revoke permissions) // - the guardian group (that can cancel operations targeting functions that need this group // - the grand delay struct Group { mapping(address user => Access access) members; uint64 admin; uint64 guardian; Time.Delay delay; // delay for granting } struct Class { mapping(bytes4 selector => uint64 groupId) allowedGroups; Time.Delay adminDelay; } uint64 public constant ADMIN_GROUP = type(uint64).min; // 0 uint64 public constant PUBLIC_GROUP = type(uint64).max; // 2**64-1 mapping(address target => AccessMode mode) private _contractMode; mapping(uint64 classId => Class) private _classes; mapping(uint64 groupId => Group) private _groups; mapping(bytes32 operationId => uint48 schedule) private _schedules; mapping(bytes4 selector => Time.Delay delay) private _adminDelays; // This should be transcient storage when supported by the EVM. bytes32 private _relayIdentifier; /** * @dev Check that the caller is authorized to perform the operation, following the restrictions encoded in * {_getAdminRestrictions}. */ modifier onlyAuthorized() { _checkAuthorized(); _; } constructor(address initialAdmin) { // admin is active immediately and without any execution delay. _grantGroup(ADMIN_GROUP, initialAdmin, 0, 0); } // =================================================== GETTERS ==================================================== /** * @dev Check if an address (`caller`) is authorised to call a given function on a given contract directly (with * no restriction). Additionally, it returns the delay needed to perform the call indirectly through the {schedule} * & {relay} workflow. * * This function is usually called by the targeted contract to control immediate execution of restricted functions. * Therefore we only return true is the call can be performed without any delay. If the call is subject to a delay, * then the function should return false, and the caller should schedule the operation for future execution. * * We may be able to hash the operation, and check if the call was scheduled, but we would not be able to cleanup * the schedule, leaving the possibility of multiple executions. Maybe this function should not be view? * * NOTE: The IAuthority interface does not include the `uint32` delay. This is an extension of that interface that * is backward compatible. Some contract may thus ignore the second return argument. In that case they will fail * to identify the indirect workflow, and will consider call that require a delay to be forbidden. */ function canCall(address caller, address target, bytes4 selector) public view virtual returns (bool, uint32) { (uint64 classId, bool closed) = getContractClass(target); if (closed) { return (false, 0); } else if (caller == address(this)) { // Caller is AccessManager => call was relayed. In that case the relay already checked permissions. We // verify that the call "identifier", which is set during the relay call, is correct. return (_relayIdentifier == _hashRelayIdentifier(target, selector), 0); } else { uint64 groupId = getClassFunctionGroup(classId, selector); (bool inGroup, uint32 currentDelay) = hasGroup(groupId, caller); return inGroup ? (currentDelay == 0, currentDelay) : (false, 0); } } /** * @dev Expiration delay for scheduled proposals. Defaults to 1 week. */ function expiration() public view virtual returns (uint32) { return 1 weeks; } /** * @dev Minimum setback for delay updates. Defaults to 1 day. */ function minSetback() public view virtual returns (uint32) { return 0; // TODO: set to 1 day } /** * @dev Get the mode under which a contract is operating. */ function getContractClass(address target) public view virtual returns (uint64, bool) { AccessMode storage mode = _contractMode[target]; return (mode.classId, mode.closed); } /** * @dev Get the permission level (group) required to call a function. This only applies for contract that are * operating under the `Custom` mode. */ function getClassFunctionGroup(uint64 classId, bytes4 selector) public view virtual returns (uint64) { return _classes[classId].allowedGroups[selector]; } function getClassAdminDelay(uint64 classId) public view virtual returns (uint32) { return _classes[classId].adminDelay.get(); } /** * @dev Get the id of the group that acts as an admin for given