// SPDX-License-Identifier: MIT pragma solidity ^0.8.20; import {IAccessManager} from "./IAccessManager.sol"; import {IManaged} from "./IManaged.sol"; import {IAuthority} from "./IAuthority.sol"; import {AccessManagedAdapter} from "./utils/AccessManagedAdapter.sol"; import {Address} from "../../utils/Address.sol"; import {Context} from "../../utils/Context.sol"; import {Multicall} from "../../utils/Multicall.sol"; import {Time} from "../../utils/types/Time.sol"; /** * @dev AccessManager is a central contract to store the permissions of a system. * * The smart contracts under the control of an AccessManager instance will have a set of "restricted" functions, and the * exact details of how access is restricted for each of those functions is configurable by the admins of the instance. * These restrictions are expressed in terms of "groups". * * An AccessManager instance will define a set of groups. Accounts can be added into any number of these groups. Each of * them defines a role, and may confer access to some of the restricted functions in the system, as configured by admins * through the use of {setFunctionAllowedGroup}. * * Note that a function in a target contract may become permissioned in this way only when: 1) said contract is * {AccessManaged} and is connected to this contract as its manager, and 2) said function is decorated with the * `restricted` modifier. * * There is a special group defined by default named "public" which all accounts automatically have. * * Contracts where functions are mapped to groups are said to be in a "custom" mode, but contracts can also be * configured in two special modes: 1) the "open" mode, where all functions are allowed to the "public" group, and 2) * the "closed" mode, where no function is allowed to any group. * * Since all the permissions of the managed system can be modified by the admins of this instance, it is expected that * they will be highly secured (e.g., a multisig or a well-configured DAO). * * NOTE: This contract implements a form of the {IAuthority} interface, but {canCall} has additional return data so it * doesn't inherit `IAuthority`. It is however compatible with the `IAuthority` interface since the first 32 bytes of * the return data are a boolean as expected by that interface. */ contract AccessManager is Context, Multicall, IAccessManager { using Time for *; uint256 public constant ADMIN_GROUP = type(uint256).min; // 0 uint256 public constant PUBLIC_GROUP = type(uint256).max; // 2**256-1 mapping(address target => AccessMode mode) private _contractMode; mapping(address target => mapping(bytes4 selector => uint256 groupId)) private _allowedGroups; mapping(uint256 groupId => Group) private _groups; mapping(bytes32 operationId => uint48 schedule) private _schedules; // This should be transcient storage when supported by the EVM. bytes32 private _relayIdentifier; /** * @dev Check that the caller has a given permission level (`groupId`). Note that this does NOT consider execution * delays that may be associated to that group. */ modifier onlyGroup(uint256 groupId) { address msgsender = _msgSender(); if (!hasGroup(groupId, msgsender)) { revert AccessControlUnauthorizedAccount(msgsender, groupId); } _; } constructor(address initialAdmin) { // admin is active immediately and without any execution delay. _grantGroup(ADMIN_GROUP, initialAdmin, 0, 0); } // =================================================== GETTERS ==================================================== /** * @dev Check if an address (`caller`) is authorised to call a given function on a given contract directly (with * no restriction). Additionally, it returns the delay needed to perform the call indirectly through the {schedule} * & {relay} workflow. * * This function is usually called by the targeted contract to control immediate execution of restricted functions. * Therefore we only return true is the call can be performed without any delay. If the call is subject to a delay, * then the function should return false, and the caller should schedule the operation for future execution. * * We may be able to hash the operation, and check if the call was scheduled, but we would not be able to cleanup * the schedule, leaving the possibility of multiple executions. Maybe