openzeppelin-contracts/contracts/access/manager/AccessManager.sol

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.20;

import {IAccessManager} from "./IAccessManager.sol";
import {IAccessManaged} from "./IAccessManaged.sol";
import {Address} from "../../utils/Address.sol";
import {Context} from "../../utils/Context.sol";
import {Multicall} from "../../utils/Multicall.sol";
import {Math} from "../../utils/math/Math.sol";
import {Time} from "../../utils/types/Time.sol";

/**
 * @dev AccessManager is a central contract to store the permissions of a system.
 *
 * The smart contracts under the control of an AccessManager instance will have a set of "restricted" functions, and the
 * exact details of how access is restricted for each of those functions is configurable by the admins of the instance.
 * These restrictions are expressed in terms of "groups".
 *
 * An AccessManager instance will define a set of groups. Accounts can be added into any number of these groups. Each of
 * them defines a role, and may confer access to some of the restricted functions in the system, as configured by admins
 * through the use of {setFunctionAllowedGroup}.
 *
 * Note that a function in a target contract may become permissioned in this way only when: 1) said contract is
 * {AccessManaged} and is connected to this contract as its manager, and 2) said function is decorated with the
 * `restricted` modifier.
 *
 * There is a special group defined by default named "public" which all accounts automatically have.
 *
 * Contracts where functions are mapped to groups are said to be in a "custom" mode, but contracts can also be
 * configured in two special modes: 1) the "open" mode, where all functions are allowed to the "public" group, and 2)
 * the "closed" mode, where no function is allowed to any group.
 *
 * Since all the permissions of the managed system can be modified by the admins of this instance, it is expected that
 * they will be highly secured (e.g., a multisig or a well-configured DAO).
 *
 * NOTE: This contract implements a form of the {IAuthority} interface, but {canCall} has additional return data so it
 * doesn't inherit `IAuthority`. It is however compatible with the `IAuthority` interface since the first 32 bytes of
 * the return data are a boolean as expected by that interface.
 *
 * NOTE: Systems that implement other access control mechanisms (for example using {Ownable}) can be paired with an
 * {AccessManager} by transferring permissions (ownership in the case of {Ownable}) directly to the {AccessManager}.
 * Users will be able to interact with these contracts through the {relay} function, following the access rules
 * registered in the {AccessManager}. Keep in mind that in that context, the msg.sender seen by restricted functions
 * will be {AccessManager} itself.
 *
 * WARNING: When granting permissions over an {Ownable} or {AccessControl} contract to an {AccessManager}, be very
 * mindful of the danger  associated with functions such as {{Ownable-renounceOwnership}} or
 * {{AccessControl-renounceRole}}.
 */
contract AccessManager is Context, Multicall, IAccessManager {
    using Time for *;

    struct AccessMode {
        uint64 classId;
        bool closed;
    }

    // Structure that stores the details for a group/account pair. This structures fit into a single slot.
    struct Access {
        // Timepoint at which the user gets the permission. If this is either 0, or in the future, the group permission
        // are not available. Should be checked using {Time-isSetAndPast}
        uint48 since;
        // delay for execution. Only applies to restricted() / relay() calls. This does not restrict access to
        // functions that use the `onlyGroup` modifier.
        Time.Delay delay;
    }

    // Structure that stores the details of a group, including:
    // - the members of the group
    // - the admin group (that can grant or revoke permissions)
    // - the guardian group (that can cancel operations targeting functions that need this group
    // - the grand delay
    struct Group {
        mapping(address user => Access access) members;
        uint64 admin;
        uint64 guardian;
        Time.Delay delay; // delay for granting
    }

    struct Class {
        mapping(bytes4 selector => uint64 groupId) allowedGroups;
        Time.Delay adminDelay;
    }

    uint64 public constant ADMIN_GROUP = type(uint64).min; // 0
    uint64 public constant PUBLIC_GROUP = type(uint64).max; // 2**64-1

    mapping(address target => AccessMode mode) private _contractMode;
    mapping(uint64 classId => Class) private _classes;
    mapping(uint64 groupId => Group) private _groups;

    struct Schedule {
        uint48 timepoint;
        uint32 nonce;
    }

    mapping(bytes32 operationId => Schedule) private _schedules;

