From 4374b53cb884d8c54c5a512d79eb64d91bd59d7d Mon Sep 17 00:00:00 2001 From: ernestognw Date: Tue, 4 Nov 2025 11:35:29 -0600 Subject: [PATCH 01/24] Add AccessManagerEnumerable --- .../extensions/AccessManagerEnumerable.sol | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 contracts/access/manager/extensions/AccessManagerEnumerable.sol diff --git a/contracts/access/manager/extensions/AccessManagerEnumerable.sol b/contracts/access/manager/extensions/AccessManagerEnumerable.sol new file mode 100644 index 00000000000..4728bf56eb0 --- /dev/null +++ b/contracts/access/manager/extensions/AccessManagerEnumerable.sol @@ -0,0 +1,40 @@ +// SPDX-License-Identifier: MIT + +pragma solidity ^0.8.20; + +import {AccessManager} from "../AccessManager.sol"; +import {EnumerableSet} from "../../../utils/structs/EnumerableSet.sol"; + +abstract contract AccessManagerEnumerable is AccessManager { + using EnumerableSet for EnumerableSet.AddressSet; + mapping(uint64 roleId => EnumerableSet.AddressSet) private _roleMembers; + + function _grantRole( + uint64 roleId, + address account, + uint32 grantDelay, + uint32 executionDelay + ) internal override returns (bool) { + bool granted = super._grantRole(roleId, account, grantDelay, executionDelay); + if (granted) { + _roleMembers[roleId].add(account); + } + return granted; + } + + function _revokeRole(uint64 roleId, address account) internal override returns (bool) { + bool revoked = super._revokeRole(roleId, account); + if (revoked) { + _roleMembers[roleId].remove(account); + } + return revoked; + } + + function getRoleMembers(uint64 roleId, uint256 start, uint256 end) public view returns (address[] memory) { + return _roleMembers[roleId].values(start, end); + } + + function getRoleMemberCount(uint64 roleId) public view returns (uint256) { + return _roleMembers[roleId].length(); + } +} From 841e6bb90547ca031fbcc04012fbae7329365931 Mon Sep 17 00:00:00 2001 From: ernestognw Date: Mon, 10 Nov 2025 11:56:27 -0300 Subject: [PATCH 02/24] Add interface, docs and tests --- .../extensions/AccessManagerEnumerable.sol | 105 ++++++++++- .../extensions/IAccessManagerEnumerable.sol | 78 +++++++++ contracts/mocks/AccessManagerMock.sol | 29 ++++ test/access/manager/AccessManager.behavior.js | 164 ++++++++++++++++++ .../AccessManagerEnumerable.test.js | 62 +++++++ 5 files changed, 429 insertions(+), 9 deletions(-) create mode 100644 contracts/access/manager/extensions/IAccessManagerEnumerable.sol create mode 100644 test/access/manager/extensions/AccessManagerEnumerable.test.js diff --git a/contracts/access/manager/extensions/AccessManagerEnumerable.sol b/contracts/access/manager/extensions/AccessManagerEnumerable.sol index 4728bf56eb0..256da227c48 100644 --- a/contracts/access/manager/extensions/AccessManagerEnumerable.sol +++ b/contracts/access/manager/extensions/AccessManagerEnumerable.sol @@ -2,19 +2,81 @@ pragma solidity ^0.8.20; +import {IAccessManagerEnumerable} from "./IAccessManagerEnumerable.sol"; import {AccessManager} from "../AccessManager.sol"; import {EnumerableSet} from "../../../utils/structs/EnumerableSet.sol"; -abstract contract AccessManagerEnumerable is AccessManager { +/** + * @dev Extension of {AccessManager} that allows enumerating the members of each role + * and the target functions each role is allowed to call. + * + * NOTE: Given {ADMIN_ROLE} is the default role for every restricted function, the + * {getRoleTargetFunctions} and {getRoleTargetFunctionCount} functions will return an empty array + * and 0 respectively. + */ +abstract contract AccessManagerEnumerable is IAccessManagerEnumerable, AccessManager { using EnumerableSet for EnumerableSet.AddressSet; + using EnumerableSet for EnumerableSet.Bytes32Set; + mapping(uint64 roleId => EnumerableSet.AddressSet) private _roleMembers; + mapping(uint64 roleId => EnumerableSet.Bytes32Set) private _roleTargetFunctions; + + /// @inheritdoc IAccessManagerEnumerable + function getRoleMember(uint64 roleId, uint256 index) public view virtual returns (address) { + return _roleMembers[roleId].at(index); + } + + /// @inheritdoc IAccessManagerEnumerable + function getRoleMembers(uint64 roleId, uint256 start, uint256 end) public view virtual returns (address[] memory) { + return _roleMembers[roleId].values(start, end); + } + /// @inheritdoc IAccessManagerEnumerable + function getRoleMemberCount(uint64 roleId) public view virtual returns (uint256) { + return _roleMembers[roleId].length(); + } + + /// @inheritdoc IAccessManagerEnumerable + function getRoleTargetFunction(uint64 roleId, uint256 index) public view virtual returns (bytes4) { + return bytes4(_roleTargetFunctions[roleId].at(index)); + } + + /* + * @dev See {IAccessManagerEnumerable-getRoleTargetFunctions} + * + * NOTE: Given {ADMIN_ROLE} is the default role for every restricted function, passing {ADMIN_ROLE} as `roleId` will + * return an empty array. See {_setTargetFunctionRole} for more details. + */ + function getRoleTargetFunctions( + uint64 roleId, + uint256 start, + uint256 end + ) public view virtual returns (bytes4[] memory) { + bytes32[] memory targetFunctions = _roleTargetFunctions[roleId].values(start, end); + bytes4[] memory targetFunctionSelectors; + assembly ("memory-safe") { + targetFunctionSelectors := targetFunctions + } + return targetFunctionSelectors; + } + + /* + * @dev See {IAccessManagerEnumerable-getRoleTargetFunctionCount} + * + * NOTE: Given {ADMIN_ROLE} is the default role for every restricted function, passing {ADMIN_ROLE} as `roleId` will + * return 0. See {_setTargetFunctionRole} for more details. + */ + function getRoleTargetFunctionCount(uint64 roleId) public view virtual returns (uint256) { + return _roleTargetFunctions[roleId].length(); + } + + /// @dev See {AccessManager-_grantRole}. Adds the account to the role members set. function _grantRole( uint64 roleId, address account, uint32 grantDelay, uint32 executionDelay - ) internal override returns (bool) { + ) internal virtual override returns (bool) { bool granted = super._grantRole(roleId, account, grantDelay, executionDelay); if (granted) { _roleMembers[roleId].add(account); @@ -22,7 +84,8 @@ abstract contract AccessManagerEnumerable is AccessManager { return granted; } - function _revokeRole(uint64 roleId, address account) internal override returns (bool) { + /// @dev See {AccessManager-_revokeRole}. Removes the account from the role members set. + function _revokeRole(uint64 roleId, address account) internal virtual override returns (bool) { bool revoked = super._revokeRole(roleId, account); if (revoked) { _roleMembers[roleId].remove(account); @@ -30,11 +93,35 @@ abstract contract AccessManagerEnumerable is AccessManager { return revoked; } - function getRoleMembers(uint64 roleId, uint256 start, uint256 end) public view returns (address[] memory) { - return _roleMembers[roleId].values(start, end); - } - - function getRoleMemberCount(uint64 roleId) public view returns (uint256) { - return _roleMembers[roleId].length(); + /** + * @dev See {AccessManager-_setTargetFunctionRole}. Adds the selector to the role target functions set. + * + * Since the target functions for the {ADMIN_ROLE} can't be tracked exhaustively (i.e. by default, all + * restricted functions), any function that is granted to the {ADMIN_ROLE} will not be tracked by this + * extension. Developers may opt in for tracking the functions for the {ADMIN_ROLE} by overriding, + * though, the tracking would not be exhaustive. + * + * ```solidity + * function _setTargetFunctionRole(address target, bytes4 selector, uint64 roleId) internal virtual override { + * uint64 oldRoleId = getTargetFunctionRole(target, selector); + * super._setTargetFunctionRole(target, selector, roleId); + * if (oldRoleId == ADMIN_ROLE) { + * _roleTargetFunctions[oldRoleId].remove(bytes32(selector)); + * } + * if (roleId == ADMIN_ROLE) { + * _roleTargetFunctions[roleId].add(bytes32(selector)); + * } + * } + * ``` + */ + function _setTargetFunctionRole(address target, bytes4 selector, uint64 roleId) internal virtual override { + uint64 oldRoleId = getTargetFunctionRole(target, selector); + super._setTargetFunctionRole(target, selector, roleId); + if (oldRoleId != ADMIN_ROLE) { + _roleTargetFunctions[oldRoleId].remove(bytes32(selector)); + } + if (roleId != ADMIN_ROLE) { + _roleTargetFunctions[roleId].add(bytes32(selector)); + } } } diff --git a/contracts/access/manager/extensions/IAccessManagerEnumerable.sol b/contracts/access/manager/extensions/IAccessManagerEnumerable.sol new file mode 100644 index 00000000000..6d94d41d1b1 --- /dev/null +++ b/contracts/access/manager/extensions/IAccessManagerEnumerable.sol @@ -0,0 +1,78 @@ +// SPDX-License-Identifier: MIT + +pragma solidity >=0.8.4; + +import {IAccessManager} from "../IAccessManager.sol"; + +/** + * @dev External interface of AccessManagerEnumerable. + */ +interface IAccessManagerEnumerable is IAccessManager { + /** + * @dev Returns one of the accounts that have `roleId`. `index` must be a + * value between 0 and {getRoleMemberCount}, non-inclusive. + * + * Role bearers are not sorted in any particular way, and their ordering may + * change at any point. + * + * WARNING: When using {getRoleMember} and {getRoleMemberCount}, make sure + * you perform all queries on the same block. See the following + * https://forum.openzeppelin.com/t/iterating-over-elements-on-enumerableset-in-openzeppelin-contracts/2296[forum post] + * for more information. + */ + function getRoleMember(uint64 roleId, uint256 index) external view returns (address); + + /** + * @dev Returns a range of accounts that have `roleId`. `start` and `end` define the range bounds. + * `start` is inclusive and `end` is exclusive. + * + * Role bearers are not sorted in any particular way, and their ordering may + * change at any point. + * + * WARNING: This operation will copy the entire storage to memory, which can be quite expensive. This is designed + * to mostly be used by view accessors that are queried without any gas fees. Developers should keep in mind that + * this function has an unbounded cost, and using it as part of a state-changing function may render the function + * uncallable if the set grows to a point where copying to memory consumes too much gas to fit in a block. + */ + function getRoleMembers(uint64 roleId, uint256 start, uint256 end) external view returns (address[] memory); + + /** + * @dev Returns the number of accounts that have `roleId`. Can be used + * together with {getRoleMember} to enumerate all bearers of a role. + */ + function getRoleMemberCount(uint64 roleId) external view returns (uint256); + + /** + * @dev Returns one of the target function selectors that require `roleId`. `index` must be a + * value between 0 and {getRoleTargetFunctionCount}, non-inclusive. + * + * Target function selectors are not sorted in any particular way, and their ordering may + * change at any point. + * + * WARNING: When using {getRoleTargetFunction} and {getRoleTargetFunctionCount}, make sure + * you perform all queries on the same block. See the following + * https://forum.openzeppelin.com/t/iterating-over-elements-on-enumerableset-in-openzeppelin-contracts/2296[forum post] + * for more information. + */ + function getRoleTargetFunction(uint64 roleId, uint256 index) external view returns (bytes4); + + /** + * @dev Returns a range of target function selectors that require `roleId`. `start` and `end` define the range bounds. + * `start` is inclusive and `end` is exclusive. + * + * Target function selectors are not sorted in any particular way, and their ordering may + * change at any point. + * + * WARNING: This operation will copy the entire storage to memory, which can be quite expensive. This is designed + * to mostly be used by view accessors that are queried without any gas fees. Developers should keep in mind that + * this function has an unbounded cost, and using it as part of a state-changing function may render the function + * uncallable if the set grows to a point where copying to memory consumes too much gas to fit in a block. + */ + function getRoleTargetFunctions(uint64 roleId, uint256 start, uint256 end) external view returns (bytes4[] memory); + + /** + * @dev Returns the number of target function selectors that require `roleId`. Can be used + * together with {getRoleTargetFunction} to enumerate all target functions for a role. + */ + function getRoleTargetFunctionCount(uint64 roleId) external view returns (uint256); +} diff --git a/contracts/mocks/AccessManagerMock.sol b/contracts/mocks/AccessManagerMock.sol index 4b5be350fc6..4d0623142bb 100644 --- a/contracts/mocks/AccessManagerMock.sol +++ b/contracts/mocks/AccessManagerMock.sol @@ -3,6 +3,7 @@ pragma solidity ^0.8.20; import {AccessManager} from "../access/manager/AccessManager.sol"; +import {AccessManagerEnumerable} from "../access/manager/extensions/AccessManagerEnumerable.sol"; contract AccessManagerMock is AccessManager { event CalledRestricted(address caller); @@ -18,3 +19,31 @@ contract AccessManagerMock is AccessManager { emit CalledUnrestricted(msg.sender); } } + +contract AccessManagerEnumerableMock is AccessManagerMock, AccessManagerEnumerable { + constructor(address initialAdmin) AccessManagerMock(initialAdmin) {} + + function _grantRole( + uint64 roleId, + address account, + uint32 grantDelay, + uint32 executionDelay + ) internal override(AccessManager, AccessManagerEnumerable) returns (bool) { + return super._grantRole(roleId, account, grantDelay, executionDelay); + } + + function _revokeRole( + uint64 roleId, + address account + ) internal override(AccessManager, AccessManagerEnumerable) returns (bool) { + return super._revokeRole(roleId, account); + } + + function _setTargetFunctionRole( + address target, + bytes4 selector, + uint64 roleId + ) internal override(AccessManager, AccessManagerEnumerable) { + super._setTargetFunctionRole(target, selector, roleId); + } +} diff --git a/test/access/manager/AccessManager.behavior.js b/test/access/manager/AccessManager.behavior.js index 830700e3762..5d63ca2a7a7 100644 --- a/test/access/manager/AccessManager.behavior.js +++ b/test/access/manager/AccessManager.behavior.js @@ -1,5 +1,6 @@ const { expect } = require('chai'); +const { selector } = require('../../helpers/methods'); const { LIKE_COMMON_IS_EXECUTING, LIKE_COMMON_GET_ACCESS, @@ -248,10 +249,173 @@ function shouldBehaveLikeASelfRestrictedOperation() { }); } +// ============ ENUMERABLE EXTENSION ============ + +/** + * @requires this.{manager,roles,admin,user,other} + */ +function shouldBehaveLikeAccessManagerEnumerable() { + describe('enumerating', function () { + const ANOTHER_ROLE = 0xdeadc0de2n; + + describe('role members', function () { + it('role bearers can be enumerated', async function () { + // Grant roles to multiple accounts + await this.manager.connect(this.admin).grantRole(ANOTHER_ROLE, this.user, 0); + await this.manager.connect(this.admin).grantRole(ANOTHER_ROLE, this.other, 0); + await this.manager.connect(this.admin).grantRole(ANOTHER_ROLE, this.admin, 0); + + // Revoke one role + await this.manager.connect(this.admin).revokeRole(ANOTHER_ROLE, this.other); + + const expectedMembers = [this.user.address, this.admin.address]; + + // Test individual enumeration + const memberCount = await this.manager.getRoleMemberCount(ANOTHER_ROLE); + const members = []; + for (let i = 0; i < memberCount; ++i) { + members.push(await this.manager.getRoleMember(ANOTHER_ROLE, i)); + } + + expect(memberCount).to.equal(expectedMembers.length); + expect(members).to.deep.equal(expectedMembers); + + // Test batch enumeration + await expect(this.manager.getRoleMembers(ANOTHER_ROLE, 0, memberCount)).to.eventually.deep.equal( + expectedMembers, + ); + }); + + it('role enumeration should be in sync after renounceRole call', async function () { + await this.manager.connect(this.admin).grantRole(ANOTHER_ROLE, this.user, 0); + + await expect(this.manager.getRoleMemberCount(ANOTHER_ROLE)).to.eventually.equal(1); // Only the initial member + await this.manager.connect(this.admin).grantRole(ANOTHER_ROLE, this.admin, 0); + await expect(this.manager.getRoleMemberCount(ANOTHER_ROLE)).to.eventually.equal(2); + await this.manager.connect(this.admin).renounceRole(ANOTHER_ROLE, this.admin); + await expect(this.manager.getRoleMemberCount(ANOTHER_ROLE)).to.eventually.equal(1); + }); + + it('returns empty for roles with no members', async function () { + const roleId = 999n; // Non-existent role + + await expect(this.manager.getRoleMemberCount(roleId)).to.eventually.equal(0); + await expect(this.manager.getRoleMembers(roleId, 0, 10)).to.eventually.deep.equal([]); + }); + + it('supports partial enumeration with start and end parameters', async function () { + // Grant roles to multiple accounts + await this.manager.connect(this.admin).grantRole(ANOTHER_ROLE, this.user, 0); + await this.manager.connect(this.admin).grantRole(ANOTHER_ROLE, this.other, 0); + await this.manager.connect(this.admin).grantRole(ANOTHER_ROLE, this.admin, 0); + + await expect(this.manager.getRoleMemberCount(ANOTHER_ROLE)).to.eventually.equal(3); + + const users = [this.user.address, this.other.address, this.admin.address]; + + // Test partial enumeration + const firstTwo = await this.manager.getRoleMembers(ANOTHER_ROLE, 0, 2); + expect(firstTwo).to.have.lengthOf(2); + expect(users).to.include.members(firstTwo); + + const lastTwo = await this.manager.getRoleMembers(ANOTHER_ROLE, 1, 3); + expect(lastTwo).to.have.lengthOf(2); + expect(users).to.include.members(lastTwo); + }); + }); + + describe('target functions', function () { + it('target functions can be enumerated', async function () { + const roleId = this.roles.SOME.id; + const selectors = [ + selector('someFunction()'), + selector('anotherFunction(uint256)'), + selector('thirdFunction(address,bool)'), + ]; + + await this.manager.connect(this.admin).setTargetFunctionRole(this.manager, selectors, roleId); + + const functionCount = await this.manager.getRoleTargetFunctionCount(roleId); + expect(functionCount).to.equal(selectors.length); + + // Test individual enumeration + const functions = []; + for (let i = 0; i < functionCount; ++i) { + functions.push(this.manager.getRoleTargetFunction(roleId, i)); + } + await expect(Promise.all(functions)).to.eventually.have.members(selectors); + + // Test batch enumeration + const batchFunctions = await this.manager.getRoleTargetFunctions(roleId, 0, functionCount); + expect([...batchFunctions]).to.have.members(selectors); + }); + + it('target function enumeration updates when roles change', async function () { + const roleId1 = this.roles.SOME.id; + const roleId2 = this.roles.SOME_ADMIN.id; + const sel = selector('testFunction()'); + + // Initially assign to roleId1 + await this.manager.connect(this.admin).setTargetFunctionRole(this.manager, [sel], roleId1); + + await expect(this.manager.getRoleTargetFunctionCount(roleId1)).to.eventually.equal(1); + await expect(this.manager.getRoleTargetFunctionCount(roleId2)).to.eventually.equal(0); + await expect(this.manager.getRoleTargetFunction(roleId1, 0)).to.eventually.equal(sel); + + // Reassign to roleId2 + await this.manager.connect(this.admin).setTargetFunctionRole(this.manager, [sel], roleId2); + + await expect(this.manager.getRoleTargetFunctionCount(roleId1)).to.eventually.equal(0); + await expect(this.manager.getRoleTargetFunctionCount(roleId2)).to.eventually.equal(1); + await expect(this.manager.getRoleTargetFunction(roleId2, 0)).to.eventually.equal(sel); + }); + + it('returns empty for ADMIN_ROLE target functions', async function () { + const sel = selector('adminFunction()'); + + // Set function to ADMIN_ROLE (default behavior) + await this.manager.connect(this.admin).setTargetFunctionRole(this.manager, [sel], this.roles.ADMIN.id); + + // ADMIN_ROLE functions are not tracked + await expect(this.manager.getRoleTargetFunctionCount(this.roles.ADMIN.id)).to.eventually.equal(0); + await expect(this.manager.getRoleTargetFunctions(this.roles.ADMIN.id, 0, 10)).to.eventually.deep.equal([]); + }); + + it('returns empty for roles with no target functions', async function () { + const roleId = 888n; // Role with no functions + + await expect(this.manager.getRoleTargetFunctionCount(roleId)).to.eventually.equal(0); + await expect(this.manager.getRoleTargetFunctions(roleId, 0, 10)).to.eventually.deep.equal([]); + }); + + it('supports partial enumeration of target functions', async function () { + const roleId = this.roles.SOME.id; + const selectors = [selector('func1()'), selector('func2()'), selector('func3()'), selector('func4()')]; + + await this.manager.connect(this.admin).setTargetFunctionRole(this.manager, selectors, roleId); + + await expect(this.manager.getRoleTargetFunctionCount(roleId)).to.eventually.equal(4); + + // Test partial enumeration + const firstTwo = await this.manager.getRoleTargetFunctions(roleId, 0, 2); + expect(firstTwo).to.have.lengthOf(2); + + const lastTwo = await this.manager.getRoleTargetFunctions(roleId, 2, 4); + expect(lastTwo).to.have.lengthOf(2); + + // Verify no overlap and complete coverage + const allFunctions = [...firstTwo, ...lastTwo]; + expect(allFunctions).to.have.members(selectors); + }); + }); + }); +} + module.exports = { shouldBehaveLikeDelayedAdminOperation, shouldBehaveLikeNotDelayedAdminOperation, shouldBehaveLikeRoleAdminOperation, shouldBehaveLikeAManagedRestrictedOperation, shouldBehaveLikeASelfRestrictedOperation, + shouldBehaveLikeAccessManagerEnumerable, }; diff --git a/test/access/manager/extensions/AccessManagerEnumerable.test.js b/test/access/manager/extensions/AccessManagerEnumerable.test.js new file mode 100644 index 00000000000..db7621d7ff4 --- /dev/null +++ b/test/access/manager/extensions/AccessManagerEnumerable.test.js @@ -0,0 +1,62 @@ +const { ethers } = require('hardhat'); +const { loadFixture } = require('@nomicfoundation/hardhat-network-helpers'); + +const { buildBaseRoles } = require('../../../helpers/access-manager'); +const { shouldBehaveLikeAccessManagerEnumerable } = require('../AccessManager.behavior'); + +async function fixture() { + const [admin, roleAdmin, roleGuardian, member, user, other] = await ethers.getSigners(); + + // Build roles + const roles = buildBaseRoles(); + + // Add members + roles.ADMIN.members = [admin]; + roles.SOME_ADMIN.members = [roleAdmin]; + roles.SOME_GUARDIAN.members = [roleGuardian]; + roles.SOME.members = [member]; + roles.PUBLIC.members = [admin, roleAdmin, roleGuardian, member, user, other]; + + const manager = await ethers.deployContract('$AccessManagerEnumerableMock', [admin]); + const target = await ethers.deployContract('$AccessManagedTarget', [manager]); + + for (const { id: roleId, admin, guardian, members } of Object.values(roles)) { + if (roleId === roles.PUBLIC.id) continue; // Every address belong to public and is locked + if (roleId === roles.ADMIN.id) continue; // Admin set during construction and is locked + + // Set admin role avoiding default + if (admin.id !== roles.ADMIN.id) { + await manager.$_setRoleAdmin(roleId, admin.id); + } + + // Set guardian role avoiding default + if (guardian.id !== roles.ADMIN.id) { + await manager.$_setRoleGuardian(roleId, guardian.id); + } + + // Grant role to members + for (const member of members) { + await manager.$_grantRole(roleId, member, 0, 0); + } + } + + return { + admin, + roleAdmin, + roleGuardian, + member, + user, + other, + roles, + manager, + target, + }; +} + +describe('AccessManagerEnumerable', function () { + beforeEach(async function () { + Object.assign(this, await loadFixture(fixture)); + }); + + shouldBehaveLikeAccessManagerEnumerable(); +}); From b4af192a2c683990c6abc2d656a06f0845c100ea Mon Sep 17 00:00:00 2001 From: ernestognw Date: Mon, 10 Nov 2025 11:59:08 -0300 Subject: [PATCH 03/24] Add changeset --- .changeset/crazy-bears-flash.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .changeset/crazy-bears-flash.md diff --git a/.changeset/crazy-bears-flash.md b/.changeset/crazy-bears-flash.md new file mode 100644 index 00000000000..b668edb0cc2 --- /dev/null +++ b/.changeset/crazy-bears-flash.md @@ -0,0 +1,5 @@ +--- +'openzeppelin-solidity': minor +--- + +Add `AccessManagerEnumerable`, an extension of `AccessManager` that allows enumerating the members of each role and the target functions each role is allowed to call. From b9e7965f03399a44f37fb67aec2dd60a6a23fde9 Mon Sep 17 00:00:00 2001 From: ernestognw Date: Mon, 10 Nov 2025 12:12:42 -0300 Subject: [PATCH 04/24] up --- .../access/manager/extensions/AccessManagerEnumerable.sol | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/contracts/access/manager/extensions/AccessManagerEnumerable.sol b/contracts/access/manager/extensions/AccessManagerEnumerable.sol index 256da227c48..9a05f320f0c 100644 --- a/contracts/access/manager/extensions/AccessManagerEnumerable.sol +++ b/contracts/access/manager/extensions/AccessManagerEnumerable.sol @@ -1,6 +1,6 @@ // SPDX-License-Identifier: MIT -pragma solidity ^0.8.20; +pragma solidity ^0.8.24; import {IAccessManagerEnumerable} from "./IAccessManagerEnumerable.sol"; import {AccessManager} from "../AccessManager.sol"; @@ -99,7 +99,8 @@ abstract contract AccessManagerEnumerable is IAccessManagerEnumerable, AccessMan * Since the target functions for the {ADMIN_ROLE} can't be tracked exhaustively (i.e. by default, all * restricted functions), any function that is granted to the {ADMIN_ROLE} will not be tracked by this * extension. Developers may opt in for tracking the functions for the {ADMIN_ROLE} by overriding, - * though, the tracking would not be exhaustive. + * though, the tracking would not be exhaustive unless {setTargetFunctionRole} is explicitly called + * for the {ADMIN_ROLE} for each function: * * ```solidity * function _setTargetFunctionRole(address target, bytes4 selector, uint64 roleId) internal virtual override { From 2a0e9001c319f328e7ed5dffe18bdfcaf1978929 Mon Sep 17 00:00:00 2001 From: ernestognw Date: Mon, 10 Nov 2025 12:22:53 -0300 Subject: [PATCH 05/24] Update list of functions by targets --- .../extensions/AccessManagerEnumerable.sol | 21 +++--- .../extensions/IAccessManagerEnumerable.sol | 23 +++--- test/access/manager/AccessManager.behavior.js | 75 +++++++++++++------ .../AccessManagerEnumerable.test.js | 2 + 4 files changed, 81 insertions(+), 40 deletions(-) diff --git a/contracts/access/manager/extensions/AccessManagerEnumerable.sol b/contracts/access/manager/extensions/AccessManagerEnumerable.sol index 9a05f320f0c..b8f5d926afb 100644 --- a/contracts/access/manager/extensions/AccessManagerEnumerable.sol +++ b/contracts/access/manager/extensions/AccessManagerEnumerable.sol @@ -19,7 +19,7 @@ abstract contract AccessManagerEnumerable is IAccessManagerEnumerable, AccessMan using EnumerableSet for EnumerableSet.Bytes32Set; mapping(uint64 roleId => EnumerableSet.AddressSet) private _roleMembers; - mapping(uint64 roleId => EnumerableSet.Bytes32Set) private _roleTargetFunctions; + mapping(uint64 roleId => mapping(address target => EnumerableSet.Bytes32Set)) private _roleTargetFunctions; /// @inheritdoc IAccessManagerEnumerable function getRoleMember(uint64 roleId, uint256 index) public view virtual returns (address) { @@ -37,8 +37,8 @@ abstract contract AccessManagerEnumerable is IAccessManagerEnumerable, AccessMan } /// @inheritdoc IAccessManagerEnumerable - function getRoleTargetFunction(uint64 roleId, uint256 index) public view virtual returns (bytes4) { - return bytes4(_roleTargetFunctions[roleId].at(index)); + function getRoleTargetFunction(uint64 roleId, address target, uint256 index) public view virtual returns (bytes4) { + return bytes4(_roleTargetFunctions[roleId][target].at(index)); } /* @@ -49,10 +49,11 @@ abstract contract AccessManagerEnumerable is IAccessManagerEnumerable, AccessMan */ function getRoleTargetFunctions( uint64 roleId, + address target, uint256 start, uint256 end ) public view virtual returns (bytes4[] memory) { - bytes32[] memory targetFunctions = _roleTargetFunctions[roleId].values(start, end); + bytes32[] memory targetFunctions = _roleTargetFunctions[roleId][target].values(start, end); bytes4[] memory targetFunctionSelectors; assembly ("memory-safe") { targetFunctionSelectors := targetFunctions @@ -66,8 +67,8 @@ abstract contract AccessManagerEnumerable is IAccessManagerEnumerable, AccessMan * NOTE: Given {ADMIN_ROLE} is the default role for every restricted function, passing {ADMIN_ROLE} as `roleId` will * return 0. See {_setTargetFunctionRole} for more details. */ - function getRoleTargetFunctionCount(uint64 roleId) public view virtual returns (uint256) { - return _roleTargetFunctions[roleId].length(); + function getRoleTargetFunctionCount(uint64 roleId, address target) public view virtual returns (uint256) { + return _roleTargetFunctions[roleId][target].length(); } /// @dev See {AccessManager-_grantRole}. Adds the account to the role members set. @@ -107,10 +108,10 @@ abstract contract AccessManagerEnumerable is IAccessManagerEnumerable, AccessMan * uint64 oldRoleId = getTargetFunctionRole(target, selector); * super._setTargetFunctionRole(target, selector, roleId); * if (oldRoleId == ADMIN_ROLE) { - * _roleTargetFunctions[oldRoleId].remove(bytes32(selector)); + * _roleTargetFunctions[oldRoleId][target].remove(bytes32(selector)); * } * if (roleId == ADMIN_ROLE) { - * _roleTargetFunctions[roleId].add(bytes32(selector)); + * _roleTargetFunctions[roleId][target].add(bytes32(selector)); * } * } * ``` @@ -119,10 +120,10 @@ abstract contract AccessManagerEnumerable is IAccessManagerEnumerable, AccessMan uint64 oldRoleId = getTargetFunctionRole(target, selector); super._setTargetFunctionRole(target, selector, roleId); if (oldRoleId != ADMIN_ROLE) { - _roleTargetFunctions[oldRoleId].remove(bytes32(selector)); + _roleTargetFunctions[oldRoleId][target].remove(bytes32(selector)); } if (roleId != ADMIN_ROLE) { - _roleTargetFunctions[roleId].add(bytes32(selector)); + _roleTargetFunctions[roleId][target].add(bytes32(selector)); } } } diff --git a/contracts/access/manager/extensions/IAccessManagerEnumerable.sol b/contracts/access/manager/extensions/IAccessManagerEnumerable.sol index 6d94d41d1b1..d5561f2c4d7 100644 --- a/contracts/access/manager/extensions/IAccessManagerEnumerable.sol +++ b/contracts/access/manager/extensions/IAccessManagerEnumerable.sol @@ -43,8 +43,8 @@ interface IAccessManagerEnumerable is IAccessManager { function getRoleMemberCount(uint64 roleId) external view returns (uint256); /** - * @dev Returns one of the target function selectors that require `roleId`. `index` must be a - * value between 0 and {getRoleTargetFunctionCount}, non-inclusive. + * @dev Returns one of the target function selectors that require `roleId` for the given `target`. + * `index` must be a value between 0 and {getRoleTargetFunctionCount}, non-inclusive. * * Target function selectors are not sorted in any particular way, and their ordering may * change at any point. @@ -54,11 +54,11 @@ interface IAccessManagerEnumerable is IAccessManager { * https://forum.openzeppelin.com/t/iterating-over-elements-on-enumerableset-in-openzeppelin-contracts/2296[forum post] * for more information. */ - function getRoleTargetFunction(uint64 roleId, uint256 index) external view returns (bytes4); + function getRoleTargetFunction(uint64 roleId, address target, uint256 index) external view returns (bytes4); /** - * @dev Returns a range of target function selectors that require `roleId`. `start` and `end` define the range bounds. - * `start` is inclusive and `end` is exclusive. + * @dev Returns a range of target function selectors that require `roleId` for the given `target`. + * `start` and `end` define the range bounds. `start` is inclusive and `end` is exclusive. * * Target function selectors are not sorted in any particular way, and their ordering may * change at any point. @@ -68,11 +68,16 @@ interface IAccessManagerEnumerable is IAccessManager { * this function has an unbounded cost, and using it as part of a state-changing function may render the function * uncallable if the set grows to a point where copying to memory consumes too much gas to fit in a block. */ - function getRoleTargetFunctions(uint64 roleId, uint256 start, uint256 end) external view returns (bytes4[] memory); + function getRoleTargetFunctions( + uint64 roleId, + address target, + uint256 start, + uint256 end + ) external view returns (bytes4[] memory); /** - * @dev Returns the number of target function selectors that require `roleId`. Can be used - * together with {getRoleTargetFunction} to enumerate all target functions for a role. + * @dev Returns the number of target function selectors that require `roleId` for the given `target`. + * Can be used together with {getRoleTargetFunction} to enumerate all target functions for a role on a specific target. */ - function getRoleTargetFunctionCount(uint64 roleId) external view returns (uint256); + function getRoleTargetFunctionCount(uint64 roleId, address target) external view returns (uint256); } diff --git a/test/access/manager/AccessManager.behavior.js b/test/access/manager/AccessManager.behavior.js index 5d63ca2a7a7..f3e68301713 100644 --- a/test/access/manager/AccessManager.behavior.js +++ b/test/access/manager/AccessManager.behavior.js @@ -327,86 +327,119 @@ function shouldBehaveLikeAccessManagerEnumerable() { describe('target functions', function () { it('target functions can be enumerated', async function () { const roleId = this.roles.SOME.id; + const target = this.target; const selectors = [ selector('someFunction()'), selector('anotherFunction(uint256)'), selector('thirdFunction(address,bool)'), ]; - await this.manager.connect(this.admin).setTargetFunctionRole(this.manager, selectors, roleId); + await this.manager.connect(this.admin).setTargetFunctionRole(target, selectors, roleId); - const functionCount = await this.manager.getRoleTargetFunctionCount(roleId); + const functionCount = await this.manager.getRoleTargetFunctionCount(roleId, target); expect(functionCount).to.equal(selectors.length); // Test individual enumeration const functions = []; for (let i = 0; i < functionCount; ++i) { - functions.push(this.manager.getRoleTargetFunction(roleId, i)); + functions.push(this.manager.getRoleTargetFunction(roleId, target, i)); } await expect(Promise.all(functions)).to.eventually.have.members(selectors); // Test batch enumeration - const batchFunctions = await this.manager.getRoleTargetFunctions(roleId, 0, functionCount); + const batchFunctions = await this.manager.getRoleTargetFunctions(roleId, target, 0, functionCount); expect([...batchFunctions]).to.have.members(selectors); }); it('target function enumeration updates when roles change', async function () { const roleId1 = this.roles.SOME.id; const roleId2 = this.roles.SOME_ADMIN.id; + const target = this.target; const sel = selector('testFunction()'); // Initially assign to roleId1 - await this.manager.connect(this.admin).setTargetFunctionRole(this.manager, [sel], roleId1); + await this.manager.connect(this.admin).setTargetFunctionRole(target, [sel], roleId1); - await expect(this.manager.getRoleTargetFunctionCount(roleId1)).to.eventually.equal(1); - await expect(this.manager.getRoleTargetFunctionCount(roleId2)).to.eventually.equal(0); - await expect(this.manager.getRoleTargetFunction(roleId1, 0)).to.eventually.equal(sel); + await expect(this.manager.getRoleTargetFunctionCount(roleId1, target)).to.eventually.equal(1); + await expect(this.manager.getRoleTargetFunctionCount(roleId2, target)).to.eventually.equal(0); + await expect(this.manager.getRoleTargetFunction(roleId1, target, 0)).to.eventually.equal(sel); // Reassign to roleId2 - await this.manager.connect(this.admin).setTargetFunctionRole(this.manager, [sel], roleId2); + await this.manager.connect(this.admin).setTargetFunctionRole(target, [sel], roleId2); - await expect(this.manager.getRoleTargetFunctionCount(roleId1)).to.eventually.equal(0); - await expect(this.manager.getRoleTargetFunctionCount(roleId2)).to.eventually.equal(1); - await expect(this.manager.getRoleTargetFunction(roleId2, 0)).to.eventually.equal(sel); + await expect(this.manager.getRoleTargetFunctionCount(roleId1, target)).to.eventually.equal(0); + await expect(this.manager.getRoleTargetFunctionCount(roleId2, target)).to.eventually.equal(1); + await expect(this.manager.getRoleTargetFunction(roleId2, target, 0)).to.eventually.equal(sel); }); it('returns empty for ADMIN_ROLE target functions', async function () { + const target = this.target; const sel = selector('adminFunction()'); // Set function to ADMIN_ROLE (default behavior) - await this.manager.connect(this.admin).setTargetFunctionRole(this.manager, [sel], this.roles.ADMIN.id); + await this.manager.connect(this.admin).setTargetFunctionRole(target, [sel], this.roles.ADMIN.id); // ADMIN_ROLE functions are not tracked - await expect(this.manager.getRoleTargetFunctionCount(this.roles.ADMIN.id)).to.eventually.equal(0); - await expect(this.manager.getRoleTargetFunctions(this.roles.ADMIN.id, 0, 10)).to.eventually.deep.equal([]); + await expect(this.manager.getRoleTargetFunctionCount(this.roles.ADMIN.id, target)).to.eventually.equal(0); + await expect(this.manager.getRoleTargetFunctions(this.roles.ADMIN.id, target, 0, 10)).to.eventually.deep.equal( + [], + ); }); it('returns empty for roles with no target functions', async function () { const roleId = 888n; // Role with no functions + const target = this.target; - await expect(this.manager.getRoleTargetFunctionCount(roleId)).to.eventually.equal(0); - await expect(this.manager.getRoleTargetFunctions(roleId, 0, 10)).to.eventually.deep.equal([]); + await expect(this.manager.getRoleTargetFunctionCount(roleId, target)).to.eventually.equal(0); + await expect(this.manager.getRoleTargetFunctions(roleId, target, 0, 10)).to.eventually.deep.equal([]); }); it('supports partial enumeration of target functions', async function () { const roleId = this.roles.SOME.id; + const target = this.target; const selectors = [selector('func1()'), selector('func2()'), selector('func3()'), selector('func4()')]; - await this.manager.connect(this.admin).setTargetFunctionRole(this.manager, selectors, roleId); + await this.manager.connect(this.admin).setTargetFunctionRole(target, selectors, roleId); - await expect(this.manager.getRoleTargetFunctionCount(roleId)).to.eventually.equal(4); + await expect(this.manager.getRoleTargetFunctionCount(roleId, target)).to.eventually.equal(4); // Test partial enumeration - const firstTwo = await this.manager.getRoleTargetFunctions(roleId, 0, 2); + const firstTwo = await this.manager.getRoleTargetFunctions(roleId, target, 0, 2); expect(firstTwo).to.have.lengthOf(2); - const lastTwo = await this.manager.getRoleTargetFunctions(roleId, 2, 4); + const lastTwo = await this.manager.getRoleTargetFunctions(roleId, target, 2, 4); expect(lastTwo).to.have.lengthOf(2); // Verify no overlap and complete coverage const allFunctions = [...firstTwo, ...lastTwo]; expect(allFunctions).to.have.members(selectors); }); + + it('distinguishes between different targets', async function () { + const roleId = this.roles.SOME.id; + const target1 = this.target; + const target2 = this.target2; + const sel1 = selector('target1Function()'); + const sel2 = selector('target2Function()'); + + // Set different functions for the same role on different targets + await this.manager.connect(this.admin).setTargetFunctionRole(target1, [sel1], roleId); + await this.manager.connect(this.admin).setTargetFunctionRole(target2, [sel2], roleId); + + // Each target should have its own function tracked + await expect(this.manager.getRoleTargetFunctionCount(roleId, target1)).to.eventually.equal(1); + await expect(this.manager.getRoleTargetFunctionCount(roleId, target2)).to.eventually.equal(1); + + await expect(this.manager.getRoleTargetFunction(roleId, target1, 0)).to.eventually.equal(sel1); + await expect(this.manager.getRoleTargetFunction(roleId, target2, 0)).to.eventually.equal(sel2); + + // Functions should be isolated per target + const target1Functions = await this.manager.getRoleTargetFunctions(roleId, target1, 0, 1); + const target2Functions = await this.manager.getRoleTargetFunctions(roleId, target2, 0, 1); + + expect(target1Functions).to.deep.equal([sel1]); + expect(target2Functions).to.deep.equal([sel2]); + }); }); }); } diff --git a/test/access/manager/extensions/AccessManagerEnumerable.test.js b/test/access/manager/extensions/AccessManagerEnumerable.test.js index db7621d7ff4..d0f3250331d 100644 --- a/test/access/manager/extensions/AccessManagerEnumerable.test.js +++ b/test/access/manager/extensions/AccessManagerEnumerable.test.js @@ -19,6 +19,7 @@ async function fixture() { const manager = await ethers.deployContract('$AccessManagerEnumerableMock', [admin]); const target = await ethers.deployContract('$AccessManagedTarget', [manager]); + const target2 = await ethers.deployContract('$AccessManagedTarget', [manager]); for (const { id: roleId, admin, guardian, members } of Object.values(roles)) { if (roleId === roles.PUBLIC.id) continue; // Every address belong to public and is locked @@ -50,6 +51,7 @@ async function fixture() { roles, manager, target, + target2, }; } From ab194a70dde09cfa34f7de4ebd39d0bca88d916f Mon Sep 17 00:00:00 2001 From: ernestognw Date: Mon, 10 Nov 2025 12:39:33 -0300 Subject: [PATCH 06/24] Add docs --- contracts/access/README.adoc | 5 +++ docs/modules/ROOT/pages/access-control.adoc | 47 +++++++++++++++++++++ 2 files changed, 52 insertions(+) diff --git a/contracts/access/README.adoc b/contracts/access/README.adoc index b89865b2c17..ac5c08994f4 100644 --- a/contracts/access/README.adoc +++ b/contracts/access/README.adoc @@ -6,6 +6,7 @@ NOTE: This document is better viewed at https://docs.openzeppelin.com/contracts/ This directory provides ways to restrict who can access the functions of a contract or when they can do it. - {AccessManager} is a full-fledged access control solution for smart contract systems. Allows creating and assigning multiple hierarchical roles with execution delays for each account across various contracts. +- {AccessManagerEnumerable} is an extension to {AccessManager} that enumerates role members and target functions each role can call. - {AccessManaged} delegates its access control to an authority that dictates the permissions of the managed contract. It's compatible with an AccessManager as an authority. - {AccessControl} provides a per-contract role based access control mechanism. Multiple hierarchical roles can be created and assigned each to multiple accounts within the same instance. - {Ownable} is a simpler mechanism with a single owner "role" that can be assigned to a single account. This simpler mechanism can be useful for quick tests but projects with production concerns are likely to outgrow it. @@ -38,6 +39,10 @@ This directory provides ways to restrict who can access the functions of a contr {{AccessManager}} +{{IAccessManagerEnumerable}} + +{{AccessManagerEnumerable}} + {{IAccessManaged}} {{AccessManaged}} diff --git a/docs/modules/ROOT/pages/access-control.adoc b/docs/modules/ROOT/pages/access-control.adoc index d8b8cdb78c1..e4ed72a019e 100644 --- a/docs/modules/ROOT/pages/access-control.adoc +++ b/docs/modules/ROOT/pages/access-control.adoc @@ -272,6 +272,53 @@ The delayed admin actions are: * Closing or opening a target via xref:api:access.adoc#AccessManager-setTargetClosed-address-bool-[`setTargetClosed`]. * Changing permissions of whether a role can call a target function with xref:api:access.adoc#AccessManager-setTargetFunctionRole-address-bytes4---uint64-[`setTargetFunctionRole`]. +=== Querying Privileged Accounts + +Similar to `AccessControl`, accounts might be granted and revoked roles dynamically in an `AccessManager`, making it challenging to determine which accounts hold a particular role at any given time. This capability is essential for proving certain properties about a system, such as verifying that an administrative role is held by a multisig or DAO, or that a certain role has been completely removed to disable associated functionality. + +The base `AccessManager` contract provides comprehensive role-based access control but does not support on-chain enumeration of role members or target function permissions by default. To track which accounts hold roles and which functions are assigned to roles, you should rely on the xref:api:access.adoc#AccessManager-RoleGranted-uint64-address-uint32-uint48-bool-[RoleGranted], xref:api:access.adoc#AccessManager-RoleRevoked-uint64-address-[RoleRevoked], and xref:api:access.adoc#AccessManager-TargetFunctionRoleUpdated-address-bytes4-uint64-[TargetFunctionRoleUpdated] events, which can be processed off-chain. + +If on-chain enumeration is required, you can use the xref:api:access.adoc#AccessManagerEnumerable[`AccessManagerEnumerable`] extension. This extension uses `EnumerableSet` internally and provides the following functions for role members: + +* {AccessManagerEnumerable-getRoleMemberCount} +* {AccessManagerEnumerable-getRoleMember} +* {AccessManagerEnumerable-getRoleMembers} + +And these functions for target function permissions: + +* {AccessManagerEnumerable-getRoleTargetFunctionCount} +* {AccessManagerEnumerable-getRoleTargetFunction} +* {AccessManagerEnumerable-getRoleTargetFunctions} + +These can be used to iterate over the accounts that have been granted a role and the functions that a role is allowed to call on specific targets: + +```javascript +// Enumerate role members +const minterCount = await accessManager.getRoleMemberCount(MINTER_ROLE); + +const members = []; +for (let i = 0; i < minterCount; ++i) { + members.push(await accessManager.getRoleMember(MINTER_ROLE, i)); +} + +// Or get all members at once +const allMembers = await accessManager.getRoleMembers(MINTER_ROLE, 0, minterCount); + +// Enumerate target functions for a role +const target = await myToken.getAddress(); +const functionCount = await accessManager.getRoleTargetFunctionCount(MINTER_ROLE, target); + +const functions = []; +for (let i = 0; i < functionCount; ++i) { + functions.push(await accessManager.getRoleTargetFunction(MINTER_ROLE, target, i)); +} + +// Or get all functions at once +const allFunctions = await accessManager.getRoleTargetFunctions(MINTER_ROLE, target, 0, functionCount); +``` + +Note that target function enumeration is organized per target contract, allowing you to query which functions a role can access on each specific target separately. This provides fine-grained visibility into the permission structure across your entire system of managed contracts. + === Using with Ownable Contracts already inheriting from xref:api:access.adoc#Ownable[`Ownable`] can migrate to AccessManager by transferring ownership to the manager. After that, all calls to functions with the `onlyOwner` modifier should be called through the manager's xref:api:access.adoc#AccessManager-execute-address-bytes-[`execute`] function, even if the caller doesn't require a delay. From dad105cec2e65a484a40f33a316aeb657f58cba7 Mon Sep 17 00:00:00 2001 From: ernestognw Date: Mon, 10 Nov 2025 15:53:16 -0300 Subject: [PATCH 07/24] Update doc references --- docs/modules/ROOT/pages/access-control.adoc | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/modules/ROOT/pages/access-control.adoc b/docs/modules/ROOT/pages/access-control.adoc index e4ed72a019e..37dd6024c75 100644 --- a/docs/modules/ROOT/pages/access-control.adoc +++ b/docs/modules/ROOT/pages/access-control.adoc @@ -96,8 +96,8 @@ The base `AccessControl` contract provides role-based access control, but it doe This contract uses `EnumerableSet` internally and provides the following functions: -* {AccessControlEnumerable-getRoleMemberCount} -* {AccessControlEnumerable-getRoleMember} +* xref:api:access.adoc#AccessControl-getRoleMemberCount[`getRoleMemberCount`] +* xref:api:access.adoc#AccessControl-getRoleMember[`getRoleMember`] These can be used to iterate over the accounts that have been granted a role: @@ -280,15 +280,15 @@ The base `AccessManager` contract provides comprehensive role-based access contr If on-chain enumeration is required, you can use the xref:api:access.adoc#AccessManagerEnumerable[`AccessManagerEnumerable`] extension. This extension uses `EnumerableSet` internally and provides the following functions for role members: -* {AccessManagerEnumerable-getRoleMemberCount} -* {AccessManagerEnumerable-getRoleMember} -* {AccessManagerEnumerable-getRoleMembers} +* xref:api:access.adoc#AccessManager-getRoleMemberCount[`getRoleMemberCount`] +* xref:api:access.adoc#AccessManager-getRoleMember[`getRoleMember`] +* xref:api:access.adoc#AccessManager-getRoleMembers[`getRoleMembers`] And these functions for target function permissions: -* {AccessManagerEnumerable-getRoleTargetFunctionCount} -* {AccessManagerEnumerable-getRoleTargetFunction} -* {AccessManagerEnumerable-getRoleTargetFunctions} +* xref:api:access.adoc#AccessManagerEnumerable-getRoleTargetFunctionCount[`getRoleTargetFunctionCount`] +* xref:api:access.adoc#AccessManagerEnumerable-getRoleTargetFunction[`getRoleTargetFunction`] +* xref:api:access.adoc#AccessManagerEnumerable-getRoleTargetFunctions[`getRoleTargetFunctions`] These can be used to iterate over the accounts that have been granted a role and the functions that a role is allowed to call on specific targets: From ece797a17570acd3affa654dbe5920dece98c2f2 Mon Sep 17 00:00:00 2001 From: ernestognw Date: Mon, 10 Nov 2025 16:02:06 -0300 Subject: [PATCH 08/24] up --- contracts/access/README.adoc | 10 ++++++---- docs/modules/ROOT/pages/access-control.adoc | 17 +++++++++-------- 2 files changed, 15 insertions(+), 12 deletions(-) diff --git a/contracts/access/README.adoc b/contracts/access/README.adoc index ac5c08994f4..ec837cdbd90 100644 --- a/contracts/access/README.adoc +++ b/contracts/access/README.adoc @@ -39,12 +39,14 @@ This directory provides ways to restrict who can access the functions of a contr {{AccessManager}} -{{IAccessManagerEnumerable}} - -{{AccessManagerEnumerable}} - {{IAccessManaged}} {{AccessManaged}} {{AuthorityUtils}} + +=== Extensions + +{{IAccessManagerEnumerable}} + +{{AccessManagerEnumerable}} diff --git a/docs/modules/ROOT/pages/access-control.adoc b/docs/modules/ROOT/pages/access-control.adoc index 37dd6024c75..4ac4e4e480f 100644 --- a/docs/modules/ROOT/pages/access-control.adoc +++ b/docs/modules/ROOT/pages/access-control.adoc @@ -96,8 +96,9 @@ The base `AccessControl` contract provides role-based access control, but it doe This contract uses `EnumerableSet` internally and provides the following functions: -* xref:api:access.adoc#AccessControl-getRoleMemberCount[`getRoleMemberCount`] -* xref:api:access.adoc#AccessControl-getRoleMember[`getRoleMember`] +* xref:api:access.adoc#AccessControlEnumerable-getRoleMemberCount-bytes32-[`getRoleMemberCount`] +* xref:api:access.adoc#AccessControlEnumerable-getRoleMember-bytes32-uint256-[`getRoleMember`] +* xref:api:access.adoc#AccessControlEnumerable-getRoleMembers-bytes32-[`getRoleMembers`] These can be used to iterate over the accounts that have been granted a role: @@ -280,15 +281,15 @@ The base `AccessManager` contract provides comprehensive role-based access contr If on-chain enumeration is required, you can use the xref:api:access.adoc#AccessManagerEnumerable[`AccessManagerEnumerable`] extension. This extension uses `EnumerableSet` internally and provides the following functions for role members: -* xref:api:access.adoc#AccessManager-getRoleMemberCount[`getRoleMemberCount`] -* xref:api:access.adoc#AccessManager-getRoleMember[`getRoleMember`] -* xref:api:access.adoc#AccessManager-getRoleMembers[`getRoleMembers`] +* xref:api:access.adoc#AccessManagerEnumerable-getRoleTargetFunctionCount-uint64-address-[`getRoleMemberCount`] +* xref:api:access.adoc#AccessManagerEnumerable-getRoleMember-uint64-uint256-[`getRoleMember`] +* xref:api:access.adoc#AccessManagerEnumerable-getRoleMembers-uint64-uint256-uint256-[`getRoleMembers`] And these functions for target function permissions: -* xref:api:access.adoc#AccessManagerEnumerable-getRoleTargetFunctionCount[`getRoleTargetFunctionCount`] -* xref:api:access.adoc#AccessManagerEnumerable-getRoleTargetFunction[`getRoleTargetFunction`] -* xref:api:access.adoc#AccessManagerEnumerable-getRoleTargetFunctions[`getRoleTargetFunctions`] +* xref:api:access.adoc#AccessManagerEnumerable-getRoleTargetFunctionCount-uint64-address-[`getRoleTargetFunctionCount`] +* xref:api:access.adoc#AccessManagerEnumerable-getRoleTargetFunction-uint64-address-uint256-[`getRoleTargetFunction`] +* xref:api:access.adoc#AccessManagerEnumerable-getRoleTargetFunctions-uint64-address-uint256-uint256-[`getRoleTargetFunctions`] These can be used to iterate over the accounts that have been granted a role and the functions that a role is allowed to call on specific targets: From 05379c1c46ed89e46090cc91cea390807fe63fd8 Mon Sep 17 00:00:00 2001 From: James Toussaint <33313130+james-toussaint@users.noreply.github.com> Date: Fri, 5 Dec 2025 11:37:35 +0100 Subject: [PATCH 09/24] Store target functions in `Bytes4Set` --- .../extensions/AccessManagerEnumerable.sol | 21 +++++++------------ 1 file changed, 8 insertions(+), 13 deletions(-) diff --git a/contracts/access/manager/extensions/AccessManagerEnumerable.sol b/contracts/access/manager/extensions/AccessManagerEnumerable.sol index b8f5d926afb..d4df2f3c2af 100644 --- a/contracts/access/manager/extensions/AccessManagerEnumerable.sol +++ b/contracts/access/manager/extensions/AccessManagerEnumerable.sol @@ -16,10 +16,10 @@ import {EnumerableSet} from "../../../utils/structs/EnumerableSet.sol"; */ abstract contract AccessManagerEnumerable is IAccessManagerEnumerable, AccessManager { using EnumerableSet for EnumerableSet.AddressSet; - using EnumerableSet for EnumerableSet.Bytes32Set; + using EnumerableSet for EnumerableSet.Bytes4Set; mapping(uint64 roleId => EnumerableSet.AddressSet) private _roleMembers; - mapping(uint64 roleId => mapping(address target => EnumerableSet.Bytes32Set)) private _roleTargetFunctions; + mapping(uint64 roleId => mapping(address target => EnumerableSet.Bytes4Set)) private _roleTargetFunctions; /// @inheritdoc IAccessManagerEnumerable function getRoleMember(uint64 roleId, uint256 index) public view virtual returns (address) { @@ -38,7 +38,7 @@ abstract contract AccessManagerEnumerable is IAccessManagerEnumerable, AccessMan /// @inheritdoc IAccessManagerEnumerable function getRoleTargetFunction(uint64 roleId, address target, uint256 index) public view virtual returns (bytes4) { - return bytes4(_roleTargetFunctions[roleId][target].at(index)); + return _roleTargetFunctions[roleId][target].at(index); } /* @@ -53,12 +53,7 @@ abstract contract AccessManagerEnumerable is IAccessManagerEnumerable, AccessMan uint256 start, uint256 end ) public view virtual returns (bytes4[] memory) { - bytes32[] memory targetFunctions = _roleTargetFunctions[roleId][target].values(start, end); - bytes4[] memory targetFunctionSelectors; - assembly ("memory-safe") { - targetFunctionSelectors := targetFunctions - } - return targetFunctionSelectors; + return _roleTargetFunctions[roleId][target].values(start, end); } /* @@ -108,10 +103,10 @@ abstract contract AccessManagerEnumerable is IAccessManagerEnumerable, AccessMan * uint64 oldRoleId = getTargetFunctionRole(target, selector); * super._setTargetFunctionRole(target, selector, roleId); * if (oldRoleId == ADMIN_ROLE) { - * _roleTargetFunctions[oldRoleId][target].remove(bytes32(selector)); + * _roleTargetFunctions[oldRoleId][target].remove(selector); * } * if (roleId == ADMIN_ROLE) { - * _roleTargetFunctions[roleId][target].add(bytes32(selector)); + * _roleTargetFunctions[roleId][target].add(selector); * } * } * ``` @@ -120,10 +115,10 @@ abstract contract AccessManagerEnumerable is IAccessManagerEnumerable, AccessMan uint64 oldRoleId = getTargetFunctionRole(target, selector); super._setTargetFunctionRole(target, selector, roleId); if (oldRoleId != ADMIN_ROLE) { - _roleTargetFunctions[oldRoleId][target].remove(bytes32(selector)); + _roleTargetFunctions[oldRoleId][target].remove(selector); } if (roleId != ADMIN_ROLE) { - _roleTargetFunctions[roleId][target].add(bytes32(selector)); + _roleTargetFunctions[roleId][target].add(selector); } } } From b0ff8f29c4980bb71369f6ef9b89a6bb1e5b1bd0 Mon Sep 17 00:00:00 2001 From: ernestognw Date: Wed, 10 Dec 2025 10:22:54 -0600 Subject: [PATCH 10/24] Add _updateRoleTargetFunction --- .../extensions/AccessManagerEnumerable.sol | 44 ++++++++++++------- 1 file changed, 28 insertions(+), 16 deletions(-) diff --git a/contracts/access/manager/extensions/AccessManagerEnumerable.sol b/contracts/access/manager/extensions/AccessManagerEnumerable.sol index d4df2f3c2af..21b69efea56 100644 --- a/contracts/access/manager/extensions/AccessManagerEnumerable.sol +++ b/contracts/access/manager/extensions/AccessManagerEnumerable.sol @@ -92,33 +92,45 @@ abstract contract AccessManagerEnumerable is IAccessManagerEnumerable, AccessMan /** * @dev See {AccessManager-_setTargetFunctionRole}. Adds the selector to the role target functions set. * - * Since the target functions for the {ADMIN_ROLE} can't be tracked exhaustively (i.e. by default, all - * restricted functions), any function that is granted to the {ADMIN_ROLE} will not be tracked by this - * extension. Developers may opt in for tracking the functions for the {ADMIN_ROLE} by overriding, - * though, the tracking would not be exhaustive unless {setTargetFunctionRole} is explicitly called - * for the {ADMIN_ROLE} for each function: + * NOTE: Does not track function selectors for the {ADMIN_ROLE}. See {_updateRoleTargetFunction}. + */ + function _setTargetFunctionRole(address target, bytes4 selector, uint64 roleId) internal virtual override { + uint64 oldRoleId = getTargetFunctionRole(target, selector); + super._setTargetFunctionRole(target, selector, roleId); + _updateRoleTargetFunction(target, selector, oldRoleId, roleId); + } + + /** + * @dev Updates the role target functions sets when a function's role is changed. + * + * This function does not track function selectors for the {ADMIN_ROLE}, since exhaustively tracking + * all restricted/admin functions is impractical (by default, all restricted functions are assigned to {ADMIN_ROLE}). + * Therefore, roles assigned as {ADMIN_ROLE} will not have their selectors included in this extension's tracking. + * + * Developers who wish to explicitly track {ADMIN_ROLE} can override this function. For example: * * ```solidity - * function _setTargetFunctionRole(address target, bytes4 selector, uint64 roleId) internal virtual override { - * uint64 oldRoleId = getTargetFunctionRole(target, selector); - * super._setTargetFunctionRole(target, selector, roleId); - * if (oldRoleId == ADMIN_ROLE) { + * function _updateRoleTargetFunction(address target, bytes4 selector, uint64 oldRoleId, uint64 newRoleId) internal virtual override { + * if (oldRoleId != 0) { * _roleTargetFunctions[oldRoleId][target].remove(selector); * } - * if (roleId == ADMIN_ROLE) { - * _roleTargetFunctions[roleId][target].add(selector); + * if (newRoleId != 0) { + * _roleTargetFunctions[newRoleId][target].add(selector); * } * } * ``` */ - function _setTargetFunctionRole(address target, bytes4 selector, uint64 roleId) internal virtual override { - uint64 oldRoleId = getTargetFunctionRole(target, selector); - super._setTargetFunctionRole(target, selector, roleId); + function _updateRoleTargetFunction( + address target, + bytes4 selector, + uint64 oldRoleId, + uint64 newRoleId + ) internal virtual { if (oldRoleId != ADMIN_ROLE) { _roleTargetFunctions[oldRoleId][target].remove(selector); } - if (roleId != ADMIN_ROLE) { - _roleTargetFunctions[roleId][target].add(selector); + if (newRoleId != ADMIN_ROLE) { + _roleTargetFunctions[newRoleId][target].add(selector); } } } From 6d547104f7ca102080bf2f2a59fd716430db9aff Mon Sep 17 00:00:00 2001 From: ernestognw Date: Wed, 10 Dec 2025 10:24:15 -0600 Subject: [PATCH 11/24] up --- .../access/manager/extensions/AccessManagerEnumerable.sol | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/contracts/access/manager/extensions/AccessManagerEnumerable.sol b/contracts/access/manager/extensions/AccessManagerEnumerable.sol index 21b69efea56..2d8ec6272f5 100644 --- a/contracts/access/manager/extensions/AccessManagerEnumerable.sol +++ b/contracts/access/manager/extensions/AccessManagerEnumerable.sol @@ -45,7 +45,7 @@ abstract contract AccessManagerEnumerable is IAccessManagerEnumerable, AccessMan * @dev See {IAccessManagerEnumerable-getRoleTargetFunctions} * * NOTE: Given {ADMIN_ROLE} is the default role for every restricted function, passing {ADMIN_ROLE} as `roleId` will - * return an empty array. See {_setTargetFunctionRole} for more details. + * return an empty array. See {_updateRoleTargetFunction} for more details. */ function getRoleTargetFunctions( uint64 roleId, @@ -60,7 +60,7 @@ abstract contract AccessManagerEnumerable is IAccessManagerEnumerable, AccessMan * @dev See {IAccessManagerEnumerable-getRoleTargetFunctionCount} * * NOTE: Given {ADMIN_ROLE} is the default role for every restricted function, passing {ADMIN_ROLE} as `roleId` will - * return 0. See {_setTargetFunctionRole} for more details. + * return 0. See {_updateRoleTargetFunction} for more details. */ function getRoleTargetFunctionCount(uint64 roleId, address target) public view virtual returns (uint256) { return _roleTargetFunctions[roleId][target].length(); From c1e1c7e757e30445023d8f9536f16c533693bc69 Mon Sep 17 00:00:00 2001 From: Hadrien Croubois Date: Thu, 11 Dec 2025 14:35:44 +0100 Subject: [PATCH 12/24] Update .changeset/crazy-bears-flash.md --- .changeset/crazy-bears-flash.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.changeset/crazy-bears-flash.md b/.changeset/crazy-bears-flash.md index b668edb0cc2..5d9f403dddd 100644 --- a/.changeset/crazy-bears-flash.md +++ b/.changeset/crazy-bears-flash.md @@ -2,4 +2,4 @@ 'openzeppelin-solidity': minor --- -Add `AccessManagerEnumerable`, an extension of `AccessManager` that allows enumerating the members of each role and the target functions each role is allowed to call. +`AccessManagerEnumerable`: Add an extension of `AccessManager` that supports onchain enumeration of the members of each role and the target functions each role is allowed to call. From 2da818249921aa1b555785edb6d941fb64d70f85 Mon Sep 17 00:00:00 2001 From: Hadrien Croubois Date: Thu, 11 Dec 2025 15:35:12 +0100 Subject: [PATCH 13/24] update behavior --- test/access/manager/AccessManager.behavior.js | 61 +++++++++---------- 1 file changed, 30 insertions(+), 31 deletions(-) diff --git a/test/access/manager/AccessManager.behavior.js b/test/access/manager/AccessManager.behavior.js index f3e68301713..aab8ae0a420 100644 --- a/test/access/manager/AccessManager.behavior.js +++ b/test/access/manager/AccessManager.behavior.js @@ -11,6 +11,7 @@ const { testAsCanCall, testAsHasRole, } = require('./AccessManager.predicate'); +const { ethers } = require('hardhat'); // ============ ADMIN OPERATION ============ @@ -272,16 +273,15 @@ function shouldBehaveLikeAccessManagerEnumerable() { // Test individual enumeration const memberCount = await this.manager.getRoleMemberCount(ANOTHER_ROLE); - const members = []; - for (let i = 0; i < memberCount; ++i) { - members.push(await this.manager.getRoleMember(ANOTHER_ROLE, i)); - } + const members = Array.from({ length: Number(memberCount) }, (_, i) => + this.manager.getRoleMember(ANOTHER_ROLE, i), + ); expect(memberCount).to.equal(expectedMembers.length); - expect(members).to.deep.equal(expectedMembers); + await expect(Promise.all(members)).to.eventually.deep.equal(expectedMembers); // Test batch enumeration - await expect(this.manager.getRoleMembers(ANOTHER_ROLE, 0, memberCount)).to.eventually.deep.equal( + await expect(this.manager.getRoleMembers(ANOTHER_ROLE, 0, ethers.MaxUint256)).to.eventually.deep.equal( expectedMembers, ); }); @@ -328,27 +328,22 @@ function shouldBehaveLikeAccessManagerEnumerable() { it('target functions can be enumerated', async function () { const roleId = this.roles.SOME.id; const target = this.target; - const selectors = [ - selector('someFunction()'), - selector('anotherFunction(uint256)'), - selector('thirdFunction(address,bool)'), - ]; + const selectors = ['someFunction()', 'anotherFunction(uint256)', 'thirdFunction(address,bool)'].map(selector); await this.manager.connect(this.admin).setTargetFunctionRole(target, selectors, roleId); const functionCount = await this.manager.getRoleTargetFunctionCount(roleId, target); - expect(functionCount).to.equal(selectors.length); + const functions = Array.from({ length: Number(functionCount) }, (_, i) => + this.manager.getRoleTargetFunction(roleId, target, i), + ); - // Test individual enumeration - const functions = []; - for (let i = 0; i < functionCount; ++i) { - functions.push(this.manager.getRoleTargetFunction(roleId, target, i)); - } + expect(functionCount).to.equal(selectors.length); await expect(Promise.all(functions)).to.eventually.have.members(selectors); // Test batch enumeration - const batchFunctions = await this.manager.getRoleTargetFunctions(roleId, target, 0, functionCount); - expect([...batchFunctions]).to.have.members(selectors); + await expect( + this.manager.getRoleTargetFunctions(roleId, target, 0, ethers.MaxUint256), + ).to.eventually.deep.equal(selectors); }); it('target function enumeration updates when roles change', async function () { @@ -381,9 +376,9 @@ function shouldBehaveLikeAccessManagerEnumerable() { // ADMIN_ROLE functions are not tracked await expect(this.manager.getRoleTargetFunctionCount(this.roles.ADMIN.id, target)).to.eventually.equal(0); - await expect(this.manager.getRoleTargetFunctions(this.roles.ADMIN.id, target, 0, 10)).to.eventually.deep.equal( - [], - ); + await expect( + this.manager.getRoleTargetFunctions(this.roles.ADMIN.id, target, 0, ethers.MaxUint256), + ).to.eventually.deep.equal([]); }); it('returns empty for roles with no target functions', async function () { @@ -391,13 +386,15 @@ function shouldBehaveLikeAccessManagerEnumerable() { const target = this.target; await expect(this.manager.getRoleTargetFunctionCount(roleId, target)).to.eventually.equal(0); - await expect(this.manager.getRoleTargetFunctions(roleId, target, 0, 10)).to.eventually.deep.equal([]); + await expect( + this.manager.getRoleTargetFunctions(roleId, target, 0, ethers.MaxUint256), + ).to.eventually.deep.equal([]); }); it('supports partial enumeration of target functions', async function () { const roleId = this.roles.SOME.id; const target = this.target; - const selectors = [selector('func1()'), selector('func2()'), selector('func3()'), selector('func4()')]; + const selectors = ['func1()', 'func2()', 'func3()', 'func4()'].map(selector); await this.manager.connect(this.admin).setTargetFunctionRole(target, selectors, roleId); @@ -406,13 +403,14 @@ function shouldBehaveLikeAccessManagerEnumerable() { // Test partial enumeration const firstTwo = await this.manager.getRoleTargetFunctions(roleId, target, 0, 2); expect(firstTwo).to.have.lengthOf(2); + expect(selectors).to.include.members(firstTwo); const lastTwo = await this.manager.getRoleTargetFunctions(roleId, target, 2, 4); expect(lastTwo).to.have.lengthOf(2); + expect(selectors).to.include.members(firstTwo); // Verify no overlap and complete coverage - const allFunctions = [...firstTwo, ...lastTwo]; - expect(allFunctions).to.have.members(selectors); + expect([].concat(firstTwo, lastTwo)).to.have.members(selectors); }); it('distinguishes between different targets', async function () { @@ -434,11 +432,12 @@ function shouldBehaveLikeAccessManagerEnumerable() { await expect(this.manager.getRoleTargetFunction(roleId, target2, 0)).to.eventually.equal(sel2); // Functions should be isolated per target - const target1Functions = await this.manager.getRoleTargetFunctions(roleId, target1, 0, 1); - const target2Functions = await this.manager.getRoleTargetFunctions(roleId, target2, 0, 1); - - expect(target1Functions).to.deep.equal([sel1]); - expect(target2Functions).to.deep.equal([sel2]); + await expect( + this.manager.getRoleTargetFunctions(roleId, target1, 0, ethers.MaxUint256), + ).to.eventually.deep.equal([sel1]); + await expect( + this.manager.getRoleTargetFunctions(roleId, target2, 0, ethers.MaxUint256), + ).to.eventually.deep.equal([sel2]); }); }); }); From 06052097b69eaf112f1114222b45ed0fa421278f Mon Sep 17 00:00:00 2001 From: ernestognw Date: Thu, 11 Dec 2025 09:52:46 -0600 Subject: [PATCH 14/24] Remove IAccessManagerEnumerable --- contracts/access/README.adoc | 2 - .../extensions/AccessManagerEnumerable.sol | 65 ++++++++++++--- .../extensions/IAccessManagerEnumerable.sol | 83 ------------------- 3 files changed, 55 insertions(+), 95 deletions(-) delete mode 100644 contracts/access/manager/extensions/IAccessManagerEnumerable.sol diff --git a/contracts/access/README.adoc b/contracts/access/README.adoc index ec837cdbd90..36c05e42a9f 100644 --- a/contracts/access/README.adoc +++ b/contracts/access/README.adoc @@ -47,6 +47,4 @@ This directory provides ways to restrict who can access the functions of a contr === Extensions -{{IAccessManagerEnumerable}} - {{AccessManagerEnumerable}} diff --git a/contracts/access/manager/extensions/AccessManagerEnumerable.sol b/contracts/access/manager/extensions/AccessManagerEnumerable.sol index 2d8ec6272f5..acd24f4416c 100644 --- a/contracts/access/manager/extensions/AccessManagerEnumerable.sol +++ b/contracts/access/manager/extensions/AccessManagerEnumerable.sol @@ -2,7 +2,6 @@ pragma solidity ^0.8.24; -import {IAccessManagerEnumerable} from "./IAccessManagerEnumerable.sol"; import {AccessManager} from "../AccessManager.sol"; import {EnumerableSet} from "../../../utils/structs/EnumerableSet.sol"; @@ -14,35 +13,80 @@ import {EnumerableSet} from "../../../utils/structs/EnumerableSet.sol"; * {getRoleTargetFunctions} and {getRoleTargetFunctionCount} functions will return an empty array * and 0 respectively. */ -abstract contract AccessManagerEnumerable is IAccessManagerEnumerable, AccessManager { +abstract contract AccessManagerEnumerable is AccessManager { using EnumerableSet for EnumerableSet.AddressSet; using EnumerableSet for EnumerableSet.Bytes4Set; mapping(uint64 roleId => EnumerableSet.AddressSet) private _roleMembers; mapping(uint64 roleId => mapping(address target => EnumerableSet.Bytes4Set)) private _roleTargetFunctions; - /// @inheritdoc IAccessManagerEnumerable + /** + * @dev Returns one of the accounts that have `roleId`. `index` must be a + * value between 0 and {getRoleMemberCount}, non-inclusive. + * + * Role bearers are not sorted in any particular way, and their ordering may + * change at any point. + * + * WARNING: When using {getRoleMember} and {getRoleMemberCount}, make sure + * you perform all queries on the same block. See the following + * https://forum.openzeppelin.com/t/iterating-over-elements-on-enumerableset-in-openzeppelin-contracts/2296[forum post] + * for more information. + */ function getRoleMember(uint64 roleId, uint256 index) public view virtual returns (address) { return _roleMembers[roleId].at(index); } - /// @inheritdoc IAccessManagerEnumerable + /** + * @dev Returns a range of accounts that have `roleId`. `start` and `end` define the range bounds. + * `start` is inclusive and `end` is exclusive. + * + * Role bearers are not sorted in any particular way, and their ordering may + * change at any point. + * + * WARNING: This operation will copy the entire storage to memory, which can be quite expensive. This is designed + * to mostly be used by view accessors that are queried without any gas fees. Developers should keep in mind that + * this function has an unbounded cost, and using it as part of a state-changing function may render the function + * uncallable if the set grows to a point where copying to memory consumes too much gas to fit in a block. + */ function getRoleMembers(uint64 roleId, uint256 start, uint256 end) public view virtual returns (address[] memory) { return _roleMembers[roleId].values(start, end); } - /// @inheritdoc IAccessManagerEnumerable + /** + * @dev Returns the number of accounts that have `roleId`. Can be used + * together with {getRoleMember} to enumerate all bearers of a role. + */ function getRoleMemberCount(uint64 roleId) public view virtual returns (uint256) { return _roleMembers[roleId].length(); } - /// @inheritdoc IAccessManagerEnumerable + /** + * @dev Returns one of the target function selectors that require `roleId` for the given `target`. + * `index` must be a value between 0 and {getRoleTargetFunctionCount}, non-inclusive. + * + * Target function selectors are not sorted in any particular way, and their ordering may + * change at any point. + * + * WARNING: When using {getRoleTargetFunction} and {getRoleTargetFunctionCount}, make sure + * you perform all queries on the same block. See the following + * https://forum.openzeppelin.com/t/iterating-over-elements-on-enumerableset-in-openzeppelin-contracts/2296[forum post] + * for more information. + */ function getRoleTargetFunction(uint64 roleId, address target, uint256 index) public view virtual returns (bytes4) { return _roleTargetFunctions[roleId][target].at(index); } - /* - * @dev See {IAccessManagerEnumerable-getRoleTargetFunctions} + /** + * @dev Returns a range of target function selectors that require `roleId` for the given `target`. + * `start` and `end` define the range bounds. `start` is inclusive and `end` is exclusive. + * + * Target function selectors are not sorted in any particular way, and their ordering may + * change at any point. + * + * WARNING: This operation will copy the entire storage to memory, which can be quite expensive. This is designed + * to mostly be used by view accessors that are queried without any gas fees. Developers should keep in mind that + * this function has an unbounded cost, and using it as part of a state-changing function may render the function + * uncallable if the set grows to a point where copying to memory consumes too much gas to fit in a block. * * NOTE: Given {ADMIN_ROLE} is the default role for every restricted function, passing {ADMIN_ROLE} as `roleId` will * return an empty array. See {_updateRoleTargetFunction} for more details. @@ -56,8 +100,9 @@ abstract contract AccessManagerEnumerable is IAccessManagerEnumerable, AccessMan return _roleTargetFunctions[roleId][target].values(start, end); } - /* - * @dev See {IAccessManagerEnumerable-getRoleTargetFunctionCount} + /** + * @dev Returns the number of target function selectors that require `roleId` for the given `target`. + * Can be used together with {getRoleTargetFunction} to enumerate all target functions for a role on a specific target. * * NOTE: Given {ADMIN_ROLE} is the default role for every restricted function, passing {ADMIN_ROLE} as `roleId` will * return 0. See {_updateRoleTargetFunction} for more details. diff --git a/contracts/access/manager/extensions/IAccessManagerEnumerable.sol b/contracts/access/manager/extensions/IAccessManagerEnumerable.sol deleted file mode 100644 index d5561f2c4d7..00000000000 --- a/contracts/access/manager/extensions/IAccessManagerEnumerable.sol +++ /dev/null @@ -1,83 +0,0 @@ -// SPDX-License-Identifier: MIT - -pragma solidity >=0.8.4; - -import {IAccessManager} from "../IAccessManager.sol"; - -/** - * @dev External interface of AccessManagerEnumerable. - */ -interface IAccessManagerEnumerable is IAccessManager { - /** - * @dev Returns one of the accounts that have `roleId`. `index` must be a - * value between 0 and {getRoleMemberCount}, non-inclusive. - * - * Role bearers are not sorted in any particular way, and their ordering may - * change at any point. - * - * WARNING: When using {getRoleMember} and {getRoleMemberCount}, make sure - * you perform all queries on the same block. See the following - * https://forum.openzeppelin.com/t/iterating-over-elements-on-enumerableset-in-openzeppelin-contracts/2296[forum post] - * for more information. - */ - function getRoleMember(uint64 roleId, uint256 index) external view returns (address); - - /** - * @dev Returns a range of accounts that have `roleId`. `start` and `end` define the range bounds. - * `start` is inclusive and `end` is exclusive. - * - * Role bearers are not sorted in any particular way, and their ordering may - * change at any point. - * - * WARNING: This operation will copy the entire storage to memory, which can be quite expensive. This is designed - * to mostly be used by view accessors that are queried without any gas fees. Developers should keep in mind that - * this function has an unbounded cost, and using it as part of a state-changing function may render the function - * uncallable if the set grows to a point where copying to memory consumes too much gas to fit in a block. - */ - function getRoleMembers(uint64 roleId, uint256 start, uint256 end) external view returns (address[] memory); - - /** - * @dev Returns the number of accounts that have `roleId`. Can be used - * together with {getRoleMember} to enumerate all bearers of a role. - */ - function getRoleMemberCount(uint64 roleId) external view returns (uint256); - - /** - * @dev Returns one of the target function selectors that require `roleId` for the given `target`. - * `index` must be a value between 0 and {getRoleTargetFunctionCount}, non-inclusive. - * - * Target function selectors are not sorted in any particular way, and their ordering may - * change at any point. - * - * WARNING: When using {getRoleTargetFunction} and {getRoleTargetFunctionCount}, make sure - * you perform all queries on the same block. See the following - * https://forum.openzeppelin.com/t/iterating-over-elements-on-enumerableset-in-openzeppelin-contracts/2296[forum post] - * for more information. - */ - function getRoleTargetFunction(uint64 roleId, address target, uint256 index) external view returns (bytes4); - - /** - * @dev Returns a range of target function selectors that require `roleId` for the given `target`. - * `start` and `end` define the range bounds. `start` is inclusive and `end` is exclusive. - * - * Target function selectors are not sorted in any particular way, and their ordering may - * change at any point. - * - * WARNING: This operation will copy the entire storage to memory, which can be quite expensive. This is designed - * to mostly be used by view accessors that are queried without any gas fees. Developers should keep in mind that - * this function has an unbounded cost, and using it as part of a state-changing function may render the function - * uncallable if the set grows to a point where copying to memory consumes too much gas to fit in a block. - */ - function getRoleTargetFunctions( - uint64 roleId, - address target, - uint256 start, - uint256 end - ) external view returns (bytes4[] memory); - - /** - * @dev Returns the number of target function selectors that require `roleId` for the given `target`. - * Can be used together with {getRoleTargetFunction} to enumerate all target functions for a role on a specific target. - */ - function getRoleTargetFunctionCount(uint64 roleId, address target) external view returns (uint256); -} From a133fc08169a10fda1948f5db617b1ca250f73ab Mon Sep 17 00:00:00 2001 From: ernestognw Date: Thu, 11 Dec 2025 09:53:48 -0600 Subject: [PATCH 15/24] up --- docs/modules/ROOT/pages/access-control.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/modules/ROOT/pages/access-control.adoc b/docs/modules/ROOT/pages/access-control.adoc index 4ac4e4e480f..a7c9f89be40 100644 --- a/docs/modules/ROOT/pages/access-control.adoc +++ b/docs/modules/ROOT/pages/access-control.adoc @@ -303,7 +303,7 @@ for (let i = 0; i < minterCount; ++i) { } // Or get all members at once -const allMembers = await accessManager.getRoleMembers(MINTER_ROLE, 0, minterCount); +const allMembers = await accessManager.getRoleMembers(MINTER_ROLE, 0, ethers.MaxUint256); // Enumerate target functions for a role const target = await myToken.getAddress(); @@ -315,7 +315,7 @@ for (let i = 0; i < functionCount; ++i) { } // Or get all functions at once -const allFunctions = await accessManager.getRoleTargetFunctions(MINTER_ROLE, target, 0, functionCount); +const allFunctions = await accessManager.getRoleTargetFunctions(MINTER_ROLE, target, 0, ethers.MaxUint256); ``` Note that target function enumeration is organized per target contract, allowing you to query which functions a role can access on each specific target separately. This provides fine-grained visibility into the permission structure across your entire system of managed contracts. From 698f9489beaf05c69306c27bef385076784f841f Mon Sep 17 00:00:00 2001 From: ernestognw Date: Thu, 11 Dec 2025 10:27:58 -0600 Subject: [PATCH 16/24] Run AccessManager tests for AccessManagerEnumerable --- test/access/manager/AccessManager.behavior.js | 2409 +++++++++++++++- test/access/manager/AccessManager.test.js | 2436 +---------------- .../AccessManagerEnumerable.test.js | 5 +- 3 files changed, 2413 insertions(+), 2437 deletions(-) diff --git a/test/access/manager/AccessManager.behavior.js b/test/access/manager/AccessManager.behavior.js index aab8ae0a420..b71e2d457ac 100644 --- a/test/access/manager/AccessManager.behavior.js +++ b/test/access/manager/AccessManager.behavior.js @@ -10,8 +10,23 @@ const { testAsDelayedOperation, testAsCanCall, testAsHasRole, + testAsClosable, + testAsDelay, + testAsGetAccess, } = require('./AccessManager.predicate'); +const { + formatAccess, + EXPIRATION, + MINSETBACK, + EXECUTION_ID_STORAGE_SLOT, + CONSUMING_SCHEDULE_STORAGE_SLOT, + prepareOperation, + hashOperation, +} = require('../../helpers/access-manager'); +const { impersonate } = require('../../helpers/account'); +const { MAX_UINT48 } = require('../../helpers/constants'); const { ethers } = require('hardhat'); +const time = require('../../helpers/time'); // ============ ADMIN OPERATION ============ @@ -250,10 +265,2401 @@ function shouldBehaveLikeASelfRestrictedOperation() { }); } +// ============ ACCESS MANAGER ============ + +/** + * This test suite is made using the following tools: + * + * * Predicates: Functions with common conditional setups without assertions. + * * Behaviors: Functions with common assertions. + * + * The behavioral tests are built by composing predicates and are used as templates + * for testing access to restricted functions. + * + * Similarly, unit tests in this suite will use predicates to test subsets of these + * behaviors and are helped by common assertions provided for some of the predicates. + * + * The predicates can be identified by the `testAs*` prefix while the behaviors + * are prefixed with `shouldBehave*`. The common assertions for predicates are + * defined as constants. + * + * @requires this.{admin,roleAdmin,user,other,roles,manager,target} + */ +function shouldBehaveLikeAccessManager() { + describe('during construction', function () { + it('grants admin role to initialAdmin', async function () { + const manager = await ethers.deployContract('$AccessManager', [this.other]); + await expect(manager.hasRole(this.roles.ADMIN.id, this.other).then(formatAccess)).to.eventually.be.deep.equal([ + true, + '0', + ]); + }); + + it('rejects zero address for initialAdmin', async function () { + await expect(ethers.deployContract('$AccessManager', [ethers.ZeroAddress])) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerInvalidInitialAdmin') + .withArgs(ethers.ZeroAddress); + }); + + it('initializes setup roles correctly', async function () { + for (const { id: roleId, admin, guardian, members } of Object.values(this.roles)) { + await expect(this.manager.getRoleAdmin(roleId)).to.eventually.equal(admin.id); + await expect(this.manager.getRoleGuardian(roleId)).to.eventually.equal(guardian.id); + + for (const user of this.roles.PUBLIC.members) { + await expect(this.manager.hasRole(roleId, user).then(formatAccess)).to.eventually.be.deep.equal([ + members.includes(user), + '0', + ]); + } + } + }); + }); + + describe('getters', function () { + describe('#canCall', function () { + beforeEach('set calldata', function () { + this.calldata = '0x12345678'; + this.role = { id: 379204n }; + }); + + testAsCanCall({ + closed() { + it('should return false and no delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.other, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.false; + expect(delay).to.equal(0n); + }); + }, + open: { + callerIsTheManager: { + executing() { + it('should return true and no delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.true; + expect(delay).to.equal(0n); + }); + }, + notExecuting() { + it('should return false and no delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.false; + expect(delay).to.equal(0n); + }); + }, + }, + callerIsNotTheManager: { + publicRoleIsRequired() { + it('should return true and no delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.true; + expect(delay).to.equal(0n); + }); + }, + specificRoleIsRequired: { + requiredRoleIsGranted: { + roleGrantingIsDelayed: { + callerHasAnExecutionDelay: { + beforeGrantDelay: function self() { + self.mineDelay = true; + + it('should return false and no execution delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.false; + expect(delay).to.equal(0n); + }); + }, + afterGrantDelay: function self() { + self.mineDelay = true; + + beforeEach('sets execution delay', function () { + this.scheduleIn = this.executionDelay; // For testAsSchedulableOperation + }); + + testAsSchedulableOperation({ + scheduled: { + before: function self() { + self.mineDelay = true; + + it('should return false and execution delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.false; + expect(delay).to.equal(this.executionDelay); + }); + }, + after: function self() { + self.mineDelay = true; + + it('should return false and execution delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.false; + expect(delay).to.equal(this.executionDelay); + }); + }, + expired: function self() { + self.mineDelay = true; + + it('should return false and execution delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.false; + expect(delay).to.equal(this.executionDelay); + }); + }, + }, + notScheduled() { + it('should return false and execution delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.false; + expect(delay).to.equal(this.executionDelay); + }); + }, + }); + }, + }, + callerHasNoExecutionDelay: { + beforeGrantDelay: function self() { + self.mineDelay = true; + + it('should return false and no execution delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.false; + expect(delay).to.equal(0n); + }); + }, + afterGrantDelay: function self() { + self.mineDelay = true; + + it('should return true and no execution delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.true; + expect(delay).to.equal(0n); + }); + }, + }, + }, + roleGrantingIsNotDelayed: { + callerHasAnExecutionDelay() { + it('should return false and execution delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.false; + expect(delay).to.equal(this.executionDelay); + }); + }, + callerHasNoExecutionDelay() { + it('should return true and no execution delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.true; + expect(delay).to.equal(0n); + }); + }, + }, + }, + requiredRoleIsNotGranted() { + it('should return false and no execution delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.false; + expect(delay).to.equal(0n); + }); + }, + }, + }, + }, + }); + }); + + describe('#expiration', function () { + it('has a 7 days default expiration', async function () { + await expect(this.manager.expiration()).to.eventually.equal(EXPIRATION); + }); + }); + + describe('#minSetback', function () { + it('has a 5 days default minimum setback', async function () { + await expect(this.manager.minSetback()).to.eventually.equal(MINSETBACK); + }); + }); + + describe('#isTargetClosed', function () { + testAsClosable({ + closed() { + it('returns true', async function () { + await expect(this.manager.isTargetClosed(this.target)).to.eventually.be.true; + }); + }, + open() { + it('returns false', async function () { + await expect(this.manager.isTargetClosed(this.target)).to.eventually.be.false; + }); + }, + }); + }); + + describe('#getTargetFunctionRole', function () { + const methodSelector = selector('something(address,bytes)'); + + it('returns the target function role', async function () { + const roleId = 21498n; + await this.manager.$_setTargetFunctionRole(this.target, methodSelector, roleId); + + await expect(this.manager.getTargetFunctionRole(this.target, methodSelector)).to.eventually.equal(roleId); + }); + + it('returns the ADMIN role if not set', async function () { + await expect(this.manager.getTargetFunctionRole(this.target, methodSelector)).to.eventually.equal( + this.roles.ADMIN.id, + ); + }); + }); + + describe('#getTargetAdminDelay', function () { + describe('when the target admin delay is setup', function () { + beforeEach('set target admin delay', async function () { + this.oldDelay = await this.manager.getTargetAdminDelay(this.target); + this.newDelay = time.duration.days(10); + + await this.manager.$_setTargetAdminDelay(this.target, this.newDelay); + this.delay = MINSETBACK; // For testAsDelay + }); + + testAsDelay('effect', { + before: function self() { + self.mineDelay = true; + + it('returns the old target admin delay', async function () { + await expect(this.manager.getTargetAdminDelay(this.target)).to.eventually.equal(this.oldDelay); + }); + }, + after: function self() { + self.mineDelay = true; + + it('returns the new target admin delay', async function () { + await expect(this.manager.getTargetAdminDelay(this.target)).to.eventually.equal(this.newDelay); + }); + }, + }); + }); + + it('returns the 0 if not set', async function () { + await expect(this.manager.getTargetAdminDelay(this.target)).to.eventually.equal(0n); + }); + }); + + describe('#getRoleAdmin', function () { + const roleId = 5234907n; + + it('returns the role admin', async function () { + const adminId = 789433n; + + await this.manager.