this function should not be view? * * NOTE: The IAuthority interface does not include the `uint32` delay. This is an extension of that interface that * is backward compatible. Some contract may thus ignore the second return argument. In that case they will fail * to identify the indirect workflow, and will consider call that require a delay to be forbidden. */ function canCall(address caller, address target, bytes4 selector) public view virtual returns (bool, uint32) { AccessMode mode = getContractMode(target); if (mode == AccessMode.Open) { return (true, 0); } else if (mode == AccessMode.Closed) { return (false, 0); } else if (caller == address(this)) { // Caller is AccessManager => call was relayed. In that case the relay already checked permissions. We // verify that the call "identifier", which is set during the relay call, is correct. return (_relayIdentifier == keccak256(abi.encodePacked(target, selector)), 0); } else { uint256 groupId = getFunctionAllowedGroup(target, selector); bool inGroup = hasGroup(groupId, caller); uint32 executeDelay = inGroup ? getAccess(groupId, caller).delay.get() : 0; return (inGroup && executeDelay == 0, executeDelay); } } /** * @dev Get the mode under which a contract is operating. */ function getContractMode(address target) public view virtual returns (AccessMode) { return _contractMode[target]; } /** * @dev Get the permission level (group) required to call a function. This only applies for contract that are * operating under the `Custom` mode. */ function getFunctionAllowedGroup(address target, bytes4 selector) public view virtual returns (uint256) { return _allowedGroups[target][selector]; } /** * @dev Get the id of the group that acts as an admin for given group. * * The admin permission is required to grant the group, revoke the group and update the execution delay to execute * an operation that is restricted to this group. */ function getGroupAdmin(uint256 groupId) public view virtual returns (uint256) { return _groups[groupId].admin; } /** * @dev Get the group that acts as a guardian for a given group. * * The guardian permission allows canceling operations that have been scheduled under the group. */ function getGroupGuardian(uint256 groupId) public view virtual returns (uint256) { return _groups[groupId].guardian; } /** * @dev Get the group current grant delay, that value may change at any point, without an event emitted, following * a call to {setGrantDelay}. Changes to this value, including effect timepoint are notified by the * {GroupGrantDelayChanged} event. */ function getGroupGrantDelay(uint256 groupId) public view virtual returns (uint32) { return _groups[groupId].delay.get(); } /** * @dev Get the access details for a given account in a given group. These details include the timepoint at which * membership becomes active, and the delay applied to all operation by this user that require this permission * level. */ function getAccess(uint256 groupId, address account) public view virtual returns (Access memory) { return _groups[groupId].members[account]; } /** * @dev Check if a given account currently had the permission level corresponding to a given group. Note that this * permission might be associated with a delay. {getAccess} can provide more details. */ function hasGroup(uint256 groupId, address account) public view virtual returns (bool) { return groupId == PUBLIC_GROUP || getAccess(groupId, account).since.isSetAndPast(Time.timestamp()); } // =============================================== GROUP MANAGEMENT =============================================== /** * @dev Give a label to a group, for improved group discoverabily by UIs. * * Emits a {GroupLabel} event. */ function labelGroup(uint256 groupId, string calldata label) public virtual onlyGroup(ADMIN_GROUP) { emit GroupLabel(groupId, label); } /** * @dev Give permission to an account to execute function restricted to a group. Optionally, a delay can be * enforced for any function call, byt this user, that require this level of permission. This call is only * effective after a grant delay that is specific to the group being granted. * * Requirements: * * - the caller must be in the group's admins * * Emits a {GroupGranted} event */ function grantGroup( uint256 