    // This should be transcient storage when supported by the EVM.
    bytes32 private _relayIdentifier;

    /**
     * @dev Check that the caller is authorized to perform the operation, following the restrictions encoded in
     * {_getAdminRestrictions}.
     */
    modifier onlyAuthorized() {
        _checkAuthorized();
        _;
    }

    constructor(address initialAdmin) {
        // admin is active immediately and without any execution delay.
        _grantGroup(ADMIN_GROUP, initialAdmin, 0, 0);
    }

    // =================================================== GETTERS ====================================================
    /**
     * @dev Check if an address (`caller`) is authorised to call a given function on a given contract directly (with
     * no restriction). Additionally, it returns the delay needed to perform the call indirectly through the {schedule}
     * & {relay} workflow.
     *
     * This function is usually called by the targeted contract to control immediate execution of restricted functions.
     * Therefore we only return true is the call can be performed without any delay. If the call is subject to a delay,
     * then the function should return false, and the caller should schedule the operation for future execution.
     *
     * We may be able to hash the operation, and check if the call was scheduled, but we would not be able to cleanup
     * the schedule, leaving the possibility of multiple executions. Maybe this function should not be view?
     *
     * NOTE: The IAuthority interface does not include the `uint32` delay. This is an extension of that interface that
     * is backward compatible. Some contract may thus ignore the second return argument. In that case they will fail
     * to identify the indirect workflow, and will consider call that require a delay to be forbidden.
     */
    function canCall(address caller, address target, bytes4 selector) public view virtual returns (bool, uint32) {
        (uint64 classId, bool closed) = getContractClass(target);
        if (closed) {
            return (false, 0);
        } else if (caller == address(this)) {
            // Caller is AccessManager => call was relayed. In that case the relay already checked permissions. We
            // verify that the call "identifier", which is set during the relay call, is correct.
            return (_relayIdentifier == _hashRelayIdentifier(target, selector), 0);
        } else {
            uint64 groupId = getClassFunctionGroup(classId, selector);
            (bool inGroup, uint32 currentDelay) = hasGroup(groupId, caller);
            return inGroup ? (currentDelay == 0, currentDelay) : (false, 0);
        }
    }

    /**
     * @dev Expiration delay for scheduled proposals. Defaults to 1 week.
     */
    function expiration() public view virtual returns (uint32) {
        return 1 weeks;
    }

    /**
     * @dev Minimum setback for delay updates. Defaults to 1 day.
     */
    function minSetback() public view virtual returns (uint32) {
        return 0; // TODO: set to 1 day
    }

    /**
     * @dev Get the mode under which a contract is operating.
     */
    function getContractClass(address target) public view virtual returns (uint64, bool) {
        AccessMode storage mode = _contractMode[target];
        return (mode.classId, mode.closed);
    }

    /**
     * @dev Get the permission level (group) required to call a function. This only applies for contract that are
     * operating under the `Custom` mode.
     */
    function getClassFunctionGroup(uint64 classId, bytes4 selector) public view virtual returns (uint64) {
        return _classes[classId].allowedGroups[selector];
    }

    function getClassAdminDelay(uint64 classId) public view virtual returns (uint32) {
        return _classes[classId].adminDelay.get();
    }

    /**
     * @dev Get the id of the group that acts as an admin for given group.
     *
     * The admin permission is required to grant the group, revoke the group and update the execution delay to execute
     * an operation that is restricted to this group.
     */
    function getGroupAdmin(uint64 groupId) public view virtual returns (uint64) {
        return _groups[groupId].admin;
    }