$_setRoleAdmin(roleId, adminId); + + await expect(this.manager.getRoleAdmin(roleId)).to.eventually.equal(adminId); + }); + + it('returns the ADMIN role if not set', async function () { + await expect(this.manager.getRoleAdmin(roleId)).to.eventually.equal(this.roles.ADMIN.id); + }); + }); + + describe('#getRoleGuardian', function () { + const roleId = 5234907n; + + it('returns the role guardian', async function () { + const guardianId = 789433n; + + await this.manager.$_setRoleGuardian(roleId, guardianId); + + await expect(this.manager.getRoleGuardian(roleId)).to.eventually.equal(guardianId); + }); + + it('returns the ADMIN role if not set', async function () { + await expect(this.manager.getRoleGuardian(roleId)).to.eventually.equal(this.roles.ADMIN.id); + }); + }); + + describe('#getRoleGrantDelay', function () { + const roleId = 9248439n; + + describe('when the grant admin delay is setup', function () { + beforeEach('set grant admin delay', async function () { + this.oldDelay = await this.manager.getRoleGrantDelay(roleId); + this.newDelay = time.duration.days(11); + + await this.manager.$_setGrantDelay(roleId, this.newDelay); + this.delay = MINSETBACK; // For testAsDelay + }); + + testAsDelay('grant', { + before: function self() { + self.mineDelay = true; + + it('returns the old role grant delay', async function () { + await expect(this.manager.getRoleGrantDelay(roleId)).to.eventually.equal(this.oldDelay); + }); + }, + after: function self() { + self.mineDelay = true; + + it('returns the new role grant delay', async function () { + await expect(this.manager.getRoleGrantDelay(roleId)).to.eventually.equal(this.newDelay); + }); + }, + }); + }); + + it('returns 0 if delay is not set', async function () { + await expect(this.manager.getTargetAdminDelay(this.target)).to.eventually.equal(0n); + }); + }); + + describe('#getAccess', function () { + beforeEach('set role', function () { + this.role = { id: 9452n }; + this.caller = this.user; + }); + + testAsGetAccess({ + requiredRoleIsGranted: { + roleGrantingIsDelayed: { + callerHasAnExecutionDelay: { + beforeGrantDelay: function self() { + self.mineDelay = true; + + it('role is not in effect and execution delay is set', async function () { + const access = await this.manager.getAccess(this.role.id, this.caller); + expect(access[0]).to.equal(this.delayEffect); // inEffectSince + expect(access[1]).to.equal(this.executionDelay); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Not in effect yet + await expect(time.clock.timestamp()).to.eventually.be.below(access[0]); + }); + }, + afterGrantDelay: function self() { + self.mineDelay = true; + + it('access has role in effect and execution delay is set', async function () { + const access = await this.manager.getAccess(this.role.id, this.caller); + + expect(access[0]).to.equal(this.delayEffect); // inEffectSince + expect(access[1]).to.equal(this.executionDelay); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Already in effect + await expect(time.clock.timestamp()).to.eventually.equal(access[0]); + }); + }, + }, + callerHasNoExecutionDelay: { + beforeGrantDelay: function self() { + self.mineDelay = true; + + it('access has role not in effect without execution delay', async function () { + const access = await this.manager.getAccess(this.role.id, this.caller); + expect(access[0]).to.equal(this.delayEffect); // inEffectSince + expect(access[1]).to.equal(0n); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Not in effect yet + await expect(time.clock.timestamp()).to.eventually.be.below(access[0]); + }); + }, + afterGrantDelay: function self() { + self.mineDelay = true; + + it('role is in effect without execution delay', async function () { + const access = await this.manager.getAccess(this.role.id, this.caller); + expect(access[0]).to.equal(this.delayEffect); // inEffectSince + expect(access[1]).to.equal(0n); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Already in effect + await expect(time.clock.timestamp()).to.eventually.equal(access[0]); + }); + }, + }, + }, + roleGrantingIsNotDelayed: { + callerHasAnExecutionDelay() { + it('access has role in effect and execution delay is set', async function () { + const access = await this.manager.getAccess(this.role.id, this.caller); + expect(access[0]).to.equal(await time.clock.timestamp()); // inEffectSince + expect(access[1]).to.equal(this.executionDelay); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Already in effect + await expect(time.clock.timestamp()).to.eventually.equal(access[0]); + }); + }, + callerHasNoExecutionDelay() { + it('access has role in effect without execution delay', async function () { + const access = await this.manager.getAccess(this.role.id, this.caller); + expect(access[0]).to.equal(await time.clock.timestamp()); // inEffectSince + expect(access[1]).to.equal(0n); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Already in effect + await expect(time.clock.timestamp()).to.eventually.equal(access[0]); + }); + }, + }, + }, + requiredRoleIsNotGranted() { + it('has empty access', async function () { + const access = await this.manager.getAccess(this.role.id, this.caller); + expect(access[0]).to.equal(0n); // inEffectSince + expect(access[1]).to.equal(0n); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + }); + }, + }); + }); + + describe('#hasRole', function () { + beforeEach('setup testAsHasRole', function () { + this.role = { id: 49832n }; + this.calldata = '0x12345678'; + this.caller = this.user; + }); + + testAsHasRole({ + publicRoleIsRequired() { + it('has PUBLIC role', async function () { + const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); + expect(isMember).to.be.true; + expect(executionDelay).to.equal('0'); + }); + }, + specificRoleIsRequired: { + requiredRoleIsGranted: { + roleGrantingIsDelayed: { + callerHasAnExecutionDelay: { + beforeGrantDelay: function self() { + self.mineDelay = true; + + it('does not have role but execution delay', async function () { + const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); + expect(isMember).to.be.false; + expect(executionDelay).to.equal(this.executionDelay); + }); + }, + afterGrantDelay: function self() { + self.mineDelay = true; + + it('has role and execution delay', async function () { + const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); + expect(isMember).to.be.true; + expect(executionDelay).to.equal(this.executionDelay); + }); + }, + }, + callerHasNoExecutionDelay: { + beforeGrantDelay: function self() { + self.mineDelay = true; + + it('does not have role nor execution delay', async function () { + const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); + expect(isMember).to.be.false; + expect(executionDelay).to.equal('0'); + }); + }, + afterGrantDelay: function self() { + self.mineDelay = true; + + it('has role and no execution delay', async function () { + const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); + expect(isMember).to.be.true; + expect(executionDelay).to.equal('0'); + }); + }, + }, + }, + roleGrantingIsNotDelayed: { + callerHasAnExecutionDelay() { + it('has role and execution delay', async function () { + const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); + expect(isMember).to.be.true; + expect(executionDelay).to.equal(this.executionDelay); + }); + }, + callerHasNoExecutionDelay() { + it('has role and no execution delay', async function () { + const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); + expect(isMember).to.be.true; + expect(executionDelay).to.equal('0'); + }); + }, + }, + }, + requiredRoleIsNotGranted() { + it('has no role and no execution delay', async function () { + const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); + expect(isMember).to.be.false; + expect(executionDelay).to.equal('0'); + }); + }, + }, + }); + }); + + describe('#getSchedule', function () { + beforeEach('set role and calldata', async function () { + const fnRestricted = this.target.fnRestricted.getFragment().selector; + this.caller = this.user; + this.role = { id: 493590n }; + await this.manager.$_setTargetFunctionRole(this.target, fnRestricted, this.role.id); + await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // nonzero execution delay + + this.calldata = this.target.interface.encodeFunctionData(fnRestricted, []); + this.scheduleIn = time.duration.days(10); // For testAsSchedulableOperation + }); + + testAsSchedulableOperation({ + scheduled: { + before: function self() { + self.mineDelay = true; + + it('returns schedule in the future', async function () { + const schedule = await this.manager.getSchedule(this.operationId); + expect(schedule).to.equal(this.scheduledAt + this.scheduleIn); + expect(schedule).to.gt(await time.clock.timestamp()); + }); + }, + after: function self() { + self.mineDelay = true; + + it('returns schedule', async function () { + const schedule = await this.manager.getSchedule(this.operationId); + expect(schedule).to.equal(this.scheduledAt + this.scheduleIn); + expect(schedule).to.equal(await time.clock.timestamp()); + }); + }, + expired: function self() { + self.mineDelay = true; + + it('returns 0', async function () { + await expect(this.manager.getSchedule(this.operationId)).to.eventually.equal(0n); + }); + }, + }, + notScheduled() { + it('defaults to 0', async function () { + await expect(this.manager.getSchedule(this.operationId)).to.eventually.equal(0n); + }); + }, + }); + }); + + describe('#getNonce', function () { + describe('when operation is scheduled', function () { + beforeEach('schedule operation', async function () { + const fnRestricted = this.target.fnRestricted.getFragment().selector; + this.caller = this.user; + this.role = { id: 4209043n }; + await this.manager.$_setTargetFunctionRole(this.target, fnRestricted, this.role.id); + await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // nonzero execution delay + + this.calldata = this.target.interface.encodeFunctionData(fnRestricted, []); + this.delay = time.duration.days(10); + + const { operationId, schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + await schedule(); + this.operationId = operationId; + }); + + it('returns nonce', async function () { + await expect(this.manager.getNonce(this.operationId)).to.eventually.equal(1n); + }); + }); + + describe('when is not scheduled', function () { + it('returns default 0', async function () { + await expect(this.manager.getNonce(ethers.id('operation'))).to.eventually.equal(0n); + }); + }); + }); + + describe('#hashOperation', function () { + it('returns an operationId', async function () { + const args = [this.user, this.other, '0x123543']; + await expect(this.manager.hashOperation(...args)).to.eventually.equal(hashOperation(...args)); + }); + }); + }); + + describe('admin operations', function () { + beforeEach('set required role', function () { + this.role = this.roles.ADMIN; + }); + + describe('subject to a delay', function () { + describe('#labelRole', function () { + describe('restrictions', function () { + beforeEach('set method and args', function () { + const args = [123443, 'TEST']; + const method = this.manager.interface.getFunction('labelRole(uint64,string)'); + this.calldata = this.manager.interface.encodeFunctionData(method, args); + }); + + shouldBehaveLikeDelayedAdminOperation(); + }); + + it('emits an event with the label', async function () { + await expect(this.manager.connect(this.admin).labelRole(this.roles.SOME.id, 'Some label')) + .to.emit(this.manager, 'RoleLabel') + .withArgs(this.roles.SOME.id, 'Some label'); + }); + + it('updates label on a second call', async function () { + await this.manager.connect(this.admin).labelRole(this.roles.SOME.id, 'Some label'); + + await expect(this.manager.connect(this.admin).labelRole(this.roles.SOME.id, 'Updated label')) + .to.emit(this.manager, 'RoleLabel') + .withArgs(this.roles.SOME.id, 'Updated label'); + }); + + it('reverts labeling PUBLIC_ROLE', async function () { + await expect(this.manager.connect(this.admin).labelRole(this.roles.PUBLIC.id, 'Some label')) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') + .withArgs(this.roles.PUBLIC.id); + }); + + it('reverts labeling ADMIN_ROLE', async function () { + await expect(this.manager.connect(this.admin).labelRole(this.roles.ADMIN.id, 'Some label')) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') + .withArgs(this.roles.ADMIN.id); + }); + }); + + describe('#setRoleAdmin', function () { + describe('restrictions', function () { + beforeEach('set method and args', function () { + const args = [93445, 84532]; + const method = this.manager.interface.getFunction('setRoleAdmin(uint64,uint64)'); + this.calldata = this.manager.interface.encodeFunctionData(method, args); + }); + + shouldBehaveLikeDelayedAdminOperation(); + }); + + it("sets any role's admin if called by an admin", async function () { + await expect(this.manager.getRoleAdmin(this.roles.SOME.id)).to.eventually.equal(this.roles.SOME_ADMIN.id); + + await expect(this.manager.connect(this.admin).setRoleAdmin(this.roles.SOME.id, this.roles.ADMIN.id)) + .to.emit(this.manager, 'RoleAdminChanged') + .withArgs(this.roles.SOME.id, this.roles.ADMIN.id); + + await expect(this.manager.getRoleAdmin(this.roles.SOME.id)).to.eventually.equal(this.roles.ADMIN.id); + }); + + it('reverts setting PUBLIC_ROLE admin', async function () { + await expect(this.manager.connect(this.admin).setRoleAdmin(this.roles.PUBLIC.id, this.roles.ADMIN.id)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') + .withArgs(this.roles.PUBLIC.id); + }); + + it('reverts setting ADMIN_ROLE admin', async function () { + await expect(this.manager.connect(this.admin).setRoleAdmin(this.roles.ADMIN.id, this.roles.ADMIN.id)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') + .withArgs(this.roles.ADMIN.id); + }); + }); + + describe('#setRoleGuardian', function () { + describe('restrictions', function () { + beforeEach('set method and args', function () { + const args = [93445, 84532]; + const method = this.manager.interface.getFunction('setRoleGuardian(uint64,uint64)'); + this.calldata = this.manager.interface.encodeFunctionData(method, args); + }); + + shouldBehaveLikeDelayedAdminOperation(); + }); + + it("sets any role's guardian if called by an admin", async function () { + await expect(this.manager.getRoleGuardian(this.roles.SOME.id)).to.eventually.equal( + this.roles.SOME_GUARDIAN.id, + ); + + await expect(this.manager.connect(this.admin).setRoleGuardian(this.roles.SOME.id, this.roles.ADMIN.id)) + .to.emit(this.manager, 'RoleGuardianChanged') + .withArgs(this.roles.SOME.id, this.roles.ADMIN.id); + + await expect(this.manager.getRoleGuardian(this.roles.SOME.id)).to.eventually.equal(this.roles.ADMIN.id); + }); + + it('reverts setting PUBLIC_ROLE admin', async function () { + await expect(this.manager.connect(this.admin).setRoleGuardian(this.roles.PUBLIC.id, this.roles.ADMIN.id)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') + .withArgs(this.roles.PUBLIC.id); + }); + + it('reverts setting ADMIN_ROLE admin', async function () { + await expect(this.manager.connect(this.admin).setRoleGuardian(this.roles.ADMIN.id, this.roles.ADMIN.id)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') + .withArgs(this.roles.ADMIN.id); + }); + }); + + describe('#setGrantDelay', function () { + describe('restrictions', function () { + beforeEach('set method and args', function () { + const args = [984910, time.duration.days(2)]; + const method = this.manager.interface.getFunction('setGrantDelay(uint64,uint32)'); + this.calldata = this.manager.interface.encodeFunctionData(method, args); + }); + + shouldBehaveLikeDelayedAdminOperation(); + }); + + it('reverts setting grant delay for the PUBLIC_ROLE', async function () { + await expect(this.manager.connect(this.admin).setGrantDelay(this.roles.PUBLIC.id, 69n)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') + .withArgs(this.roles.PUBLIC.id); + }); + + describe('when increasing the delay', function () { + const oldDelay = 10n; + const newDelay = 100n; + + beforeEach('sets old delay', async function () { + this.role = this.roles.SOME; + await this.manager.$_setGrantDelay(this.role.id, oldDelay); + await time.increaseBy.timestamp(MINSETBACK); + await expect(this.manager.getRoleGrantDelay(this.role.id)).to.eventually.equal(oldDelay); + }); + + it('increases the delay after minsetback', async function () { + const txResponse = await this.manager.connect(this.admin).setGrantDelay(this.role.id, newDelay); + const setGrantDelayAt = await time.clockFromReceipt.timestamp(txResponse); + await expect(txResponse) + .to.emit(this.manager, 'RoleGrantDelayChanged') + .withArgs(this.role.id, newDelay, setGrantDelayAt + MINSETBACK); + + await expect(this.manager.getRoleGrantDelay(this.role.id)).to.eventually.equal(oldDelay); + await time.increaseBy.timestamp(MINSETBACK); + await expect(this.manager.getRoleGrantDelay(this.role.id)).to.eventually.equal(newDelay); + }); + }); + + describe('when reducing the delay', function () { + const oldDelay = time.duration.days(10); + + beforeEach('sets old delay', async function () { + this.role = this.roles.SOME; + await this.manager.$_setGrantDelay(this.role.id, oldDelay); + await time.increaseBy.timestamp(MINSETBACK); + await expect(this.manager.getRoleGrantDelay(this.role.id)).to.eventually.equal(oldDelay); + }); + + describe('when the delay difference is shorter than minimum setback', function () { + const newDelay = oldDelay - 1n; + + it('increases the delay after minsetback', async function () { + const txResponse = await this.manager.connect(this.admin).setGrantDelay(this.role.id, newDelay); + const setGrantDelayAt = await time.clockFromReceipt.timestamp(txResponse); + await expect(txResponse) + .to.emit(this.manager, 'RoleGrantDelayChanged') + .withArgs(this.role.id, newDelay, setGrantDelayAt + MINSETBACK); + + await expect(this.manager.getRoleGrantDelay(this.role.id)).to.eventually.equal(oldDelay); + await time.increaseBy.timestamp(MINSETBACK); + await expect(this.manager.getRoleGrantDelay(this.role.id)).to.eventually.equal(newDelay); + }); + }); + + describe('when the delay difference is longer than minimum setback', function () { + const newDelay = 1n; + + beforeEach('assert delay difference is higher than minsetback', function () { + expect(oldDelay - newDelay).to.gt(MINSETBACK); + }); + + it('increases the delay after delay difference', async function () { + const setback = oldDelay - newDelay; + + const txResponse = await this.manager.connect(this.admin).setGrantDelay(this.role.id, newDelay); + const setGrantDelayAt = await time.clockFromReceipt.timestamp(txResponse); + + await expect(txResponse) + .to.emit(this.manager, 'RoleGrantDelayChanged') + .withArgs(this.role.id, newDelay, setGrantDelayAt + setback); + + await expect(this.manager.getRoleGrantDelay(this.role.id)).to.eventually.equal(oldDelay); + await time.increaseBy.timestamp(setback); + await expect(this.manager.getRoleGrantDelay(this.role.id)).to.eventually.equal(newDelay); + }); + }); + }); + }); + + describe('#setTargetAdminDelay', function () { + describe('restrictions', function () { + beforeEach('set method and args', function () { + const args = [this.other.address, time.duration.days(3)]; + const method = this.manager.interface.getFunction('setTargetAdminDelay(address,uint32)'); + this.calldata = this.manager.interface.encodeFunctionData(method, args); + }); + + shouldBehaveLikeDelayedAdminOperation(); + }); + + describe('when increasing the delay', function () { + const oldDelay = time.duration.days(10); + const newDelay = time.duration.days(11); + + beforeEach('sets old delay', async function () { + await this.manager.$_setTargetAdminDelay(this.other, oldDelay); + await time.increaseBy.timestamp(MINSETBACK); + await expect(this.manager.getTargetAdminDelay(this.other)).to.eventually.equal(oldDelay); + }); + + it('increases the delay after minsetback', async function () { + const txResponse = await this.manager.connect(this.admin).setTargetAdminDelay(this.other, newDelay); + const setTargetAdminDelayAt = await time.clockFromReceipt.timestamp(txResponse); + await expect(txResponse) + .to.emit(this.manager, 'TargetAdminDelayUpdated') + .withArgs(this.other, newDelay, setTargetAdminDelayAt + MINSETBACK); + + await expect(this.manager.getTargetAdminDelay(this.other)).to.eventually.equal(oldDelay); + await time.increaseBy.timestamp(MINSETBACK); + await expect(this.manager.getTargetAdminDelay(this.other)).to.eventually.equal(newDelay); + }); + }); + + describe('when reducing the delay', function () { + const oldDelay = time.duration.days(10); + + beforeEach('sets old delay', async function () { + await this.manager.$_setTargetAdminDelay(this.other, oldDelay); + await time.increaseBy.timestamp(MINSETBACK); + await expect(this.manager.getTargetAdminDelay(this.other)).to.eventually.equal(oldDelay); + }); + + describe('when the delay difference is shorter than minimum setback', function () { + const newDelay = oldDelay - 1n; + + it('increases the delay after minsetback', async function () { + const txResponse = await this.manager.connect(this.admin).setTargetAdminDelay(this.other, newDelay); + const setTargetAdminDelayAt = await time.clockFromReceipt.timestamp(txResponse); + await expect(txResponse) + .to.emit(this.manager, 'TargetAdminDelayUpdated') + .withArgs(this.other, newDelay, setTargetAdminDelayAt + MINSETBACK); + + await expect(this.manager.getTargetAdminDelay(this.other)).to.eventually.equal(oldDelay); + await time.increaseBy.timestamp(MINSETBACK); + await expect(this.manager.getTargetAdminDelay(this.other)).to.eventually.equal(newDelay); + }); + }); + + describe('when the delay difference is longer than minimum setback', function () { + const newDelay = 1n; + + beforeEach('assert delay difference is higher than minsetback', function () { + expect(oldDelay - newDelay).to.gt(MINSETBACK); + }); + + it('increases the delay after delay difference', async function () { + const setback = oldDelay - newDelay; + + const txResponse = await this.manager.connect(this.admin).setTargetAdminDelay(this.other, newDelay); + const setTargetAdminDelayAt = await time.clockFromReceipt.timestamp(txResponse); + + await expect(txResponse) + .to.emit(this.manager, 'TargetAdminDelayUpdated') + .withArgs(this.other, newDelay, setTargetAdminDelayAt + setback); + + await expect(this.manager.getTargetAdminDelay(this.other)).to.eventually.equal(oldDelay); + await time.increaseBy.timestamp(setback); + await expect(this.manager.getTargetAdminDelay(this.other)).to.eventually.equal(newDelay); + }); + }); + }); + }); + }); + + describe('not subject to a delay', function () { + describe('#updateAuthority', function () { + beforeEach('create a target and a new authority', async function () { + this.newAuthority = await ethers.deployContract('$AccessManager', [this.admin]); + this.newManagedTarget = await ethers.deployContract('$AccessManagedTarget', [this.manager]); + }); + + describe('restrictions', function () { + beforeEach('set method and args', function () { + this.calldata = this.manager.interface.encodeFunctionData('updateAuthority(address,address)', [ + this.newManagedTarget.target, + this.newAuthority.target, + ]); + }); + + shouldBehaveLikeNotDelayedAdminOperation(); + }); + + it('changes the authority', async function () { + await expect(this.newManagedTarget.authority()).to.eventually.equal(this.manager); + + await expect(this.manager.connect(this.admin).updateAuthority(this.newManagedTarget, this.newAuthority)) + .to.emit(this.newManagedTarget, 'AuthorityUpdated') // Managed contract is responsible of notifying the change through an event + .withArgs(this.newAuthority); + + await expect(this.newManagedTarget.authority()).to.eventually.equal(this.newAuthority); + }); + }); + + describe('#setTargetClosed', function () { + describe('restrictions', function () { + beforeEach('set method and args', function () { + const args = [this.other.address, true]; + const method = this.manager.interface.getFunction('setTargetClosed(address,bool)'); + this.calldata = this.manager.interface.encodeFunctionData(method, args); + }); + + shouldBehaveLikeNotDelayedAdminOperation(); + }); + + it('closes and opens a target', async function () { + await expect(this.manager.connect(this.admin).setTargetClosed(this.target, true)) + .to.emit(this.manager, 'TargetClosed') + .withArgs(this.target, true); + await expect(this.manager.isTargetClosed(this.target)).to.eventually.be.true; + + await expect(this.manager.connect(this.admin).setTargetClosed(this.target, false)) + .to.emit(this.manager, 'TargetClosed') + .withArgs(this.target, false); + await expect(this.manager.isTargetClosed(this.target)).to.eventually.be.false; + }); + + describe('when the target is the manager', async function () { + it('closes and opens the manager', async function () { + await expect(this.manager.connect(this.admin).setTargetClosed(this.manager, true)) + .to.emit(this.manager, 'TargetClosed') + .withArgs(this.manager, true); + await expect(this.manager.isTargetClosed(this.manager)).to.eventually.be.true; + + await expect(this.manager.connect(this.admin).setTargetClosed(this.manager, false)) + .to.emit(this.manager, 'TargetClosed') + .withArgs(this.manager, false); + await expect(this.manager.isTargetClosed(this.manager)).to.eventually.be.false; + }); + }); + }); + + describe('#setTargetFunctionRole', function () { + describe('restrictions', function () { + beforeEach('set method and args', function () { + const args = [this.other.address, ['0x12345678'], 443342]; + const method = this.manager.interface.getFunction('setTargetFunctionRole(address,bytes4[],uint64)'); + this.calldata = this.manager.interface.encodeFunctionData(method, args); + }); + + shouldBehaveLikeNotDelayedAdminOperation(); + }); + + const sigs = ['someFunction()', 'someOtherFunction(uint256)', 'oneMoreFunction(address,uint8)'].map(selector); + + it('sets function roles', async function () { + for (const sig of sigs) { + await expect(this.manager.getTargetFunctionRole(this.target, sig)).to.eventually.equal(this.roles.ADMIN.id); + } + + const allowRole = await this.manager + .connect(this.admin) + .setTargetFunctionRole(this.target, sigs, this.roles.SOME.id); + + for (const sig of sigs) { + await expect(allowRole) + .to.emit(this.manager, 'TargetFunctionRoleUpdated') + .withArgs(this.target, sig, this.roles.SOME.id); + await expect(this.manager.getTargetFunctionRole(this.target, sig)).to.eventually.equal(this.roles.SOME.id); + } + + await expect( + this.manager.connect(this.admin).setTargetFunctionRole(this.target, [sigs[1]], this.roles.SOME_ADMIN.id), + ) + .to.emit(this.manager, 'TargetFunctionRoleUpdated') + .withArgs(this.target, sigs[1], this.roles.SOME_ADMIN.id); + + for (const sig of sigs) { + await expect(this.manager.getTargetFunctionRole(this.target, sig)).to.eventually.equal( + sig == sigs[1] ? this.roles.SOME_ADMIN.id : this.roles.SOME.id, + ); + } + }); + }); + + describe('role admin operations', function () { + const ANOTHER_ADMIN = 0xdeadc0de1n; + const ANOTHER_ROLE = 0xdeadc0de2n; + + beforeEach('set required role', async function () { + // Make admin a member of ANOTHER_ADMIN + await this.manager.$_grantRole(ANOTHER_ADMIN, this.admin, 0, 0); + await this.manager.$_setRoleAdmin(ANOTHER_ROLE, ANOTHER_ADMIN); + + this.role = { id: ANOTHER_ADMIN }; + await this.manager.$_grantRole(this.role.id, this.user, 0, 0); + }); + + describe('#grantRole', function () { + describe('restrictions', function () { + beforeEach('set method and args', function () { + const args = [ANOTHER_ROLE, this.other.address, 0]; + const method = this.manager.interface.getFunction('grantRole(uint64,address,uint32)'); + this.calldata = this.manager.interface.encodeFunctionData(method, args); + }); + + shouldBehaveLikeRoleAdminOperation(ANOTHER_ADMIN); + }); + + it('reverts when granting PUBLIC_ROLE', async function () { + await expect(this.manager.connect(this.admin).grantRole(this.roles.PUBLIC.id, this.user, 0)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') + .withArgs(this.roles.PUBLIC.id); + }); + + describe('when the user is not a role member', function () { + describe('with grant delay', function () { + beforeEach('set grant delay and grant role', async function () { + // Delay granting + this.grantDelay = time.duration.weeks(2); + await this.manager.$_setGrantDelay(ANOTHER_ROLE, this.grantDelay); + await time.increaseBy.timestamp(MINSETBACK); + + // Grant role + this.executionDelay = time.duration.days(3); + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([false, '0']); + + this.txResponse = await this.manager + .connect(this.admin) + .grantRole(ANOTHER_ROLE, this.user, this.executionDelay); + this.delay = this.grantDelay; // For testAsDelay + }); + + testAsDelay('grant', { + before: function self() { + self.mineDelay = true; + + it('does not grant role to the user yet', async function () { + const timestamp = await time.clockFromReceipt.timestamp(this.txResponse); + await expect(this.txResponse) + .to.emit(this.manager, 'RoleGranted') + .withArgs(ANOTHER_ROLE, this.user, this.executionDelay, timestamp + this.grantDelay, true); + + // Access is correctly stored + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + expect(access[0]).to.equal(timestamp + this.grantDelay); // inEffectSince + expect(access[1]).to.equal(this.executionDelay); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Not in effect yet + const currentTimestamp = await time.clock.timestamp(); + expect(currentTimestamp).to.be.lt(access[0]); + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([false, this.executionDelay.toString()]); + }); + }, + after: function self() { + self.mineDelay = true; + + it('grants role to the user', async function () { + const timestamp = await time.clockFromReceipt.timestamp(this.txResponse); + await expect(this.txResponse) + .to.emit(this.manager, 'RoleGranted') + .withArgs(ANOTHER_ROLE, this.user, this.executionDelay, timestamp + this.grantDelay, true); + + // Access is correctly stored + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + expect(access[0]).to.equal(timestamp + this.grantDelay); // inEffectSince + expect(access[1]).to.equal(this.executionDelay); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Already in effect + const currentTimestamp = await time.clock.timestamp(); + expect(currentTimestamp).to.equal(access[0]); + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([true, this.executionDelay.toString()]); + }); + }, + }); + }); + + describe('without grant delay', function () { + beforeEach('set granting delay', async function () { + // Delay granting + this.grantDelay = 0; + await this.manager.$_setGrantDelay(ANOTHER_ROLE, this.grantDelay); + await time.increaseBy.timestamp(MINSETBACK); + }); + + it('immediately grants the role to the user', async function () { + const executionDelay = time.duration.days(6); + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([false, '0']); + const txResponse = await this.manager + .connect(this.admin) + .grantRole(ANOTHER_ROLE, this.user, executionDelay); + const grantedAt = await time.clockFromReceipt.timestamp(txResponse); + await expect(txResponse) + .to.emit(this.manager, 'RoleGranted') + .withArgs(ANOTHER_ROLE, this.user, executionDelay, grantedAt, true); + + // Access is correctly stored + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + expect(access[0]).to.equal(grantedAt); // inEffectSince + expect(access[1]).to.equal(executionDelay); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Already in effect + const currentTimestamp = await time.clock.timestamp(); + expect(currentTimestamp).to.equal(access[0]); + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([true, executionDelay.toString()]); + }); + }); + }); + + describe('when the user is already a role member', function () { + beforeEach('make user role member', async function () { + this.previousExecutionDelay = time.duration.days(6); + await this.manager.$_grantRole(ANOTHER_ROLE, this.user, 0, this.previousExecutionDelay); + this.oldAccess = await this.manager.getAccess(ANOTHER_ROLE, this.user); + }); + + describe('with grant delay', function () { + beforeEach('set granting delay', async function () { + // Delay granting + const grantDelay = time.duration.weeks(2); + await this.manager.$_setGrantDelay(ANOTHER_ROLE, grantDelay); + await time.increaseBy.timestamp(MINSETBACK); + }); + + describe('when increasing the execution delay', function () { + beforeEach('set increased new execution delay', async function () { + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([true, this.previousExecutionDelay.toString()]); + + this.newExecutionDelay = this.previousExecutionDelay + time.duration.days(4); + }); + + it('emits event and immediately changes the execution delay', async function () { + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([true, this.previousExecutionDelay.toString()]); + const txResponse = await this.manager + .connect(this.admin) + .grantRole(ANOTHER_ROLE, this.user, this.newExecutionDelay); + const timestamp = await time.clockFromReceipt.timestamp(txResponse); + + await expect(txResponse) + .to.emit(this.manager, 'RoleGranted') + .withArgs(ANOTHER_ROLE, this.user, this.newExecutionDelay, timestamp, false); + + // Access is correctly stored + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince + expect(access[1]).to.equal(this.newExecutionDelay); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Already in effect + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([true, this.newExecutionDelay.toString()]); + }); + }); + + describe('when decreasing the execution delay', function () { + beforeEach('decrease execution delay', async function () { + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([true, this.previousExecutionDelay.toString()]); + + this.newExecutionDelay = this.previousExecutionDelay - time.duration.days(4); + this.txResponse = await this.manager + .connect(this.admin) + .grantRole(ANOTHER_ROLE, this.user, this.newExecutionDelay); + this.grantTimestamp = await time.clockFromReceipt.timestamp(this.txResponse); + + this.delay = this.previousExecutionDelay - this.newExecutionDelay; // For testAsDelay + }); + + it('emits event', async function () { + await expect(this.txResponse) + .to.emit(this.manager, 'RoleGranted') + .withArgs(ANOTHER_ROLE, this.user, this.newExecutionDelay, this.grantTimestamp + this.delay, false); + }); + + testAsDelay('execution delay effect', { + before: function self() { + self.mineDelay = true; + + it('does not change the execution delay yet', async function () { + // Access is correctly stored + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince + expect(access[1]).to.equal(this.previousExecutionDelay); // currentDelay + expect(access[2]).to.equal(this.newExecutionDelay); // pendingDelay + expect(access[3]).to.equal(this.grantTimestamp + this.delay); // pendingDelayEffect + + // Not in effect yet + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([true, this.previousExecutionDelay.toString()]); + }); + }, + after: function self() { + self.mineDelay = true; + + it('changes the execution delay', async function () { + // Access is correctly stored + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + + expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince + expect(access[1]).to.equal(this.newExecutionDelay); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Already in effect + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([true, this.newExecutionDelay.toString()]); + }); + }, + }); + }); + }); + + describe('without grant delay', function () { + beforeEach('set granting delay', async function () { + // Delay granting + const grantDelay = 0; + await this.manager.$_setGrantDelay(ANOTHER_ROLE, grantDelay); + await time.increaseBy.timestamp(MINSETBACK); + }); + + describe('when increasing the execution delay', function () { + beforeEach('set increased new execution delay', async function () { + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([true, this.previousExecutionDelay.toString()]); + + this.newExecutionDelay = this.previousExecutionDelay + time.duration.days(4); + }); + + it('emits event and immediately changes the execution delay', async function () { + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([true, this.previousExecutionDelay.toString()]); + const txResponse = await this.manager + .connect(this.admin) + .grantRole(ANOTHER_ROLE, this.user, this.newExecutionDelay); + const timestamp = await time.clockFromReceipt.timestamp(txResponse); + + await expect(txResponse) + .to.emit(this.manager, 'RoleGranted') + .withArgs(ANOTHER_ROLE, this.user, this.newExecutionDelay, timestamp, false); + + // Access is correctly stored + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince + expect(access[1]).to.equal(this.newExecutionDelay); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Already in effect + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([true, this.newExecutionDelay.toString()]); + }); + }); + + describe('when decreasing the execution delay', function () { + beforeEach('decrease execution delay', async function () { + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([true, this.previousExecutionDelay.toString()]); + + this.newExecutionDelay = this.previousExecutionDelay - time.duration.days(4); + this.txResponse = await this.manager + .connect(this.admin) + .grantRole(ANOTHER_ROLE, this.user, this.newExecutionDelay); + this.grantTimestamp = await time.clockFromReceipt.timestamp(this.txResponse); + + this.delay = this.previousExecutionDelay - this.newExecutionDelay; // For testAsDelay + }); + + it('emits event', async function () { + await expect(this.txResponse) + .to.emit(this.manager, 'RoleGranted') + .withArgs(ANOTHER_ROLE, this.user, this.newExecutionDelay, this.grantTimestamp + this.delay, false); + }); + + testAsDelay('execution delay effect', { + before: function self() { + self.mineDelay = true; + + it('does not change the execution delay yet', async function () { + // Access is correctly stored + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince + expect(access[1]).to.equal(this.previousExecutionDelay); // currentDelay + expect(access[2]).to.equal(this.newExecutionDelay); // pendingDelay + expect(access[3]).to.equal(this.grantTimestamp + this.delay); // pendingDelayEffect + + // Not in effect yet + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([true, this.previousExecutionDelay.toString()]); + }); + }, + after: function self() { + self.mineDelay = true; + + it('changes the execution delay', async function () { + // Access is correctly stored + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + + expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince + expect(access[1]).to.equal(this.newExecutionDelay); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Already in effect + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([true, this.newExecutionDelay.toString()]); + }); + }, + }); + }); + }); + }); + }); + + describe('#revokeRole', function () { + describe('restrictions', function () { + beforeEach('set method and args', async function () { + const args = [ANOTHER_ROLE, this.other.address]; + const method = this.manager.interface.getFunction('revokeRole(uint64,address)'); + this.calldata = this.manager.interface.encodeFunctionData(method, args); + + // Need to be set before revoking + await this.manager.$_grantRole(...args, 0, 0); + }); + + shouldBehaveLikeRoleAdminOperation(ANOTHER_ADMIN); + }); + + describe('when role has been granted', function () { + beforeEach('grant role with grant delay', async function () { + this.grantDelay = time.duration.weeks(1); + await this.manager.$_grantRole(ANOTHER_ROLE, this.user, this.grantDelay, 0); + + this.delay = this.grantDelay; // For testAsDelay + }); + + testAsDelay('grant', { + before: function self() { + self.mineDelay = true; + + it('revokes a granted role that will take effect in the future', async function () { + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([false, '0']); + + await expect(this.manager.connect(this.admin).revokeRole(ANOTHER_ROLE, this.user)) + .to.emit(this.manager, 'RoleRevoked') + .withArgs(ANOTHER_ROLE, this.user); + + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([false, '0']); + + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + expect(access[0]).to.equal(0n); // inRoleSince + expect(access[1]).to.equal(0n); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // effect + }); + }, + after: function self() { + self.mineDelay = true; + + it('revokes a granted role that already took effect', async function () { + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([true, '0']); + + await expect(this.manager.connect(this.admin).revokeRole(ANOTHER_ROLE, this.user)) + .to.emit(this.manager, 'RoleRevoked') + .withArgs(ANOTHER_ROLE, this.user); + + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([false, '0']); + + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + expect(access[0]).to.equal(0n); // inRoleSince + expect(access[1]).to.equal(0n); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // effect + }); + }, + }); + }); + + describe('when role has not been granted', function () { + it('has no effect', async function () { + await expect( + this.manager.hasRole(this.roles.SOME.id, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([false, '0']); + await expect(this.manager.connect(this.roleAdmin).revokeRole(this.roles.SOME.id, this.user)).to.not.emit( + this.manager, + 'RoleRevoked', + ); + await expect( + this.manager.hasRole(this.roles.SOME.id, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([false, '0']); + }); + }); + + it('reverts revoking PUBLIC_ROLE', async function () { + await expect(this.manager.connect(this.admin).revokeRole(this.roles.PUBLIC.id, this.user)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') + .withArgs(this.roles.PUBLIC.id); + }); + }); + }); + + describe('self role operations', function () { + describe('#renounceRole', function () { + beforeEach('grant role', async function () { + this.role = { id: 783164n }; + this.caller = this.user; + await this.manager.$_grantRole(this.role.id, this.caller, 0, 0); + }); + + it('renounces a role', async function () { + await expect( + this.manager.hasRole(this.role.id, this.caller).then(formatAccess), + ).to.eventually.be.deep.equal([true, '0']); + await expect(this.manager.connect(this.caller).renounceRole(this.role.id, this.caller)) + .to.emit(this.manager, 'RoleRevoked') + .withArgs(this.role.id, this.caller); + await expect( + this.manager.hasRole(this.role.id, this.caller).then(formatAccess), + ).to.eventually.be.deep.equal([false, '0']); + }); + + it('reverts if renouncing the PUBLIC_ROLE', async function () { + await expect(this.manager.connect(this.caller).renounceRole(this.roles.PUBLIC.id, this.caller)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') + .withArgs(this.roles.PUBLIC.id); + }); + + it('reverts if renouncing with bad caller confirmation', async function () { + await expect( + this.manager.connect(this.caller).renounceRole(this.role.id, this.other), + ).to.be.revertedWithCustomError(this.manager, 'AccessManagerBadConfirmation'); + }); + }); + }); + }); + }); + + describe('access managed self operations', function () { + describe('when calling a restricted target function', function () { + const method = 'fnRestricted()'; + + beforeEach('set required role', async function () { + this.role = { id: 785913n }; + await this.manager.$_setTargetFunctionRole( + this.manager, + this.manager[method].getFragment().selector, + this.role.id, + ); + }); + + describe('restrictions', function () { + beforeEach('set method and args', function () { + this.caller = this.user; + this.calldata = this.manager.interface.encodeFunctionData(method, []); + }); + + shouldBehaveLikeASelfRestrictedOperation(); + }); + + it('succeeds called by a role member', async function () { + await this.manager.$_grantRole(this.role.id, this.user, 0, 0); + + await expect(this.manager.connect(this.user)[method]()) + .to.emit(this.manager, 'CalledRestricted') + .withArgs(this.user); + }); + }); + + describe('when calling a non-restricted target function', function () { + const method = 'fnUnrestricted()'; + + beforeEach('set required role', async function () { + this.role = { id: 879435n }; + await this.manager.$_setTargetFunctionRole( + this.manager, + this.manager[method].getFragment().selector, + this.role.id, + ); + }); + + it('succeeds called by anyone', async function () { + await expect(this.manager.connect(this.user)[method]()) + .to.emit(this.manager, 'CalledUnrestricted') + .withArgs(this.user); + }); + }); + }); + + describe('access managed target operations', function () { + describe('when calling a restricted target function', function () { + const method = 'fnRestricted()'; + + beforeEach('set required role', async function () { + this.role = { id: 3597243n }; + await this.manager.