group. * * The admin permission is required to grant the group, revoke the group and update the execution delay to execute * an operation that is restricted to this group. */ function getGroupAdmin(uint64 groupId) public view virtual returns (uint64) { return _groups[groupId].admin; } /** * @dev Get the group that acts as a guardian for a given group. * * The guardian permission allows canceling operations that have been scheduled under the group. */ function getGroupGuardian(uint64 groupId) public view virtual returns (uint64) { return _groups[groupId].guardian; } /** * @dev Get the group current grant delay, that value may change at any point, without an event emitted, following * a call to {setGrantDelay}. Changes to this value, including effect timepoint are notified by the * {GroupGrantDelayChanged} event. */ function getGroupGrantDelay(uint64 groupId) public view virtual returns (uint32) { return _groups[groupId].delay.get(); } /** * @dev Get the access details for a given account in a given group. These details include the timepoint at which * membership becomes active, and the delay applied to all operation by this user that require this permission * level. * * Returns: * [0] Timestamp at which the account membership becomes valid. 0 means role is not granted. * [1] Current execution delay for the account. * [2] Pending execution delay for the account. * [3] Timestamp at which the pending execution delay will become active. 0 means no delay update is scheduled. */ function getAccess(uint64 groupId, address account) public view virtual returns (uint48, uint32, uint32, uint48) { Access storage access = _groups[groupId].members[account]; uint48 since = access.since; (uint32 currentDelay, uint32 pendingDelay, uint48 effect) = access.delay.getFull(); return (since, currentDelay, pendingDelay, effect); } /** * @dev Check if a given account currently had the permission level corresponding to a given group. Note that this * permission might be associated with a delay. {getAccess} can provide more details. */ function hasGroup(uint64 groupId, address account) public view virtual returns (bool, uint32) { if (groupId == PUBLIC_GROUP) { return (true, 0); } else { (uint48 inGroupSince, uint32 currentDelay, , ) = getAccess(groupId, account); return (inGroupSince.isSetAndPast(Time.timestamp()), currentDelay); } } // =============================================== GROUP MANAGEMENT =============================================== /** * @dev Give a label to a group, for improved group discoverabily by UIs. * * Emits a {GroupLabel} event. */ function labelGroup(uint64 groupId, string calldata label) public virtual onlyAuthorized { if (groupId == ADMIN_GROUP || groupId == PUBLIC_GROUP) { revert AccessManagerLockedGroup(groupId); } emit GroupLabel(groupId, label); } /** * @dev Add `account` to `groupId`, or change its execution delay. * * This gives the account the authorization to call any function that is restricted to this group. An optional * execution delay (in seconds) can be set. If that delay is non 0, the user is required to schedule any operation * that is restricted to members this group. The user will only be able to execute the operation after the delay has * passed, before it has expired. During this period, admin and guardians can cancel the operation (see {cancel}). * * If the account has already been granted this group, the execution delay will be updated. This update is not * immediate and follows the delay rules. For example, If a user currently has a delay of 3 hours, and this is * called to reduce that delay to 1 hour, the new delay will take some time to take effect, enforcing that any * operation executed in the 3 hours that follows this update was indeed scheduled before this update. * * Requirements: * * - the caller must be in the group's admins * * Emits a {GroupGranted} event */ function grantGroup(uint64 groupId, address account, uint32 executionDelay) public virtual onlyAuthorized { _grantGroup(groupId, account, getGroupGrantDelay(groupId), executionDelay); } /** * @dev Remove an account for a group, with immediate effect. If the sender is not in the group, this call has no * effect. * * Requirements: * * - the caller must be in the group's admins * * Emits a {GroupRevoked} event */ function revokeGroup(uint64 groupId, address account) public virtual onlyAuthorized { _revokeGroup(groupId, account); } /** * @dev Renounce group permissions for the calling account, with immediate effect. If the sender is not in * the group, this call has no effect. * * Requirements: * * - the caller must be `callerConfirmation`. * * Emits a {GroupRevoked} event */ function renounceGroup(uint64 groupId, address callerConfirmation) public virtual { if (callerConfirmation != _msgSender()) { revert AccessManagerBadConfirmation(); } _revokeGroup(groupId, callerConfirmation); } /** * @dev Change admin group for a given group. * * Requirements: * * - the caller must be a global admin * * Emits a {GroupAdminChanged} event */ function setGroupAdmin(uint64 groupId, uint64 admin) public virtual onlyAuthorized { _setGroupAdmin(groupId, admin); } /** * @dev Change guardian group for a given group. * * Requirements: * * - the caller must be a global admin * * Emits a {GroupGuardianChanged} event */ function setGroupGuardian(uint64 groupId, uint64 guardian) public virtual onlyAuthorized { _setGroupGuardian(groupId, guardian); } /** * @dev Update the delay for granting a `groupId`. * * Requirements: * * - the caller must be a global admin * * Emits a {GroupGrantDelayChanged} event */ function setGrantDelay(uint64 groupId, uint32 newDelay) public virtual onlyAuthorized { _setGrantDelay(groupId, newDelay); } /** * @dev Internal version of {grantGroup} without access control. Returns true if the group was newly granted. * * Emits a {GroupGranted} event */ function _grantGroup( uint64 groupId, address account, uint32 grantDelay, uint32 executionDelay ) internal virtual returns (bool) { if (groupId == PUBLIC_GROUP) { revert AccessManagerLockedGroup(groupId); } bool inGroup = _groups[groupId].members[account].since != 0; uint48 since; if (inGroup) { (_groups[groupId].members[account].delay, since) = _groups[groupId].members[account].delay.withUpdate( executionDelay, minSetback() ); } else { since = Time.timestamp() + grantDelay; _groups[groupId].members[account] = Access({since: since, delay: executionDelay.toDelay()}); } emit GroupGranted(groupId, account, executionDelay, since); return !inGroup; } /** * @dev Internal version of {revokeGroup} without access control. This logic is also used by {renounceGroup}. * Returns true if the group was previously granted. * * Emits a {GroupRevoked} event */ function _revokeGroup(uint64 groupId, address account) internal virtual returns (bool) { if (groupId == PUBLIC_GROUP) { revert AccessManagerLockedGroup(groupId); } if (_groups[groupId].members[account].since == 0) { return false; } delete _groups[groupId].members[account]; emit GroupRevoked(groupId, account); return true; } /** * @dev Internal version of {setGroupAdmin} without access control. * * Emits a {GroupAdminChanged} event */ function _setGroupAdmin(uint64 groupId, uint64 admin) internal virtual { if (groupId == ADMIN_GROUP || groupId == PUBLIC_GROUP) { revert AccessManagerLockedGroup(groupId); } _groups[groupId].admin = admin; emit GroupAdminChanged(groupId, admin); } /** * @dev Internal version of {setGroupGuardian} without access control. * * Emits a {GroupGuardianChanged} event */ function _setGroupGuardian(uint64 groupId, uint64 guardian) internal virtual { if (groupId == ADMIN_GROUP || groupId == PUBLIC_GROUP) { revert AccessManagerLockedGroup(groupId); } _groups[groupId].guardian = guardian; emit GroupGuardianChanged(groupId, guardian); } /** * @dev Internal version of {setGrantDelay} without access control. * * Emits a {GroupGrantDelayChanged} event */ function _setGrantDelay(uint64 groupId, uint32 newDelay) internal virtual { if (groupId == PUBLIC_GROUP) { revert AccessManagerLockedGroup(groupId); } (Time.Delay updated, uint48 effect) = _groups[groupId].delay.withUpdate(newDelay, minSetback()); _groups[groupId].delay = updated; emit GroupGrantDelayChanged(groupId, newDelay, effect); } // ============================================= FUNCTION MANAGEMENT ============================================== /** * @dev Set the level of permission (`group`) required to call functions identified by the `selectors` in the * `target` contract. * * Requirements: * * - the caller