    /**
     * @dev Get the group that acts as a guardian for a given group.
     *
     * The guardian permission allows canceling operations that have been scheduled under the group.
     */
    function getGroupGuardian(uint64 groupId) public view virtual returns (uint64) {
        return _groups[groupId].guardian;
    }

    /**
     * @dev Get the group current grant delay, that value may change at any point, without an event emitted, following
     * a call to {setGrantDelay}. Changes to this value, including effect timepoint are notified by the
     * {GroupGrantDelayChanged} event.
     */
    function getGroupGrantDelay(uint64 groupId) public view virtual returns (uint32) {
        return _groups[groupId].delay.get();
    }

    /**
     * @dev Get the access details for a given account in a given group. These details include the timepoint at which
     * membership becomes active, and the delay applied to all operation by this user that require this permission
     * level.
     *
     * Returns:
     * [0] Timestamp at which the account membership becomes valid. 0 means role is not granted.
     * [1] Current execution delay for the account.
     * [2] Pending execution delay for the account.
     * [3] Timestamp at which the pending execution delay will become active. 0 means no delay update is scheduled.
     */
    function getAccess(uint64 groupId, address account) public view virtual returns (uint48, uint32, uint32, uint48) {
        Access storage access = _groups[groupId].members[account];

        uint48 since = access.since;
        (uint32 currentDelay, uint32 pendingDelay, uint48 effect) = access.delay.getFull();

        return (since, currentDelay, pendingDelay, effect);
    }

    /**
     * @dev Check if a given account currently had the permission level corresponding to a given group. Note that this
     * permission might be associated with a delay. {getAccess} can provide more details.
     */
    function hasGroup(uint64 groupId, address account) public view virtual returns (bool, uint32) {
        if (groupId == PUBLIC_GROUP) {
            return (true, 0);
        } else {
            (uint48 inGroupSince, uint32 currentDelay, , ) = getAccess(groupId, account);
            return (inGroupSince.isSetAndPast(Time.timestamp()), currentDelay);
        }
    }

    // =============================================== GROUP MANAGEMENT ===============================================
    /**
     * @dev Give a label to a group, for improved group discoverabily by UIs.
     *
     * Emits a {GroupLabel} event.
     */
    function labelGroup(uint64 groupId, string calldata label) public virtual onlyAuthorized {
        if (groupId == ADMIN_GROUP || groupId == PUBLIC_GROUP) {
            revert AccessManagerLockedGroup(groupId);
        }
        emit GroupLabel(groupId, label);
    }

    /**
     * @dev Add `account` to `groupId`, or change its execution delay.
     *
     * This gives the account the authorization to call any function that is restricted to this group. An optional
     * execution delay (in seconds) can be set. If that delay is non 0, the user is required to schedule any operation
     * that is restricted to members this group. The user will only be able to execute the operation after the delay has
     * passed, before it has expired. During this period, admin and guardians can cancel the operation (see {cancel}).
     *
     * If the account has already been granted this group, the execution delay will be updated. This update is not
     * immediate and follows the delay rules. For example, If a user currently has a delay of 3 hours, and this is
     * called to reduce that delay to 1 hour, the new delay will take some time to take effect, enforcing that any
     * operation executed in the 3 hours that follows this update was indeed scheduled before this update.
     *
     * Requirements:
     *
     * - the caller must be in the group's admins
     *
     * Emits a {GroupGranted} event
     */
    function grantGroup(uint64 groupId, address account, uint32 executionDelay) public virtual onlyAuthorized {
        _grantGroup(groupId, account, getGroupGrantDelay(groupId), executionDelay);
    }

    /**
     * @dev Remove an account for a group, with immediate effect. If the sender is not in the group, this call has no
     * effect.
     *
     * Requirements:
     *
     * - the caller must be in the group's admins
     *
     * Emits a {GroupRevoked} event
     */
    function revokeGroup(uint64 groupId, address account) public virtual onlyAuthorized {
        _revokeGroup(groupId, account);
    }