$_setTargetFunctionRole( + this.target, + this.target[method].getFragment().selector, + this.role.id, + ); + }); + + describe('restrictions', function () { + beforeEach('set method and args', function () { + this.caller = this.user; + this.calldata = this.target.interface.encodeFunctionData(method, []); + }); + + shouldBehaveLikeAManagedRestrictedOperation(); + }); + + it('succeeds called by a role member', async function () { + await this.manager.$_grantRole(this.role.id, this.user, 0, 0); + + await expect(this.target.connect(this.user)[method]()) + .to.emit(this.target, 'CalledRestricted') + .withArgs(this.user); + }); + }); + + describe('when calling a non-restricted target function', function () { + const method = 'fnUnrestricted()'; + + beforeEach('set required role', async function () { + this.role = { id: 879435n }; + await this.manager.$_setTargetFunctionRole( + this.target, + this.target[method].getFragment().selector, + this.role.id, + ); + }); + + it('succeeds called by anyone', async function () { + await expect(this.target.connect(this.user)[method]()) + .to.emit(this.target, 'CalledUnrestricted') + .withArgs(this.user); + }); + }); + }); + + describe('#schedule', function () { + beforeEach('set target function role', async function () { + this.method = this.target.fnRestricted.getFragment(); + this.role = { id: 498305n }; + this.caller = this.user; + + await this.manager.$_setTargetFunctionRole(this.target, this.method.selector, this.role.id); + await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // nonzero execution delay + + this.calldata = this.target.interface.encodeFunctionData(this.method, []); + this.delay = time.duration.weeks(2); + }); + + describe('restrictions', function () { + testAsCanCall({ + closed() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + const { schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + await expect(schedule()) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + open: { + callerIsTheManager: { + executing() { + it.skip('is not reachable because schedule is not restrictable'); + }, + notExecuting() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + const { schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + await expect(schedule()) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + }, + callerIsNotTheManager: { + publicRoleIsRequired() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + // prepareOperation is not used here because it alters the next block timestamp + await expect(this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + specificRoleIsRequired: { + requiredRoleIsGranted: { + roleGrantingIsDelayed: { + callerHasAnExecutionDelay: { + beforeGrantDelay() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + // prepareOperation is not used here because it alters the next block timestamp + await expect(this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + afterGrantDelay() { + it('succeeds', async function () { + // prepareOperation is not used here because it alters the next block timestamp + await this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48); + }); + }, + }, + callerHasNoExecutionDelay: { + beforeGrantDelay() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + // prepareOperation is not used here because it alters the next block timestamp + await expect(this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + afterGrantDelay() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + // prepareOperation is not used here because it alters the next block timestamp + await expect(this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + }, + }, + roleGrantingIsNotDelayed: { + callerHasAnExecutionDelay() { + it('succeeds', async function () { + const { schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + + await schedule(); + }); + }, + callerHasNoExecutionDelay() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + // prepareOperation is not used here because it alters the next block timestamp + await expect(this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + }, + }, + requiredRoleIsNotGranted() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + const { schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + await expect(schedule()) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + }, + }, + }, + }); + }); + + it('schedules an operation at the specified execution date if it is larger than caller execution delay', async function () { + const { operationId, scheduledAt, schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + + const txResponse = await schedule(); + + await expect(this.manager.getSchedule(operationId)).to.eventually.equal(scheduledAt + this.delay); + await expect(txResponse) + .to.emit(this.manager, 'OperationScheduled') + .withArgs(operationId, '1', scheduledAt + this.delay, this.caller, this.target, this.calldata); + }); + + it('schedules an operation at the minimum execution date if no specified execution date (when == 0)', async function () { + const executionDelay = await time.duration.hours(72); + await this.manager.$_grantRole(this.role.id, this.caller, 0, executionDelay); + + const txResponse = await this.manager.connect(this.caller).schedule(this.target, this.calldata, 0); + const scheduledAt = await time.clockFromReceipt.timestamp(txResponse); + + const operationId = await this.manager.hashOperation(this.caller, this.target, this.calldata); + + await expect(this.manager.getSchedule(operationId)).to.eventually.equal(scheduledAt + executionDelay); + await expect(txResponse) + .to.emit(this.manager, 'OperationScheduled') + .withArgs(operationId, '1', scheduledAt + executionDelay, this.caller, this.target, this.calldata); + }); + + it('increases the nonce of an operation scheduled more than once', async function () { + // Setup and check initial nonce + const expectedOperationId = hashOperation(this.caller, this.target, this.calldata); + await expect(this.manager.getNonce(expectedOperationId)).to.eventually.equal('0'); + + // Schedule + const op1 = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + await expect(op1.schedule()) + .to.emit(this.manager, 'OperationScheduled') + .withArgs(op1.operationId, 1n, op1.scheduledAt + this.delay, this.caller, this.target, this.calldata); + expect(expectedOperationId).to.equal(op1.operationId); + + // Consume + await time.increaseBy.timestamp(this.delay); + await this.manager.$_consumeScheduledOp(expectedOperationId); + + // Check nonce + await expect(this.manager.getNonce(expectedOperationId)).to.eventually.equal('1'); + + // Schedule again + const op2 = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + await expect(op2.schedule()) + .to.emit(this.manager, 'OperationScheduled') + .withArgs(op2.operationId, 2n, op2.scheduledAt + this.delay, this.caller, this.target, this.calldata); + expect(expectedOperationId).to.equal(op2.operationId); + + // Check final nonce + await expect(this.manager.getNonce(expectedOperationId)).to.eventually.equal('2'); + }); + + it('reverts if the specified execution date is before the current timestamp + caller execution delay', async function () { + const executionDelay = time.duration.weeks(1) + this.delay; + await this.manager.$_grantRole(this.role.id, this.caller, 0, executionDelay); + + const { schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + + await expect(schedule()) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + + it('reverts if an operation is already schedule', async function () { + const op1 = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + + await op1.schedule(); + + const op2 = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + + await expect(op2.schedule()) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerAlreadyScheduled') + .withArgs(op1.operationId); + }); + + it('panics scheduling calldata with less than 4 bytes', async function () { + const calldata = '0x1234'; // 2 bytes + + // Managed contract + const op1 = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: calldata, + delay: this.delay, + }); + await expect(op1.schedule()).to.be.revertedWithoutReason(); + + // Manager contract + const op2 = await prepareOperation(this.manager, { + caller: this.caller, + target: this.manager, + calldata: calldata, + delay: this.delay, + }); + await expect(op2.schedule()).to.be.revertedWithoutReason(); + }); + + it('reverts scheduling an unknown operation to the manager', async function () { + const calldata = '0x12345678'; + + const { schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.manager, + calldata, + delay: this.delay, + }); + + await expect(schedule()) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.manager, calldata); + }); + }); + + describe('#execute', function () { + beforeEach('set target function role', async function () { + this.method = this.target.fnRestricted.getFragment(); + this.role = { id: 9825430n }; + this.caller = this.user; + + await this.manager.$_setTargetFunctionRole(this.target, this.method.selector, this.role.id); + await this.manager.$_grantRole(this.role.id, this.caller, 0, 0); + + this.calldata = this.target.interface.encodeFunctionData(this.method, []); + }); + + describe('restrictions', function () { + testAsCanCall({ + closed() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + open: { + callerIsTheManager: { + executing() { + it('succeeds', async function () { + await this.manager.connect(this.caller).execute(this.target, this.calldata); + }); + }, + notExecuting() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + }, + callerIsNotTheManager: { + publicRoleIsRequired() { + it('succeeds', async function () { + await this.manager.connect(this.caller).execute(this.target, this.calldata); + }); + }, + specificRoleIsRequired: { + requiredRoleIsGranted: { + roleGrantingIsDelayed: { + callerHasAnExecutionDelay: { + beforeGrantDelay() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + afterGrantDelay: function self() { + self.mineDelay = true; + + beforeEach('define schedule delay', function () { + this.scheduleIn = time.duration.days(21); // For testAsSchedulableOperation + }); + + testAsSchedulableOperation(LIKE_COMMON_SCHEDULABLE); + }, + }, + callerHasNoExecutionDelay: { + beforeGrantDelay() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + afterGrantDelay: function self() { + self.mineDelay = true; + + it('succeeds', async function () { + await this.manager.connect(this.caller).execute(this.target, this.calldata); + }); + }, + }, + }, + roleGrantingIsNotDelayed: { + callerHasAnExecutionDelay() { + beforeEach('define schedule delay', function () { + this.scheduleIn = time.duration.days(15); // For testAsSchedulableOperation + }); + + testAsSchedulableOperation(LIKE_COMMON_SCHEDULABLE); + }, + callerHasNoExecutionDelay() { + it('succeeds', async function () { + await this.manager.connect(this.caller).execute(this.target, this.calldata); + }); + }, + }, + }, + requiredRoleIsNotGranted() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + }, + }, + }, + }); + }); + + it('executes with a delay consuming the scheduled operation', async function () { + const delay = time.duration.hours(4); + await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // Execution delay is needed so the operation is consumed + + const { operationId, schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay, + }); + await schedule(); + await time.increaseBy.timestamp(delay); + await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) + .to.emit(this.manager, 'OperationExecuted') + .withArgs(operationId, 1n); + + await expect(this.manager.getSchedule(operationId)).to.eventually.equal(0n); + }); + + it('executes with no delay consuming a scheduled operation', async function () { + const delay = time.duration.hours(4); + + // give caller an execution delay + await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); + + const { operationId, schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay, + }); + await schedule(); + + // remove the execution delay + await this.manager.$_grantRole(this.role.id, this.caller, 0, 0); + + await time.increaseBy.timestamp(delay); + await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) + .to.emit(this.manager, 'OperationExecuted') + .withArgs(operationId, 1n); + + await expect(this.manager.getSchedule(operationId)).to.eventually.equal(0n); + }); + + it('keeps the original _executionId after finishing the call', async function () { + const executionIdBefore = await ethers.provider.getStorage(this.manager, EXECUTION_ID_STORAGE_SLOT); + await this.manager.connect(this.caller).execute(this.target, this.calldata); + const executionIdAfter = await ethers.provider.getStorage(this.manager, EXECUTION_ID_STORAGE_SLOT); + expect(executionIdBefore).to.equal(executionIdAfter); + }); + + it('reverts executing twice', async function () { + const delay = time.duration.hours(2); + await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // Execution delay is needed so the operation is consumed + + const { operationId, schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay, + }); + await schedule(); + await time.increaseBy.timestamp(delay); + await this.manager.connect(this.caller).execute(this.target, this.calldata); + await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerNotScheduled') + .withArgs(operationId); + }); + }); + + describe('#consumeScheduledOp', function () { + beforeEach('define scheduling parameters', async function () { + const method = this.target.fnRestricted.getFragment(); + this.caller = await ethers.getSigner(this.target.target); + await impersonate(this.caller.address); + this.calldata = this.target.interface.encodeFunctionData(method, []); + this.role = { id: 9834983n }; + + await this.manager.$_setTargetFunctionRole(this.target, method.selector, this.role.id); + await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // nonzero execution delay + + this.scheduleIn = time.duration.hours(10); // For testAsSchedulableOperation + }); + + describe('when caller is not consuming scheduled operation', function () { + beforeEach('set consuming false', async function () { + await this.target.setIsConsumingScheduledOp(false, ethers.toBeHex(CONSUMING_SCHEDULE_STORAGE_SLOT, 32)); + }); + + it('reverts as AccessManagerUnauthorizedConsume', async function () { + await expect(this.manager.connect(this.caller).consumeScheduledOp(this.caller, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedConsume') + .withArgs(this.caller); + }); + }); + + describe('when caller is consuming scheduled operation', function () { + beforeEach('set consuming true', async function () { + await this.target.setIsConsumingScheduledOp(true, ethers.toBeHex(CONSUMING_SCHEDULE_STORAGE_SLOT, 32)); + }); + + testAsSchedulableOperation({ + scheduled: { + before() { + it('reverts as AccessManagerNotReady', async function () { + await expect(this.manager.connect(this.caller).consumeScheduledOp(this.caller, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerNotReady') + .withArgs(this.operationId); + }); + }, + after() { + it('consumes the scheduled operation and resets timepoint', async function () { + await expect(this.manager.getSchedule(this.operationId)).to.eventually.equal( + this.scheduledAt + this.scheduleIn, + ); + + await expect(this.manager.connect(this.caller).consumeScheduledOp(this.caller, this.calldata)) + .to.emit(this.manager, 'OperationExecuted') + .withArgs(this.operationId, 1n); + await expect(this.manager.getSchedule(this.operationId)).to.eventually.equal(0n); + }); + }, + expired() { + it('reverts as AccessManagerExpired', async function () { + await expect(this.manager.connect(this.caller).consumeScheduledOp(this.caller, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerExpired') + .withArgs(this.operationId); + }); + }, + }, + notScheduled() { + it('reverts as AccessManagerNotScheduled', async function () { + await expect(this.manager.connect(this.caller).consumeScheduledOp(this.caller, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerNotScheduled') + .withArgs(this.operationId); + }); + }, + }); + }); + }); + + describe('#cancelScheduledOp', function () { + beforeEach('setup scheduling', async function () { + this.method = this.target.fnRestricted.getFragment(); + this.caller = this.roles.SOME.members[0]; + await this.manager.$_setTargetFunctionRole(this.target, this.method.selector, this.roles.SOME.id); + await this.manager.$_grantRole(this.roles.SOME.id, this.caller, 0, 1); // nonzero execution delay + + this.calldata = this.target.interface.encodeFunctionData(this.method, []); + this.scheduleIn = time.duration.days(10); // For testAsSchedulableOperation + }); + + testAsSchedulableOperation({ + scheduled: { + before() { + describe('when caller is the scheduler', function () { + it('succeeds', async function () { + await this.manager.connect(this.caller).cancel(this.caller, this.target, this.calldata); + }); + }); + + describe('when caller is an admin', function () { + it('succeeds', async function () { + await this.manager.connect(this.roles.ADMIN.members[0]).cancel(this.caller, this.target, this.calldata); + }); + }); + + describe('when caller is the role guardian', function () { + it('succeeds', async function () { + await this.manager + .connect(this.roles.SOME_GUARDIAN.members[0]) + .cancel(this.caller, this.target, this.calldata); + }); + }); + + describe('when caller is any other account', function () { + it('reverts as AccessManagerUnauthorizedCancel', async function () { + await expect(this.manager.connect(this.other).cancel(this.caller, this.target, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCancel') + .withArgs(this.other, this.caller, this.target, this.method.selector); + }); + }); + }, + after() { + it('succeeds', async function () { + await this.manager.connect(this.caller).cancel(this.caller, this.target, this.calldata); + }); + }, + expired() { + it('succeeds', async function () { + await this.manager.connect(this.caller).cancel(this.caller, this.target, this.calldata); + }); + }, + }, + notScheduled() { + it('reverts as AccessManagerNotScheduled', async function () { + await expect(this.manager.cancel(this.caller, this.target, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerNotScheduled') + .withArgs(this.operationId); + }); + }, + }); + + it('cancels an operation and resets schedule', async function () { + const { operationId, schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.scheduleIn, + }); + await schedule(); + await expect(this.manager.connect(this.caller).cancel(this.caller, this.target, this.calldata)) + .to.emit(this.manager, 'OperationCanceled') + .withArgs(operationId, 1n); + await expect(this.manager.getSchedule(operationId)).to.eventually.equal('0'); + }); + }); + + describe('with Ownable target contract', function () { + const roleId = 1n; + + beforeEach(async function () { + this.ownable = await ethers.deployContract('$Ownable', [this.manager]); + + // add user to role + await this.manager.$_grantRole(roleId, this.user, 0, 0); + }); + + it('initial state', async function () { + await expect(this.ownable.owner()).to.eventually.equal(this.manager); + }); + + describe('Contract is closed', function () { + beforeEach(async function () { + await this.manager.$_setTargetClosed(this.ownable, true); + }); + + it('directly call: reverts', async function () { + await expect(this.ownable.connect(this.user).$_checkOwner()) + .to.be.revertedWithCustomError(this.ownable, 'OwnableUnauthorizedAccount') + .withArgs(this.user); + }); + + it('relayed call (with role): reverts', async function () { + await expect( + this.manager.connect(this.user).execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector), + ) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.user, this.ownable, this.ownable.$_checkOwner.getFragment().selector); + }); + + it('relayed call (without role): reverts', async function () { + await expect( + this.manager.connect(this.other).execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector), + ) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.other, this.ownable, this.ownable.$_checkOwner.getFragment().selector); + }); + }); + + describe('Contract is managed', function () { + describe('function is open to specific role', function () { + beforeEach(async function () { + await this.manager.$_setTargetFunctionRole( + this.ownable, + this.ownable.$_checkOwner.getFragment().selector, + roleId, + ); + }); + + it('directly call: reverts', async function () { + await expect(this.ownable.connect(this.user).$_checkOwner()) + .to.be.revertedWithCustomError(this.ownable, 'OwnableUnauthorizedAccount') + .withArgs(this.user); + }); + + it('relayed call (with role): success', async function () { + await this.manager.connect(this.user).execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector); + }); + + it('relayed call (without role): reverts', async function () { + await expect( + this.manager.connect(this.other).execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector), + ) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.other, this.ownable, this.ownable.$_checkOwner.getFragment().selector); + }); + }); + + describe('function is open to public role', function () { + beforeEach(async function () { + await this.manager.$_setTargetFunctionRole( + this.ownable, + this.ownable.$_checkOwner.getFragment().selector, + this.roles.PUBLIC.id, + ); + }); + + it('directly call: reverts', async function () { + await expect(this.ownable.connect(this.user).$_checkOwner()) + .to.be.revertedWithCustomError(this.ownable, 'OwnableUnauthorizedAccount') + .withArgs(this.user); + }); + + it('relayed call (with role): success', async function () { + await this.manager.connect(this.user).execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector); + }); + + it('relayed call (without role): success', async function () { + await this.manager + .connect(this.other) + .execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector); + }); + }); + }); + }); +} + // ============ ENUMERABLE EXTENSION ============ /** - * @requires this.{manager,roles,admin,user,other} + * @requires this.{manager,roles,admin,user,other,target,target2} */ function shouldBehaveLikeAccessManagerEnumerable() { describe('enumerating', function () { @@ -449,5 +2855,6 @@ module.exports = { shouldBehaveLikeRoleAdminOperation, shouldBehaveLikeAManagedRestrictedOperation, shouldBehaveLikeASelfRestrictedOperation, + shouldBehaveLikeAccessManager, shouldBehaveLikeAccessManagerEnumerable, }; diff --git a/test/access/manager/AccessManager.test.js b/test/access/manager/AccessManager.test.js index 7726831b268..9eed99ee713 100644 --- a/test/access/manager/AccessManager.test.js +++ b/test/access/manager/AccessManager.test.js @@ -1,40 +1,7 @@ const { ethers } = require('hardhat'); -const { expect } = require('chai'); const { loadFixture } = require('@nomicfoundation/hardhat-network-helpers'); - -const { impersonate } = require('../../helpers/account'); -const { MAX_UINT48 } = require('../../helpers/constants'); -const { selector } = require('../../helpers/methods'); -const time = require('../../helpers/time'); - -const { - buildBaseRoles, - formatAccess, - EXPIRATION, - MINSETBACK, - EXECUTION_ID_STORAGE_SLOT, - CONSUMING_SCHEDULE_STORAGE_SLOT, - prepareOperation, - hashOperation, -} = require('../../helpers/access-manager'); - -const { - shouldBehaveLikeDelayedAdminOperation, - shouldBehaveLikeNotDelayedAdminOperation, - shouldBehaveLikeRoleAdminOperation, - shouldBehaveLikeAManagedRestrictedOperation, - shouldBehaveLikeASelfRestrictedOperation, -} = require('./AccessManager.behavior'); - -const { - LIKE_COMMON_SCHEDULABLE, - testAsClosable, - testAsDelay, - testAsSchedulableOperation, - testAsCanCall, - testAsHasRole, - testAsGetAccess, -} = require('./AccessManager.predicate'); +const { buildBaseRoles } = require('../../helpers/access-manager'); +const { shouldBehaveLikeAccessManager } = require('./AccessManager.behavior'); async function fixture() { const [admin, roleAdmin, roleGuardian, member, user, other] = await ethers.getSigners(); @@ -83,2407 +50,10 @@ async function fixture() { }; } -// This test suite is made using the following tools: -// -// * Predicates: Functions with common conditional setups without assertions. -// * Behaviors: Functions with common assertions. -// -// The behavioral tests are built by composing predicates and are used as templates -// for testing access to restricted functions. -// -// Similarly, unit tests in this suite will use predicates to test subsets of these -// behaviors and are helped by common assertions provided for some of the predicates. -// -// The predicates can be identified by the `testAs*` prefix while the behaviors -// are prefixed with `shouldBehave*`. The common assertions for predicates are -// defined as constants. describe('AccessManager', function () { beforeEach(async function () { Object.assign(this, await loadFixture(fixture)); }); - describe('during construction', function () { - it('grants admin role to initialAdmin', async function () { - const manager = await ethers.deployContract('$AccessManager', [this.other]); - expect(await manager.hasRole(this.roles.ADMIN.id, this.other).then(formatAccess)).to.be.deep.equal([true, '0']); - }); - - it('rejects zero address for initialAdmin', async function () { - await expect(ethers.deployContract('$AccessManager', [ethers.ZeroAddress])) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerInvalidInitialAdmin') - .withArgs(ethers.ZeroAddress); - }); - - it('initializes setup roles correctly', async function () { - for (const { id: roleId, admin, guardian, members } of Object.values(this.roles)) { - expect(await this.manager.getRoleAdmin(roleId)).to.equal(admin.id); - expect(await this.manager.getRoleGuardian(roleId)).to.equal(guardian.id); - - for (const user of this.roles.PUBLIC.members) { - expect(await this.manager.hasRole(roleId, user).then(formatAccess)).to.be.deep.equal([ - members.includes(user), - '0', - ]); - } - } - }); - }); - - describe('getters', function () { - describe('#canCall', function () { - beforeEach('set calldata', function () { - this.calldata = '0x12345678'; - this.role = { id: 379204n }; - }); - - testAsCanCall({ - closed() { - it('should return false and no delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.other, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.false; - expect(delay).to.equal(0n); - }); - }, - open: { - callerIsTheManager: { - executing() { - it('should return true and no delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.true; - expect(delay).to.equal(0n); - }); - }, - notExecuting() { - it('should return false and no delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.false; - expect(delay).to.equal(0n); - }); - }, - }, - callerIsNotTheManager: { - publicRoleIsRequired() { - it('should return true and no delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.true; - expect(delay).to.equal(0n); - }); - }, - specificRoleIsRequired: { - requiredRoleIsGranted: { - roleGrantingIsDelayed: { - callerHasAnExecutionDelay: { - beforeGrantDelay: function self() { - self.mineDelay = true; - - it('should return false and no execution delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.false; - expect(delay).to.equal(0n); - }); - }, - afterGrantDelay: function self() { - self.mineDelay = true; - - beforeEach('sets execution delay', function () { - this.scheduleIn = this.executionDelay; // For testAsSchedulableOperation - }); - - testAsSchedulableOperation({ - scheduled: { - before: function self() { - self.mineDelay = true; - - it('should return false and execution delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.false; - expect(delay).to.equal(this.executionDelay); - }); - }, - after: function self() { - self.mineDelay = true; - - it('should return false and execution delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.false; - expect(delay).to.equal(this.executionDelay); - }); - }, - expired: function self() { - self.mineDelay = true; - - it('should return false and execution delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.false; - expect(delay).to.equal(this.executionDelay); - }); - }, - }, - notScheduled() { - it('should return false and execution delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.false; - expect(delay).to.equal(this.executionDelay); - }); - }, - }); - }, - }, - callerHasNoExecutionDelay: { - beforeGrantDelay: function self() { - self.mineDelay = true; - - it('should return false and no execution delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.false; - expect(delay).to.equal(0n); - }); - }, - afterGrantDelay: function self() { - self.mineDelay = true; - - it('should return true and no execution delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.true; - expect(delay).to.equal(0n); - }); - }, - }, - }, - roleGrantingIsNotDelayed: { - callerHasAnExecutionDelay() { - it('should return false and execution delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.false; - expect(delay).to.equal(this.executionDelay); - }); - }, - callerHasNoExecutionDelay() { - it('should return true and no execution delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.true; - expect(delay).to.equal(0n); - }); - }, - }, - }, - requiredRoleIsNotGranted() { - it('should return false and no execution delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.false; - expect(delay).to.equal(0n); - }); - }, - }, - }, - }, - }); - }); - - describe('#expiration', function () { - it('has a 7 days default expiration', async function () { - expect(await this.manager.expiration()).to.equal(EXPIRATION); - }); - }); - - describe('#minSetback', function () { - it('has a 5 days default minimum setback', async function () { - expect(await this.manager.minSetback()).to.equal(MINSETBACK); - }); - }); - - describe('#isTargetClosed', function () { - testAsClosable({ - closed() { - it('returns true', async function () { - expect(await this.manager.isTargetClosed(this.target)).to.be.true; - }); - }, - open() { - it('returns false', async function () { - expect(await this.manager.isTargetClosed(this.target)).to.be.false; - }); - }, - }); - }); - - describe('#getTargetFunctionRole', function () { - const methodSelector = selector('something(address,bytes)'); - - it('returns the target function role', async function () { - const roleId = 21498n; - await this.manager.$_setTargetFunctionRole(this.target, methodSelector, roleId); - - expect(await this.manager.getTargetFunctionRole(this.target, methodSelector)).to.equal(roleId); - }); - - it('returns the ADMIN role if not set', async function () { - expect(await this.manager.getTargetFunctionRole(this.target, methodSelector)).to.equal(this.roles.ADMIN.id); - }); - }); - - describe('#getTargetAdminDelay', function () { - describe('when the target admin delay is setup', function () { - beforeEach('set target admin delay', async function () { - this.oldDelay = await this.manager.getTargetAdminDelay(this.target); - this.newDelay = time.duration.days(10); - - await this.manager.$_setTargetAdminDelay(this.target, this.newDelay); - this.delay = MINSETBACK; // For testAsDelay - }); - - testAsDelay('effect', { - before: function self() { - self.mineDelay = true; - - it('returns the old target admin delay', async function () { - expect(await this.manager.getTargetAdminDelay(this.target)).to.equal(this.oldDelay); - }); - }, - after: function self() { - self.mineDelay = true; - - it('returns the new target admin delay', async function () { - expect(await this.manager.getTargetAdminDelay(this.target)).to.equal(this.newDelay); - }); - }, - }); - }); - - it('returns the 0 if not set', async function () { - expect(await this.manager.getTargetAdminDelay(this.target)).to.equal(0n); - }); - }); - - describe('#getRoleAdmin', function () { - const roleId = 5234907n; - - it('returns the role admin', async function () { - const adminId = 789433n; - - await this.manager.$_setRoleAdmin(roleId, adminId); - - expect(await this.manager.getRoleAdmin(roleId)).to.equal(adminId); - }); - - it('returns the ADMIN role if not set', async function () { - expect(await this.manager.getRoleAdmin(roleId)).to.equal(this.roles.ADMIN.id); - }); - }); - - describe('#getRoleGuardian', function () { - const roleId = 5234907n; - - it('returns the role guardian', async function () { - const guardianId = 789433n; - - await this.manager.$_setRoleGuardian(roleId, guardianId); - - expect(await this.manager.getRoleGuardian(roleId)).to.equal(guardianId); - }); - - it('returns the ADMIN role if not set', async function () { - expect(await this.manager.getRoleGuardian(roleId)).to.equal(this.roles.ADMIN.id); - }); - }); - - describe('#getRoleGrantDelay', function () { - const roleId = 9248439n; - - describe('when the grant admin delay is setup', function () { - beforeEach('set grant admin delay', async function () { - this.oldDelay = await this.manager.getRoleGrantDelay(roleId); - this.newDelay = time.duration.days(11); - - await this.manager.$_setGrantDelay(roleId, this.newDelay); - this.delay = MINSETBACK; // For testAsDelay - }); - - testAsDelay('grant', { - before: function self() { - self.mineDelay = true; - - it('returns the old role grant delay', async function () { - expect(await this.manager.getRoleGrantDelay(roleId)).to.equal(this.oldDelay); - }); - }, - after: function self() { - self.mineDelay = true; - - it('returns the new role grant delay', async function () { - expect(await this.manager.getRoleGrantDelay(roleId)).to.equal(this.newDelay); - }); - }, - }); - }); - - it('returns 0 if delay is not set', async function () { - expect(await this.manager.getTargetAdminDelay(this.target)).to.equal(0n); - }); - }); - - describe('#getAccess', function () { - beforeEach('set role', function () { - this.role = { id: 9452n }; - this.caller = this.user; - }); - - testAsGetAccess({ - requiredRoleIsGranted: { - roleGrantingIsDelayed: { - callerHasAnExecutionDelay: { - beforeGrantDelay: function self() { - self.mineDelay = true; - - it('role is not in effect and execution delay is set', async function () { - const access = await this.manager.getAccess(this.role.id, this.caller); - expect(access[0]).to.equal(this.delayEffect); // inEffectSince - expect(access[1]).to.equal(this.executionDelay); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Not in effect yet - expect(await time.clock.timestamp()).to.lt(access[0]); - }); - }, - afterGrantDelay: function self() { - self.mineDelay = true; - - it('access has role in effect and execution delay is set', async function () { - const access = await this.manager.getAccess(this.role.id, this.caller); - - expect(access[0]).to.equal(this.delayEffect); // inEffectSince - expect(access[1]).to.equal(this.executionDelay); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Already in effect - expect(await time.clock.timestamp()).to.equal(access[0]); - }); - }, - }, - callerHasNoExecutionDelay: { - beforeGrantDelay: function self() { - self.mineDelay = true; - - it('access has role not in effect without execution delay', async function () { - const access = await this.manager.getAccess(this.role.id, this.caller); - expect(access[0]).to.equal(this.delayEffect); // inEffectSince - expect(access[1]).to.equal(0n); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Not in effect yet - expect(await time.clock.timestamp()).to.lt(access[0]); - }); - }, - afterGrantDelay: function self() { - self.mineDelay = true; - - it('role is in effect without execution delay', async function () { - const access = await this.manager.getAccess(this.role.id, this.caller); - expect(access[0]).to.equal(this.delayEffect); // inEffectSince - expect(access[1]).to.equal(0n); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Already in effect - expect(await time.clock.timestamp()).to.equal(access[0]); - }); - }, - }, - }, - roleGrantingIsNotDelayed: { - callerHasAnExecutionDelay() { - it('access has role in effect and execution delay is set', async function () { - const access = await this.manager.getAccess(this.role.id, this.caller); - expect(access[0]).to.equal(await time.clock.timestamp()); // inEffectSince - expect(access[1]).to.equal(this.executionDelay); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Already in effect - expect(await time.clock.timestamp()).to.equal(access[0]); - }); - }, - callerHasNoExecutionDelay() { - it('access has role in effect without execution delay', async function () { - const access = await this.manager.getAccess(this.role.id, this.caller); - expect(access[0]).to.equal(await time.clock.timestamp()); // inEffectSince - expect(access[1]).to.equal(0n); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Already in effect - expect(await time.clock.timestamp()).to.equal(access[0]); - }); - }, - }, - }, - requiredRoleIsNotGranted() { - it('has empty access', async function () { - const access = await this.manager.getAccess(this.role.id, this.caller); - expect(access[0]).to.equal(0n); // inEffectSince - expect(access[1]).to.equal(0n); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - }); - }, - }); - }); - - describe('#hasRole', function () { - beforeEach('setup testAsHasRole', function () { - this.role = { id: 49832n }; - this.calldata = '0x12345678'; - this.caller = this.user; - }); - - testAsHasRole({ - publicRoleIsRequired() { - it('has PUBLIC role', async function () { - const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); - expect(isMember).to.be.true; - expect(executionDelay).to.equal('0'); - }); - }, - specificRoleIsRequired: { - requiredRoleIsGranted: { - roleGrantingIsDelayed: { - callerHasAnExecutionDelay: { - beforeGrantDelay: function self() { - self.mineDelay = true; - - it('does not have role but execution delay', async function () { - const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); - expect(isMember).to.be.false; - expect(executionDelay).to.equal(this.executionDelay); - }); - }, - afterGrantDelay: function self() { - self.mineDelay = true; - - it('has role and execution delay', async function () { - const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); - expect(isMember).to.be.true; - expect(executionDelay).to.equal(this.executionDelay); - }); - }, - }, - callerHasNoExecutionDelay: { - beforeGrantDelay: function self() { - self.mineDelay = true; - - it('does not have role nor execution delay', async function () { - const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); - expect(isMember).to.be.false; - expect(executionDelay).to.equal('0'); - }); - }, - afterGrantDelay: function self() { - self.mineDelay = true; - - it('has role and no execution delay', async function () { - const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); - expect(isMember).to.be.true; - expect(executionDelay).to.equal('0'); - }); - }, - }, - }, - roleGrantingIsNotDelayed: { - callerHasAnExecutionDelay() { - it('has role and execution delay', async function () { - const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); - expect(isMember).to.be.true; - expect(executionDelay).to.equal(this.executionDelay); - }); - }, - callerHasNoExecutionDelay() { - it('has role and no execution delay', async function () { - const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); - expect(isMember).to.be.true; - expect(executionDelay).to.equal('0'); - }); - }, - }, - }, - requiredRoleIsNotGranted() { - it('has no role and no execution delay', async function () { - const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); - expect(isMember).to.be.false; - expect(executionDelay).to.equal('0'); - }); - }, - }, - }); - }); - - describe('#getSchedule', function () { - beforeEach('set role and calldata', async function () { - const fnRestricted = this.target.fnRestricted.getFragment().selector; - this.caller = this.user; - this.role = { id: 493590n }; - await this.manager.$_setTargetFunctionRole(this.target, fnRestricted, this.role.id); - await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // nonzero execution delay - - this.calldata = this.target.interface.encodeFunctionData(fnRestricted, []); - this.scheduleIn = time.duration.days(10); // For testAsSchedulableOperation - }); - - testAsSchedulableOperation({ - scheduled: { - before: function self() { - self.mineDelay = true; - - it('returns schedule in the future', async function () { - const schedule = await this.manager.getSchedule(this.operationId); - expect(schedule).to.equal(this.scheduledAt + this.scheduleIn); - expect(schedule).to.gt(await time.clock.timestamp()); - }); - }, - after: function self() { - self.mineDelay = true; - - it('returns schedule', async function () { - const schedule = await this.manager.getSchedule(this.operationId); - expect(schedule).to.equal(this.scheduledAt + this.scheduleIn); - expect(schedule).to.equal(await time.clock.timestamp()); - }); - }, - expired: function self() { - self.mineDelay = true; - - it('returns 0', async function () { - expect(await this.manager.getSchedule(this.operationId)).to.equal(0n); - }); - }, - }, - notScheduled() { - it('defaults to 0', async function () { - expect(await this.manager.getSchedule(this.operationId)).to.equal(0n); - }); - }, - }); - }); - - describe('#getNonce', function () { - describe('when operation is scheduled', function () { - beforeEach('schedule operation', async function () { - const fnRestricted = this.target.fnRestricted.getFragment().selector; - this.caller = this.user; - this.role = { id: 4209043n }; - await this.manager.$_setTargetFunctionRole(this.target, fnRestricted, this.role.id); - await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // nonzero execution delay - - this.calldata = this.target.interface.encodeFunctionData(fnRestricted, []); - this.delay = time.duration.days(10); - - const { operationId, schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - await schedule(); - this.operationId = operationId; - }); - - it('returns nonce', async function () { - expect(await this.manager.getNonce(this.operationId)).to.equal(1n); - }); - }); - - describe('when is not scheduled', function () { - it('returns default 0', async function () { - expect(await this.manager.getNonce(ethers.id('operation'))).to.equal(0n); - }); - }); - }); - - describe('#hashOperation', function () { - it('returns an operationId', async function () { - const args = [this.user, this.other, '0x123543']; - expect(await this.manager.hashOperation(...args)).to.equal(hashOperation(...args)); - }); - }); - }); - - describe('admin operations', function () { - beforeEach('set required role', function () { - this.role = this.roles.ADMIN; - }); - - describe('subject to a delay', function () { - describe('#labelRole', function () { - describe('restrictions', function () { - beforeEach('set method and args', function () { - const args = [123443, 'TEST']; - const method = this.manager.interface.getFunction('labelRole(uint64,string)'); - this.calldata = this.manager.interface.encodeFunctionData(method, args); - }); - - shouldBehaveLikeDelayedAdminOperation(); - }); - - it('emits an event with the label', async function () { - await expect(this.manager.connect(this.admin).labelRole(this.roles.SOME.id, 'Some label')) - .to.emit(this.manager, 'RoleLabel') - .withArgs(this.roles.SOME.id, 'Some label'); - }); - - it('updates label on a second call', async function () { - await this.manager.connect(this.admin).labelRole(this.roles.SOME.id, 'Some label'); - - await expect(this.manager.connect(this.admin).labelRole(this.roles.SOME.id, 'Updated label')) - .to.emit(this.manager, 'RoleLabel') - .withArgs(this.roles.SOME.id, 'Updated label'); - }); - - it('reverts labeling PUBLIC_ROLE', async function () { - await expect(this.manager.connect(this.admin).labelRole(this.roles.PUBLIC.id, 'Some label')) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') - .withArgs(this.roles.PUBLIC.id); - }); - - it('reverts labeling ADMIN_ROLE', async function () { - await expect(this.manager.connect(this.admin).labelRole(this.roles.ADMIN.id, 'Some label')) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') - .withArgs(this.roles.ADMIN.id); - }); - }); - - describe('#setRoleAdmin', function () { - describe('restrictions', function () { - beforeEach('set method and args', function () { - const args = [93445, 84532]; - const method = this.manager.interface.getFunction('setRoleAdmin(uint64,uint64)'); - this.calldata = this.manager.interface.encodeFunctionData(method, args); - }); - - shouldBehaveLikeDelayedAdminOperation(); - }); - - it("sets any role's admin if called by an admin", async function () { - expect(await this.manager.getRoleAdmin(this.roles.SOME.id)).to.equal(this.roles.SOME_ADMIN.id); - - await expect(this.manager.connect(this.admin).setRoleAdmin(this.roles.SOME.id, this.roles.ADMIN.id)) - .to.emit(this.manager, 'RoleAdminChanged') - .withArgs(this.roles.SOME.id, this.roles.ADMIN.id); - - expect(await this.manager.getRoleAdmin(this.roles.SOME.id)).to.equal(this.roles.ADMIN.id); - }); - - it('reverts setting PUBLIC_ROLE admin', async function () { - await expect(this.manager.connect(this.admin).setRoleAdmin(this.roles.PUBLIC.id, this.roles.ADMIN.id)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') - .withArgs(this.roles.PUBLIC.id); - }); - - it('reverts setting ADMIN_ROLE admin', async function () { - await expect(this.manager.connect(this.admin).setRoleAdmin(this.roles.ADMIN.id, this.roles.ADMIN.id)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') - .withArgs(this.roles.ADMIN.id); - }); - }); - - describe('#setRoleGuardian', function () { - describe('restrictions', function () { - beforeEach('set method and args', function () { - const args = [93445, 84532]; - const method = this.manager.interface.getFunction('setRoleGuardian(uint64,uint64)'); - this.calldata = this.manager.interface.encodeFunctionData(method, args); - }); - - shouldBehaveLikeDelayedAdminOperation(); - }); - - it("sets any role's guardian if called by an admin", async function () { - expect(await this.manager.getRoleGuardian(this.roles.SOME.id)).to.equal(this.roles.SOME_GUARDIAN.id); - - await expect(this.manager.connect(this.admin).setRoleGuardian(this.roles.SOME.id, this.roles.ADMIN.id)) - .to.emit(this.manager, 'RoleGuardianChanged') - .withArgs(this.roles.SOME.id, this.roles.ADMIN.id); - - expect(await this.manager.getRoleGuardian(this.roles.SOME.id)).to.equal(this.roles.ADMIN.id); - }); - - it('reverts setting PUBLIC_ROLE admin', async function () { - await expect(this.manager.connect(this.admin).setRoleGuardian(this.roles.PUBLIC.id, this.roles.ADMIN.id)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') - .withArgs(this.roles.PUBLIC.id); - }); - - it('reverts setting ADMIN_ROLE admin', async function () { - await expect(this.manager.connect(this.admin).setRoleGuardian(this.roles.ADMIN.id, this.roles.ADMIN.id)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') - .withArgs(this.roles.ADMIN.id); - }); - }); - - describe('#setGrantDelay', function () { - describe('restrictions', function () { - beforeEach('set method and args', function () { - const args = [984910, time.duration.days(2)]; - const method = this.manager.interface.getFunction('setGrantDelay(uint64,uint32)'); - this.calldata = this.manager.interface.encodeFunctionData(method, args); - }); - - shouldBehaveLikeDelayedAdminOperation(); - }); - - it('reverts setting grant delay for the PUBLIC_ROLE', async function () { - await expect(this.manager.connect(this.admin).setGrantDelay(this.roles.PUBLIC.id, 69n)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') - .withArgs(this.roles.PUBLIC.id); - }); - - describe('when increasing the delay', function () { - const oldDelay = 10n; - const newDelay = 100n; - - beforeEach('sets old delay', async function () { - this.role = this.roles.SOME; - await this.manager.