must be a global admin * * Emits a {FunctionAllowedGroupUpdated} event per selector */ function setClassFunctionGroup( uint64 classId, bytes4[] calldata selectors, uint64 groupId ) public virtual onlyAuthorized { for (uint256 i = 0; i < selectors.length; ++i) { _setClassFunctionGroup(classId, selectors[i], groupId); } } /** * @dev Internal version of {setFunctionAllowedGroup} without access control. * * Emits a {FunctionAllowedGroupUpdated} event */ function _setClassFunctionGroup(uint64 classId, bytes4 selector, uint64 groupId) internal virtual { _checkValidClassId(classId); _classes[classId].allowedGroups[selector] = groupId; emit ClassFunctionGroupUpdated(classId, selector, groupId); } /** * @dev Set the delay for management operations on a given class of contract. * * Requirements: * * - the caller must be a global admin * * Emits a {FunctionAllowedGroupUpdated} event per selector */ function setClassAdminDelay(uint64 classId, uint32 newDelay) public virtual onlyAuthorized { _setClassAdminDelay(classId, newDelay); } /** * @dev Internal version of {setClassAdminDelay} without access control. * * Emits a {ClassAdminDelayUpdated} event */ function _setClassAdminDelay(uint64 classId, uint32 newDelay) internal virtual { _checkValidClassId(classId); (Time.Delay updated, uint48 effect) = _classes[classId].adminDelay.withUpdate(newDelay, minSetback()); _classes[classId].adminDelay = updated; emit ClassAdminDelayUpdated(classId, newDelay, effect); } /** * @dev Reverts if `classId` is 0. This is the default class id given to contracts and it should not have any * configurations. */ function _checkValidClassId(uint64 classId) private pure { if (classId == 0) { revert AccessManagerInvalidClass(classId); } } // =============================================== MODE MANAGEMENT ================================================ /** * @dev Set the class of a contract. * * Requirements: * * - the caller must be a global admin * * Emits a {ContractClassUpdated} event. */ function setContractClass(address target, uint64 classId) public virtual onlyAuthorized { _setContractClass(target, classId); } /** * @dev Set the class of a contract. This is an internal setter with no access restrictions. * * Emits a {ContractClassUpdated} event. */ function _setContractClass(address target, uint64 classId) internal virtual { if (target == address(this)) { revert AccessManagerLockedAccount(target); } _contractMode[target].classId = classId; emit ContractClassUpdated(target, classId); } /** * @dev Set the closed flag for a contract. * * Requirements: * * - the caller must be a global admin * * Emits a {ContractClosed} event. */ function setContractClosed(address target, bool closed) public virtual onlyAuthorized { _setContractClosed(target, closed); } /** * @dev Set the closed flag for a contract. This is an internal setter with no access restrictions. * * Emits a {ContractClosed} event. */ function _setContractClosed(address target, bool closed) internal virtual { if (target == address(this)) { revert AccessManagerLockedAccount(target); } _contractMode[target].closed = closed; emit ContractClosed(target, closed); } // ============================================== DELAYED OPERATIONS ============================================== /** * @dev Return the timepoint at which a scheduled operation will be ready for execution. This returns 0 if the * operation is not yet scheduled, has expired, was executed, or was canceled. */ function getSchedule(bytes32 id) public view virtual returns (uint48) { uint48 timepoint = _schedules[id]; return _isExpired(timepoint) ? 0 : timepoint; } /** * @dev Schedule a delayed operation for future execution, and return the operation identifier. It is possible to * choose the timestamp at which the operation becomes executable as long as it satisfies the execution delays * required for the caller. The special value zero will automatically set the earliest possible time. * * Emits a {OperationScheduled} event. */ function schedule(address target, bytes calldata data, uint48 when) public virtual returns (bytes32) { address caller = _msgSender(); // Fetch restriction to that apply to the caller on the targeted function (bool allowed, uint32 setback) = _canCallExtended(caller, target, data); uint48 minWhen = Time.timestamp() + setback; // If caller is not authorised, revert if (!allowed && (setback == 0 || when.isSetAndPast(minWhen - 1))) { revert AccessManagerUnauthorizedCall(caller, target, bytes4(data[0:4])); } // If caller is authorised, schedule operation bytes32 operationId = _hashOperation(caller, target, data); // Cannot reschedule unless the operation has expired uint48 prevTimepoint = _schedules[operationId]; if (prevTimepoint != 0 && !