    /**
     * @dev Renounce group permissions for the calling account, with immediate effect. If the sender is not in
     * the group, this call has no effect.
     *
     * Requirements:
     *
     * - the caller must be `callerConfirmation`.
     *
     * Emits a {GroupRevoked} event
     */
    function renounceGroup(uint64 groupId, address callerConfirmation) public virtual {
        if (callerConfirmation != _msgSender()) {
            revert AccessManagerBadConfirmation();
        }
        _revokeGroup(groupId, callerConfirmation);
    }

    /**
     * @dev Change admin group for a given group.
     *
     * Requirements:
     *
     * - the caller must be a global admin
     *
     * Emits a {GroupAdminChanged} event
     */
    function setGroupAdmin(uint64 groupId, uint64 admin) public virtual onlyAuthorized {
        _setGroupAdmin(groupId, admin);
    }

    /**
     * @dev Change guardian group for a given group.
     *
     * Requirements:
     *
     * - the caller must be a global admin
     *
     * Emits a {GroupGuardianChanged} event
     */
    function setGroupGuardian(uint64 groupId, uint64 guardian) public virtual onlyAuthorized {
        _setGroupGuardian(groupId, guardian);
    }

    /**
     * @dev Update the delay for granting a `groupId`.
     *
     * Requirements:
     *
     * - the caller must be a global admin
     *
     * Emits a {GroupGrantDelayChanged} event
     */
    function setGrantDelay(uint64 groupId, uint32 newDelay) public virtual onlyAuthorized {
        _setGrantDelay(groupId, newDelay);
    }

    /**
     * @dev Internal version of {grantGroup} without access control. Returns true if the group was newly granted.
     *
     * Emits a {GroupGranted} event
     */
    function _grantGroup(
        uint64 groupId,
        address account,
        uint32 grantDelay,
        uint32 executionDelay
    ) internal virtual returns (bool) {
        if (groupId == PUBLIC_GROUP) {
            revert AccessManagerLockedGroup(groupId);
        }

        bool inGroup = _groups[groupId].members[account].since != 0;

        uint48 since;

        if (inGroup) {
            (_groups[groupId].members[account].delay, since) = _groups[groupId].members[account].delay.withUpdate(
                executionDelay,
                minSetback()
            );
        } else {
            since = Time.timestamp() + grantDelay;
            _groups[groupId].members[account] = Access({since: since, delay: executionDelay.toDelay()});
        }

        emit GroupGranted(groupId, account, executionDelay, since);
        return !inGroup;
    }

    /**
     * @dev Internal version of {revokeGroup} without access control. This logic is also used by {renounceGroup}.
     * Returns true if the group was previously granted.
     *
     * Emits a {GroupRevoked} event
     */
    function _revokeGroup(uint64 groupId, address account) internal virtual returns (bool) {
        if (groupId == PUBLIC_GROUP) {
            revert AccessManagerLockedGroup(groupId);
        }

        if (_groups[groupId].members[account].since == 0) {
            return false;
        }

        delete _groups[groupId].members[account];

        emit GroupRevoked(groupId, account);
        return true;
    }

    /**
     * @dev Internal version of {setGroupAdmin} without access control.
     *
     * Emits a {GroupAdminChanged} event
     */
    function _setGroupAdmin(uint64 groupId, uint64 admin) internal virtual {
        if (groupId == ADMIN_GROUP || groupId == PUBLIC_GROUP) {
            revert AccessManagerLockedGroup(groupId);
        }

        _groups[groupId].admin = admin;

        emit GroupAdminChanged(groupId, admin);
    }

    /**
     * @dev Internal version of {setGroupGuardian} without access control.
     *
     * Emits a {GroupGuardianChanged} event
     */
    function _setGroupGuardian(uint64 groupId, uint64 guardian) internal virtual {
        if (groupId == ADMIN_GROUP || groupId == PUBLIC_GROUP) {
            revert AccessManagerLockedGroup(groupId);
        }