$_setGrantDelay(this.role.id, oldDelay); - await time.increaseBy.timestamp(MINSETBACK); - expect(await this.manager.getRoleGrantDelay(this.role.id)).to.equal(oldDelay); - }); - - it('increases the delay after minsetback', async function () { - const txResponse = await this.manager.connect(this.admin).setGrantDelay(this.role.id, newDelay); - const setGrantDelayAt = await time.clockFromReceipt.timestamp(txResponse); - await expect(txResponse) - .to.emit(this.manager, 'RoleGrantDelayChanged') - .withArgs(this.role.id, newDelay, setGrantDelayAt + MINSETBACK); - - expect(await this.manager.getRoleGrantDelay(this.role.id)).to.equal(oldDelay); - await time.increaseBy.timestamp(MINSETBACK); - expect(await this.manager.getRoleGrantDelay(this.role.id)).to.equal(newDelay); - }); - }); - - describe('when reducing the delay', function () { - const oldDelay = time.duration.days(10); - - beforeEach('sets old delay', async function () { - this.role = this.roles.SOME; - await this.manager.$_setGrantDelay(this.role.id, oldDelay); - await time.increaseBy.timestamp(MINSETBACK); - expect(await this.manager.getRoleGrantDelay(this.role.id)).to.equal(oldDelay); - }); - - describe('when the delay difference is shorter than minimum setback', function () { - const newDelay = oldDelay - 1n; - - it('increases the delay after minsetback', async function () { - const txResponse = await this.manager.connect(this.admin).setGrantDelay(this.role.id, newDelay); - const setGrantDelayAt = await time.clockFromReceipt.timestamp(txResponse); - await expect(txResponse) - .to.emit(this.manager, 'RoleGrantDelayChanged') - .withArgs(this.role.id, newDelay, setGrantDelayAt + MINSETBACK); - - expect(await this.manager.getRoleGrantDelay(this.role.id)).to.equal(oldDelay); - await time.increaseBy.timestamp(MINSETBACK); - expect(await this.manager.getRoleGrantDelay(this.role.id)).to.equal(newDelay); - }); - }); - - describe('when the delay difference is longer than minimum setback', function () { - const newDelay = 1n; - - beforeEach('assert delay difference is higher than minsetback', function () { - expect(oldDelay - newDelay).to.gt(MINSETBACK); - }); - - it('increases the delay after delay difference', async function () { - const setback = oldDelay - newDelay; - - const txResponse = await this.manager.connect(this.admin).setGrantDelay(this.role.id, newDelay); - const setGrantDelayAt = await time.clockFromReceipt.timestamp(txResponse); - - await expect(txResponse) - .to.emit(this.manager, 'RoleGrantDelayChanged') - .withArgs(this.role.id, newDelay, setGrantDelayAt + setback); - - expect(await this.manager.getRoleGrantDelay(this.role.id)).to.equal(oldDelay); - await time.increaseBy.timestamp(setback); - expect(await this.manager.getRoleGrantDelay(this.role.id)).to.equal(newDelay); - }); - }); - }); - }); - - describe('#setTargetAdminDelay', function () { - describe('restrictions', function () { - beforeEach('set method and args', function () { - const args = [this.other.address, time.duration.days(3)]; - const method = this.manager.interface.getFunction('setTargetAdminDelay(address,uint32)'); - this.calldata = this.manager.interface.encodeFunctionData(method, args); - }); - - shouldBehaveLikeDelayedAdminOperation(); - }); - - describe('when increasing the delay', function () { - const oldDelay = time.duration.days(10); - const newDelay = time.duration.days(11); - - beforeEach('sets old delay', async function () { - await this.manager.$_setTargetAdminDelay(this.other, oldDelay); - await time.increaseBy.timestamp(MINSETBACK); - expect(await this.manager.getTargetAdminDelay(this.other)).to.equal(oldDelay); - }); - - it('increases the delay after minsetback', async function () { - const txResponse = await this.manager.connect(this.admin).setTargetAdminDelay(this.other, newDelay); - const setTargetAdminDelayAt = await time.clockFromReceipt.timestamp(txResponse); - await expect(txResponse) - .to.emit(this.manager, 'TargetAdminDelayUpdated') - .withArgs(this.other, newDelay, setTargetAdminDelayAt + MINSETBACK); - - expect(await this.manager.getTargetAdminDelay(this.other)).to.equal(oldDelay); - await time.increaseBy.timestamp(MINSETBACK); - expect(await this.manager.getTargetAdminDelay(this.other)).to.equal(newDelay); - }); - }); - - describe('when reducing the delay', function () { - const oldDelay = time.duration.days(10); - - beforeEach('sets old delay', async function () { - await this.manager.$_setTargetAdminDelay(this.other, oldDelay); - await time.increaseBy.timestamp(MINSETBACK); - expect(await this.manager.getTargetAdminDelay(this.other)).to.equal(oldDelay); - }); - - describe('when the delay difference is shorter than minimum setback', function () { - const newDelay = oldDelay - 1n; - - it('increases the delay after minsetback', async function () { - const txResponse = await this.manager.connect(this.admin).setTargetAdminDelay(this.other, newDelay); - const setTargetAdminDelayAt = await time.clockFromReceipt.timestamp(txResponse); - await expect(txResponse) - .to.emit(this.manager, 'TargetAdminDelayUpdated') - .withArgs(this.other, newDelay, setTargetAdminDelayAt + MINSETBACK); - - expect(await this.manager.getTargetAdminDelay(this.other)).to.equal(oldDelay); - await time.increaseBy.timestamp(MINSETBACK); - expect(await this.manager.getTargetAdminDelay(this.other)).to.equal(newDelay); - }); - }); - - describe('when the delay difference is longer than minimum setback', function () { - const newDelay = 1n; - - beforeEach('assert delay difference is higher than minsetback', function () { - expect(oldDelay - newDelay).to.gt(MINSETBACK); - }); - - it('increases the delay after delay difference', async function () { - const setback = oldDelay - newDelay; - - const txResponse = await this.manager.connect(this.admin).setTargetAdminDelay(this.other, newDelay); - const setTargetAdminDelayAt = await time.clockFromReceipt.timestamp(txResponse); - - await expect(txResponse) - .to.emit(this.manager, 'TargetAdminDelayUpdated') - .withArgs(this.other, newDelay, setTargetAdminDelayAt + setback); - - expect(await this.manager.getTargetAdminDelay(this.other)).to.equal(oldDelay); - await time.increaseBy.timestamp(setback); - expect(await this.manager.getTargetAdminDelay(this.other)).to.equal(newDelay); - }); - }); - }); - }); - }); - - describe('not subject to a delay', function () { - describe('#updateAuthority', function () { - beforeEach('create a target and a new authority', async function () { - this.newAuthority = await ethers.deployContract('$AccessManager', [this.admin]); - this.newManagedTarget = await ethers.deployContract('$AccessManagedTarget', [this.manager]); - }); - - describe('restrictions', function () { - beforeEach('set method and args', function () { - this.calldata = this.manager.interface.encodeFunctionData('updateAuthority(address,address)', [ - this.newManagedTarget.target, - this.newAuthority.target, - ]); - }); - - shouldBehaveLikeNotDelayedAdminOperation(); - }); - - it('changes the authority', async function () { - expect(await this.newManagedTarget.authority()).to.equal(this.manager); - - await expect(this.manager.connect(this.admin).updateAuthority(this.newManagedTarget, this.newAuthority)) - .to.emit(this.newManagedTarget, 'AuthorityUpdated') // Managed contract is responsible of notifying the change through an event - .withArgs(this.newAuthority); - - expect(await this.newManagedTarget.authority()).to.equal(this.newAuthority); - }); - }); - - describe('#setTargetClosed', function () { - describe('restrictions', function () { - beforeEach('set method and args', function () { - const args = [this.other.address, true]; - const method = this.manager.interface.getFunction('setTargetClosed(address,bool)'); - this.calldata = this.manager.interface.encodeFunctionData(method, args); - }); - - shouldBehaveLikeNotDelayedAdminOperation(); - }); - - it('closes and opens a target', async function () { - await expect(this.manager.connect(this.admin).setTargetClosed(this.target, true)) - .to.emit(this.manager, 'TargetClosed') - .withArgs(this.target, true); - expect(await this.manager.isTargetClosed(this.target)).to.be.true; - - await expect(this.manager.connect(this.admin).setTargetClosed(this.target, false)) - .to.emit(this.manager, 'TargetClosed') - .withArgs(this.target, false); - expect(await this.manager.isTargetClosed(this.target)).to.be.false; - }); - - describe('when the target is the manager', async function () { - it('closes and opens the manager', async function () { - await expect(this.manager.connect(this.admin).setTargetClosed(this.manager, true)) - .to.emit(this.manager, 'TargetClosed') - .withArgs(this.manager, true); - expect(await this.manager.isTargetClosed(this.manager)).to.be.true; - - await expect(this.manager.connect(this.admin).setTargetClosed(this.manager, false)) - .to.emit(this.manager, 'TargetClosed') - .withArgs(this.manager, false); - expect(await this.manager.isTargetClosed(this.manager)).to.be.false; - }); - }); - }); - - describe('#setTargetFunctionRole', function () { - describe('restrictions', function () { - beforeEach('set method and args', function () { - const args = [this.other.address, ['0x12345678'], 443342]; - const method = this.manager.interface.getFunction('setTargetFunctionRole(address,bytes4[],uint64)'); - this.calldata = this.manager.interface.encodeFunctionData(method, args); - }); - - shouldBehaveLikeNotDelayedAdminOperation(); - }); - - const sigs = ['someFunction()', 'someOtherFunction(uint256)', 'oneMoreFunction(address,uint8)'].map(selector); - - it('sets function roles', async function () { - for (const sig of sigs) { - expect(await this.manager.getTargetFunctionRole(this.target, sig)).to.equal(this.roles.ADMIN.id); - } - - const allowRole = await this.manager - .connect(this.admin) - .setTargetFunctionRole(this.target, sigs, this.roles.SOME.id); - - for (const sig of sigs) { - await expect(allowRole) - .to.emit(this.manager, 'TargetFunctionRoleUpdated') - .withArgs(this.target, sig, this.roles.SOME.id); - expect(await this.manager.getTargetFunctionRole(this.target, sig)).to.equal(this.roles.SOME.id); - } - - await expect( - this.manager.connect(this.admin).setTargetFunctionRole(this.target, [sigs[1]], this.roles.SOME_ADMIN.id), - ) - .to.emit(this.manager, 'TargetFunctionRoleUpdated') - .withArgs(this.target, sigs[1], this.roles.SOME_ADMIN.id); - - for (const sig of sigs) { - expect(await this.manager.getTargetFunctionRole(this.target, sig)).to.equal( - sig == sigs[1] ? this.roles.SOME_ADMIN.id : this.roles.SOME.id, - ); - } - }); - }); - - describe('role admin operations', function () { - const ANOTHER_ADMIN = 0xdeadc0de1n; - const ANOTHER_ROLE = 0xdeadc0de2n; - - beforeEach('set required role', async function () { - // Make admin a member of ANOTHER_ADMIN - await this.manager.$_grantRole(ANOTHER_ADMIN, this.admin, 0, 0); - await this.manager.$_setRoleAdmin(ANOTHER_ROLE, ANOTHER_ADMIN); - - this.role = { id: ANOTHER_ADMIN }; - await this.manager.$_grantRole(this.role.id, this.user, 0, 0); - }); - - describe('#grantRole', function () { - describe('restrictions', function () { - beforeEach('set method and args', function () { - const args = [ANOTHER_ROLE, this.other.address, 0]; - const method = this.manager.interface.getFunction('grantRole(uint64,address,uint32)'); - this.calldata = this.manager.interface.encodeFunctionData(method, args); - }); - - shouldBehaveLikeRoleAdminOperation(ANOTHER_ADMIN); - }); - - it('reverts when granting PUBLIC_ROLE', async function () { - await expect(this.manager.connect(this.admin).grantRole(this.roles.PUBLIC.id, this.user, 0)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') - .withArgs(this.roles.PUBLIC.id); - }); - - describe('when the user is not a role member', function () { - describe('with grant delay', function () { - beforeEach('set grant delay and grant role', async function () { - // Delay granting - this.grantDelay = time.duration.weeks(2); - await this.manager.$_setGrantDelay(ANOTHER_ROLE, this.grantDelay); - await time.increaseBy.timestamp(MINSETBACK); - - // Grant role - this.executionDelay = time.duration.days(3); - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - false, - '0', - ]); - - this.txResponse = await this.manager - .connect(this.admin) - .grantRole(ANOTHER_ROLE, this.user, this.executionDelay); - this.delay = this.grantDelay; // For testAsDelay - }); - - testAsDelay('grant', { - before: function self() { - self.mineDelay = true; - - it('does not grant role to the user yet', async function () { - const timestamp = await time.clockFromReceipt.timestamp(this.txResponse); - await expect(this.txResponse) - .to.emit(this.manager, 'RoleGranted') - .withArgs(ANOTHER_ROLE, this.user, this.executionDelay, timestamp + this.grantDelay, true); - - // Access is correctly stored - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - expect(access[0]).to.equal(timestamp + this.grantDelay); // inEffectSince - expect(access[1]).to.equal(this.executionDelay); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Not in effect yet - const currentTimestamp = await time.clock.timestamp(); - expect(currentTimestamp).to.be.lt(access[0]); - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - false, - this.executionDelay.toString(), - ]); - }); - }, - after: function self() { - self.mineDelay = true; - - it('grants role to the user', async function () { - const timestamp = await time.clockFromReceipt.timestamp(this.txResponse); - await expect(this.txResponse) - .to.emit(this.manager, 'RoleGranted') - .withArgs(ANOTHER_ROLE, this.user, this.executionDelay, timestamp + this.grantDelay, true); - - // Access is correctly stored - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - expect(access[0]).to.equal(timestamp + this.grantDelay); // inEffectSince - expect(access[1]).to.equal(this.executionDelay); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Already in effect - const currentTimestamp = await time.clock.timestamp(); - expect(currentTimestamp).to.equal(access[0]); - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - true, - this.executionDelay.toString(), - ]); - }); - }, - }); - }); - - describe('without grant delay', function () { - beforeEach('set granting delay', async function () { - // Delay granting - this.grantDelay = 0; - await this.manager.$_setGrantDelay(ANOTHER_ROLE, this.grantDelay); - await time.increaseBy.timestamp(MINSETBACK); - }); - - it('immediately grants the role to the user', async function () { - const executionDelay = time.duration.days(6); - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - false, - '0', - ]); - const txResponse = await this.manager - .connect(this.admin) - .grantRole(ANOTHER_ROLE, this.user, executionDelay); - const grantedAt = await time.clockFromReceipt.timestamp(txResponse); - await expect(txResponse) - .to.emit(this.manager, 'RoleGranted') - .withArgs(ANOTHER_ROLE, this.user, executionDelay, grantedAt, true); - - // Access is correctly stored - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - expect(access[0]).to.equal(grantedAt); // inEffectSince - expect(access[1]).to.equal(executionDelay); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Already in effect - const currentTimestamp = await time.clock.timestamp(); - expect(currentTimestamp).to.equal(access[0]); - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - true, - executionDelay.toString(), - ]); - }); - }); - }); - - describe('when the user is already a role member', function () { - beforeEach('make user role member', async function () { - this.previousExecutionDelay = time.duration.days(6); - await this.manager.$_grantRole(ANOTHER_ROLE, this.user, 0, this.previousExecutionDelay); - this.oldAccess = await this.manager.getAccess(ANOTHER_ROLE, this.user); - }); - - describe('with grant delay', function () { - beforeEach('set granting delay', async function () { - // Delay granting - const grantDelay = time.duration.weeks(2); - await this.manager.$_setGrantDelay(ANOTHER_ROLE, grantDelay); - await time.increaseBy.timestamp(MINSETBACK); - }); - - describe('when increasing the execution delay', function () { - beforeEach('set increased new execution delay', async function () { - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - true, - this.previousExecutionDelay.toString(), - ]); - - this.newExecutionDelay = this.previousExecutionDelay + time.duration.days(4); - }); - - it('emits event and immediately changes the execution delay', async function () { - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - true, - this.previousExecutionDelay.toString(), - ]); - const txResponse = await this.manager - .connect(this.admin) - .grantRole(ANOTHER_ROLE, this.user, this.newExecutionDelay); - const timestamp = await time.clockFromReceipt.timestamp(txResponse); - - await expect(txResponse) - .to.emit(this.manager, 'RoleGranted') - .withArgs(ANOTHER_ROLE, this.user, this.newExecutionDelay, timestamp, false); - - // Access is correctly stored - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince - expect(access[1]).to.equal(this.newExecutionDelay); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Already in effect - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - true, - this.newExecutionDelay.toString(), - ]); - }); - }); - - describe('when decreasing the execution delay', function () { - beforeEach('decrease execution delay', async function () { - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - true, - this.previousExecutionDelay.toString(), - ]); - - this.newExecutionDelay = this.previousExecutionDelay - time.duration.days(4); - this.txResponse = await this.manager - .connect(this.admin) - .grantRole(ANOTHER_ROLE, this.user, this.newExecutionDelay); - this.grantTimestamp = await time.clockFromReceipt.timestamp(this.txResponse); - - this.delay = this.previousExecutionDelay - this.newExecutionDelay; // For testAsDelay - }); - - it('emits event', async function () { - await expect(this.txResponse) - .to.emit(this.manager, 'RoleGranted') - .withArgs(ANOTHER_ROLE, this.user, this.newExecutionDelay, this.grantTimestamp + this.delay, false); - }); - - testAsDelay('execution delay effect', { - before: function self() { - self.mineDelay = true; - - it('does not change the execution delay yet', async function () { - // Access is correctly stored - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince - expect(access[1]).to.equal(this.previousExecutionDelay); // currentDelay - expect(access[2]).to.equal(this.newExecutionDelay); // pendingDelay - expect(access[3]).to.equal(this.grantTimestamp + this.delay); // pendingDelayEffect - - // Not in effect yet - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - true, - this.previousExecutionDelay.toString(), - ]); - }); - }, - after: function self() { - self.mineDelay = true; - - it('changes the execution delay', async function () { - // Access is correctly stored - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - - expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince - expect(access[1]).to.equal(this.newExecutionDelay); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Already in effect - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - true, - this.newExecutionDelay.toString(), - ]); - }); - }, - }); - }); - }); - - describe('without grant delay', function () { - beforeEach('set granting delay', async function () { - // Delay granting - const grantDelay = 0; - await this.manager.$_setGrantDelay(ANOTHER_ROLE, grantDelay); - await time.increaseBy.timestamp(MINSETBACK); - }); - - describe('when increasing the execution delay', function () { - beforeEach('set increased new execution delay', async function () { - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - true, - this.previousExecutionDelay.toString(), - ]); - - this.newExecutionDelay = this.previousExecutionDelay + time.duration.days(4); - }); - - it('emits event and immediately changes the execution delay', async function () { - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - true, - this.previousExecutionDelay.toString(), - ]); - const txResponse = await this.manager - .connect(this.admin) - .grantRole(ANOTHER_ROLE, this.user, this.newExecutionDelay); - const timestamp = await time.clockFromReceipt.timestamp(txResponse); - - await expect(txResponse) - .to.emit(this.manager, 'RoleGranted') - .withArgs(ANOTHER_ROLE, this.user, this.newExecutionDelay, timestamp, false); - - // Access is correctly stored - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince - expect(access[1]).to.equal(this.newExecutionDelay); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Already in effect - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - true, - this.newExecutionDelay.toString(), - ]); - }); - }); - - describe('when decreasing the execution delay', function () { - beforeEach('decrease execution delay', async function () { - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - true, - this.previousExecutionDelay.toString(), - ]); - - this.newExecutionDelay = this.previousExecutionDelay - time.duration.days(4); - this.txResponse = await this.manager - .connect(this.admin) - .grantRole(ANOTHER_ROLE, this.user, this.newExecutionDelay); - this.grantTimestamp = await time.clockFromReceipt.timestamp(this.txResponse); - - this.delay = this.previousExecutionDelay - this.newExecutionDelay; // For testAsDelay - }); - - it('emits event', async function () { - await expect(this.txResponse) - .to.emit(this.manager, 'RoleGranted') - .withArgs(ANOTHER_ROLE, this.user, this.newExecutionDelay, this.grantTimestamp + this.delay, false); - }); - - testAsDelay('execution delay effect', { - before: function self() { - self.mineDelay = true; - - it('does not change the execution delay yet', async function () { - // Access is correctly stored - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince - expect(access[1]).to.equal(this.previousExecutionDelay); // currentDelay - expect(access[2]).to.equal(this.newExecutionDelay); // pendingDelay - expect(access[3]).to.equal(this.grantTimestamp + this.delay); // pendingDelayEffect - - // Not in effect yet - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - true, - this.previousExecutionDelay.toString(), - ]); - }); - }, - after: function self() { - self.mineDelay = true; - - it('changes the execution delay', async function () { - // Access is correctly stored - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - - expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince - expect(access[1]).to.equal(this.newExecutionDelay); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Already in effect - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - true, - this.newExecutionDelay.toString(), - ]); - }); - }, - }); - }); - }); - }); - }); - - describe('#revokeRole', function () { - describe('restrictions', function () { - beforeEach('set method and args', async function () { - const args = [ANOTHER_ROLE, this.other.address]; - const method = this.manager.interface.getFunction('revokeRole(uint64,address)'); - this.calldata = this.manager.interface.encodeFunctionData(method, args); - - // Need to be set before revoking - await this.manager.$_grantRole(...args, 0, 0); - }); - - shouldBehaveLikeRoleAdminOperation(ANOTHER_ADMIN); - }); - - describe('when role has been granted', function () { - beforeEach('grant role with grant delay', async function () { - this.grantDelay = time.duration.weeks(1); - await this.manager.$_grantRole(ANOTHER_ROLE, this.user, this.grantDelay, 0); - - this.delay = this.grantDelay; // For testAsDelay - }); - - testAsDelay('grant', { - before: function self() { - self.mineDelay = true; - - it('revokes a granted role that will take effect in the future', async function () { - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - false, - '0', - ]); - - await expect(this.manager.connect(this.admin).revokeRole(ANOTHER_ROLE, this.user)) - .to.emit(this.manager, 'RoleRevoked') - .withArgs(ANOTHER_ROLE, this.user); - - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - false, - '0', - ]); - - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - expect(access[0]).to.equal(0n); // inRoleSince - expect(access[1]).to.equal(0n); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // effect - }); - }, - after: function self() { - self.mineDelay = true; - - it('revokes a granted role that already took effect', async function () { - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - true, - '0', - ]); - - await expect(this.manager.connect(this.admin).revokeRole(ANOTHER_ROLE, this.user)) - .to.emit(this.manager, 'RoleRevoked') - .withArgs(ANOTHER_ROLE, this.user); - - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - false, - '0', - ]); - - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - expect(access[0]).to.equal(0n); // inRoleSince - expect(access[1]).to.equal(0n); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // effect - }); - }, - }); - }); - - describe('when role has not been granted', function () { - it('has no effect', async function () { - expect(await this.manager.hasRole(this.roles.SOME.id, this.user).then(formatAccess)).to.be.deep.equal([ - false, - '0', - ]); - await expect(this.manager.connect(this.roleAdmin).revokeRole(this.roles.SOME.id, this.user)).to.not.emit( - this.manager, - 'RoleRevoked', - ); - expect(await this.manager.hasRole(this.roles.SOME.id, this.user).then(formatAccess)).to.be.deep.equal([ - false, - '0', - ]); - }); - }); - - it('reverts revoking PUBLIC_ROLE', async function () { - await expect(this.manager.connect(this.admin).revokeRole(this.roles.PUBLIC.id, this.user)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') - .withArgs(this.roles.PUBLIC.id); - }); - }); - }); - - describe('self role operations', function () { - describe('#renounceRole', function () { - beforeEach('grant role', async function () { - this.role = { id: 783164n }; - this.caller = this.user; - await this.manager.$_grantRole(this.role.id, this.caller, 0, 0); - }); - - it('renounces a role', async function () { - expect(await this.manager.hasRole(this.role.id, this.caller).then(formatAccess)).to.be.deep.equal([ - true, - '0', - ]); - await expect(this.manager.connect(this.caller).renounceRole(this.role.id, this.caller)) - .to.emit(this.manager, 'RoleRevoked') - .withArgs(this.role.id, this.caller); - expect(await this.manager.hasRole(this.role.id, this.caller).then(formatAccess)).to.be.deep.equal([ - false, - '0', - ]); - }); - - it('reverts if renouncing the PUBLIC_ROLE', async function () { - await expect(this.manager.connect(this.caller).renounceRole(this.roles.PUBLIC.id, this.caller)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') - .withArgs(this.roles.PUBLIC.id); - }); - - it('reverts if renouncing with bad caller confirmation', async function () { - await expect( - this.manager.connect(this.caller).renounceRole(this.role.id, this.other), - ).to.be.revertedWithCustomError(this.manager, 'AccessManagerBadConfirmation'); - }); - }); - }); - }); - }); - - describe('access managed self operations', function () { - describe('when calling a restricted target function', function () { - const method = 'fnRestricted()'; - - beforeEach('set required role', async function () { - this.role = { id: 785913n }; - await this.manager.$_setTargetFunctionRole( - this.manager, - this.manager[method].getFragment().selector, - this.role.id, - ); - }); - - describe('restrictions', function () { - beforeEach('set method and args', function () { - this.caller = this.user; - this.calldata = this.manager.interface.encodeFunctionData(method, []); - }); - - shouldBehaveLikeASelfRestrictedOperation(); - }); - - it('succeeds called by a role member', async function () { - await this.manager.$_grantRole(this.role.id, this.user, 0, 0); - - await expect(this.manager.connect(this.user)[method]()) - .to.emit(this.manager, 'CalledRestricted') - .withArgs(this.user); - }); - }); - - describe('when calling a non-restricted target function', function () { - const method = 'fnUnrestricted()'; - - beforeEach('set required role', async function () { - this.role = { id: 879435n }; - await this.manager.$_setTargetFunctionRole( - this.manager, - this.manager[method].getFragment().selector, - this.role.id, - ); - }); - - it('succeeds called by anyone', async function () { - await expect(this.manager.connect(this.user)[method]()) - .to.emit(this.manager, 'CalledUnrestricted') - .withArgs(this.user); - }); - }); - }); - - describe('access managed target operations', function () { - describe('when calling a restricted target function', function () { - const method = 'fnRestricted()'; - - beforeEach('set required role', async function () { - this.role = { id: 3597243n }; - await this.manager.$_setTargetFunctionRole( - this.target, - this.target[method].getFragment().selector, - this.role.id, - ); - }); - - describe('restrictions', function () { - beforeEach('set method and args', function () { - this.caller = this.user; - this.calldata = this.target.interface.encodeFunctionData(method, []); - }); - - shouldBehaveLikeAManagedRestrictedOperation(); - }); - - it('succeeds called by a role member', async function () { - await this.manager.$_grantRole(this.role.id, this.user, 0, 0); - - await expect(this.target.connect(this.user)[method]()) - .to.emit(this.target, 'CalledRestricted') - .withArgs(this.user); - }); - }); - - describe('when calling a non-restricted target function', function () { - const method = 'fnUnrestricted()'; - - beforeEach('set required role', async function () { - this.role = { id: 879435n }; - await this.manager.$_setTargetFunctionRole( - this.target, - this.target[method].getFragment().selector, - this.role.id, - ); - }); - - it('succeeds called by anyone', async function () { - await expect(this.target.connect(this.user)[method]()) - .to.emit(this.target, 'CalledUnrestricted') - .withArgs(this.user); - }); - }); - }); - - describe('#schedule', function () { - beforeEach('set target function role', async function () { - this.method = this.target.fnRestricted.getFragment(); - this.role = { id: 498305n }; - this.caller = this.user; - - await this.manager.$_setTargetFunctionRole(this.target, this.method.selector, this.role.id); - await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // nonzero execution delay - - this.calldata = this.target.interface.encodeFunctionData(this.method, []); - this.delay = time.duration.weeks(2); - }); - - describe('restrictions', function () { - testAsCanCall({ - closed() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - const { schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - await expect(schedule()) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - open: { - callerIsTheManager: { - executing() { - it.skip('is not reachable because schedule is not restrictable'); - }, - notExecuting() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - const { schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - await expect(schedule()) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - }, - callerIsNotTheManager: { - publicRoleIsRequired() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - // prepareOperation is not used here because it alters the next block timestamp - await expect(this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - specificRoleIsRequired: { - requiredRoleIsGranted: { - roleGrantingIsDelayed: { - callerHasAnExecutionDelay: { - beforeGrantDelay() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - // prepareOperation is not used here because it alters the next block timestamp - await expect(this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - afterGrantDelay() { - it('succeeds', async function () { - // prepareOperation is not used here because it alters the next block timestamp - await this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48); - }); - }, - }, - callerHasNoExecutionDelay: { - beforeGrantDelay() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - // prepareOperation is not used here because it alters the next block timestamp - await expect(this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - afterGrantDelay() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - // prepareOperation is not used here because it alters the next block timestamp - await expect(this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - }, - }, - roleGrantingIsNotDelayed: { - callerHasAnExecutionDelay() { - it('succeeds', async function () { - const { schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - - await schedule(); - }); - }, - callerHasNoExecutionDelay() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - // prepareOperation is not used here because it alters the next block timestamp - await expect(this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - }, - }, - requiredRoleIsNotGranted() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - const { schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - await expect(schedule()) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - }, - }, - }, - }); - }); - - it('schedules an operation at the specified execution date if it is larger than caller execution delay', async function () { - const { operationId, scheduledAt, schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - - const txResponse = await schedule(); - - expect(await this.manager.getSchedule(operationId)).to.equal(scheduledAt + this.delay); - await expect(txResponse) - .to.emit(this.manager, 'OperationScheduled') - .withArgs(operationId, '1', scheduledAt + this.delay, this.caller, this.target, this.calldata); - }); - - it('schedules an operation at the minimum execution date if no specified execution date (when == 0)', async function () { - const executionDelay = await time.duration.hours(72); - await this.manager.$_grantRole(this.role.id, this.caller, 0, executionDelay); - - const txResponse = await this.manager.connect(this.caller).schedule(this.target, this.calldata, 0); - const scheduledAt = await time.clockFromReceipt.timestamp(txResponse); - - const operationId = await this.manager.hashOperation(this.caller, this.target, this.calldata); - - expect(await this.manager.getSchedule(operationId)).to.equal(scheduledAt + executionDelay); - await expect(txResponse) - .to.emit(this.manager, 'OperationScheduled') - .withArgs(operationId, '1', scheduledAt + executionDelay, this.caller, this.target, this.calldata); - }); - - it('increases the nonce of an operation scheduled more than once', async function () { - // Setup and check initial nonce - const expectedOperationId = hashOperation(this.caller, this.target, this.calldata); - expect(await this.manager.getNonce(expectedOperationId)).to.equal('0'); - - // Schedule - const op1 = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - await expect(op1.schedule()) - .to.emit(this.manager, 'OperationScheduled') - .withArgs(op1.operationId, 1n, op1.scheduledAt + this.delay, this.caller, this.target, this.calldata); - expect(expectedOperationId).to.equal(op1.operationId); - - // Consume - await time.increaseBy.timestamp(this.delay); - await this.manager.$_consumeScheduledOp(expectedOperationId); - - // Check nonce - expect(await this.manager.getNonce(expectedOperationId)).to.equal('1'); - - // Schedule again - const op2 = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - await expect(op2.schedule()) - .to.emit(this.manager, 'OperationScheduled') - .withArgs(op2.operationId, 2n, op2.scheduledAt + this.delay, this.caller, this.target, this.calldata); - expect(expectedOperationId).to.equal(op2.operationId); - - // Check final nonce - expect(await this.manager.getNonce(expectedOperationId)).to.equal('2'); - }); - - it('reverts if the specified execution date is before the current timestamp + caller execution delay', async function () { - const executionDelay = time.duration.weeks(1) + this.delay; - await this.manager.$_grantRole(this.role.id, this.caller, 0, executionDelay); - - const { schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - - await expect(schedule()) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - - it('reverts if an operation is already schedule', async function () { - const op1 = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - - await op1.schedule(); - - const op2 = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - - await expect(op2.schedule()) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerAlreadyScheduled') - .withArgs(op1.operationId); - }); - - it('panics scheduling calldata with less than 4 bytes', async function () { - const calldata = '0x1234'; // 2 bytes - - // Managed contract - const op1 = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: calldata, - delay: this.delay, - }); - await expect(op1.schedule()).to.be.revertedWithoutReason(); - - // Manager contract - const op2 = await prepareOperation(this.manager, { - caller: this.caller, - target: this.manager, - calldata: calldata, - delay: this.delay, - }); - await expect(op2.schedule()).to.be.revertedWithoutReason(); - }); - - it('reverts scheduling an unknown operation to the manager', async function () { - const calldata = '0x12345678'; - - const { schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.manager, - calldata, - delay: this.delay, - }); - - await expect(schedule()) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.manager, calldata); - }); - }); - - describe('#execute', function () { - beforeEach('set target function role', async function () { - this.method = this.target.fnRestricted.getFragment(); - this.role = { id: 9825430n }; - this.caller = this.user; - - await this.manager.$_setTargetFunctionRole(this.target, this.method.selector, this.role.id); - await this.manager.$_grantRole(this.role.id, this.caller, 0, 0); - - this.calldata = this.target.interface.encodeFunctionData(this.method, []); - }); - - describe('restrictions', function () { - testAsCanCall({ - closed() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - open: { - callerIsTheManager: { - executing() { - it('succeeds', async function () { - await this.manager.connect(this.caller).execute(this.target, this.calldata); - }); - }, - notExecuting() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - }, - callerIsNotTheManager: { - publicRoleIsRequired() { - it('succeeds', async function () { - await this.manager.connect(this.caller).execute(this.target, this.calldata); - }); - }, - specificRoleIsRequired: { - requiredRoleIsGranted: { - roleGrantingIsDelayed: { - callerHasAnExecutionDelay: { - beforeGrantDelay() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - afterGrantDelay: function self() { - self.mineDelay = true; - - beforeEach('define schedule delay', function () { - this.scheduleIn = time.duration.days(21); // For testAsSchedulableOperation - }); - - testAsSchedulableOperation(LIKE_COMMON_SCHEDULABLE); - }, - }, - callerHasNoExecutionDelay: { - beforeGrantDelay() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - afterGrantDelay: function self() { - self.mineDelay = true; - - it('succeeds', async function () { - await this.manager.connect(this.caller).execute(this.target, this.calldata); - }); - }, - }, - }, - roleGrantingIsNotDelayed: { - callerHasAnExecutionDelay() { - beforeEach('define schedule delay', function () { - this.scheduleIn = time.duration.days(15); // For testAsSchedulableOperation - }); - - testAsSchedulableOperation(LIKE_COMMON_SCHEDULABLE); - }, - callerHasNoExecutionDelay() { - it('succeeds', async function () { - await this.manager.connect(this.caller).execute(this.target, this.calldata); - }); - }, - }, - }, - requiredRoleIsNotGranted() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - }, - }, - }, - }); - }); - - it('executes with a delay consuming the scheduled operation', async function () { - const delay = time.duration.hours(4); - await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // Execution delay is needed so the operation is consumed - - const { operationId, schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay, - }); - await schedule(); - await time.increaseBy.timestamp(delay); - await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) - .to.emit(this.manager, 'OperationExecuted') - .withArgs(operationId, 1n); - - expect(await this.manager.getSchedule(operationId)).to.equal(0n); - }); - - it('executes with no delay consuming a scheduled operation', async function () { - const delay = time.duration.hours(4); - - // give caller an execution delay - await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); - - const { operationId, schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay, - }); - await schedule(); - - // remove the execution delay - await this.manager.$_grantRole(this.role.id, this.caller, 0, 0); - - await time.increaseBy.timestamp(delay); - await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) - .to.emit(this.manager, 'OperationExecuted') - .withArgs(operationId, 1n); - - expect(await this.manager.getSchedule(operationId)).to.equal(0n); - }); - - it('keeps the original _executionId after finishing the call', async function () { - const executionIdBefore = await ethers.provider.getStorage(this.manager, EXECUTION_ID_STORAGE_SLOT); - await this.manager.connect(this.caller).execute(this.target, this.calldata); - const executionIdAfter = await ethers.provider.getStorage(this.manager, EXECUTION_ID_STORAGE_SLOT); - expect(executionIdBefore).to.equal(executionIdAfter); - }); - - it('reverts executing twice', async function () { - const delay = time.duration.hours(2); - await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // Execution delay is needed so the operation is consumed - - const { operationId, schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay, - }); - await schedule(); - await time.increaseBy.timestamp(delay); - await this.manager.connect(this.caller).execute(this.target, this.calldata); - await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerNotScheduled') - .withArgs(operationId); - }); - }); - - describe('#consumeScheduledOp', function () { - beforeEach('define scheduling parameters', async function () { - const method = this.target.fnRestricted.getFragment(); - this.caller = await ethers.getSigner(this.target.target); - await impersonate(this.caller.address); - this.calldata = this.target.interface.encodeFunctionData(method, []); - this.role = { id: 9834983n }; - - await this.manager.