_isExpired(prevTimepoint)) { revert AccessManagerAlreadyScheduled(operationId); } uint48 timepoint = when == 0 ? minWhen : when; _schedules[operationId] = timepoint; emit OperationScheduled(operationId, timepoint, caller, target, data); return operationId; } /** * @dev Execute a function that is delay restricted, provided it was properly scheduled beforehand, or the * execution delay is 0. * * Emits an {OperationExecuted} event only if the call was scheduled and delayed. */ // Reentrancy is not an issue because permissions are checked on msg.sender. Additionally, // _consumeScheduledOp guarantees a scheduled operation is only executed once. // slither-disable-next-line reentrancy-no-eth function relay(address target, bytes calldata data) public payable virtual { address caller = _msgSender(); // Fetch restriction to that apply to the caller on the targeted function (bool allowed, uint32 setback) = _canCallExtended(caller, target, data); // If caller is not authorised, revert if (!allowed && setback == 0) { revert AccessManagerUnauthorizedCall(caller, target, bytes4(data)); } // If caller is authorised, check operation was scheduled early enough bytes32 operationId = _hashOperation(caller, target, data); if (setback != 0) { _consumeScheduledOp(operationId); } // Mark the target and selector as authorised bytes32 relayIdentifierBefore = _relayIdentifier; _relayIdentifier = _hashRelayIdentifier(target, bytes4(data)); // Perform call Address.functionCallWithValue(target, data, msg.value); // Reset relay identifier _relayIdentifier = relayIdentifierBefore; } /** * @dev Consume a scheduled operation targeting the caller. If such an operation exists, mark it as consumed * (emit an {OperationExecuted} event and clean the state). Otherwise, throw an error. * * This is useful for contract that want to enforce that calls targeting them were scheduled on the manager, * with all the verifications that it implies. * * Emit a {OperationExecuted} event */ function consumeScheduledOp(address caller, bytes calldata data) public virtual { address target = _msgSender(); require(IAccessManaged(target).isConsumingScheduledOp()); _consumeScheduledOp(_hashOperation(caller, target, data)); } /** * @dev Internal variant of {consumeScheduledOp} that operates on bytes32 operationId. */ function _consumeScheduledOp(bytes32 operationId) internal virtual { uint48 timepoint = _schedules[operationId]; if (timepoint == 0) { revert AccessManagerNotScheduled(operationId); } else if (timepoint > Time.timestamp()) { revert AccessManagerNotReady(operationId); } else if (_isExpired(timepoint)) { revert AccessManagerExpired(operationId); } delete _schedules[operationId]; emit OperationExecuted(operationId, timepoint); } /** * @dev Cancel a scheduled (delayed) operation. * * Requirements: * * - the caller must be the proposer, or a guardian of the targeted function * * Emits a {OperationCanceled} event. */ function cancel(address caller, address target, bytes calldata data) public virtual { address msgsender = _msgSender(); bytes4 selector = bytes4(data[0:4]); bytes32 operationId = _hashOperation(caller, target, data); if (_schedules[operationId] == 0) { revert AccessManagerNotScheduled(operationId); } else if (caller != msgsender) { // calls can only be canceled by the account that scheduled them, a global admin, or by a guardian of the required group. (uint64 classId, ) = getContractClass(target); (bool isAdmin, ) = hasGroup(ADMIN_GROUP, msgsender); (bool isGuardian, ) = hasGroup(getGroupGuardian(getClassFunctionGroup(classId, selector)), msgsender); if (!isAdmin && !isGuardian) { revert AccessManagerCannotCancel(msgsender, caller, target, selector); } } uint48 timepoint = _schedules[operationId]; delete _schedules[operationId]; emit OperationCanceled(operationId, timepoint); } /** * @dev