        _groups[groupId].guardian = guardian;

        emit GroupGuardianChanged(groupId, guardian);
    }

    /**
     * @dev Internal version of {setGrantDelay} without access control.
     *
     * Emits a {GroupGrantDelayChanged} event
     */
    function _setGrantDelay(uint64 groupId, uint32 newDelay) internal virtual {
        if (groupId == PUBLIC_GROUP) {
            revert AccessManagerLockedGroup(groupId);
        }

        (Time.Delay updated, uint48 effect) = _groups[groupId].delay.withUpdate(newDelay, minSetback());
        _groups[groupId].delay = updated;

        emit GroupGrantDelayChanged(groupId, newDelay, effect);
    }

    // ============================================= FUNCTION MANAGEMENT ==============================================
    /**
     * @dev Set the level of permission (`group`) required to call functions identified by the `selectors` in the
     * `target` contract.
     *
     * Requirements:
     *
     * - the caller must be a global admin
     *
     * Emits a {FunctionAllowedGroupUpdated} event per selector
     */
    function setClassFunctionGroup(
        uint64 classId,
        bytes4[] calldata selectors,
        uint64 groupId
    ) public virtual onlyAuthorized {
        for (uint256 i = 0; i < selectors.length; ++i) {
            _setClassFunctionGroup(classId, selectors[i], groupId);
        }
    }

    /**
     * @dev Internal version of {setFunctionAllowedGroup} without access control.
     *
     * Emits a {FunctionAllowedGroupUpdated} event
     */
    function _setClassFunctionGroup(uint64 classId, bytes4 selector, uint64 groupId) internal virtual {
        _checkValidClassId(classId);
        _classes[classId].allowedGroups[selector] = groupId;
        emit ClassFunctionGroupUpdated(classId, selector, groupId);
    }

    /**
     * @dev Set the delay for management operations on a given class of contract.
     *
     * Requirements:
     *
     * - the caller must be a global admin
     *
     * Emits a {FunctionAllowedGroupUpdated} event per selector
     */
    function setClassAdminDelay(uint64 classId, uint32 newDelay) public virtual onlyAuthorized {
        _setClassAdminDelay(classId, newDelay);
    }

    /**
     * @dev Internal version of {setClassAdminDelay} without access control.
     *
     * Emits a {ClassAdminDelayUpdated} event
     */
    function _setClassAdminDelay(uint64 classId, uint32 newDelay) internal virtual {
        _checkValidClassId(classId);
        (Time.Delay updated, uint48 effect) = _classes[classId].adminDelay.withUpdate(newDelay, minSetback());
        _classes[classId].adminDelay = updated;
        emit ClassAdminDelayUpdated(classId, newDelay, effect);
    }

    /**
     * @dev Reverts if `classId` is 0. This is the default class id given to contracts and it should not have any
     * configurations.
     */
    function _checkValidClassId(uint64 classId) private pure {
        if (classId == 0) {
            revert AccessManagerInvalidClass(classId);
        }
    }

    // =============================================== MODE MANAGEMENT ================================================
    /**
     * @dev Set the class of a contract.
     *
     * Requirements:
     *
     * - the caller must be a global admin
     *
     * Emits a {ContractClassUpdated} event.
     */
    function setContractClass(address target, uint64 classId) public virtual onlyAuthorized {
        _setContractClass(target, classId);
    }

    /**
     * @dev Set the class of a contract. This is an internal setter with no access restrictions.
     *
     * Emits a {ContractClassUpdated} event.
     */
    function _setContractClass(address target, uint64 classId) internal virtual {
        if (target == address(this)) {
            revert AccessManagerLockedAccount(target);
        }
        _contractMode[target].classId = classId;
        emit ContractClassUpdated(target, classId);
    }

    /**
     * @dev Set the closed flag for a contract.
     *
     * Requirements:
     *
     * - the caller must be a global admin
     *
     * Emits a {ContractClosed} event.
     */
    function setContractClosed(address target, bool closed) public virtual onlyAuthorized {
        _setContractClosed(target, closed);
    }