$_setTargetFunctionRole(this.target, method.selector, this.role.id); - await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // nonzero execution delay - - this.scheduleIn = time.duration.hours(10); // For testAsSchedulableOperation - }); - - describe('when caller is not consuming scheduled operation', function () { - beforeEach('set consuming false', async function () { - await this.target.setIsConsumingScheduledOp(false, ethers.toBeHex(CONSUMING_SCHEDULE_STORAGE_SLOT, 32)); - }); - - it('reverts as AccessManagerUnauthorizedConsume', async function () { - await expect(this.manager.connect(this.caller).consumeScheduledOp(this.caller, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedConsume') - .withArgs(this.caller); - }); - }); - - describe('when caller is consuming scheduled operation', function () { - beforeEach('set consuming true', async function () { - await this.target.setIsConsumingScheduledOp(true, ethers.toBeHex(CONSUMING_SCHEDULE_STORAGE_SLOT, 32)); - }); - - testAsSchedulableOperation({ - scheduled: { - before() { - it('reverts as AccessManagerNotReady', async function () { - await expect(this.manager.connect(this.caller).consumeScheduledOp(this.caller, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerNotReady') - .withArgs(this.operationId); - }); - }, - after() { - it('consumes the scheduled operation and resets timepoint', async function () { - expect(await this.manager.getSchedule(this.operationId)).to.equal(this.scheduledAt + this.scheduleIn); - - await expect(this.manager.connect(this.caller).consumeScheduledOp(this.caller, this.calldata)) - .to.emit(this.manager, 'OperationExecuted') - .withArgs(this.operationId, 1n); - expect(await this.manager.getSchedule(this.operationId)).to.equal(0n); - }); - }, - expired() { - it('reverts as AccessManagerExpired', async function () { - await expect(this.manager.connect(this.caller).consumeScheduledOp(this.caller, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerExpired') - .withArgs(this.operationId); - }); - }, - }, - notScheduled() { - it('reverts as AccessManagerNotScheduled', async function () { - await expect(this.manager.connect(this.caller).consumeScheduledOp(this.caller, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerNotScheduled') - .withArgs(this.operationId); - }); - }, - }); - }); - }); - - describe('#cancelScheduledOp', function () { - beforeEach('setup scheduling', async function () { - this.method = this.target.fnRestricted.getFragment(); - this.caller = this.roles.SOME.members[0]; - await this.manager.$_setTargetFunctionRole(this.target, this.method.selector, this.roles.SOME.id); - await this.manager.$_grantRole(this.roles.SOME.id, this.caller, 0, 1); // nonzero execution delay - - this.calldata = this.target.interface.encodeFunctionData(this.method, []); - this.scheduleIn = time.duration.days(10); // For testAsSchedulableOperation - }); - - testAsSchedulableOperation({ - scheduled: { - before() { - describe('when caller is the scheduler', function () { - it('succeeds', async function () { - await this.manager.connect(this.caller).cancel(this.caller, this.target, this.calldata); - }); - }); - - describe('when caller is an admin', function () { - it('succeeds', async function () { - await this.manager.connect(this.roles.ADMIN.members[0]).cancel(this.caller, this.target, this.calldata); - }); - }); - - describe('when caller is the role guardian', function () { - it('succeeds', async function () { - await this.manager - .connect(this.roles.SOME_GUARDIAN.members[0]) - .cancel(this.caller, this.target, this.calldata); - }); - }); - - describe('when caller is any other account', function () { - it('reverts as AccessManagerUnauthorizedCancel', async function () { - await expect(this.manager.connect(this.other).cancel(this.caller, this.target, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCancel') - .withArgs(this.other, this.caller, this.target, this.method.selector); - }); - }); - }, - after() { - it('succeeds', async function () { - await this.manager.connect(this.caller).cancel(this.caller, this.target, this.calldata); - }); - }, - expired() { - it('succeeds', async function () { - await this.manager.connect(this.caller).cancel(this.caller, this.target, this.calldata); - }); - }, - }, - notScheduled() { - it('reverts as AccessManagerNotScheduled', async function () { - await expect(this.manager.cancel(this.caller, this.target, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerNotScheduled') - .withArgs(this.operationId); - }); - }, - }); - - it('cancels an operation and resets schedule', async function () { - const { operationId, schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.scheduleIn, - }); - await schedule(); - await expect(this.manager.connect(this.caller).cancel(this.caller, this.target, this.calldata)) - .to.emit(this.manager, 'OperationCanceled') - .withArgs(operationId, 1n); - expect(await this.manager.getSchedule(operationId)).to.equal('0'); - }); - }); - - describe('with Ownable target contract', function () { - const roleId = 1n; - - beforeEach(async function () { - this.ownable = await ethers.deployContract('$Ownable', [this.manager]); - - // add user to role - await this.manager.$_grantRole(roleId, this.user, 0, 0); - }); - - it('initial state', async function () { - expect(await this.ownable.owner()).to.equal(this.manager); - }); - - describe('Contract is closed', function () { - beforeEach(async function () { - await this.manager.$_setTargetClosed(this.ownable, true); - }); - - it('directly call: reverts', async function () { - await expect(this.ownable.connect(this.user).$_checkOwner()) - .to.be.revertedWithCustomError(this.ownable, 'OwnableUnauthorizedAccount') - .withArgs(this.user); - }); - - it('relayed call (with role): reverts', async function () { - await expect( - this.manager.connect(this.user).execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector), - ) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.user, this.ownable, this.ownable.$_checkOwner.getFragment().selector); - }); - - it('relayed call (without role): reverts', async function () { - await expect( - this.manager.connect(this.other).execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector), - ) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.other, this.ownable, this.ownable.$_checkOwner.getFragment().selector); - }); - }); - - describe('Contract is managed', function () { - describe('function is open to specific role', function () { - beforeEach(async function () { - await this.manager.$_setTargetFunctionRole( - this.ownable, - this.ownable.$_checkOwner.getFragment().selector, - roleId, - ); - }); - - it('directly call: reverts', async function () { - await expect(this.ownable.connect(this.user).$_checkOwner()) - .to.be.revertedWithCustomError(this.ownable, 'OwnableUnauthorizedAccount') - .withArgs(this.user); - }); - - it('relayed call (with role): success', async function () { - await this.manager.connect(this.user).execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector); - }); - - it('relayed call (without role): reverts', async function () { - await expect( - this.manager.connect(this.other).execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector), - ) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.other, this.ownable, this.ownable.$_checkOwner.getFragment().selector); - }); - }); - - describe('function is open to public role', function () { - beforeEach(async function () { - await this.manager.$_setTargetFunctionRole( - this.ownable, - this.ownable.$_checkOwner.getFragment().selector, - this.roles.PUBLIC.id, - ); - }); - - it('directly call: reverts', async function () { - await expect(this.ownable.connect(this.user).$_checkOwner()) - .to.be.revertedWithCustomError(this.ownable, 'OwnableUnauthorizedAccount') - .withArgs(this.user); - }); - - it('relayed call (with role): success', async function () { - await this.manager.connect(this.user).execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector); - }); - - it('relayed call (without role): success', async function () { - await this.manager - .connect(this.other) - .execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector); - }); - }); - }); - }); + shouldBehaveLikeAccessManager(); }); diff --git a/test/access/manager/extensions/AccessManagerEnumerable.test.js b/test/access/manager/extensions/AccessManagerEnumerable.test.js index d0f3250331d..9b733dacb3d 100644 --- a/test/access/manager/extensions/AccessManagerEnumerable.test.js +++ b/test/access/manager/extensions/AccessManagerEnumerable.test.js @@ -2,7 +2,7 @@ const { ethers } = require('hardhat'); const { loadFixture } = require('@nomicfoundation/hardhat-network-helpers'); const { buildBaseRoles } = require('../../../helpers/access-manager'); -const { shouldBehaveLikeAccessManagerEnumerable } = require('../AccessManager.behavior'); +const { shouldBehaveLikeAccessManagerEnumerable, shouldBehaveLikeAccessManager } = require('../AccessManager.behavior'); async function fixture() { const [admin, roleAdmin, roleGuardian, member, user, other] = await ethers.getSigners(); @@ -44,8 +44,6 @@ async function fixture() { return { admin, roleAdmin, - roleGuardian, - member, user, other, roles, @@ -60,5 +58,6 @@ describe('AccessManagerEnumerable', function () { Object.assign(this, await loadFixture(fixture)); }); + shouldBehaveLikeAccessManager(); shouldBehaveLikeAccessManagerEnumerable(); }); From a4c7b89af0add17076c9204c40bbe81829c1dba4 Mon Sep 17 00:00:00 2001 From: Hadrien Croubois Date: Thu, 11 Dec 2025 21:10:30 +0100 Subject: [PATCH 17/24] remove IAccessManagerEnumerable interface --- .../extensions/AccessManagerEnumerable.sol | 88 +++++++------------ 1 file changed, 34 insertions(+), 54 deletions(-) diff --git a/contracts/access/manager/extensions/AccessManagerEnumerable.sol b/contracts/access/manager/extensions/AccessManagerEnumerable.sol index acd24f4416c..2460dea0833 100644 --- a/contracts/access/manager/extensions/AccessManagerEnumerable.sol +++ b/contracts/access/manager/extensions/AccessManagerEnumerable.sol @@ -20,12 +20,19 @@ abstract contract AccessManagerEnumerable is AccessManager { mapping(uint64 roleId => EnumerableSet.AddressSet) private _roleMembers; mapping(uint64 roleId => mapping(address target => EnumerableSet.Bytes4Set)) private _roleTargetFunctions; + /** + * @dev Returns the number of accounts that have `roleId`. Can be used + * together with {getRoleMember} to enumerate all bearers of a role. + */ + function getRoleMemberCount(uint64 roleId) public view virtual returns (uint256) { + return _roleMembers[roleId].length(); + } + /** * @dev Returns one of the accounts that have `roleId`. `index` must be a * value between 0 and {getRoleMemberCount}, non-inclusive. * - * Role bearers are not sorted in any particular way, and their ordering may - * change at any point. + * Role bearers are not sorted in any particular way, and their ordering may change at any point. * * WARNING: When using {getRoleMember} and {getRoleMemberCount}, make sure * you perform all queries on the same block. See the following @@ -40,8 +47,10 @@ abstract contract AccessManagerEnumerable is AccessManager { * @dev Returns a range of accounts that have `roleId`. `start` and `end` define the range bounds. * `start` is inclusive and `end` is exclusive. * - * Role bearers are not sorted in any particular way, and their ordering may - * change at any point. + * Role bearers are not sorted in any particular way, and their ordering may change at any point. + * + * It is not necessary to call {getRoleMemberCount} before calling this function. Using `start = 0` and + * `end = type(uint256).max` will return every member of `roleId`. * * WARNING: This operation will copy the entire storage to memory, which can be quite expensive. This is designed * to mostly be used by view accessors that are queried without any gas fees. Developers should keep in mind that @@ -53,19 +62,21 @@ abstract contract AccessManagerEnumerable is AccessManager { } /** - * @dev Returns the number of accounts that have `roleId`. Can be used - * together with {getRoleMember} to enumerate all bearers of a role. + * @dev Returns the number of target function selectors that require `roleId` for the given `target`. + * Can be used together with {getRoleTargetFunction} to enumerate all target functions for a role on a specific target. + * + * NOTE: Given {ADMIN_ROLE} is the default role for every restricted function, passing {ADMIN_ROLE} as `roleId` will + * return 0. See {_updateRoleTargetFunction} for more details. */ - function getRoleMemberCount(uint64 roleId) public view virtual returns (uint256) { - return _roleMembers[roleId].length(); + function getRoleTargetFunctionCount(uint64 roleId, address target) public view virtual returns (uint256) { + return _roleTargetFunctions[roleId][target].length(); } /** * @dev Returns one of the target function selectors that require `roleId` for the given `target`. * `index` must be a value between 0 and {getRoleTargetFunctionCount}, non-inclusive. * - * Target function selectors are not sorted in any particular way, and their ordering may - * change at any point. + * Target function selectors are not sorted in any particular way, and their ordering may change at any point. * * WARNING: When using {getRoleTargetFunction} and {getRoleTargetFunctionCount}, make sure * you perform all queries on the same block. See the following @@ -80,8 +91,10 @@ abstract contract AccessManagerEnumerable is AccessManager { * @dev Returns a range of target function selectors that require `roleId` for the given `target`. * `start` and `end` define the range bounds. `start` is inclusive and `end` is exclusive. * - * Target function selectors are not sorted in any particular way, and their ordering may - * change at any point. + * Target function selectors are not sorted in any particular way, and their ordering may change at any point. + * + * It is not necessary to call {getRoleTargetFunctionCount} before calling this function. Using `start = 0` and + * `end = type(uint256).max` will return every function selector that `roleId` is allowed to call on `target`. * * WARNING: This operation will copy the entire storage to memory, which can be quite expensive. This is designed * to mostly be used by view accessors that are queried without any gas fees. Developers should keep in mind that @@ -100,17 +113,6 @@ abstract contract AccessManagerEnumerable is AccessManager { return _roleTargetFunctions[roleId][target].values(start, end); } - /** - * @dev Returns the number of target function selectors that require `roleId` for the given `target`. - * Can be used together with {getRoleTargetFunction} to enumerate all target functions for a role on a specific target. - * - * NOTE: Given {ADMIN_ROLE} is the default role for every restricted function, passing {ADMIN_ROLE} as `roleId` will - * return 0. See {_updateRoleTargetFunction} for more details. - */ - function getRoleTargetFunctionCount(uint64 roleId, address target) public view virtual returns (uint256) { - return _roleTargetFunctions[roleId][target].length(); - } - /// @dev See {AccessManager-_grantRole}. Adds the account to the role members set. function _grantRole( uint64 roleId, @@ -137,45 +139,23 @@ abstract contract AccessManagerEnumerable is AccessManager { /** * @dev See {AccessManager-_setTargetFunctionRole}. Adds the selector to the role target functions set. * - * NOTE: Does not track function selectors for the {ADMIN_ROLE}. See {_updateRoleTargetFunction}. + * NOTE: This function does not track function selectors for the {ADMIN_ROLE}, since exhaustively tracking + * all restricted/admin functions is impractical (by default, all restricted functions are assigned to {ADMIN_ROLE}). + * Therefore, roles assigned as {ADMIN_ROLE} will not have their selectors included in this extension's tracking. */ function _setTargetFunctionRole(address target, bytes4 selector, uint64 roleId) internal virtual override { + // cache old role ID uint64 oldRoleId = getTargetFunctionRole(target, selector); + + // call super super._setTargetFunctionRole(target, selector, roleId); - _updateRoleTargetFunction(target, selector, oldRoleId, roleId); - } - /** - * @dev Updates the role target functions sets when a function's role is changed. - * - * This function does not track function selectors for the {ADMIN_ROLE}, since exhaustively tracking - * all restricted/admin functions is impractical (by default, all restricted functions are assigned to {ADMIN_ROLE}). - * Therefore, roles assigned as {ADMIN_ROLE} will not have their selectors included in this extension's tracking. - * - * Developers who wish to explicitly track {ADMIN_ROLE} can override this function. For example: - * - * ```solidity - * function _updateRoleTargetFunction(address target, bytes4 selector, uint64 oldRoleId, uint64 newRoleId) internal virtual override { - * if (oldRoleId != 0) { - * _roleTargetFunctions[oldRoleId][target].remove(selector); - * } - * if (newRoleId != 0) { - * _roleTargetFunctions[newRoleId][target].add(selector); - * } - * } - * ``` - */ - function _updateRoleTargetFunction( - address target, - bytes4 selector, - uint64 oldRoleId, - uint64 newRoleId - ) internal virtual { + // update enumerable sets if (oldRoleId != ADMIN_ROLE) { _roleTargetFunctions[oldRoleId][target].remove(selector); } - if (newRoleId != ADMIN_ROLE) { - _roleTargetFunctions[newRoleId][target].add(selector); + if (roleId != ADMIN_ROLE) { + _roleTargetFunctions[roleId][target].add(selector); } } } From 903a7da21efe1a485f33dede73d468c2ac9d0044 Mon Sep 17 00:00:00 2001 From: Hadrien Croubois Date: Thu, 11 Dec 2025 21:15:44 +0100 Subject: [PATCH 18/24] Move AccessControlEnumerable to mocks/docs --- contracts/mocks/AccessManagerMock.sol | 49 ------------------- .../docs}/AccessManagerEnumerable.sol | 4 +- 2 files changed, 2 insertions(+), 51 deletions(-) delete mode 100644 contracts/mocks/AccessManagerMock.sol rename contracts/{access/manager/extensions => mocks/docs}/AccessManagerEnumerable.sol (98%) diff --git a/contracts/mocks/AccessManagerMock.sol b/contracts/mocks/AccessManagerMock.sol deleted file mode 100644 index 4d0623142bb..00000000000 --- a/contracts/mocks/AccessManagerMock.sol +++ /dev/null @@ -1,49 +0,0 @@ -// SPDX-License-Identifier: MIT - -pragma solidity ^0.8.20; - -import {AccessManager} from "../access/manager/AccessManager.sol"; -import {AccessManagerEnumerable} from "../access/manager/extensions/AccessManagerEnumerable.sol"; - -contract AccessManagerMock is AccessManager { - event CalledRestricted(address caller); - event CalledUnrestricted(address caller); - - constructor(address initialAdmin) AccessManager(initialAdmin) {} - - function fnRestricted() public onlyAuthorized { - emit CalledRestricted(msg.sender); - } - - function fnUnrestricted() public { - emit CalledUnrestricted(msg.sender); - } -} - -contract AccessManagerEnumerableMock is AccessManagerMock, AccessManagerEnumerable { - constructor(address initialAdmin) AccessManagerMock(initialAdmin) {} - - function _grantRole( - uint64 roleId, - address account, - uint32 grantDelay, - uint32 executionDelay - ) internal override(AccessManager, AccessManagerEnumerable) returns (bool) { - return super._grantRole(roleId, account, grantDelay, executionDelay); - } - - function _revokeRole( - uint64 roleId, - address account - ) internal override(AccessManager, AccessManagerEnumerable) returns (bool) { - return super._revokeRole(roleId, account); - } - - function _setTargetFunctionRole( - address target, - bytes4 selector, - uint64 roleId - ) internal override(AccessManager, AccessManagerEnumerable) { - super._setTargetFunctionRole(target, selector, roleId); - } -} diff --git a/contracts/access/manager/extensions/AccessManagerEnumerable.sol b/contracts/mocks/docs/AccessManagerEnumerable.sol similarity index 98% rename from contracts/access/manager/extensions/AccessManagerEnumerable.sol rename to contracts/mocks/docs/AccessManagerEnumerable.sol index 2460dea0833..629bb2e6c42 100644 --- a/contracts/access/manager/extensions/AccessManagerEnumerable.sol +++ b/contracts/mocks/docs/AccessManagerEnumerable.sol @@ -2,8 +2,8 @@ pragma solidity ^0.8.24; -import {AccessManager} from "../AccessManager.sol"; -import {EnumerableSet} from "../../../utils/structs/EnumerableSet.sol"; +import {AccessManager} from "../../access/manager/AccessManager.sol"; +import {EnumerableSet} from "../../utils/structs/EnumerableSet.sol"; /** * @dev Extension of {AccessManager} that allows enumerating the members of each role From 32fe6f47090dcda79985abaacd828af521ff2bc9 Mon Sep 17 00:00:00 2001 From: Hadrien Croubois Date: Thu, 11 Dec 2025 21:21:54 +0100 Subject: [PATCH 19/24] remove tests, and update documentation --- .changeset/crazy-bears-flash.md | 5 - contracts/access/README.adoc | 5 - docs/modules/ROOT/pages/access-control.adoc | 24 +- test/access/manager/AccessManager.behavior.js | 2603 ----------------- test/access/manager/AccessManager.test.js | 2436 ++++++++++++++- .../AccessManagerEnumerable.test.js | 63 - 6 files changed, 2441 insertions(+), 2695 deletions(-) delete mode 100644 .changeset/crazy-bears-flash.md delete mode 100644 test/access/manager/extensions/AccessManagerEnumerable.test.js diff --git a/.changeset/crazy-bears-flash.md b/.changeset/crazy-bears-flash.md deleted file mode 100644 index 5d9f403dddd..00000000000 --- a/.changeset/crazy-bears-flash.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -'openzeppelin-solidity': minor ---- - -`AccessManagerEnumerable`: Add an extension of `AccessManager` that supports onchain enumeration of the members of each role and the target functions each role is allowed to call. diff --git a/contracts/access/README.adoc b/contracts/access/README.adoc index 36c05e42a9f..b89865b2c17 100644 --- a/contracts/access/README.adoc +++ b/contracts/access/README.adoc @@ -6,7 +6,6 @@ NOTE: This document is better viewed at https://docs.openzeppelin.com/contracts/ This directory provides ways to restrict who can access the functions of a contract or when they can do it. - {AccessManager} is a full-fledged access control solution for smart contract systems. Allows creating and assigning multiple hierarchical roles with execution delays for each account across various contracts. -- {AccessManagerEnumerable} is an extension to {AccessManager} that enumerates role members and target functions each role can call. - {AccessManaged} delegates its access control to an authority that dictates the permissions of the managed contract. It's compatible with an AccessManager as an authority. - {AccessControl} provides a per-contract role based access control mechanism. Multiple hierarchical roles can be created and assigned each to multiple accounts within the same instance. - {Ownable} is a simpler mechanism with a single owner "role" that can be assigned to a single account. This simpler mechanism can be useful for quick tests but projects with production concerns are likely to outgrow it. @@ -44,7 +43,3 @@ This directory provides ways to restrict who can access the functions of a contr {{AccessManaged}} {{AuthorityUtils}} - -=== Extensions - -{{AccessManagerEnumerable}} diff --git a/docs/modules/ROOT/pages/access-control.adoc b/docs/modules/ROOT/pages/access-control.adoc index a7c9f89be40..6847f4261af 100644 --- a/docs/modules/ROOT/pages/access-control.adoc +++ b/docs/modules/ROOT/pages/access-control.adoc @@ -161,7 +161,7 @@ image::access-manager.svg[AccessManager] The AccessManager is designed around the concept of role and target functions: * Roles are granted to accounts (addresses) following a many-to-many approach for flexibility. This means that each user can have one or multiple roles and multiple users can have the same role. -* Access to a restricted target function is limited to one role. A target function is defined by one https://docs.soliditylang.org/en/v0.8.20/abi-spec.html#function-selector[function selector] on one contract (called target). +* Access to a restricted target function is limited to one role. A target function is defined by one https://docs.soliditylang.org/en/v0.8.20/abi-spec.html#function-selector[function selector] on one contract (called target). For a call to be authorized, the caller must bear the role that is assigned to the current target function (contract address + function selector). @@ -210,11 +210,11 @@ const HOUR = 60 * 60; const GRANT_DELAY = 24 * HOUR; const EXECUTION_DELAY = 5 * HOUR; const ACCOUNT = "0x..."; - + await manager.connect(initialAdmin).setGrantDelay(MINTER, GRANT_DELAY); // The role will go into effect after the GRANT_DELAY passes -await manager.connect(initialAdmin).grantRole(MINTER, ACCOUNT, EXECUTION_DELAY); +await manager.connect(initialAdmin).grantRole(MINTER, ACCOUNT, EXECUTION_DELAY); ``` Note that roles do not define a name. As opposed to the xref:api:access.adoc#AccessControl[`AccessControl`] case, roles are identified as numeric values instead of being hardcoded in the contract as `bytes32` values. It is still possible to allow for tooling discovery (e.g. for role exploration) using role labeling with the xref:api:access.adoc#AccessManager-labelRole-uint64-string-[`labelRole`] function. @@ -279,19 +279,13 @@ Similar to `AccessControl`, accounts might be granted and revoked roles dynamica The base `AccessManager` contract provides comprehensive role-based access control but does not support on-chain enumeration of role members or target function permissions by default. To track which accounts hold roles and which functions are assigned to roles, you should rely on the xref:api:access.adoc#AccessManager-RoleGranted-uint64-address-uint32-uint48-bool-[RoleGranted], xref:api:access.adoc#AccessManager-RoleRevoked-uint64-address-[RoleRevoked], and xref:api:access.adoc#AccessManager-TargetFunctionRoleUpdated-address-bytes4-uint64-[TargetFunctionRoleUpdated] events, which can be processed off-chain. -If on-chain enumeration is required, you can use the xref:api:access.adoc#AccessManagerEnumerable[`AccessManagerEnumerable`] extension. This extension uses `EnumerableSet` internally and provides the following functions for role members: - -* xref:api:access.adoc#AccessManagerEnumerable-getRoleTargetFunctionCount-uint64-address-[`getRoleMemberCount`] -* xref:api:access.adoc#AccessManagerEnumerable-getRoleMember-uint64-uint256-[`getRoleMember`] -* xref:api:access.adoc#AccessManagerEnumerable-getRoleMembers-uint64-uint256-uint256-[`getRoleMembers`] - -And these functions for target function permissions: +If on-chain enumeration is required, it can be added implemented on top of the existing logic: -* xref:api:access.adoc#AccessManagerEnumerable-getRoleTargetFunctionCount-uint64-address-[`getRoleTargetFunctionCount`] -* xref:api:access.adoc#AccessManagerEnumerable-getRoleTargetFunction-uint64-address-uint256-[`getRoleTargetFunction`] -* xref:api:access.adoc#AccessManagerEnumerable-getRoleTargetFunctions-uint64-address-uint256-uint256-[`getRoleTargetFunctions`] +```solidity +include::api:example$AccessManagerEnumerable.sol[] +``` -These can be used to iterate over the accounts that have been granted a role and the functions that a role is allowed to call on specific targets: +This adds function that can be queried to iterate over the accounts that have been granted a role and the functions that a role is allowed to call on specific targets: ```javascript // Enumerate role members @@ -318,8 +312,6 @@ for (let i = 0; i < functionCount; ++i) { const allFunctions = await accessManager.getRoleTargetFunctions(MINTER_ROLE, target, 0, ethers.MaxUint256); ``` -Note that target function enumeration is organized per target contract, allowing you to query which functions a role can access on each specific target separately. This provides fine-grained visibility into the permission structure across your entire system of managed contracts. - === Using with Ownable Contracts already inheriting from xref:api:access.adoc#Ownable[`Ownable`] can migrate to AccessManager by transferring ownership to the manager. After that, all calls to functions with the `onlyOwner` modifier should be called through the manager's xref:api:access.adoc#AccessManager-execute-address-bytes-[`execute`] function, even if the caller doesn't require a delay. diff --git a/test/access/manager/AccessManager.behavior.js b/test/access/manager/AccessManager.behavior.js index b71e2d457ac..830700e3762 100644 --- a/test/access/manager/AccessManager.behavior.js +++ b/test/access/manager/AccessManager.behavior.js @@ -1,6 +1,5 @@ const { expect } = require('chai'); -const { selector } = require('../../helpers/methods'); const { LIKE_COMMON_IS_EXECUTING, LIKE_COMMON_GET_ACCESS, @@ -10,23 +9,7 @@ const { testAsDelayedOperation, testAsCanCall, testAsHasRole, - testAsClosable, - testAsDelay, - testAsGetAccess, } = require('./AccessManager.predicate'); -const { - formatAccess, - EXPIRATION, - MINSETBACK, - EXECUTION_ID_STORAGE_SLOT, - CONSUMING_SCHEDULE_STORAGE_SLOT, - prepareOperation, - hashOperation, -} = require('../../helpers/access-manager'); -const { impersonate } = require('../../helpers/account'); -const { MAX_UINT48 } = require('../../helpers/constants'); -const { ethers } = require('hardhat'); -const time = require('../../helpers/time'); // ============ ADMIN OPERATION ============ @@ -265,2596 +248,10 @@ function shouldBehaveLikeASelfRestrictedOperation() { }); } -// ============ ACCESS MANAGER ============ - -/** - * This test suite is made using the following tools: - * - * * Predicates: Functions with common conditional setups without assertions. - * * Behaviors: Functions with common assertions. - * - * The behavioral tests are built by composing predicates and are used as templates - * for testing access to restricted functions. - * - * Similarly, unit tests in this suite will use predicates to test subsets of these - * behaviors and are helped by common assertions provided for some of the predicates. - * - * The predicates can be identified by the `testAs*` prefix while the behaviors - * are prefixed with `shouldBehave*`. The common assertions for predicates are - * defined as constants. - * - * @requires this.{admin,roleAdmin,user,other,roles,manager,target} - */ -function shouldBehaveLikeAccessManager() { - describe('during construction', function () { - it('grants admin role to initialAdmin', async function () { - const manager = await ethers.deployContract('$AccessManager', [this.other]); - await expect(manager.hasRole(this.roles.ADMIN.id, this.other).then(formatAccess)).to.eventually.be.deep.equal([ - true, - '0', - ]); - }); - - it('rejects zero address for initialAdmin', async function () { - await expect(ethers.deployContract('$AccessManager', [ethers.ZeroAddress])) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerInvalidInitialAdmin') - .withArgs(ethers.ZeroAddress); - }); - - it('initializes setup roles correctly', async function () { - for (const { id: roleId, admin, guardian, members } of Object.values(this.roles)) { - await expect(this.manager.getRoleAdmin(roleId)).to.eventually.equal(admin.id); - await expect(this.manager.getRoleGuardian(roleId)).to.eventually.equal(guardian.id); - - for (const user of this.roles.PUBLIC.members) { - await expect(this.manager.hasRole(roleId, user).then(formatAccess)).to.eventually.be.deep.equal([ - members.includes(user), - '0', - ]); - } - } - }); - }); - - describe('getters', function () { - describe('#canCall', function () { - beforeEach('set calldata', function () { - this.calldata = '0x12345678'; - this.role = { id: 379204n }; - }); - - testAsCanCall({ - closed() { - it('should return false and no delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.other, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.false; - expect(delay).to.equal(0n); - }); - }, - open: { - callerIsTheManager: { - executing() { - it('should return true and no delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.true; - expect(delay).to.equal(0n); - }); - }, - notExecuting() { - it('should return false and no delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.false; - expect(delay).to.equal(0n); - }); - }, - }, - callerIsNotTheManager: { - publicRoleIsRequired() { - it('should return true and no delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.true; - expect(delay).to.equal(0n); - }); - }, - specificRoleIsRequired: { - requiredRoleIsGranted: { - roleGrantingIsDelayed: { - callerHasAnExecutionDelay: { - beforeGrantDelay: function self() { - self.mineDelay = true; - - it('should return false and no execution delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.false; - expect(delay).to.equal(0n); - }); - }, - afterGrantDelay: function self() { - self.mineDelay = true; - - beforeEach('sets execution delay', function () { - this.scheduleIn = this.executionDelay; // For testAsSchedulableOperation - }); - - testAsSchedulableOperation({ - scheduled: { - before: function self() { - self.mineDelay = true; - - it('should return false and execution delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.false; - expect(delay).to.equal(this.executionDelay); - }); - }, - after: function self() { - self.mineDelay = true; - - it('should return false and execution delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.false; - expect(delay).to.equal(this.executionDelay); - }); - }, - expired: function self() { - self.mineDelay = true; - - it('should return false and execution delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.false; - expect(delay).to.equal(this.executionDelay); - }); - }, - }, - notScheduled() { - it('should return false and execution delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.false; - expect(delay).to.equal(this.executionDelay); - }); - }, - }); - }, - }, - callerHasNoExecutionDelay: { - beforeGrantDelay: function self() { - self.mineDelay = true; - - it('should return false and no execution delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.false; - expect(delay).to.equal(0n); - }); - }, - afterGrantDelay: function self() { - self.mineDelay = true; - - it('should return true and no execution delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.true; - expect(delay).to.equal(0n); - }); - }, - }, - }, - roleGrantingIsNotDelayed: { - callerHasAnExecutionDelay() { - it('should return false and execution delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.false; - expect(delay).to.equal(this.executionDelay); - }); - }, - callerHasNoExecutionDelay() { - it('should return true and no execution delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.true; - expect(delay).to.equal(0n); - }); - }, - }, - }, - requiredRoleIsNotGranted() { - it('should return false and no execution delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.false; - expect(delay).to.equal(0n); - }); - }, - }, - }, - }, - }); - }); - - describe('#expiration', function () { - it('has a 7 days default expiration', async function () { - await expect(this.manager.expiration()).to.eventually.equal(EXPIRATION); - }); - }); - - describe('#minSetback', function () { - it('has a 5 days default minimum setback', async function () { - await expect(this.manager.minSetback()).to.eventually.equal(MINSETBACK); - }); - }); - - describe('#isTargetClosed', function () { - testAsClosable({ - closed() { - it('returns true', async function () { - await expect(this.manager.isTargetClosed(this.target)).to.eventually.be.true; - }); - }, - open() { - it('returns false', async function () { - await expect(this.manager.isTargetClosed(this.target)).to.eventually.be.false; - }); - }, - }); - }); - - describe('#getTargetFunctionRole', function () { - const methodSelector = selector('something(address,bytes)'); - - it('returns the target function role', async function () { - const roleId = 21498n; - await this.manager.$_setTargetFunctionRole(this.target, methodSelector, roleId); - - await expect(this.manager.getTargetFunctionRole(this.target, methodSelector)).to.eventually.equal(roleId); - }); - - it('returns the ADMIN role if not set', async function () { - await expect(this.manager.getTargetFunctionRole(this.target, methodSelector)).to.eventually.equal( - this.roles.ADMIN.id, - ); - }); - }); - - describe('#getTargetAdminDelay', function () { - describe('when the target admin delay is setup', function () { - beforeEach('set target admin delay', async function () { - this.oldDelay = await this.manager.getTargetAdminDelay(this.target); - this.newDelay = time.duration.days(10); - - await this.manager.$_setTargetAdminDelay(this.target, this.newDelay); - this.delay = MINSETBACK; // For testAsDelay - }); - - testAsDelay('effect', { - before: function self() { - self.mineDelay = true; - - it('returns the old target admin delay', async function () { - await expect(this.manager.getTargetAdminDelay(this.target)).to.eventually.equal(this.oldDelay); - }); - }, - after: function self() { - self.mineDelay = true; - - it('returns the new target admin delay', async function () { - await expect(this.manager.getTargetAdminDelay(this.target)).to.eventually.equal(this.newDelay); - }); - }, - }); - }); - - it('returns the 0 if not set', async function () { - await expect(this.manager.getTargetAdminDelay(this.target)).to.eventually.equal(0n); - }); - }); - - describe('#getRoleAdmin', function () { - const roleId = 5234907n; - - it('returns the role admin', async function () { - const adminId = 789433n; - - await this.manager.$_setRoleAdmin(roleId, adminId); - - await expect(this.manager.getRoleAdmin(roleId)).to.eventually.equal(adminId); - }); - - it('returns the ADMIN role if not set', async function () { - await expect(this.manager.getRoleAdmin(roleId)).to.eventually.equal(this.roles.ADMIN.id); - }); - }); - - describe('#getRoleGuardian', function () { - const roleId = 5234907n; - - it('returns the role guardian', async function () { - const guardianId = 789433n; - - await this.manager.$_setRoleGuardian(roleId, guardianId); - - await expect(this.manager.getRoleGuardian(roleId)).to.eventually.equal(guardianId); - }); - - it('returns the ADMIN role if not set', async function () { - await expect(this.manager.getRoleGuardian(roleId)).to.eventually.equal(this.roles.ADMIN.id); - }); - }); - - describe('#getRoleGrantDelay', function () { - const roleId = 9248439n; - - describe('when the grant admin delay is setup', function () { - beforeEach('set grant admin delay', async function () { - this.oldDelay = await this.manager.getRoleGrantDelay(roleId); - this.newDelay = time.duration.days(11); - - await this.manager.$_setGrantDelay(roleId, this.newDelay); - this.delay = MINSETBACK; // For testAsDelay - }); - - testAsDelay('grant', { - before: function self() { - self.mineDelay = true; - - it('returns the old role grant delay', async function () { - await expect(this.manager.getRoleGrantDelay(roleId)).to.eventually.equal(this.oldDelay); - }); - }, - after: function self() { - self.mineDelay = true; - - it('returns the new role grant delay', async function () { - await expect(this.manager.getRoleGrantDelay(roleId)).to.eventually.equal(this.newDelay); - }); - }, - }); - }); - - it('returns 0 if delay is not set', async function () { - await expect(this.manager.getTargetAdminDelay(this.target)).to.eventually.equal(0n); - }); - }); - - describe('#getAccess', function () { - beforeEach('set role', function () { - this.role = { id: 9452n }; - this.caller = this.user; - }); - - testAsGetAccess({ - requiredRoleIsGranted: { - roleGrantingIsDelayed: { - callerHasAnExecutionDelay: { - beforeGrantDelay: function self() { - self.mineDelay = true; - - it('role is not in effect and execution delay is set', async function () { - const access = await this.manager.getAccess(this.role.id, this.caller); - expect(access[0]).to.equal(this.delayEffect); // inEffectSince - expect(access[1]).to.equal(this.executionDelay); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Not in effect yet - await expect(time.clock.timestamp()).to.eventually.be.below(access[0]); - }); - }, - afterGrantDelay: function self() { - self.mineDelay = true; - - it('access has role in effect and execution delay is set', async function () { - const access = await this.manager.getAccess(this.role.id, this.caller); - - expect(access[0]).to.equal(this.delayEffect); // inEffectSince - expect(access[1]).to.equal(this.executionDelay); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Already in effect - await expect(time.clock.timestamp()).to.eventually.equal(access[0]); - }); - }, - }, - callerHasNoExecutionDelay: { - beforeGrantDelay: function self() { - self.mineDelay = true; - - it('access has role not in effect without execution delay', async function () { - const access = await this.manager.getAccess(this.role.id, this.caller); - expect(access[0]).to.equal(this.delayEffect); // inEffectSince - expect(access[1]).to.equal(0n); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Not in effect yet - await expect(time.clock.timestamp()).to.eventually.be.below(access[0]); - }); - }, - afterGrantDelay: function self() { - self.mineDelay = true; - - it('role is in effect without execution delay', async function () { - const access = await this.manager.getAccess(this.role.id, this.caller); - expect(access[0]).to.equal(this.delayEffect); // inEffectSince - expect(access[1]).to.equal(0n); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Already in effect - await expect(time.clock.timestamp()).to.eventually.equal(access[0]); - }); - }, - }, - }, - roleGrantingIsNotDelayed: { - callerHasAnExecutionDelay() { - it('access has role in effect and execution delay is set', async function () { - const access = await this.manager.getAccess(this.role.id, this.caller); - expect(access[0]).to.equal(await time.clock.timestamp()); // inEffectSince - expect(access[1]).to.equal(this.executionDelay); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Already in effect - await expect(time.clock.timestamp()).to.eventually.equal(access[0]); - }); - }, - callerHasNoExecutionDelay() { - it('access has role in effect without execution delay', async function () { - const access = await this.manager.getAccess(this.role.id, this.caller); - expect(access[0]).to.equal(await time.clock.timestamp()); // inEffectSince - expect(access[1]).to.equal(0n); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Already in effect - await expect(time.clock.timestamp()).to.eventually.equal(access[0]); - }); - }, - }, - }, - requiredRoleIsNotGranted() { - it('has empty access', async function () { - const access = await this.manager.getAccess(this.role.id, this.caller); - expect(access[0]).to.equal(0n); // inEffectSince - expect(access[1]).to.equal(0n); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - }); - }, - }); - }); - - describe('#hasRole', function () { - beforeEach('setup testAsHasRole', function () { - this.role = { id: 49832n }; - this.calldata = '0x12345678'; - this.caller = this.user; - }); - - testAsHasRole({ - publicRoleIsRequired() { - it('has PUBLIC role', async function () { - const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); - expect(isMember).to.be.true; - expect(executionDelay).to.equal('0'); - }); - }, - specificRoleIsRequired: { - requiredRoleIsGranted: { - roleGrantingIsDelayed: { - callerHasAnExecutionDelay: { - beforeGrantDelay: function self() { - self.mineDelay = true; - - it('does not have role but execution delay', async function () { - const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); - expect(isMember).to.be.false; - expect(executionDelay).to.equal(this.executionDelay); - }); - }, - afterGrantDelay: function self() { - self.mineDelay = true; - - it('has role and execution delay', async function () { - const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); - expect(isMember).to.be.true; - expect(executionDelay).to.equal(this.executionDelay); - }); - }, - }, - callerHasNoExecutionDelay: { - beforeGrantDelay: function self() { - self.mineDelay = true; - - it('does not have role nor execution delay', async function () { - const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); - expect(isMember).to.be.false; - expect(executionDelay).to.equal('0'); - }); - }, - afterGrantDelay: function self() { - self.mineDelay = true; - - it('has role and no execution delay', async function () { - const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); - expect(isMember).to.be.true; - expect(executionDelay).to.equal('0'); - }); - }, - }, - }, - roleGrantingIsNotDelayed: { - callerHasAnExecutionDelay() { - it('has role and execution delay', async function () { - const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); - expect(isMember).to.be.true; - expect(executionDelay).to.equal(this.executionDelay); - }); - }, - callerHasNoExecutionDelay() { - it('has role and no execution delay', async function () { - const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); - expect(isMember).to.be.true; - expect(executionDelay).to.equal('0'); - }); - }, - }, - }, - requiredRoleIsNotGranted() { - it('has no role and no execution delay', async function () { - const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); - expect(isMember).to.be.false; - expect(executionDelay).to.equal('0'); - }); - }, - }, - }); - }); - - describe('#getSchedule', function () { - beforeEach('set role and calldata', async function () { - const fnRestricted = this.target.fnRestricted.getFragment().selector; - this.caller = this.user; - this.role = { id: 493590n }; - await this.manager.