GitBross Home Explore Help
Register Sign In
sol_Bo8des9o
/
openzeppelin-contracts
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 1f5982b5e3
Branches Tags
openzeppelin-co...
/
certora
/
specs
/
AccessControl.spec

AccessControl.spec 6.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129 
  1. import "helpers.spec"
    2. 

  2. 

  3. methods {
    4. 

  4.     hasRole(bytes32, address) returns(bool) envfree
    5. 

  5.     getRoleAdmin(bytes32) returns(bytes32) envfree
    6. 

  6.     grantRole(bytes32, address)
    7. 

  7.     revokeRole(bytes32, address)
    8. 

  8.     renounceRole(bytes32, address)
    9. 

  9. }
    10. 

  10. 

  11. /*
    12. 

  12. โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
    13. 

  13. โ”‚ Identify entrypoints: only grantRole, revokeRole and renounceRole can alter permissions                             โ”‚
    14. 

  14. โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
    15. 

  15. */
    16. 

  16. rule onlyGrantCanGrant(env e, bytes32 role, address account) {
    17. 

  17.     method f; calldataarg args;
    18. 

  18. 

  19.     bool hasRoleBefore = hasRole(role, account);
    20. 

  20.     f(e, args);
    21. 

  21.     bool hasRoleAfter = hasRole(role, account);
    22. 

  22. 

  23.     assert (
    24. 

  24.         !hasRoleBefore &&
    25. 

  25.         hasRoleAfter
    26. 

  26.     ) => (
    27. 

  27.         f.selector == grantRole(bytes32, address).selector
    28. 

  28.     );
    29. 

  29. 

  30.     assert (
    31. 

  31.         hasRoleBefore &&
    32. 

  32.         !hasRoleAfter
    33. 

  33.     ) => (
    34. 

  34.         f.selector == revokeRole(bytes32, address).selector ||
    35. 

  35.         f.selector == renounceRole(bytes32, address).selector
    36. 

  36.     );
    37. 

  37. }
    38. 

  38. 

  39. /*
    40. 

  40. โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
    41. 

  41. โ”‚ Function correctness: grantRole only affects the specified user/role combo                                          โ”‚
    42. 

  42. โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
    43. 

  43. */
    44. 

  44. rule grantRoleEffect(env e) {
    45. 

  45.     require nonpayable(e);
    46. 

  46. 

  47.     bytes32 role;
    48. 

  48.     bytes32 otherRole;
    49. 

  49.     address account;
    50. 

  50.     address otherAccount;
    51. 

  51. 

  52.     bool isCallerAdmin = hasRole(getRoleAdmin(role), e.msg.sender);
    53. 

  53.     bool hasOtherRoleBefore = hasRole(otherRole, otherAccount);
    54. 

  54. 

  55.     grantRole@withrevert(e, role, account);
    56. 

  56.     bool success = !lastReverted;
    57. 

  57. 

  58.     bool hasOtherRoleAfter = hasRole(otherRole, otherAccount);
    59. 

  59. 

  60.     // liveness
    61. 

  61.     assert success <=> isCallerAdmin;
    62. 

  62. 

  63.     // effect
    64. 

  64.     assert success => hasRole(role, account);
    65. 

  65. 

  66.     // no side effect
    67. 

  67.     assert hasOtherRoleBefore != hasOtherRoleAfter => (role == otherRole && account == otherAccount);
    68. 

  68. }
    69. 

  69. 

  70. /*
    71. 

  71. โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
    72. 

  72. โ”‚ Function correctness: revokeRole only affects the specified user/role combo                                         โ”‚
    73. 

  73. โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
    74. 

  74. */
    75. 

  75. rule revokeRoleEffect(env e) {
    76. 

  76.     require nonpayable(e);
    77. 

  77. 

  78.     bytes32 role;
    79. 

  79.     bytes32 otherRole;
    80. 

  80.     address account;
    81. 

  81.     address otherAccount;
    82. 

  82. 

  83.     bool isCallerAdmin = hasRole(getRoleAdmin(role), e.msg.sender);
    84. 

  84.     bool hasOtherRoleBefore = hasRole(otherRole, otherAccount);
    85. 

  85. 

  86.     revokeRole@withrevert(e, role, account);
    87. 

  87.     bool success = !lastReverted;
    88. 

  88. 

  89.     bool hasOtherRoleAfter = hasRole(otherRole, otherAccount);
    90. 

  90. 

  91.     // liveness
    92. 

  92.     assert success <=> isCallerAdmin;
    93. 

  93. 

  94.     // effect
    95. 

  95.     assert success => !hasRole(role, account);
    96. 

  96. 

  97.     // no side effect
    98. 

  98.     assert hasOtherRoleBefore != hasOtherRoleAfter => (role == otherRole && account == otherAccount);
    99. 

  99. }
    100. 

  100. 

  101. /*
    102. 

  102. โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
    103. 

  103. โ”‚ Function correctness: renounceRole only affects the specified user/role combo                                       โ”‚
    104. 

  104. โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
    105. 

  105. */
    106. 

  106. rule renounceRoleEffect(env e) {
    107. 

  107.     require nonpayable(e);
    108. 

  108. 

  109.     bytes32 role;
    110. 

  110.     bytes32 otherRole;
    111. 

  111.     address account;
    112. 

  112.     address otherAccount;
    113. 

  113. 

  114.     bool hasOtherRoleBefore = hasRole(otherRole, otherAccount);
    115. 

  115. 

  116.     renounceRole@withrevert(e, role, account);
    117. 

  117.     bool success = !lastReverted;
    118. 

  118. 

  119.     bool hasOtherRoleAfter = hasRole(otherRole, otherAccount);
    120. 

  120. 

  121.     // liveness
    122. 

  122.     assert success <=> account == e.msg.sender;
    123. 

  123. 

  124.     // effect
    125. 

  125.     assert success => !hasRole(role, account);
    126. 

  126. 

  127.     // no side effect
    128. 

  128.     assert hasOtherRoleBefore != hasOtherRoleAfter => (role == otherRole && account == otherAccount);
    129. 

  129. }
    130.