    /**
     * @dev Set the closed flag for a contract. This is an internal setter with no access restrictions.
     *
     * Emits a {ContractClosed} event.
     */
    function _setContractClosed(address target, bool closed) internal virtual {
        if (target == address(this)) {
            revert AccessManagerLockedAccount(target);
        }
        _contractMode[target].closed = closed;
        emit ContractClosed(target, closed);
    }

    // ============================================== DELAYED OPERATIONS ==============================================
    /**
     * @dev Return the timepoint at which a scheduled operation will be ready for execution. This returns 0 if the
     * operation is not yet scheduled, has expired, was executed, or was canceled.
     */
    function getSchedule(bytes32 id) public view virtual returns (uint48) {
        uint48 timepoint = _schedules[id].timepoint;
        return _isExpired(timepoint) ? 0 : timepoint;
    }

    /**
     * @dev Return the nonce for the latest scheduled operation with a given id. Returns 0 if the operation has never
     * been scheduled.
     */
    function getNonce(bytes32 id) public view virtual returns (uint32) {
        return _schedules[id].nonce;
    }

    /**
     * @dev Schedule a delayed operation for future execution, and return the operation identifier. It is possible to
     * choose the timestamp at which the operation becomes executable as long as it satisfies the execution delays
     * required for the caller. The special value zero will automatically set the earliest possible time.
     *
     * Returns the `operationId` that was scheduled. Since this value is a hash of the parameters, it can reoccur when
     * the same parameters are used; if this is relevant, the returned `nonce` can be used to uniquely identify this
     * scheduled operation from other occurrences of the same `operationId` in invocations of {relay} and {cancel}.
     *
     * Emits a {OperationScheduled} event.
     */
    function schedule(
        address target,
        bytes calldata data,
        uint48 when
    ) public virtual returns (bytes32 operationId, uint32 nonce) {
        address caller = _msgSender();

        // Fetch restriction to that apply to the caller on the targeted function
        (bool allowed, uint32 setback) = _canCallExtended(caller, target, data);

        uint48 minWhen = Time.timestamp() + setback;

        if (when == 0) {
            when = minWhen;
        }

        // If caller is not authorised, revert
        if (!allowed && (setback == 0 || when < minWhen)) {
            revert AccessManagerUnauthorizedCall(caller, target, bytes4(data[0:4]));
        }

        // If caller is authorised, schedule operation
        operationId = _hashOperation(caller, target, data);

        // Cannot reschedule unless the operation has expired
        uint48 prevTimepoint = _schedules[operationId].timepoint;
        if (prevTimepoint != 0 && !_isExpired(prevTimepoint)) {
            revert AccessManagerAlreadyScheduled(operationId);
        }

        unchecked {
            // It's not feasible to overflow the nonce in less than 1000 years
            nonce = _schedules[operationId].nonce + 1;
        }
        _schedules[operationId].timepoint = when;
        _schedules[operationId].nonce = nonce;
        emit OperationScheduled(operationId, nonce, when, caller, target, data);

        // Using named return values because otherwise we get stack too deep
    }

    /**
     * @dev Execute a function that is delay restricted, provided it was properly scheduled beforehand, or the
     * execution delay is 0.
     *
     * Returns the nonce that identifies the previously scheduled operation that is relayed, or 0 if the
     * operation wasn't previously scheduled (if the caller doesn't have an execution delay).
     *
     * Emits an {OperationExecuted} event only if the call was scheduled and delayed.
     */
    // Reentrancy is not an issue because permissions are checked on msg.sender. Additionally,
    // _consumeScheduledOp guarantees a scheduled operation is only executed once.
    // slither-disable-next-line reentrancy-no-eth
    function relay(address target, bytes calldata data) public payable virtual returns (uint32) {
        address caller = _msgSender();

        // Fetch restriction to that apply to the caller on the targeted function
        (bool allowed, uint32 setback) = _canCallExtended(caller, target, data);