groupId, address account, uint32 executionDelay ) public virtual onlyGroup(getGroupAdmin(groupId)) { _grantGroup(groupId, account, getGroupGrantDelay(groupId), executionDelay); } /** * @dev Remove an account for a group, with immediate effect. * * Requirements: * * - the caller must be in the group's admins * * Emits a {GroupRevoked} event */ function revokeGroup(uint256 groupId, address account) public virtual onlyGroup(getGroupAdmin(groupId)) { _revokeGroup(groupId, account); } /** * @dev Renounce group permissions for the calling account, with immediate effect. * * Requirements: * * - the caller must be `callerConfirmation`. * * Emits a {GroupRevoked} event */ function renounceGroup(uint256 groupId, address callerConfirmation) public virtual { if (callerConfirmation != _msgSender()) { revert AccessManagerBadConfirmation(); } _revokeGroup(groupId, callerConfirmation); } /** * @dev Set the execution delay for a given account in a given group. This update is not immediate and follows the * delay rules. For example, If a user currently has a delay of 3 hours, and this is called to reduce that delay to * 1 hour, the new delay will take some time to take effect, enforcing that any operation executed in the 3 hours * that follows this update was indeed scheduled before this update. * * Requirements: * * - the caller must be in the group's admins * * Emits a {GroupExecutionDelayUpdate} event */ function setExecuteDelay( uint256 groupId, address account, uint32 newDelay ) public virtual onlyGroup(getGroupAdmin(groupId)) { _setExecuteDelay(groupId, account, newDelay); } /** * @dev Change admin group for a given group. * * Requirements: * * - the caller must be a global admin * * Emits a {GroupAdminChanged} event */ function setGroupAdmin(uint256 groupId, uint256 admin) public virtual onlyGroup(ADMIN_GROUP) { _setGroupAdmin(groupId, admin); } /** * @dev Change guardian group for a given group. * * Requirements: * * - the caller must be a global admin * * Emits a {GroupGuardianChanged} event */ function setGroupGuardian(uint256 groupId, uint256 guardian) public virtual onlyGroup(ADMIN_GROUP) { _setGroupGuardian(groupId, guardian); } /** * @dev Update the . * * Requirements: * * - the caller must be a global admin * * Emits a {GroupGrantDelayChanged} event */ function setGrantDelay(uint256 groupId, uint32 newDelay) public virtual onlyGroup(ADMIN_GROUP) { _setGrantDelay(groupId, newDelay); } /** * @dev Internal version of {grantGroup} without access control. * * Emits a {GroupGranted} event */ function _grantGroup(uint256 groupId, address account, uint32 grantDelay, uint32 executionDelay) internal virtual { if (groupId == PUBLIC_GROUP) { revert AccessManagerLockedGroup(groupId); } else if (_groups[groupId].members[account].since != 0) { revert AccessManagerAcountAlreadyInGroup(groupId, account); } uint48 since = Time.timestamp() + grantDelay; _groups[groupId].members[account] = Access({since: since, delay: executionDelay.toDelay()}); emit GroupGranted(groupId, account, since, executionDelay); } /** * @dev Internal version of {revokeGroup} without access control. This logic is also used by {renounceGroup}. * * Emits a {GroupRevoked} event */ function _revokeGroup(uint256 groupId, address account) internal virtual { if (groupId == PUBLIC_GROUP) { revert AccessManagerLockedGroup(groupId); } else if (_groups[groupId].members[account].since == 0) { revert AccessManagerAcountNotInGroup(groupId, account); } delete _groups[groupId].members[account]; emit GroupRevoked(groupId, account); } /** * @dev Internal version of {setExecuteDelay} without access control. * * Emits a {GroupExecutionDelayUpdate} event */ function _setExecuteDelay(uint256 groupId, address account, uint32 newDuration) internal virtual { if (groupId == PUBLIC_GROUP) { revert AccessManagerLockedGroup(groupId); } else if (_groups[groupId].members[account].since == 0) { revert AccessManagerAcountNotInGroup(groupId, account); } Time.Delay newDelay = _groups[groupId].members[account].delay.update(newDuration, 0); // TODO: minsetback ? _groups[groupId].members[account].delay = newDelay; (, , uint48 effectPoint) = newDelay.split(); emit GroupExecutionDelayUpdate(groupId, account, newDuration, effectPoint); } /** * @dev Internal