$_setTargetFunctionRole(this.target, fnRestricted, this.role.id); - await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // nonzero execution delay - - this.calldata = this.target.interface.encodeFunctionData(fnRestricted, []); - this.scheduleIn = time.duration.days(10); // For testAsSchedulableOperation - }); - - testAsSchedulableOperation({ - scheduled: { - before: function self() { - self.mineDelay = true; - - it('returns schedule in the future', async function () { - const schedule = await this.manager.getSchedule(this.operationId); - expect(schedule).to.equal(this.scheduledAt + this.scheduleIn); - expect(schedule).to.gt(await time.clock.timestamp()); - }); - }, - after: function self() { - self.mineDelay = true; - - it('returns schedule', async function () { - const schedule = await this.manager.getSchedule(this.operationId); - expect(schedule).to.equal(this.scheduledAt + this.scheduleIn); - expect(schedule).to.equal(await time.clock.timestamp()); - }); - }, - expired: function self() { - self.mineDelay = true; - - it('returns 0', async function () { - await expect(this.manager.getSchedule(this.operationId)).to.eventually.equal(0n); - }); - }, - }, - notScheduled() { - it('defaults to 0', async function () { - await expect(this.manager.getSchedule(this.operationId)).to.eventually.equal(0n); - }); - }, - }); - }); - - describe('#getNonce', function () { - describe('when operation is scheduled', function () { - beforeEach('schedule operation', async function () { - const fnRestricted = this.target.fnRestricted.getFragment().selector; - this.caller = this.user; - this.role = { id: 4209043n }; - await this.manager.$_setTargetFunctionRole(this.target, fnRestricted, this.role.id); - await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // nonzero execution delay - - this.calldata = this.target.interface.encodeFunctionData(fnRestricted, []); - this.delay = time.duration.days(10); - - const { operationId, schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - await schedule(); - this.operationId = operationId; - }); - - it('returns nonce', async function () { - await expect(this.manager.getNonce(this.operationId)).to.eventually.equal(1n); - }); - }); - - describe('when is not scheduled', function () { - it('returns default 0', async function () { - await expect(this.manager.getNonce(ethers.id('operation'))).to.eventually.equal(0n); - }); - }); - }); - - describe('#hashOperation', function () { - it('returns an operationId', async function () { - const args = [this.user, this.other, '0x123543']; - await expect(this.manager.hashOperation(...args)).to.eventually.equal(hashOperation(...args)); - }); - }); - }); - - describe('admin operations', function () { - beforeEach('set required role', function () { - this.role = this.roles.ADMIN; - }); - - describe('subject to a delay', function () { - describe('#labelRole', function () { - describe('restrictions', function () { - beforeEach('set method and args', function () { - const args = [123443, 'TEST']; - const method = this.manager.interface.getFunction('labelRole(uint64,string)'); - this.calldata = this.manager.interface.encodeFunctionData(method, args); - }); - - shouldBehaveLikeDelayedAdminOperation(); - }); - - it('emits an event with the label', async function () { - await expect(this.manager.connect(this.admin).labelRole(this.roles.SOME.id, 'Some label')) - .to.emit(this.manager, 'RoleLabel') - .withArgs(this.roles.SOME.id, 'Some label'); - }); - - it('updates label on a second call', async function () { - await this.manager.connect(this.admin).labelRole(this.roles.SOME.id, 'Some label'); - - await expect(this.manager.connect(this.admin).labelRole(this.roles.SOME.id, 'Updated label')) - .to.emit(this.manager, 'RoleLabel') - .withArgs(this.roles.SOME.id, 'Updated label'); - }); - - it('reverts labeling PUBLIC_ROLE', async function () { - await expect(this.manager.connect(this.admin).labelRole(this.roles.PUBLIC.id, 'Some label')) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') - .withArgs(this.roles.PUBLIC.id); - }); - - it('reverts labeling ADMIN_ROLE', async function () { - await expect(this.manager.connect(this.admin).labelRole(this.roles.ADMIN.id, 'Some label')) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') - .withArgs(this.roles.ADMIN.id); - }); - }); - - describe('#setRoleAdmin', function () { - describe('restrictions', function () { - beforeEach('set method and args', function () { - const args = [93445, 84532]; - const method = this.manager.interface.getFunction('setRoleAdmin(uint64,uint64)'); - this.calldata = this.manager.interface.encodeFunctionData(method, args); - }); - - shouldBehaveLikeDelayedAdminOperation(); - }); - - it("sets any role's admin if called by an admin", async function () { - await expect(this.manager.getRoleAdmin(this.roles.SOME.id)).to.eventually.equal(this.roles.SOME_ADMIN.id); - - await expect(this.manager.connect(this.admin).setRoleAdmin(this.roles.SOME.id, this.roles.ADMIN.id)) - .to.emit(this.manager, 'RoleAdminChanged') - .withArgs(this.roles.SOME.id, this.roles.ADMIN.id); - - await expect(this.manager.getRoleAdmin(this.roles.SOME.id)).to.eventually.equal(this.roles.ADMIN.id); - }); - - it('reverts setting PUBLIC_ROLE admin', async function () { - await expect(this.manager.connect(this.admin).setRoleAdmin(this.roles.PUBLIC.id, this.roles.ADMIN.id)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') - .withArgs(this.roles.PUBLIC.id); - }); - - it('reverts setting ADMIN_ROLE admin', async function () { - await expect(this.manager.connect(this.admin).setRoleAdmin(this.roles.ADMIN.id, this.roles.ADMIN.id)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') - .withArgs(this.roles.ADMIN.id); - }); - }); - - describe('#setRoleGuardian', function () { - describe('restrictions', function () { - beforeEach('set method and args', function () { - const args = [93445, 84532]; - const method = this.manager.interface.getFunction('setRoleGuardian(uint64,uint64)'); - this.calldata = this.manager.interface.encodeFunctionData(method, args); - }); - - shouldBehaveLikeDelayedAdminOperation(); - }); - - it("sets any role's guardian if called by an admin", async function () { - await expect(this.manager.getRoleGuardian(this.roles.SOME.id)).to.eventually.equal( - this.roles.SOME_GUARDIAN.id, - ); - - await expect(this.manager.connect(this.admin).setRoleGuardian(this.roles.SOME.id, this.roles.ADMIN.id)) - .to.emit(this.manager, 'RoleGuardianChanged') - .withArgs(this.roles.SOME.id, this.roles.ADMIN.id); - - await expect(this.manager.getRoleGuardian(this.roles.SOME.id)).to.eventually.equal(this.roles.ADMIN.id); - }); - - it('reverts setting PUBLIC_ROLE admin', async function () { - await expect(this.manager.connect(this.admin).setRoleGuardian(this.roles.PUBLIC.id, this.roles.ADMIN.id)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') - .withArgs(this.roles.PUBLIC.id); - }); - - it('reverts setting ADMIN_ROLE admin', async function () { - await expect(this.manager.connect(this.admin).setRoleGuardian(this.roles.ADMIN.id, this.roles.ADMIN.id)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') - .withArgs(this.roles.ADMIN.id); - }); - }); - - describe('#setGrantDelay', function () { - describe('restrictions', function () { - beforeEach('set method and args', function () { - const args = [984910, time.duration.days(2)]; - const method = this.manager.interface.getFunction('setGrantDelay(uint64,uint32)'); - this.calldata = this.manager.interface.encodeFunctionData(method, args); - }); - - shouldBehaveLikeDelayedAdminOperation(); - }); - - it('reverts setting grant delay for the PUBLIC_ROLE', async function () { - await expect(this.manager.connect(this.admin).setGrantDelay(this.roles.PUBLIC.id, 69n)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') - .withArgs(this.roles.PUBLIC.id); - }); - - describe('when increasing the delay', function () { - const oldDelay = 10n; - const newDelay = 100n; - - beforeEach('sets old delay', async function () { - this.role = this.roles.SOME; - await this.manager.$_setGrantDelay(this.role.id, oldDelay); - await time.increaseBy.timestamp(MINSETBACK); - await expect(this.manager.getRoleGrantDelay(this.role.id)).to.eventually.equal(oldDelay); - }); - - it('increases the delay after minsetback', async function () { - const txResponse = await this.manager.connect(this.admin).setGrantDelay(this.role.id, newDelay); - const setGrantDelayAt = await time.clockFromReceipt.timestamp(txResponse); - await expect(txResponse) - .to.emit(this.manager, 'RoleGrantDelayChanged') - .withArgs(this.role.id, newDelay, setGrantDelayAt + MINSETBACK); - - await expect(this.manager.getRoleGrantDelay(this.role.id)).to.eventually.equal(oldDelay); - await time.increaseBy.timestamp(MINSETBACK); - await expect(this.manager.getRoleGrantDelay(this.role.id)).to.eventually.equal(newDelay); - }); - }); - - describe('when reducing the delay', function () { - const oldDelay = time.duration.days(10); - - beforeEach('sets old delay', async function () { - this.role = this.roles.SOME; - await this.manager.$_setGrantDelay(this.role.id, oldDelay); - await time.increaseBy.timestamp(MINSETBACK); - await expect(this.manager.getRoleGrantDelay(this.role.id)).to.eventually.equal(oldDelay); - }); - - describe('when the delay difference is shorter than minimum setback', function () { - const newDelay = oldDelay - 1n; - - it('increases the delay after minsetback', async function () { - const txResponse = await this.manager.connect(this.admin).setGrantDelay(this.role.id, newDelay); - const setGrantDelayAt = await time.clockFromReceipt.timestamp(txResponse); - await expect(txResponse) - .to.emit(this.manager, 'RoleGrantDelayChanged') - .withArgs(this.role.id, newDelay, setGrantDelayAt + MINSETBACK); - - await expect(this.manager.getRoleGrantDelay(this.role.id)).to.eventually.equal(oldDelay); - await time.increaseBy.timestamp(MINSETBACK); - await expect(this.manager.getRoleGrantDelay(this.role.id)).to.eventually.equal(newDelay); - }); - }); - - describe('when the delay difference is longer than minimum setback', function () { - const newDelay = 1n; - - beforeEach('assert delay difference is higher than minsetback', function () { - expect(oldDelay - newDelay).to.gt(MINSETBACK); - }); - - it('increases the delay after delay difference', async function () { - const setback = oldDelay - newDelay; - - const txResponse = await this.manager.connect(this.admin).setGrantDelay(this.role.id, newDelay); - const setGrantDelayAt = await time.clockFromReceipt.timestamp(txResponse); - - await expect(txResponse) - .to.emit(this.manager, 'RoleGrantDelayChanged') - .withArgs(this.role.id, newDelay, setGrantDelayAt + setback); - - await expect(this.manager.getRoleGrantDelay(this.role.id)).to.eventually.equal(oldDelay); - await time.increaseBy.timestamp(setback); - await expect(this.manager.getRoleGrantDelay(this.role.id)).to.eventually.equal(newDelay); - }); - }); - }); - }); - - describe('#setTargetAdminDelay', function () { - describe('restrictions', function () { - beforeEach('set method and args', function () { - const args = [this.other.address, time.duration.days(3)]; - const method = this.manager.interface.getFunction('setTargetAdminDelay(address,uint32)'); - this.calldata = this.manager.interface.encodeFunctionData(method, args); - }); - - shouldBehaveLikeDelayedAdminOperation(); - }); - - describe('when increasing the delay', function () { - const oldDelay = time.duration.days(10); - const newDelay = time.duration.days(11); - - beforeEach('sets old delay', async function () { - await this.manager.$_setTargetAdminDelay(this.other, oldDelay); - await time.increaseBy.timestamp(MINSETBACK); - await expect(this.manager.getTargetAdminDelay(this.other)).to.eventually.equal(oldDelay); - }); - - it('increases the delay after minsetback', async function () { - const txResponse = await this.manager.connect(this.admin).setTargetAdminDelay(this.other, newDelay); - const setTargetAdminDelayAt = await time.clockFromReceipt.timestamp(txResponse); - await expect(txResponse) - .to.emit(this.manager, 'TargetAdminDelayUpdated') - .withArgs(this.other, newDelay, setTargetAdminDelayAt + MINSETBACK); - - await expect(this.manager.getTargetAdminDelay(this.other)).to.eventually.equal(oldDelay); - await time.increaseBy.timestamp(MINSETBACK); - await expect(this.manager.getTargetAdminDelay(this.other)).to.eventually.equal(newDelay); - }); - }); - - describe('when reducing the delay', function () { - const oldDelay = time.duration.days(10); - - beforeEach('sets old delay', async function () { - await this.manager.$_setTargetAdminDelay(this.other, oldDelay); - await time.increaseBy.timestamp(MINSETBACK); - await expect(this.manager.getTargetAdminDelay(this.other)).to.eventually.equal(oldDelay); - }); - - describe('when the delay difference is shorter than minimum setback', function () { - const newDelay = oldDelay - 1n; - - it('increases the delay after minsetback', async function () { - const txResponse = await this.manager.connect(this.admin).setTargetAdminDelay(this.other, newDelay); - const setTargetAdminDelayAt = await time.clockFromReceipt.timestamp(txResponse); - await expect(txResponse) - .to.emit(this.manager, 'TargetAdminDelayUpdated') - .withArgs(this.other, newDelay, setTargetAdminDelayAt + MINSETBACK); - - await expect(this.manager.getTargetAdminDelay(this.other)).to.eventually.equal(oldDelay); - await time.increaseBy.timestamp(MINSETBACK); - await expect(this.manager.getTargetAdminDelay(this.other)).to.eventually.equal(newDelay); - }); - }); - - describe('when the delay difference is longer than minimum setback', function () { - const newDelay = 1n; - - beforeEach('assert delay difference is higher than minsetback', function () { - expect(oldDelay - newDelay).to.gt(MINSETBACK); - }); - - it('increases the delay after delay difference', async function () { - const setback = oldDelay - newDelay; - - const txResponse = await this.manager.connect(this.admin).setTargetAdminDelay(this.other, newDelay); - const setTargetAdminDelayAt = await time.clockFromReceipt.timestamp(txResponse); - - await expect(txResponse) - .to.emit(this.manager, 'TargetAdminDelayUpdated') - .withArgs(this.other, newDelay, setTargetAdminDelayAt + setback); - - await expect(this.manager.getTargetAdminDelay(this.other)).to.eventually.equal(oldDelay); - await time.increaseBy.timestamp(setback); - await expect(this.manager.getTargetAdminDelay(this.other)).to.eventually.equal(newDelay); - }); - }); - }); - }); - }); - - describe('not subject to a delay', function () { - describe('#updateAuthority', function () { - beforeEach('create a target and a new authority', async function () { - this.newAuthority = await ethers.deployContract('$AccessManager', [this.admin]); - this.newManagedTarget = await ethers.deployContract('$AccessManagedTarget', [this.manager]); - }); - - describe('restrictions', function () { - beforeEach('set method and args', function () { - this.calldata = this.manager.interface.encodeFunctionData('updateAuthority(address,address)', [ - this.newManagedTarget.target, - this.newAuthority.target, - ]); - }); - - shouldBehaveLikeNotDelayedAdminOperation(); - }); - - it('changes the authority', async function () { - await expect(this.newManagedTarget.authority()).to.eventually.equal(this.manager); - - await expect(this.manager.connect(this.admin).updateAuthority(this.newManagedTarget, this.newAuthority)) - .to.emit(this.newManagedTarget, 'AuthorityUpdated') // Managed contract is responsible of notifying the change through an event - .withArgs(this.newAuthority); - - await expect(this.newManagedTarget.authority()).to.eventually.equal(this.newAuthority); - }); - }); - - describe('#setTargetClosed', function () { - describe('restrictions', function () { - beforeEach('set method and args', function () { - const args = [this.other.address, true]; - const method = this.manager.interface.getFunction('setTargetClosed(address,bool)'); - this.calldata = this.manager.interface.encodeFunctionData(method, args); - }); - - shouldBehaveLikeNotDelayedAdminOperation(); - }); - - it('closes and opens a target', async function () { - await expect(this.manager.connect(this.admin).setTargetClosed(this.target, true)) - .to.emit(this.manager, 'TargetClosed') - .withArgs(this.target, true); - await expect(this.manager.isTargetClosed(this.target)).to.eventually.be.true; - - await expect(this.manager.connect(this.admin).setTargetClosed(this.target, false)) - .to.emit(this.manager, 'TargetClosed') - .withArgs(this.target, false); - await expect(this.manager.isTargetClosed(this.target)).to.eventually.be.false; - }); - - describe('when the target is the manager', async function () { - it('closes and opens the manager', async function () { - await expect(this.manager.connect(this.admin).setTargetClosed(this.manager, true)) - .to.emit(this.manager, 'TargetClosed') - .withArgs(this.manager, true); - await expect(this.manager.isTargetClosed(this.manager)).to.eventually.be.true; - - await expect(this.manager.connect(this.admin).setTargetClosed(this.manager, false)) - .to.emit(this.manager, 'TargetClosed') - .withArgs(this.manager, false); - await expect(this.manager.isTargetClosed(this.manager)).to.eventually.be.false; - }); - }); - }); - - describe('#setTargetFunctionRole', function () { - describe('restrictions', function () { - beforeEach('set method and args', function () { - const args = [this.other.address, ['0x12345678'], 443342]; - const method = this.manager.interface.getFunction('setTargetFunctionRole(address,bytes4[],uint64)'); - this.calldata = this.manager.interface.encodeFunctionData(method, args); - }); - - shouldBehaveLikeNotDelayedAdminOperation(); - }); - - const sigs = ['someFunction()', 'someOtherFunction(uint256)', 'oneMoreFunction(address,uint8)'].map(selector); - - it('sets function roles', async function () { - for (const sig of sigs) { - await expect(this.manager.getTargetFunctionRole(this.target, sig)).to.eventually.equal(this.roles.ADMIN.id); - } - - const allowRole = await this.manager - .connect(this.admin) - .setTargetFunctionRole(this.target, sigs, this.roles.SOME.id); - - for (const sig of sigs) { - await expect(allowRole) - .to.emit(this.manager, 'TargetFunctionRoleUpdated') - .withArgs(this.target, sig, this.roles.SOME.id); - await expect(this.manager.getTargetFunctionRole(this.target, sig)).to.eventually.equal(this.roles.SOME.id); - } - - await expect( - this.manager.connect(this.admin).setTargetFunctionRole(this.target, [sigs[1]], this.roles.SOME_ADMIN.id), - ) - .to.emit(this.manager, 'TargetFunctionRoleUpdated') - .withArgs(this.target, sigs[1], this.roles.SOME_ADMIN.id); - - for (const sig of sigs) { - await expect(this.manager.getTargetFunctionRole(this.target, sig)).to.eventually.equal( - sig == sigs[1] ? this.roles.SOME_ADMIN.id : this.roles.SOME.id, - ); - } - }); - }); - - describe('role admin operations', function () { - const ANOTHER_ADMIN = 0xdeadc0de1n; - const ANOTHER_ROLE = 0xdeadc0de2n; - - beforeEach('set required role', async function () { - // Make admin a member of ANOTHER_ADMIN - await this.manager.$_grantRole(ANOTHER_ADMIN, this.admin, 0, 0); - await this.manager.$_setRoleAdmin(ANOTHER_ROLE, ANOTHER_ADMIN); - - this.role = { id: ANOTHER_ADMIN }; - await this.manager.$_grantRole(this.role.id, this.user, 0, 0); - }); - - describe('#grantRole', function () { - describe('restrictions', function () { - beforeEach('set method and args', function () { - const args = [ANOTHER_ROLE, this.other.address, 0]; - const method = this.manager.interface.getFunction('grantRole(uint64,address,uint32)'); - this.calldata = this.manager.interface.encodeFunctionData(method, args); - }); - - shouldBehaveLikeRoleAdminOperation(ANOTHER_ADMIN); - }); - - it('reverts when granting PUBLIC_ROLE', async function () { - await expect(this.manager.connect(this.admin).grantRole(this.roles.PUBLIC.id, this.user, 0)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') - .withArgs(this.roles.PUBLIC.id); - }); - - describe('when the user is not a role member', function () { - describe('with grant delay', function () { - beforeEach('set grant delay and grant role', async function () { - // Delay granting - this.grantDelay = time.duration.weeks(2); - await this.manager.$_setGrantDelay(ANOTHER_ROLE, this.grantDelay); - await time.increaseBy.timestamp(MINSETBACK); - - // Grant role - this.executionDelay = time.duration.days(3); - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([false, '0']); - - this.txResponse = await this.manager - .connect(this.admin) - .grantRole(ANOTHER_ROLE, this.user, this.executionDelay); - this.delay = this.grantDelay; // For testAsDelay - }); - - testAsDelay('grant', { - before: function self() { - self.mineDelay = true; - - it('does not grant role to the user yet', async function () { - const timestamp = await time.clockFromReceipt.timestamp(this.txResponse); - await expect(this.txResponse) - .to.emit(this.manager, 'RoleGranted') - .withArgs(ANOTHER_ROLE, this.user, this.executionDelay, timestamp + this.grantDelay, true); - - // Access is correctly stored - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - expect(access[0]).to.equal(timestamp + this.grantDelay); // inEffectSince - expect(access[1]).to.equal(this.executionDelay); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Not in effect yet - const currentTimestamp = await time.clock.timestamp(); - expect(currentTimestamp).to.be.lt(access[0]); - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([false, this.executionDelay.toString()]); - }); - }, - after: function self() { - self.mineDelay = true; - - it('grants role to the user', async function () { - const timestamp = await time.clockFromReceipt.timestamp(this.txResponse); - await expect(this.txResponse) - .to.emit(this.manager, 'RoleGranted') - .withArgs(ANOTHER_ROLE, this.user, this.executionDelay, timestamp + this.grantDelay, true); - - // Access is correctly stored - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - expect(access[0]).to.equal(timestamp + this.grantDelay); // inEffectSince - expect(access[1]).to.equal(this.executionDelay); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Already in effect - const currentTimestamp = await time.clock.timestamp(); - expect(currentTimestamp).to.equal(access[0]); - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([true, this.executionDelay.toString()]); - }); - }, - }); - }); - - describe('without grant delay', function () { - beforeEach('set granting delay', async function () { - // Delay granting - this.grantDelay = 0; - await this.manager.$_setGrantDelay(ANOTHER_ROLE, this.grantDelay); - await time.increaseBy.timestamp(MINSETBACK); - }); - - it('immediately grants the role to the user', async function () { - const executionDelay = time.duration.days(6); - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([false, '0']); - const txResponse = await this.manager - .connect(this.admin) - .grantRole(ANOTHER_ROLE, this.user, executionDelay); - const grantedAt = await time.clockFromReceipt.timestamp(txResponse); - await expect(txResponse) - .to.emit(this.manager, 'RoleGranted') - .withArgs(ANOTHER_ROLE, this.user, executionDelay, grantedAt, true); - - // Access is correctly stored - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - expect(access[0]).to.equal(grantedAt); // inEffectSince - expect(access[1]).to.equal(executionDelay); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Already in effect - const currentTimestamp = await time.clock.timestamp(); - expect(currentTimestamp).to.equal(access[0]); - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([true, executionDelay.toString()]); - }); - }); - }); - - describe('when the user is already a role member', function () { - beforeEach('make user role member', async function () { - this.previousExecutionDelay = time.duration.days(6); - await this.manager.$_grantRole(ANOTHER_ROLE, this.user, 0, this.previousExecutionDelay); - this.oldAccess = await this.manager.getAccess(ANOTHER_ROLE, this.user); - }); - - describe('with grant delay', function () { - beforeEach('set granting delay', async function () { - // Delay granting - const grantDelay = time.duration.weeks(2); - await this.manager.$_setGrantDelay(ANOTHER_ROLE, grantDelay); - await time.increaseBy.timestamp(MINSETBACK); - }); - - describe('when increasing the execution delay', function () { - beforeEach('set increased new execution delay', async function () { - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([true, this.previousExecutionDelay.toString()]); - - this.newExecutionDelay = this.previousExecutionDelay + time.duration.days(4); - }); - - it('emits event and immediately changes the execution delay', async function () { - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([true, this.previousExecutionDelay.toString()]); - const txResponse = await this.manager - .connect(this.admin) - .grantRole(ANOTHER_ROLE, this.user, this.newExecutionDelay); - const timestamp = await time.clockFromReceipt.timestamp(txResponse); - - await expect(txResponse) - .to.emit(this.manager, 'RoleGranted') - .withArgs(ANOTHER_ROLE, this.user, this.newExecutionDelay, timestamp, false); - - // Access is correctly stored - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince - expect(access[1]).to.equal(this.newExecutionDelay); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Already in effect - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([true, this.newExecutionDelay.toString()]); - }); - }); - - describe('when decreasing the execution delay', function () { - beforeEach('decrease execution delay', async function () { - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([true, this.previousExecutionDelay.toString()]); - - this.newExecutionDelay = this.previousExecutionDelay - time.duration.days(4); - this.txResponse = await this.manager - .connect(this.admin) - .grantRole(ANOTHER_ROLE, this.user, this.newExecutionDelay); - this.grantTimestamp = await time.clockFromReceipt.timestamp(this.txResponse); - - this.delay = this.previousExecutionDelay - this.newExecutionDelay; // For testAsDelay - }); - - it('emits event', async function () { - await expect(this.txResponse) - .to.emit(this.manager, 'RoleGranted') - .withArgs(ANOTHER_ROLE, this.user, this.newExecutionDelay, this.grantTimestamp + this.delay, false); - }); - - testAsDelay('execution delay effect', { - before: function self() { - self.mineDelay = true; - - it('does not change the execution delay yet', async function () { - // Access is correctly stored - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince - expect(access[1]).to.equal(this.previousExecutionDelay); // currentDelay - expect(access[2]).to.equal(this.newExecutionDelay); // pendingDelay - expect(access[3]).to.equal(this.grantTimestamp + this.delay); // pendingDelayEffect - - // Not in effect yet - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([true, this.previousExecutionDelay.toString()]); - }); - }, - after: function self() { - self.mineDelay = true; - - it('changes the execution delay', async function () { - // Access is correctly stored - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - - expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince - expect(access[1]).to.equal(this.newExecutionDelay); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Already in effect - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([true, this.newExecutionDelay.toString()]); - }); - }, - }); - }); - }); - - describe('without grant delay', function () { - beforeEach('set granting delay', async function () { - // Delay granting - const grantDelay = 0; - await this.manager.$_setGrantDelay(ANOTHER_ROLE, grantDelay); - await time.increaseBy.timestamp(MINSETBACK); - }); - - describe('when increasing the execution delay', function () { - beforeEach('set increased new execution delay', async function () { - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([true, this.previousExecutionDelay.toString()]); - - this.newExecutionDelay = this.previousExecutionDelay + time.duration.days(4); - }); - - it('emits event and immediately changes the execution delay', async function () { - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([true, this.previousExecutionDelay.toString()]); - const txResponse = await this.manager - .connect(this.admin) - .grantRole(ANOTHER_ROLE, this.user, this.newExecutionDelay); - const timestamp = await time.clockFromReceipt.timestamp(txResponse); - - await expect(txResponse) - .to.emit(this.manager, 'RoleGranted') - .withArgs(ANOTHER_ROLE, this.user, this.newExecutionDelay, timestamp, false); - - // Access is correctly stored - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince - expect(access[1]).to.equal(this.newExecutionDelay); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Already in effect - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([true, this.newExecutionDelay.toString()]); - }); - }); - - describe('when decreasing the execution delay', function () { - beforeEach('decrease execution delay', async function () { - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([true, this.previousExecutionDelay.toString()]); - - this.newExecutionDelay = this.previousExecutionDelay - time.duration.days(4); - this.txResponse = await this.manager - .connect(this.admin) - .grantRole(ANOTHER_ROLE, this.user, this.newExecutionDelay); - this.grantTimestamp = await time.clockFromReceipt.timestamp(this.txResponse); - - this.delay = this.previousExecutionDelay - this.newExecutionDelay; // For testAsDelay - }); - - it('emits event', async function () { - await expect(this.txResponse) - .to.emit(this.manager, 'RoleGranted') - .withArgs(ANOTHER_ROLE, this.user, this.newExecutionDelay, this.grantTimestamp + this.delay, false); - }); - - testAsDelay('execution delay effect', { - before: function self() { - self.mineDelay = true; - - it('does not change the execution delay yet', async function () { - // Access is correctly stored - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince - expect(access[1]).to.equal(this.previousExecutionDelay); // currentDelay - expect(access[2]).to.equal(this.newExecutionDelay); // pendingDelay - expect(access[3]).to.equal(this.grantTimestamp + this.delay); // pendingDelayEffect - - // Not in effect yet - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([true, this.previousExecutionDelay.toString()]); - }); - }, - after: function self() { - self.mineDelay = true; - - it('changes the execution delay', async function () { - // Access is correctly stored - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - - expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince - expect(access[1]).to.equal(this.newExecutionDelay); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Already in effect - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([true, this.newExecutionDelay.toString()]); - }); - }, - }); - }); - }); - }); - }); - - describe('#revokeRole', function () { - describe('restrictions', function () { - beforeEach('set method and args', async function () { - const args = [ANOTHER_ROLE, this.other.address]; - const method = this.manager.interface.getFunction('revokeRole(uint64,address)'); - this.calldata = this.manager.interface.encodeFunctionData(method, args); - - // Need to be set before revoking - await this.manager.$_grantRole(...args, 0, 0); - }); - - shouldBehaveLikeRoleAdminOperation(ANOTHER_ADMIN); - }); - - describe('when role has been granted', function () { - beforeEach('grant role with grant delay', async function () { - this.grantDelay = time.duration.weeks(1); - await this.manager.$_grantRole(ANOTHER_ROLE, this.user, this.grantDelay, 0); - - this.delay = this.grantDelay; // For testAsDelay - }); - - testAsDelay('grant', { - before: function self() { - self.mineDelay = true; - - it('revokes a granted role that will take effect in the future', async function () { - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([false, '0']); - - await expect(this.manager.connect(this.admin).revokeRole(ANOTHER_ROLE, this.user)) - .to.emit(this.manager, 'RoleRevoked') - .withArgs(ANOTHER_ROLE, this.user); - - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([false, '0']); - - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - expect(access[0]).to.equal(0n); // inRoleSince - expect(access[1]).to.equal(0n); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // effect - }); - }, - after: function self() { - self.mineDelay = true; - - it('revokes a granted role that already took effect', async function () { - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([true, '0']); - - await expect(this.manager.connect(this.admin).revokeRole(ANOTHER_ROLE, this.user)) - .to.emit(this.manager, 'RoleRevoked') - .withArgs(ANOTHER_ROLE, this.user); - - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([false, '0']); - - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - expect(access[0]).to.equal(0n); // inRoleSince - expect(access[1]).to.equal(0n); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // effect - }); - }, - }); - }); - - describe('when role has not been granted', function () { - it('has no effect', async function () { - await expect( - this.manager.hasRole(this.roles.SOME.id, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([false, '0']); - await expect(this.manager.connect(this.roleAdmin).revokeRole(this.roles.SOME.id, this.user)).to.not.emit( - this.manager, - 'RoleRevoked', - ); - await expect( - this.manager.hasRole(this.roles.SOME.id, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([false, '0']); - }); - }); - - it('reverts revoking PUBLIC_ROLE', async function () { - await expect(this.manager.connect(this.admin).revokeRole(this.roles.PUBLIC.id, this.user)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') - .withArgs(this.roles.PUBLIC.id); - }); - }); - }); - - describe('self role operations', function () { - describe('#renounceRole', function () { - beforeEach('grant role', async function () { - this.role = { id: 783164n }; - this.caller = this.user; - await this.manager.$_grantRole(this.role.id, this.caller, 0, 0); - }); - - it('renounces a role', async function () { - await expect( - this.manager.hasRole(this.role.id, this.caller).then(formatAccess), - ).to.eventually.be.deep.equal([true, '0']); - await expect(this.manager.connect(this.caller).renounceRole(this.role.id, this.caller)) - .to.emit(this.manager, 'RoleRevoked') - .withArgs(this.role.id, this.caller); - await expect( - this.manager.hasRole(this.role.id, this.caller).then(formatAccess), - ).to.eventually.be.deep.equal([false, '0']); - }); - - it('reverts if renouncing the PUBLIC_ROLE', async function () { - await expect(this.manager.connect(this.caller).renounceRole(this.roles.PUBLIC.id, this.caller)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') - .withArgs(this.roles.PUBLIC.id); - }); - - it('reverts if renouncing with bad caller confirmation', async function () { - await expect( - this.manager.connect(this.caller).renounceRole(this.role.id, this.other), - ).to.be.revertedWithCustomError(this.manager, 'AccessManagerBadConfirmation'); - }); - }); - }); - }); - }); - - describe('access managed self operations', function () { - describe('when calling a restricted target function', function () { - const method = 'fnRestricted()'; - - beforeEach('set required role', async function () { - this.role = { id: 785913n }; - await this.manager.$_setTargetFunctionRole( - this.manager, - this.manager[method].getFragment().selector, - this.role.id, - ); - }); - - describe('restrictions', function () { - beforeEach('set method and args', function () { - this.caller = this.user; - this.calldata = this.manager.interface.encodeFunctionData(method, []); - }); - - shouldBehaveLikeASelfRestrictedOperation(); - }); - - it('succeeds called by a role member', async function () { - await this.manager.$_grantRole(this.role.id, this.user, 0, 0); - - await expect(this.manager.connect(this.user)[method]()) - .to.emit(this.manager, 'CalledRestricted') - .withArgs(this.user); - }); - }); - - describe('when calling a non-restricted target function', function () { - const method = 'fnUnrestricted()'; - - beforeEach('set required role', async function () { - this.role = { id: 879435n }; - await this.manager.$_setTargetFunctionRole( - this.manager, - this.manager[method].getFragment().selector, - this.role.id, - ); - }); - - it('succeeds called by anyone', async function () { - await expect(this.manager.connect(this.user)[method]()) - .to.emit(this.manager, 'CalledUnrestricted') - .withArgs(this.user); - }); - }); - }); - - describe('access managed target operations', function () { - describe('when calling a restricted target function', function () { - const method = 'fnRestricted()'; - - beforeEach('set required role', async function () { - this.role = { id: 3597243n }; - await this.manager.$_setTargetFunctionRole( - this.target, - this.target[method].getFragment().selector, - this.role.id, - ); - }); - - describe('restrictions', function () { - beforeEach('set method and args', function () { - this.caller = this.user; - this.calldata = this.target.interface.encodeFunctionData(method, []); - }); - - shouldBehaveLikeAManagedRestrictedOperation(); - }); - - it('succeeds called by a role member', async function () { - await this.manager.$_grantRole(this.role.id, this.user, 0, 0); - - await expect(this.target.connect(this.user)[method]()) - .to.emit(this.target, 'CalledRestricted') - .withArgs(this.user); - }); - }); - - describe('when calling a non-restricted target function', function () { - const method = 'fnUnrestricted()'; - - beforeEach('set required role', async function () { - this.role = { id: 879435n }; - await this.manager.$_setTargetFunctionRole( - this.target, - this.target[method].getFragment().selector, - this.role.id, - ); - }); - - it('succeeds called by anyone', async function () { - await expect(this.target.connect(this.user)[method]()) - .to.emit(this.target, 'CalledUnrestricted') - .withArgs(this.user); - }); - }); - }); - - describe('#schedule', function () { - beforeEach('set target function role', async function () { - this.method = this.target.fnRestricted.getFragment(); - this.role = { id: 498305n }; - this.caller = this.user; - - await this.manager.$_setTargetFunctionRole(this.target, this.method.selector, this.role.id); - await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // nonzero execution delay - - this.calldata = this.target.interface.encodeFunctionData(this.method, []); - this.delay = time.duration.weeks(2); - }); - - describe('restrictions', function () { - testAsCanCall({ - closed() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - const { schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - await expect(schedule()) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - open: { - callerIsTheManager: { - executing() { - it.skip('is not reachable because schedule is not restrictable'); - }, - notExecuting() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - const { schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - await expect(schedule()) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - }, - callerIsNotTheManager: { - publicRoleIsRequired() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - // prepareOperation is not used here because it alters the next block timestamp - await expect(this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - specificRoleIsRequired: { - requiredRoleIsGranted: { - roleGrantingIsDelayed: { - callerHasAnExecutionDelay: { - beforeGrantDelay() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - // prepareOperation is not used here because it alters the next block timestamp - await expect(this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - afterGrantDelay() { - it('succeeds', async function () { - // prepareOperation is not used here because it alters the next block timestamp - await this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48); - }); - }, - }, - callerHasNoExecutionDelay: { - beforeGrantDelay() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - // prepareOperation is not used here because it alters the next block timestamp - await expect(this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - afterGrantDelay() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - // prepareOperation is not used here because it alters the next block timestamp - await expect(this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - }, - }, - roleGrantingIsNotDelayed: { - callerHasAnExecutionDelay() { - it('succeeds', async function () { - const { schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - - await schedule(); - }); - }, - callerHasNoExecutionDelay() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - // prepareOperation is not used here because it alters the next block timestamp - await expect(this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - }, - }, - requiredRoleIsNotGranted() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - const { schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - await expect(schedule()) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - }, - }, - }, - }); - }); - - it('schedules an operation at the specified execution date if it is larger than caller execution delay', async function () { - const { operationId, scheduledAt, schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - - const txResponse = await schedule(); - - await expect(this.manager.getSchedule(operationId)).to.eventually.equal(scheduledAt + this.delay); - await expect(txResponse) - .to.emit(this.manager, 'OperationScheduled') - .withArgs(operationId, '1', scheduledAt + this.delay, this.caller, this.target, this.calldata); - }); - - it('schedules an operation at the minimum execution date if no specified execution date (when == 0)', async function () { - const executionDelay = await time.duration.hours(72); - await this.manager.$_grantRole(this.role.id, this.caller, 0, executionDelay); - - const txResponse = await this.manager.connect(this.caller).schedule(this.target, this.calldata, 0); - const scheduledAt = await time.clockFromReceipt.timestamp(txResponse); - - const operationId = await this.manager.hashOperation(this.caller, this.target, this.calldata); - - await expect(this.manager.getSchedule(operationId)).to.eventually.equal(scheduledAt + executionDelay); - await expect(txResponse) - .to.emit(this.manager, 'OperationScheduled') - .withArgs(operationId, '1', scheduledAt + executionDelay, this.caller, this.target, this.calldata); - }); - - it('increases the nonce of an operation scheduled more than once', async function () { - // Setup and check initial nonce - const expectedOperationId = hashOperation(this.caller, this.target, this.calldata); - await expect(this.manager.getNonce(expectedOperationId)).to.eventually.equal('0'); - - // Schedule - const op1 = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - await expect(op1.schedule()) - .to.emit(this.manager, 'OperationScheduled') - .withArgs(op1.operationId, 1n, op1.scheduledAt + this.delay, this.caller, this.target, this.calldata); - expect(expectedOperationId).to.equal(op1.operationId); - - // Consume - await time.increaseBy.timestamp(this.delay); - await this.manager.$_consumeScheduledOp(expectedOperationId); - - // Check nonce - await expect(this.manager.getNonce(expectedOperationId)).to.eventually.equal('1'); - - // Schedule again - const op2 = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - await expect(op2.schedule()) - .to.emit(this.manager, 'OperationScheduled') - .withArgs(op2.operationId, 2n, op2.scheduledAt + this.delay, this.caller, this.target, this.calldata); - expect(expectedOperationId).to.equal(op2.operationId); - - // Check final nonce - await expect(this.manager.getNonce(expectedOperationId)).to.eventually.equal('2'); - }); - - it('reverts if the specified execution date is before the current timestamp + caller execution delay', async function () { - const executionDelay = time.duration.weeks(1) + this.delay; - await this.manager.