        // If caller is not authorised, revert
        if (!allowed && setback == 0) {
            revert AccessManagerUnauthorizedCall(caller, target, bytes4(data));
        }

        // If caller is authorised, check operation was scheduled early enough
        bytes32 operationId = _hashOperation(caller, target, data);
        uint32 nonce;

        if (setback != 0) {
            nonce = _consumeScheduledOp(operationId);
        }

        // Mark the target and selector as authorised
        bytes32 relayIdentifierBefore = _relayIdentifier;
        _relayIdentifier = _hashRelayIdentifier(target, bytes4(data));

        // Perform call
        Address.functionCallWithValue(target, data, msg.value);

        // Reset relay identifier
        _relayIdentifier = relayIdentifierBefore;

        return nonce;
    }

    /**
     * @dev Consume a scheduled operation targeting the caller. If such an operation exists, mark it as consumed
     * (emit an {OperationExecuted} event and clean the state). Otherwise, throw an error.
     *
     * This is useful for contract that want to enforce that calls targeting them were scheduled on the manager,
     * with all the verifications that it implies.
     *
     * Emit a {OperationExecuted} event
     */
    function consumeScheduledOp(address caller, bytes calldata data) public virtual {
        address target = _msgSender();
        require(IAccessManaged(target).isConsumingScheduledOp());
        _consumeScheduledOp(_hashOperation(caller, target, data));
    }

    /**
     * @dev Internal variant of {consumeScheduledOp} that operates on bytes32 operationId.
     *
     * Returns the nonce of the scheduled operation that is consumed.
     */
    function _consumeScheduledOp(bytes32 operationId) internal virtual returns (uint32) {
        uint48 timepoint = _schedules[operationId].timepoint;
        uint32 nonce = _schedules[operationId].nonce;

        if (timepoint == 0) {
            revert AccessManagerNotScheduled(operationId);
        } else if (timepoint > Time.timestamp()) {
            revert AccessManagerNotReady(operationId);
        } else if (_isExpired(timepoint)) {
            revert AccessManagerExpired(operationId);
        }

        delete _schedules[operationId];
        emit OperationExecuted(operationId, nonce);

        return nonce;
    }

    /**
     * @dev Cancel a scheduled (delayed) operation. Returns the nonce that identifies the previously scheduled
     * operation that is cancelled.
     *
     * Requirements:
     *
     * - the caller must be the proposer, or a guardian of the targeted function
     *
     * Emits a {OperationCanceled} event.
     */
    function cancel(address caller, address target, bytes calldata data) public virtual returns (uint32) {
        address msgsender = _msgSender();
        bytes4 selector = bytes4(data[0:4]);

        bytes32 operationId = _hashOperation(caller, target, data);
        if (_schedules[operationId].timepoint == 0) {
            revert AccessManagerNotScheduled(operationId);
        } else if (caller != msgsender) {
            // calls can only be canceled by the account that scheduled them, a global admin, or by a guardian of the required group.
            (uint64 classId, ) = getContractClass(target);
            (bool isAdmin, ) = hasGroup(ADMIN_GROUP, msgsender);
            (bool isGuardian, ) = hasGroup(getGroupGuardian(getClassFunctionGroup(classId, selector)), msgsender);
            if (!isAdmin && !isGuardian) {
                revert AccessManagerCannotCancel(msgsender, caller, target, selector);
            }
        }

        delete _schedules[operationId].timepoint;
        uint32 nonce = _schedules[operationId].nonce;
        emit OperationCanceled(operationId, nonce);

        return nonce;
    }

    /**
     * @dev Hashing function for delayed operations
     */
    function _hashOperation(address caller, address target, bytes calldata data) private pure returns (bytes32) {
        return keccak256(abi.encode(caller, target, data));
    }

    /**
     * @dev Hashing function for relay protection
     */
    function _hashRelayIdentifier(address target, bytes4 selector) private pure returns (bytes32) {
        return keccak256(abi.encode(target, selector));
    }