version of {setGroupAdmin} without access control. * * Emits a {GroupAdminChanged} event */ function _setGroupAdmin(uint256 groupId, uint256 admin) internal virtual { if (groupId == ADMIN_GROUP || groupId == PUBLIC_GROUP) { revert AccessManagerLockedGroup(groupId); } _groups[groupId].admin = admin; emit GroupAdminChanged(groupId, admin); } /** * @dev Internal version of {setGroupGuardian} without access control. * * Emits a {GroupGuardianChanged} event */ function _setGroupGuardian(uint256 groupId, uint256 guardian) internal virtual { if (groupId == ADMIN_GROUP || groupId == PUBLIC_GROUP) { revert AccessManagerLockedGroup(groupId); } _groups[groupId].guardian = guardian; emit GroupGuardianChanged(groupId, guardian); } /** * @dev Internal version of {setGrantDelay} without access control. * * Emits a {GroupGrantDelayChanged} event */ function _setGrantDelay(uint256 groupId, uint32 newDelay) internal virtual { if (groupId == PUBLIC_GROUP) { revert AccessManagerLockedGroup(groupId); } Time.Delay updated = _groups[groupId].delay.update(newDelay, 0); // TODO: minsetback ? _groups[groupId].delay = updated; (, , uint48 effect) = updated.split(); emit GroupGrantDelayChanged(groupId, newDelay, effect); } // ============================================= FUNCTION MANAGEMENT ============================================== /** * @dev Set the level of permission (`group`) required to call functions identified by the `selectors` in the * `target` contract. * * Requirements: * * - the caller must be a global admin * * Emits a {FunctionAllowedGroupUpdated} event per selector */ function setFunctionAllowedGroup( address target, bytes4[] calldata selectors, uint256 groupId ) public virtual onlyGroup(ADMIN_GROUP) { // todo set delay or document risks for (uint256 i = 0; i < selectors.length; ++i) { _setFunctionAllowedGroup(target, selectors[i], groupId); } } /** * @dev Internal version of {setFunctionAllowedGroup} without access control. * * Emits a {FunctionAllowedGroupUpdated} event */ function _setFunctionAllowedGroup(address target, bytes4 selector, uint256 groupId) internal virtual { _allowedGroups[target][selector] = groupId; emit FunctionAllowedGroupUpdated(target, selector, groupId); } // =============================================== MODE MANAGEMENT ================================================ /** * @dev Set the operating mode of a contract to Custom. This enables the group mechanism for per-function access * restriction and delay enforcement. * * Requirements: * * - the caller must be a global admin * * Emits a {AccessModeUpdated} event. */ function setContractModeCustom(address target) public virtual onlyGroup(ADMIN_GROUP) { // todo set delay or document risks _setContractMode(target, AccessMode.Custom); } /** * @dev Set the operating mode of a contract to Open. This allows anyone to call any `restricted()` function with * no delay. * * Requirements: * * - the caller must be a global admin * * Emits a {AccessModeUpdated} event. */ function setContractModeOpen(address target) public virtual onlyGroup(ADMIN_GROUP) { // todo set delay or document risks _setContractMode(target, AccessMode.Open); } /** * @dev Set the operating mode of a contract to Close. This prevents anyone from calling any `restricted()` * function. * * Requirements: * * - the caller must be a global admin * * Emits a {AccessModeUpdated} event. */ function setContractModeClosed(address target) public virtual onlyGroup(ADMIN_GROUP) { // todo set delay or document risks _setContractMode(target, AccessMode.Closed); } /** * @dev Set the operating mode of a contract. This is an internal setter with no access restrictions. * * Emits a {AccessModeUpdated} event. */ function _setContractMode(address target, AccessMode mode) internal virtual { _contractMode[target] = mode; emit AccessModeUpdated(target, mode); } // ============================================== DELAYED OPERATIONS ============================================== /** * @dev Return the timepoint at which a scheduled operation will be ready for execution. This returns 0 if the * operation is not yet scheduled, was executed or was canceled. */ function getSchedule(bytes32 id) public view virtual returns (uint48) { return _schedules[id]; } /** * @dev Schedule a delayed