Hashing function for delayed operations */ function _hashOperation(address caller, address target, bytes calldata data) private pure returns (bytes32) { return keccak256(abi.encode(caller, target, data)); } /** * @dev Hashing function for relay protection */ function _hashRelayIdentifier(address target, bytes4 selector) private pure returns (bytes32) { return keccak256(abi.encode(target, selector)); } // ==================================================== OTHERS ==================================================== /** * @dev Change the AccessManager instance used by a contract that correctly uses this instance. * * Requirements: * * - the caller must be a global admin */ function updateAuthority(address target, address newAuthority) public virtual onlyAuthorized { IAccessManaged(target).setAuthority(newAuthority); } // ================================================= ADMIN LOGIC ================================================== /** * @dev Check if the current call is authorized according to admin logic. */ function _checkAuthorized() private { address caller = _msgSender(); (bool allowed, uint32 delay) = _canCallExtended(caller, address(this), _msgData()); if (!allowed) { if (delay == 0) { (, uint64 requiredGroup, ) = _getAdminRestrictions(_msgData()); revert AccessManagerUnauthorizedAccount(caller, requiredGroup); } else { _consumeScheduledOp(_hashOperation(caller, address(this), _msgData())); } } } /** * @dev Get the admin restrictions of a given function call based on the function and arguments involved. */ function _getAdminRestrictions(bytes calldata data) private view returns (bool, uint64, uint32) { bytes4 selector = bytes4(data); if (data.length < 4) { return (false, 0, 0); } else if (selector == this.updateAuthority.selector || selector == this.setContractClass.selector) { // First argument is a target. Restricted to ADMIN with the class delay corresponding to the target's class address target = abi.decode(data[0x04:0x24], (address)); (uint64 classId, ) = getContractClass(target); uint32 delay = getClassAdminDelay(classId); return (true, ADMIN_GROUP, delay); } else if (selector == this.setClassFunctionGroup.selector) { // First argument is a class. Restricted to ADMIN with the class delay corresponding to the class uint64 classId = abi.decode(data[0x04:0x24], (uint64)); uint32 delay = getClassAdminDelay(classId); return (true, ADMIN_GROUP, delay); } else if ( selector == this.labelGroup.selector || selector == this.setGroupAdmin.selector || selector == this.setGroupGuardian.selector || selector == this.setGrantDelay.selector || selector == this.setClassAdminDelay.selector || selector == this.setContractClosed.selector ) { // Restricted to ADMIN with no delay beside any execution delay the caller may have return (true, ADMIN_GROUP, 0); } else if (selector == this.grantGroup.selector || selector == this.revokeGroup.selector) { // First argument is a groupId. Restricted to that group's admin with no delay beside any execution delay the caller may have. uint64 groupId = abi.decode(data[0x04:0x24], (uint64)); uint64 groupAdminId = getGroupAdmin(groupId); return (true, groupAdminId, 0); } else { return (false, 0, 0); } } // =================================================== HELPERS ==================================================== /** * @dev An extended version of {canCall} for internal use that considers restrictions for admin functions. */ function _canCallExtended(address caller, address target, bytes calldata data) private view returns (bool, uint32) { if (target == address(this)) { (bool enabled, uint64 groupId, uint32 operationDelay) = _getAdminRestrictions(data); if (!enabled) { return (false, 0); } (bool inGroup, uint32 executionDelay) = hasGroup(groupId, caller); if (!inGroup) { return (false, 0); } // downcast is safe because both options are uint32 uint32 delay = uint32(Math.max(operationDelay, executionDelay)); return (delay == 0, delay); } else { bytes4 selector = bytes4(data); return canCall(caller, target, selector); } } /** * @dev Returns true if a schedule timepoint is past its expiration deadline. */ function _isExpired(uint48 timepoint) private view returns (bool) { return timepoint + expiration() <= Time.timestamp(); } }