    // ==================================================== OTHERS ====================================================
    /**
     * @dev Change the AccessManager instance used by a contract that correctly uses this instance.
     *
     * Requirements:
     *
     * - the caller must be a global admin
     */
    function updateAuthority(address target, address newAuthority) public virtual onlyAuthorized {
        IAccessManaged(target).setAuthority(newAuthority);
    }

    // ================================================= ADMIN LOGIC ==================================================
    /**
     * @dev Check if the current call is authorized according to admin logic.
     */
    function _checkAuthorized() private {
        address caller = _msgSender();
        (bool allowed, uint32 delay) = _canCallExtended(caller, address(this), _msgData());
        if (!allowed) {
            if (delay == 0) {
                (, uint64 requiredGroup, ) = _getAdminRestrictions(_msgData());
                revert AccessManagerUnauthorizedAccount(caller, requiredGroup);
            } else {
                _consumeScheduledOp(_hashOperation(caller, address(this), _msgData()));
            }
        }
    }

    /**
     * @dev Get the admin restrictions of a given function call based on the function and arguments involved.
     */
    function _getAdminRestrictions(bytes calldata data) private view returns (bool, uint64, uint32) {
        bytes4 selector = bytes4(data);

        if (data.length < 4) {
            return (false, 0, 0);
        } else if (selector == this.updateAuthority.selector || selector == this.setContractClass.selector) {
            // First argument is a target. Restricted to ADMIN with the class delay corresponding to the target's class
            address target = abi.decode(data[0x04:0x24], (address));
            (uint64 classId, ) = getContractClass(target);
            uint32 delay = getClassAdminDelay(classId);
            return (true, ADMIN_GROUP, delay);
        } else if (selector == this.setClassFunctionGroup.selector) {
            // First argument is a class. Restricted to ADMIN with the class delay corresponding to the class
            uint64 classId = abi.decode(data[0x04:0x24], (uint64));
            uint32 delay = getClassAdminDelay(classId);
            return (true, ADMIN_GROUP, delay);
        } else if (
            selector == this.labelGroup.selector ||
            selector == this.setGroupAdmin.selector ||
            selector == this.setGroupGuardian.selector ||
            selector == this.setGrantDelay.selector ||
            selector == this.setClassAdminDelay.selector ||
            selector == this.setContractClosed.selector
        ) {
            // Restricted to ADMIN with no delay beside any execution delay the caller may have
            return (true, ADMIN_GROUP, 0);
        } else if (selector == this.grantGroup.selector || selector == this.revokeGroup.selector) {
            // First argument is a groupId. Restricted to that group's admin with no delay beside any execution delay the caller may have.
            uint64 groupId = abi.decode(data[0x04:0x24], (uint64));
            uint64 groupAdminId = getGroupAdmin(groupId);
            return (true, groupAdminId, 0);
        } else {
            return (false, 0, 0);
        }
    }

    // =================================================== HELPERS ====================================================
    /**
     * @dev An extended version of {canCall} for internal use that considers restrictions for admin functions.
     */
    function _canCallExtended(address caller, address target, bytes calldata data) private view returns (bool, uint32) {
        if (target == address(this)) {
            (bool enabled, uint64 groupId, uint32 operationDelay) = _getAdminRestrictions(data);
            if (!enabled) {
                return (false, 0);
            }

            (bool inGroup, uint32 executionDelay) = hasGroup(groupId, caller);
            if (!inGroup) {
                return (false, 0);
            }

            // downcast is safe because both options are uint32
            uint32 delay = uint32(Math.max(operationDelay, executionDelay));
            return (delay == 0, delay);
        } else {
            bytes4 selector = bytes4(data);
            return canCall(caller, target, selector);
        }
    }

    /**
     * @dev Returns true if a schedule timepoint is past its expiration deadline.
     */
    function _isExpired(uint48 timepoint) private view returns (bool) {
        return timepoint + expiration() <= Time.timestamp();
    }
}