operation, and return the operation identifier. * * Emits a {Scheduled} event. */ function schedule(address target, bytes calldata data) public virtual returns (bytes32) { address caller = _msgSender(); bytes4 selector = bytes4(data[0:4]); // Fetch restriction to that apply to the caller on the targeted function (bool allowed, uint32 setback) = canCall(caller, target, selector); // If caller is not authorised, revert if (!allowed && setback == 0) { revert AccessManagerUnauthorizedCall(caller, target, selector); } // If caller is authorised, schedule operation bytes32 operationId = _hashOperation(caller, target, data); if (_schedules[operationId] != 0) { revert AccessManagerAlreadyScheduled(operationId); } _schedules[operationId] = Time.timestamp() + setback; emit Scheduled(operationId, caller, target, data); return operationId; } /** * @dev Execute a function that is delay restricted, provided it was properly scheduled beforehand, or the * execution delay is 0. * * Emits a {Executed} event if the call was scheduled. Unscheduled call (with no delay) do not emit that event. */ function relay(address target, bytes calldata data) public payable virtual { relayViaAdapter(target, data, address(0)); } /** * @dev Execute a function that is delay restricted in the same way as {relay} but through an * {AccessManagedAdapter}. */ function relayViaAdapter(address target, bytes calldata data, address adapter) public payable virtual { address caller = _msgSender(); bytes4 selector = bytes4(data[0:4]); // Fetch restriction to that apply to the caller on the targeted function (bool allowed, uint32 setback) = canCall(caller, target, selector); // If caller is not authorised, revert if (!allowed && setback == 0) { revert AccessManagerUnauthorizedCall(caller, target, selector); } // If caller is authorised, check operation was scheduled early enough bytes32 operationId = _hashOperation(caller, target, data); uint48 timepoint = _schedules[operationId]; if (setback != 0) { if (timepoint == 0) { revert AccessManagerNotScheduled(operationId); } else if (timepoint > Time.timestamp()) { revert AccessManagerNotReady(operationId); } } if (timepoint != 0) { delete _schedules[operationId]; emit Executed(operationId); } // Mark the target and selector as authorised bytes32 relayIdentifierBefore = _relayIdentifier; _relayIdentifier = keccak256(abi.encodePacked(target, selector)); if (adapter != address(0)) { // Perform call through adapter AccessManagedAdapter(adapter).relay{value: msg.value}(target, data); } else { // Perform call directly Address.functionCallWithValue(target, data, msg.value); } // Reset relay identifier _relayIdentifier = relayIdentifierBefore; } /** * @dev Cancel a scheduled (delayed) operation. * * Requirements: * * - the caller must be the proposer, or a guardian of the targeted function * * Emits a {Canceled} event. */ function cancel(address caller, address target, bytes calldata data) public virtual { address msgsender = _msgSender(); bytes4 selector = bytes4(data[0:4]); bytes32 operationId = _hashOperation(caller, target, data); if (_schedules[operationId] == 0) { revert AccessManagerNotScheduled(operationId); } else if ( caller != msgsender && !hasGroup(ADMIN_GROUP, msgsender) && !hasGroup(getGroupGuardian(getFunctionAllowedGroup(target, selector)), msgsender) ) { // calls can only be canceled by the account that scheduled them, a global admin, or by a guardian of the required group. revert AccessManagerCannotCancel(msgsender, caller, target, selector); } delete _schedules[operationId]; emit Canceled(operationId); } /** * @dev Hashing function for delayed operations */ function _hashOperation(address caller, address target, bytes calldata data) private pure returns (bytes32) { return keccak256(abi.encode(caller, target, data)); } // ==================================================== OTHERS ==================================================== /** * @dev Change the AccessManager instance used by a contract that correctly uses this instance. * * Requirements: * * - the caller must be a global admin */ function updateAuthority(IManaged target, address newAuthority) public virtual onlyGroup(ADMIN_GROUP) { // todo set delay or document risks target.setAuthority(newAuthority); } }