$_grantRole(this.role.id, this.caller, 0, executionDelay); - - const { schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - - await expect(schedule()) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - - it('reverts if an operation is already schedule', async function () { - const op1 = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - - await op1.schedule(); - - const op2 = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - - await expect(op2.schedule()) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerAlreadyScheduled') - .withArgs(op1.operationId); - }); - - it('panics scheduling calldata with less than 4 bytes', async function () { - const calldata = '0x1234'; // 2 bytes - - // Managed contract - const op1 = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: calldata, - delay: this.delay, - }); - await expect(op1.schedule()).to.be.revertedWithoutReason(); - - // Manager contract - const op2 = await prepareOperation(this.manager, { - caller: this.caller, - target: this.manager, - calldata: calldata, - delay: this.delay, - }); - await expect(op2.schedule()).to.be.revertedWithoutReason(); - }); - - it('reverts scheduling an unknown operation to the manager', async function () { - const calldata = '0x12345678'; - - const { schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.manager, - calldata, - delay: this.delay, - }); - - await expect(schedule()) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.manager, calldata); - }); - }); - - describe('#execute', function () { - beforeEach('set target function role', async function () { - this.method = this.target.fnRestricted.getFragment(); - this.role = { id: 9825430n }; - this.caller = this.user; - - await this.manager.$_setTargetFunctionRole(this.target, this.method.selector, this.role.id); - await this.manager.$_grantRole(this.role.id, this.caller, 0, 0); - - this.calldata = this.target.interface.encodeFunctionData(this.method, []); - }); - - describe('restrictions', function () { - testAsCanCall({ - closed() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - open: { - callerIsTheManager: { - executing() { - it('succeeds', async function () { - await this.manager.connect(this.caller).execute(this.target, this.calldata); - }); - }, - notExecuting() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - }, - callerIsNotTheManager: { - publicRoleIsRequired() { - it('succeeds', async function () { - await this.manager.connect(this.caller).execute(this.target, this.calldata); - }); - }, - specificRoleIsRequired: { - requiredRoleIsGranted: { - roleGrantingIsDelayed: { - callerHasAnExecutionDelay: { - beforeGrantDelay() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - afterGrantDelay: function self() { - self.mineDelay = true; - - beforeEach('define schedule delay', function () { - this.scheduleIn = time.duration.days(21); // For testAsSchedulableOperation - }); - - testAsSchedulableOperation(LIKE_COMMON_SCHEDULABLE); - }, - }, - callerHasNoExecutionDelay: { - beforeGrantDelay() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - afterGrantDelay: function self() { - self.mineDelay = true; - - it('succeeds', async function () { - await this.manager.connect(this.caller).execute(this.target, this.calldata); - }); - }, - }, - }, - roleGrantingIsNotDelayed: { - callerHasAnExecutionDelay() { - beforeEach('define schedule delay', function () { - this.scheduleIn = time.duration.days(15); // For testAsSchedulableOperation - }); - - testAsSchedulableOperation(LIKE_COMMON_SCHEDULABLE); - }, - callerHasNoExecutionDelay() { - it('succeeds', async function () { - await this.manager.connect(this.caller).execute(this.target, this.calldata); - }); - }, - }, - }, - requiredRoleIsNotGranted() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - }, - }, - }, - }); - }); - - it('executes with a delay consuming the scheduled operation', async function () { - const delay = time.duration.hours(4); - await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // Execution delay is needed so the operation is consumed - - const { operationId, schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay, - }); - await schedule(); - await time.increaseBy.timestamp(delay); - await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) - .to.emit(this.manager, 'OperationExecuted') - .withArgs(operationId, 1n); - - await expect(this.manager.getSchedule(operationId)).to.eventually.equal(0n); - }); - - it('executes with no delay consuming a scheduled operation', async function () { - const delay = time.duration.hours(4); - - // give caller an execution delay - await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); - - const { operationId, schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay, - }); - await schedule(); - - // remove the execution delay - await this.manager.$_grantRole(this.role.id, this.caller, 0, 0); - - await time.increaseBy.timestamp(delay); - await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) - .to.emit(this.manager, 'OperationExecuted') - .withArgs(operationId, 1n); - - await expect(this.manager.getSchedule(operationId)).to.eventually.equal(0n); - }); - - it('keeps the original _executionId after finishing the call', async function () { - const executionIdBefore = await ethers.provider.getStorage(this.manager, EXECUTION_ID_STORAGE_SLOT); - await this.manager.connect(this.caller).execute(this.target, this.calldata); - const executionIdAfter = await ethers.provider.getStorage(this.manager, EXECUTION_ID_STORAGE_SLOT); - expect(executionIdBefore).to.equal(executionIdAfter); - }); - - it('reverts executing twice', async function () { - const delay = time.duration.hours(2); - await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // Execution delay is needed so the operation is consumed - - const { operationId, schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay, - }); - await schedule(); - await time.increaseBy.timestamp(delay); - await this.manager.connect(this.caller).execute(this.target, this.calldata); - await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerNotScheduled') - .withArgs(operationId); - }); - }); - - describe('#consumeScheduledOp', function () { - beforeEach('define scheduling parameters', async function () { - const method = this.target.fnRestricted.getFragment(); - this.caller = await ethers.getSigner(this.target.target); - await impersonate(this.caller.address); - this.calldata = this.target.interface.encodeFunctionData(method, []); - this.role = { id: 9834983n }; - - await this.manager.$_setTargetFunctionRole(this.target, method.selector, this.role.id); - await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // nonzero execution delay - - this.scheduleIn = time.duration.hours(10); // For testAsSchedulableOperation - }); - - describe('when caller is not consuming scheduled operation', function () { - beforeEach('set consuming false', async function () { - await this.target.setIsConsumingScheduledOp(false, ethers.toBeHex(CONSUMING_SCHEDULE_STORAGE_SLOT, 32)); - }); - - it('reverts as AccessManagerUnauthorizedConsume', async function () { - await expect(this.manager.connect(this.caller).consumeScheduledOp(this.caller, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedConsume') - .withArgs(this.caller); - }); - }); - - describe('when caller is consuming scheduled operation', function () { - beforeEach('set consuming true', async function () { - await this.target.setIsConsumingScheduledOp(true, ethers.toBeHex(CONSUMING_SCHEDULE_STORAGE_SLOT, 32)); - }); - - testAsSchedulableOperation({ - scheduled: { - before() { - it('reverts as AccessManagerNotReady', async function () { - await expect(this.manager.connect(this.caller).consumeScheduledOp(this.caller, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerNotReady') - .withArgs(this.operationId); - }); - }, - after() { - it('consumes the scheduled operation and resets timepoint', async function () { - await expect(this.manager.getSchedule(this.operationId)).to.eventually.equal( - this.scheduledAt + this.scheduleIn, - ); - - await expect(this.manager.connect(this.caller).consumeScheduledOp(this.caller, this.calldata)) - .to.emit(this.manager, 'OperationExecuted') - .withArgs(this.operationId, 1n); - await expect(this.manager.getSchedule(this.operationId)).to.eventually.equal(0n); - }); - }, - expired() { - it('reverts as AccessManagerExpired', async function () { - await expect(this.manager.connect(this.caller).consumeScheduledOp(this.caller, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerExpired') - .withArgs(this.operationId); - }); - }, - }, - notScheduled() { - it('reverts as AccessManagerNotScheduled', async function () { - await expect(this.manager.connect(this.caller).consumeScheduledOp(this.caller, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerNotScheduled') - .withArgs(this.operationId); - }); - }, - }); - }); - }); - - describe('#cancelScheduledOp', function () { - beforeEach('setup scheduling', async function () { - this.method = this.target.fnRestricted.getFragment(); - this.caller = this.roles.SOME.members[0]; - await this.manager.$_setTargetFunctionRole(this.target, this.method.selector, this.roles.SOME.id); - await this.manager.$_grantRole(this.roles.SOME.id, this.caller, 0, 1); // nonzero execution delay - - this.calldata = this.target.interface.encodeFunctionData(this.method, []); - this.scheduleIn = time.duration.days(10); // For testAsSchedulableOperation - }); - - testAsSchedulableOperation({ - scheduled: { - before() { - describe('when caller is the scheduler', function () { - it('succeeds', async function () { - await this.manager.connect(this.caller).cancel(this.caller, this.target, this.calldata); - }); - }); - - describe('when caller is an admin', function () { - it('succeeds', async function () { - await this.manager.connect(this.roles.ADMIN.members[0]).cancel(this.caller, this.target, this.calldata); - }); - }); - - describe('when caller is the role guardian', function () { - it('succeeds', async function () { - await this.manager - .connect(this.roles.SOME_GUARDIAN.members[0]) - .cancel(this.caller, this.target, this.calldata); - }); - }); - - describe('when caller is any other account', function () { - it('reverts as AccessManagerUnauthorizedCancel', async function () { - await expect(this.manager.connect(this.other).cancel(this.caller, this.target, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCancel') - .withArgs(this.other, this.caller, this.target, this.method.selector); - }); - }); - }, - after() { - it('succeeds', async function () { - await this.manager.connect(this.caller).cancel(this.caller, this.target, this.calldata); - }); - }, - expired() { - it('succeeds', async function () { - await this.manager.connect(this.caller).cancel(this.caller, this.target, this.calldata); - }); - }, - }, - notScheduled() { - it('reverts as AccessManagerNotScheduled', async function () { - await expect(this.manager.cancel(this.caller, this.target, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerNotScheduled') - .withArgs(this.operationId); - }); - }, - }); - - it('cancels an operation and resets schedule', async function () { - const { operationId, schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.scheduleIn, - }); - await schedule(); - await expect(this.manager.connect(this.caller).cancel(this.caller, this.target, this.calldata)) - .to.emit(this.manager, 'OperationCanceled') - .withArgs(operationId, 1n); - await expect(this.manager.getSchedule(operationId)).to.eventually.equal('0'); - }); - }); - - describe('with Ownable target contract', function () { - const roleId = 1n; - - beforeEach(async function () { - this.ownable = await ethers.deployContract('$Ownable', [this.manager]); - - // add user to role - await this.manager.$_grantRole(roleId, this.user, 0, 0); - }); - - it('initial state', async function () { - await expect(this.ownable.owner()).to.eventually.equal(this.manager); - }); - - describe('Contract is closed', function () { - beforeEach(async function () { - await this.manager.$_setTargetClosed(this.ownable, true); - }); - - it('directly call: reverts', async function () { - await expect(this.ownable.connect(this.user).$_checkOwner()) - .to.be.revertedWithCustomError(this.ownable, 'OwnableUnauthorizedAccount') - .withArgs(this.user); - }); - - it('relayed call (with role): reverts', async function () { - await expect( - this.manager.connect(this.user).execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector), - ) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.user, this.ownable, this.ownable.$_checkOwner.getFragment().selector); - }); - - it('relayed call (without role): reverts', async function () { - await expect( - this.manager.connect(this.other).execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector), - ) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.other, this.ownable, this.ownable.$_checkOwner.getFragment().selector); - }); - }); - - describe('Contract is managed', function () { - describe('function is open to specific role', function () { - beforeEach(async function () { - await this.manager.$_setTargetFunctionRole( - this.ownable, - this.ownable.$_checkOwner.getFragment().selector, - roleId, - ); - }); - - it('directly call: reverts', async function () { - await expect(this.ownable.connect(this.user).$_checkOwner()) - .to.be.revertedWithCustomError(this.ownable, 'OwnableUnauthorizedAccount') - .withArgs(this.user); - }); - - it('relayed call (with role): success', async function () { - await this.manager.connect(this.user).execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector); - }); - - it('relayed call (without role): reverts', async function () { - await expect( - this.manager.connect(this.other).execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector), - ) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.other, this.ownable, this.ownable.$_checkOwner.getFragment().selector); - }); - }); - - describe('function is open to public role', function () { - beforeEach(async function () { - await this.manager.$_setTargetFunctionRole( - this.ownable, - this.ownable.$_checkOwner.getFragment().selector, - this.roles.PUBLIC.id, - ); - }); - - it('directly call: reverts', async function () { - await expect(this.ownable.connect(this.user).$_checkOwner()) - .to.be.revertedWithCustomError(this.ownable, 'OwnableUnauthorizedAccount') - .withArgs(this.user); - }); - - it('relayed call (with role): success', async function () { - await this.manager.connect(this.user).execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector); - }); - - it('relayed call (without role): success', async function () { - await this.manager - .connect(this.other) - .execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector); - }); - }); - }); - }); -} - -// ============ ENUMERABLE EXTENSION ============ - -/** - * @requires this.{manager,roles,admin,user,other,target,target2} - */ -function shouldBehaveLikeAccessManagerEnumerable() { - describe('enumerating', function () { - const ANOTHER_ROLE = 0xdeadc0de2n; - - describe('role members', function () { - it('role bearers can be enumerated', async function () { - // Grant roles to multiple accounts - await this.manager.connect(this.admin).grantRole(ANOTHER_ROLE, this.user, 0); - await this.manager.connect(this.admin).grantRole(ANOTHER_ROLE, this.other, 0); - await this.manager.connect(this.admin).grantRole(ANOTHER_ROLE, this.admin, 0); - - // Revoke one role - await this.manager.connect(this.admin).revokeRole(ANOTHER_ROLE, this.other); - - const expectedMembers = [this.user.address, this.admin.address]; - - // Test individual enumeration - const memberCount = await this.manager.getRoleMemberCount(ANOTHER_ROLE); - const members = Array.from({ length: Number(memberCount) }, (_, i) => - this.manager.getRoleMember(ANOTHER_ROLE, i), - ); - - expect(memberCount).to.equal(expectedMembers.length); - await expect(Promise.all(members)).to.eventually.deep.equal(expectedMembers); - - // Test batch enumeration - await expect(this.manager.getRoleMembers(ANOTHER_ROLE, 0, ethers.MaxUint256)).to.eventually.deep.equal( - expectedMembers, - ); - }); - - it('role enumeration should be in sync after renounceRole call', async function () { - await this.manager.connect(this.admin).grantRole(ANOTHER_ROLE, this.user, 0); - - await expect(this.manager.getRoleMemberCount(ANOTHER_ROLE)).to.eventually.equal(1); // Only the initial member - await this.manager.connect(this.admin).grantRole(ANOTHER_ROLE, this.admin, 0); - await expect(this.manager.getRoleMemberCount(ANOTHER_ROLE)).to.eventually.equal(2); - await this.manager.connect(this.admin).renounceRole(ANOTHER_ROLE, this.admin); - await expect(this.manager.getRoleMemberCount(ANOTHER_ROLE)).to.eventually.equal(1); - }); - - it('returns empty for roles with no members', async function () { - const roleId = 999n; // Non-existent role - - await expect(this.manager.getRoleMemberCount(roleId)).to.eventually.equal(0); - await expect(this.manager.getRoleMembers(roleId, 0, 10)).to.eventually.deep.equal([]); - }); - - it('supports partial enumeration with start and end parameters', async function () { - // Grant roles to multiple accounts - await this.manager.connect(this.admin).grantRole(ANOTHER_ROLE, this.user, 0); - await this.manager.connect(this.admin).grantRole(ANOTHER_ROLE, this.other, 0); - await this.manager.connect(this.admin).grantRole(ANOTHER_ROLE, this.admin, 0); - - await expect(this.manager.getRoleMemberCount(ANOTHER_ROLE)).to.eventually.equal(3); - - const users = [this.user.address, this.other.address, this.admin.address]; - - // Test partial enumeration - const firstTwo = await this.manager.getRoleMembers(ANOTHER_ROLE, 0, 2); - expect(firstTwo).to.have.lengthOf(2); - expect(users).to.include.members(firstTwo); - - const lastTwo = await this.manager.getRoleMembers(ANOTHER_ROLE, 1, 3); - expect(lastTwo).to.have.lengthOf(2); - expect(users).to.include.members(lastTwo); - }); - }); - - describe('target functions', function () { - it('target functions can be enumerated', async function () { - const roleId = this.roles.SOME.id; - const target = this.target; - const selectors = ['someFunction()', 'anotherFunction(uint256)', 'thirdFunction(address,bool)'].map(selector); - - await this.manager.connect(this.admin).setTargetFunctionRole(target, selectors, roleId); - - const functionCount = await this.manager.getRoleTargetFunctionCount(roleId, target); - const functions = Array.from({ length: Number(functionCount) }, (_, i) => - this.manager.getRoleTargetFunction(roleId, target, i), - ); - - expect(functionCount).to.equal(selectors.length); - await expect(Promise.all(functions)).to.eventually.have.members(selectors); - - // Test batch enumeration - await expect( - this.manager.getRoleTargetFunctions(roleId, target, 0, ethers.MaxUint256), - ).to.eventually.deep.equal(selectors); - }); - - it('target function enumeration updates when roles change', async function () { - const roleId1 = this.roles.SOME.id; - const roleId2 = this.roles.SOME_ADMIN.id; - const target = this.target; - const sel = selector('testFunction()'); - - // Initially assign to roleId1 - await this.manager.connect(this.admin).setTargetFunctionRole(target, [sel], roleId1); - - await expect(this.manager.getRoleTargetFunctionCount(roleId1, target)).to.eventually.equal(1); - await expect(this.manager.getRoleTargetFunctionCount(roleId2, target)).to.eventually.equal(0); - await expect(this.manager.getRoleTargetFunction(roleId1, target, 0)).to.eventually.equal(sel); - - // Reassign to roleId2 - await this.manager.connect(this.admin).setTargetFunctionRole(target, [sel], roleId2); - - await expect(this.manager.getRoleTargetFunctionCount(roleId1, target)).to.eventually.equal(0); - await expect(this.manager.getRoleTargetFunctionCount(roleId2, target)).to.eventually.equal(1); - await expect(this.manager.getRoleTargetFunction(roleId2, target, 0)).to.eventually.equal(sel); - }); - - it('returns empty for ADMIN_ROLE target functions', async function () { - const target = this.target; - const sel = selector('adminFunction()'); - - // Set function to ADMIN_ROLE (default behavior) - await this.manager.connect(this.admin).setTargetFunctionRole(target, [sel], this.roles.ADMIN.id); - - // ADMIN_ROLE functions are not tracked - await expect(this.manager.getRoleTargetFunctionCount(this.roles.ADMIN.id, target)).to.eventually.equal(0); - await expect( - this.manager.getRoleTargetFunctions(this.roles.ADMIN.id, target, 0, ethers.MaxUint256), - ).to.eventually.deep.equal([]); - }); - - it('returns empty for roles with no target functions', async function () { - const roleId = 888n; // Role with no functions - const target = this.target; - - await expect(this.manager.getRoleTargetFunctionCount(roleId, target)).to.eventually.equal(0); - await expect( - this.manager.getRoleTargetFunctions(roleId, target, 0, ethers.MaxUint256), - ).to.eventually.deep.equal([]); - }); - - it('supports partial enumeration of target functions', async function () { - const roleId = this.roles.SOME.id; - const target = this.target; - const selectors = ['func1()', 'func2()', 'func3()', 'func4()'].map(selector); - - await this.manager.connect(this.admin).setTargetFunctionRole(target, selectors, roleId); - - await expect(this.manager.getRoleTargetFunctionCount(roleId, target)).to.eventually.equal(4); - - // Test partial enumeration - const firstTwo = await this.manager.getRoleTargetFunctions(roleId, target, 0, 2); - expect(firstTwo).to.have.lengthOf(2); - expect(selectors).to.include.members(firstTwo); - - const lastTwo = await this.manager.getRoleTargetFunctions(roleId, target, 2, 4); - expect(lastTwo).to.have.lengthOf(2); - expect(selectors).to.include.members(firstTwo); - - // Verify no overlap and complete coverage - expect([].concat(firstTwo, lastTwo)).to.have.members(selectors); - }); - - it('distinguishes between different targets', async function () { - const roleId = this.roles.SOME.id; - const target1 = this.target; - const target2 = this.target2; - const sel1 = selector('target1Function()'); - const sel2 = selector('target2Function()'); - - // Set different functions for the same role on different targets - await this.manager.connect(this.admin).setTargetFunctionRole(target1, [sel1], roleId); - await this.manager.connect(this.admin).setTargetFunctionRole(target2, [sel2], roleId); - - // Each target should have its own function tracked - await expect(this.manager.getRoleTargetFunctionCount(roleId, target1)).to.eventually.equal(1); - await expect(this.manager.getRoleTargetFunctionCount(roleId, target2)).to.eventually.equal(1); - - await expect(this.manager.getRoleTargetFunction(roleId, target1, 0)).to.eventually.equal(sel1); - await expect(this.manager.getRoleTargetFunction(roleId, target2, 0)).to.eventually.equal(sel2); - - // Functions should be isolated per target - await expect( - this.manager.getRoleTargetFunctions(roleId, target1, 0, ethers.MaxUint256), - ).to.eventually.deep.equal([sel1]); - await expect( - this.manager.getRoleTargetFunctions(roleId, target2, 0, ethers.MaxUint256), - ).to.eventually.deep.equal([sel2]); - }); - }); - }); -} - module.exports = { shouldBehaveLikeDelayedAdminOperation, shouldBehaveLikeNotDelayedAdminOperation, shouldBehaveLikeRoleAdminOperation, shouldBehaveLikeAManagedRestrictedOperation, shouldBehaveLikeASelfRestrictedOperation, - shouldBehaveLikeAccessManager, - shouldBehaveLikeAccessManagerEnumerable, }; diff --git a/test/access/manager/AccessManager.test.js b/test/access/manager/AccessManager.test.js index 9eed99ee713..7726831b268 100644 --- a/test/access/manager/AccessManager.test.js +++ b/test/access/manager/AccessManager.test.js @@ -1,7 +1,40 @@ const { ethers } = require('hardhat'); +const { expect } = require('chai'); const { loadFixture } = require('@nomicfoundation/hardhat-network-helpers'); -const { buildBaseRoles } = require('../../helpers/access-manager'); -const { shouldBehaveLikeAccessManager } = require('./AccessManager.behavior'); + +const { impersonate } = require('../../helpers/account'); +const { MAX_UINT48 } = require('../../helpers/constants'); +const { selector } = require('../../helpers/methods'); +const time = require('../../helpers/time'); + +const { + buildBaseRoles, + formatAccess, + EXPIRATION, + MINSETBACK, + EXECUTION_ID_STORAGE_SLOT, + CONSUMING_SCHEDULE_STORAGE_SLOT, + prepareOperation, + hashOperation, +} = require('../../helpers/access-manager'); + +const { + shouldBehaveLikeDelayedAdminOperation, + shouldBehaveLikeNotDelayedAdminOperation, + shouldBehaveLikeRoleAdminOperation, + shouldBehaveLikeAManagedRestrictedOperation, + shouldBehaveLikeASelfRestrictedOperation, +} = require('./AccessManager.behavior'); + +const { + LIKE_COMMON_SCHEDULABLE, + testAsClosable, + testAsDelay, + testAsSchedulableOperation, + testAsCanCall, + testAsHasRole, + testAsGetAccess, +} = require('./AccessManager.predicate'); async function fixture() { const [admin, roleAdmin, roleGuardian, member, user, other] = await ethers.getSigners(); @@ -50,10 +83,2407 @@ async function fixture() { }; } +// This test suite is made using the following tools: +// +// * Predicates: Functions with common conditional setups without assertions. +// * Behaviors: Functions with common assertions. +// +// The behavioral tests are built by composing predicates and are used as templates +// for testing access to restricted functions. +// +// Similarly, unit tests in this suite will use predicates to test subsets of these +// behaviors and are helped by common assertions provided for some of the predicates. +// +// The predicates can be identified by the `testAs*` prefix while the behaviors +// are prefixed with `shouldBehave*`. The common assertions for predicates are +// defined as constants. describe('AccessManager', function () { beforeEach(async function () { Object.assign(this, await loadFixture(fixture)); }); - shouldBehaveLikeAccessManager(); + describe('during construction', function () { + it('grants admin role to initialAdmin', async function () { + const manager = await ethers.deployContract('$AccessManager', [this.other]); + expect(await manager.hasRole(this.roles.ADMIN.id, this.other).then(formatAccess)).to.be.deep.equal([true, '0']); + }); + + it('rejects zero address for initialAdmin', async function () { + await expect(ethers.deployContract('$AccessManager', [ethers.ZeroAddress])) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerInvalidInitialAdmin') + .withArgs(ethers.ZeroAddress); + }); + + it('initializes setup roles correctly', async function () { + for (const { id: roleId, admin, guardian, members } of Object.values(this.roles)) { + expect(await this.manager.getRoleAdmin(roleId)).to.equal(admin.id); + expect(await this.manager.getRoleGuardian(roleId)).to.equal(guardian.id); + + for (const user of this.roles.PUBLIC.members) { + expect(await this.manager.hasRole(roleId, user).then(formatAccess)).to.be.deep.equal([ + members.includes(user), + '0', + ]); + } + } + }); + }); + + describe('getters', function () { + describe('#canCall', function () { + beforeEach('set calldata', function () { + this.calldata = '0x12345678'; + this.role = { id: 379204n }; + }); + + testAsCanCall({ + closed() { + it('should return false and no delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.other, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.false; + expect(delay).to.equal(0n); + }); + }, + open: { + callerIsTheManager: { + executing() { + it('should return true and no delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.true; + expect(delay).to.equal(0n); + }); + }, + notExecuting() { + it('should return false and no delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.false; + expect(delay).to.equal(0n); + }); + }, + }, + callerIsNotTheManager: { + publicRoleIsRequired() { + it('should return true and no delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.true; + expect(delay).to.equal(0n); + }); + }, + specificRoleIsRequired: { + requiredRoleIsGranted: { + roleGrantingIsDelayed: { + callerHasAnExecutionDelay: { + beforeGrantDelay: function self() { + self.mineDelay = true; + + it('should return false and no execution delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.false; + expect(delay).to.equal(0n); + }); + }, + afterGrantDelay: function self() { + self.mineDelay = true; + + beforeEach('sets execution delay', function () { + this.scheduleIn = this.executionDelay; // For testAsSchedulableOperation + }); + + testAsSchedulableOperation({ + scheduled: { + before: function self() { + self.mineDelay = true; + + it('should return false and execution delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.false; + expect(delay).to.equal(this.executionDelay); + }); + }, + after: function self() { + self.mineDelay = true; + + it('should return false and execution delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.false; + expect(delay).to.equal(this.executionDelay); + }); + }, + expired: function self() { + self.mineDelay = true; + + it('should return false and execution delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.false; + expect(delay).to.equal(this.executionDelay); + }); + }, + }, + notScheduled() { + it('should return false and execution delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.false; + expect(delay).to.equal(this.executionDelay); + }); + }, + }); + }, + }, + callerHasNoExecutionDelay: { + beforeGrantDelay: function self() { + self.mineDelay = true; + + it('should return false and no execution delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.false; + expect(delay).to.equal(0n); + }); + }, + afterGrantDelay: function self() { + self.mineDelay = true; + + it('should return true and no execution delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.true; + expect(delay).to.equal(0n); + }); + }, + }, + }, + roleGrantingIsNotDelayed: { + callerHasAnExecutionDelay() { + it('should return false and execution delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.false; + expect(delay).to.equal(this.executionDelay); + }); + }, + callerHasNoExecutionDelay() { + it('should return true and no execution delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.true; + expect(delay).to.equal(0n); + }); + }, + }, + }, + requiredRoleIsNotGranted() { + it('should return false and no execution delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.false; + expect(delay).to.equal(0n); + }); + }, + }, + }, + }, + }); + }); + + describe('#expiration', function () { + it('has a 7 days default expiration', async function () { + expect(await this.manager.expiration()).to.equal(EXPIRATION); + }); + }); + + describe('#minSetback', function () { + it('has a 5 days default minimum setback', async function () { + expect(await this.manager.minSetback()).to.equal(MINSETBACK); + }); + }); + + describe('#isTargetClosed', function () { + testAsClosable({ + closed() { + it('returns true', async function () { + expect(await this.manager.isTargetClosed(this.target)).to.be.true; + }); + }, + open() { + it('returns false', async function () { + expect(await this.manager.isTargetClosed(this.target)).to.be.false; + }); + }, + }); + }); + + describe('#getTargetFunctionRole', function () { + const methodSelector = selector('something(address,bytes)'); + + it('returns the target function role', async function () { + const roleId = 21498n; + await this.manager.$_setTargetFunctionRole(this.target, methodSelector, roleId); + + expect(await this.manager.getTargetFunctionRole(this.target, methodSelector)).to.equal(roleId); + }); + + it('returns the ADMIN role if not set', async function () { + expect(await this.manager.getTargetFunctionRole(this.target, methodSelector)).to.equal(this.roles.ADMIN.id); + }); + }); + + describe('#getTargetAdminDelay', function () { + describe('when the target admin delay is setup', function () { + beforeEach('set target admin delay', async function () { + this.oldDelay = await this.manager.getTargetAdminDelay(this.target); + this.newDelay = time.duration.days(10); + + await this.manager.$_setTargetAdminDelay(this.target, this.newDelay); + this.delay = MINSETBACK; // For testAsDelay + }); + + testAsDelay('effect', { + before: function self() { + self.mineDelay = true; + + it('returns the old target admin delay', async function () { + expect(await this.manager.getTargetAdminDelay(this.target)).to.equal(this.oldDelay); + }); + }, + after: function self() { + self.mineDelay = true; + + it('returns the new target admin delay', async function () { + expect(await this.manager.getTargetAdminDelay(this.target)).to.equal(this.newDelay); + }); + }, + }); + }); + + it('returns the 0 if not set', async function () { + expect(await this.manager.getTargetAdminDelay(this.target)).to.equal(0n); + }); + }); + + describe('#getRoleAdmin', function () { + const roleId = 5234907n; + + it('returns the role admin', async function () { + const adminId = 789433n; + + await this.manager.$_setRoleAdmin(roleId, adminId); + + expect(await this.manager.getRoleAdmin(roleId)).to.equal(adminId); + }); + + it('returns the ADMIN role if not set', async function () { + expect(await this.manager.getRoleAdmin(roleId)).to.equal(this.roles.ADMIN.id); + }); + }); + + describe('#getRoleGuardian', function () { + const roleId = 5234907n; + + it('returns the role guardian', async function () { + const guardianId = 789433n; + + await this.manager.$_setRoleGuardian(roleId, guardianId); + + expect(await this.manager.getRoleGuardian(roleId)).to.equal(guardianId); + }); + + it('returns the ADMIN role if not set', async function () { + expect(await this.manager.getRoleGuardian(roleId)).to.equal(this.roles.ADMIN.id); + }); + }); + + describe('#getRoleGrantDelay', function () { + const roleId = 9248439n; + + describe('when the grant admin delay is setup', function () { + beforeEach('set grant admin delay', async function () { + this.oldDelay = await this.manager.getRoleGrantDelay(roleId); + this.newDelay = time.duration.days(11); + + await this.manager.$_setGrantDelay(roleId, this.newDelay); + this.delay = MINSETBACK; // For testAsDelay + }); + + testAsDelay('grant', { + before: function self() { + self.mineDelay = true; + + it('returns the old role grant delay', async function () { + expect(await this.manager.getRoleGrantDelay(roleId)).to.equal(this.oldDelay); + }); + }, + after: function self() { + self.mineDelay = true; + + it('returns the new role grant delay', async function () { + expect(await this.manager.getRoleGrantDelay(roleId)).to.equal(this.newDelay); + }); + }, + }); + }); + + it('returns 0 if delay is not set', async function () { + expect(await this.manager.getTargetAdminDelay(this.target)).to.equal(0n); + }); + }); + + describe('#getAccess', function () { + beforeEach('set role', function () { + this.role = { id: 9452n }; + this.caller = this.user; + }); + + testAsGetAccess({ + requiredRoleIsGranted: { + roleGrantingIsDelayed: { + callerHasAnExecutionDelay: { + beforeGrantDelay: function self() { + self.mineDelay = true; + + it('role is not in effect and execution delay is set', async function () { + const access = await this.manager.getAccess(this.role.id, this.caller); + expect(access[0]).to.equal(this.delayEffect); // inEffectSince + expect(access[1]).to.equal(this.executionDelay); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Not in effect yet + expect(await time.clock.timestamp()).to.lt(access[0]); + }); + }, + afterGrantDelay: function self() { + self.mineDelay = true; + + it('access has role in effect and execution delay is set', async function () { + const access = await this.manager.getAccess(this.role.id, this.caller); + + expect(access[0]).to.equal(this.delayEffect); // inEffectSince + expect(access[1]).to.equal(this.executionDelay); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Already in effect + expect(await time.clock.timestamp()).to.equal(access[0]); + }); + }, + }, + callerHasNoExecutionDelay: { + beforeGrantDelay: function self() { + self.mineDelay = true; + + it('access has role not in effect without execution delay', async function () { + const access = await this.manager.getAccess(this.role.id, this.caller); + expect(access[0]).to.equal(this.delayEffect); // inEffectSince + expect(access[1]).to.equal(0n); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Not in effect yet + expect(await time.clock.timestamp()).to.lt(access[0]); + }); + }, + afterGrantDelay: function self() { + self.mineDelay = true; + + it('role is in effect without execution delay', async function () { + const access = await this.manager.getAccess(this.role.id, this.caller); + expect(access[0]).to.equal(this.delayEffect); // inEffectSince + expect(access[1]).to.equal(0n); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Already in effect + expect(await time.clock.timestamp()).to.equal(access[0]); + }); + }, + }, + }, + roleGrantingIsNotDelayed: { + callerHasAnExecutionDelay() { + it('access has role in effect and execution delay is set', async function () { + const access = await this.manager.getAccess(this.role.id, this.caller); + expect(access[0]).to.equal(await time.clock.timestamp()); // inEffectSince + expect(access[1]).to.equal(this.executionDelay); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Already in effect + expect(await time.clock.timestamp()).to.equal(access[0]); + }); + }, + callerHasNoExecutionDelay() { + it('access has role in effect without execution delay', async function () { + const access = await this.manager.getAccess(this.role.id, this.caller); + expect(access[0]).to.equal(await time.clock.timestamp()); // inEffectSince + expect(access[1]).to.equal(0n); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Already in effect + expect(await time.clock.timestamp()).to.equal(access[0]); + }); + }, + }, + }, + requiredRoleIsNotGranted() { + it('has empty access', async function () { + const access = await this.manager.getAccess(this.role.id, this.caller); + expect(access[0]).to.equal(0n); // inEffectSince + expect(access[1]).to.equal(0n); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + }); + }, + }); + }); + + describe('#hasRole', function () { + beforeEach('setup testAsHasRole', function () { + this.role = { id: 49832n }; + this.calldata = '0x12345678'; + this.caller = this.user; + }); + + testAsHasRole({ + publicRoleIsRequired() { + it('has PUBLIC role', async function () { + const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); + expect(isMember).to.be.true; + expect(executionDelay).to.equal('0'); + }); + }, + specificRoleIsRequired: { + requiredRoleIsGranted: { + roleGrantingIsDelayed: { + callerHasAnExecutionDelay: { + beforeGrantDelay: function self() { + self.mineDelay = true; + + it('does not have role but execution delay', async function () { + const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); + expect(isMember).to.be.false; + expect(executionDelay).to.equal(this.executionDelay); + }); + }, + afterGrantDelay: function self() { + self.mineDelay = true; + + it('has role and execution delay', async function () { + const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); + expect(isMember).to.be.true; + expect(executionDelay).to.equal(this.executionDelay); + }); + }, + }, + callerHasNoExecutionDelay: { + beforeGrantDelay: function self() { + self.mineDelay = true; + + it('does not have role nor execution delay', async function () { + const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); + expect(isMember).to.be.false; + expect(executionDelay).to.equal('0'); + }); + }, + afterGrantDelay: function self() { + self.mineDelay = true; + + it('has role and no execution delay', async function () { + const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); + expect(isMember).to.be.true; + expect(executionDelay).to.equal('0'); + }); + }, + }, + }, + roleGrantingIsNotDelayed: { + callerHasAnExecutionDelay() { + it('has role and execution delay', async function () { + const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); + expect(isMember).to.be.true; + expect(executionDelay).to.equal(this.executionDelay); + }); + }, + callerHasNoExecutionDelay() { + it('has role and no execution delay', async function () { + const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); + expect(isMember).to.be.true; + expect(executionDelay).to.equal('0'); + }); + }, + }, + }, + requiredRoleIsNotGranted() { + it('has no role and no execution delay', async function () { + const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); + expect(isMember).to.be.false; + expect(executionDelay).to.equal('0'); + }); + }, + }, + }); + }); + + describe('#getSchedule', function () { + beforeEach('set role and calldata', async function () { + const fnRestricted = this.target.fnRestricted.getFragment().selector; + this.caller = this.user; + this.role = { id: 493590n }; + await this.manager.$_setTargetFunctionRole(this.target, fnRestricted, this.role.id); + await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // nonzero execution delay + + this.calldata = this.target.interface.encodeFunctionData(fnRestricted, []); + this.scheduleIn = time.duration.days(10); // For testAsSchedulableOperation + }); + + testAsSchedulableOperation({ + scheduled: { + before: function self() { + self.mineDelay = true; + + it('returns schedule in the future', async function () { + const schedule = await this.manager.getSchedule(this.operationId); + expect(schedule).to.equal(this.scheduledAt + this.scheduleIn); + expect(schedule).to.gt(await time.clock.timestamp()); + }); + }, + after: function self() { + self.mineDelay = true; + + it('returns schedule', async function () { + const schedule = await this.manager.getSchedule(this.operationId); + expect(schedule).to.equal(this.scheduledAt + this.scheduleIn); + expect(schedule).to.equal(await time.clock.timestamp()); + }); + }, + expired: function self() { + self.mineDelay = true; + + it('returns 0', async function () { + expect(await this.manager.getSchedule(this.operationId)).to.equal(0n); + }); + }, + }, + notScheduled() { + it('defaults to 0', async function () { + expect(await this.manager.getSchedule(this.operationId)).to.equal(0n); + }); + }, + }); + }); + + describe('#getNonce', function () { + describe('when operation is scheduled', function () { + beforeEach('schedule operation', async function () { + const fnRestricted = this.target.fnRestricted.getFragment().selector; + this.caller = this.user; + this.role = { id: 4209043n }; + await this.manager.$_setTargetFunctionRole(this.target, fnRestricted, this.role.id); + await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // nonzero execution delay + + this.calldata = this.target.interface.encodeFunctionData(fnRestricted, []); + this.delay = time.duration.days(10); + + const { operationId, schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + await schedule(); + this.operationId = operationId; + }); + + it('returns nonce', async function () { + expect(await this.manager.getNonce(this.operationId)).to.equal(1n); + }); + }); + + describe('when is not scheduled', function () { + it('returns default 0', async function () { + expect(await this.manager.getNonce(ethers.id('operation'))).to.equal(0n); + }); + }); + }); + + describe('#hashOperation', function () { + it('returns an operationId', async function () { + const args = [this.user, this.other, '0x123543']; + expect(await this.manager.hashOperation(...args)).to.equal(hashOperation(...args)); + }); + }); + }); + + describe('admin operations', function () { + beforeEach('set required role', function () { + this.role = this.roles.ADMIN; + }); + + describe('subject to a delay', function () { + describe('#labelRole', function () { + describe('restrictions', function () { + beforeEach('set method and args', function () { + const args = [123443, 'TEST']; + const method = this.manager.interface.getFunction('labelRole(uint64,string)'); + this.calldata = this.manager.interface.encodeFunctionData(method, args); + }); + + shouldBehaveLikeDelayedAdminOperation(); + }); + + it('emits an event with the label', async function () { + await expect(this.manager.connect(this.admin).labelRole(this.roles.SOME.id, 'Some label')) + .to.emit(this.manager, 'RoleLabel') + .withArgs(this.roles.SOME.id, 'Some label'); + }); + + it('updates label on a second call', async function () { + await this.manager.connect(this.admin).labelRole(this.roles.SOME.id, 'Some label'); + + await expect(this.manager.connect(this.admin).labelRole(this.roles.SOME.id, 'Updated label')) + .to.emit(this.manager, 'RoleLabel') + .withArgs(this.roles.SOME.id, 'Updated label'); + }); + + it('reverts labeling PUBLIC_ROLE', async function () { + await expect(this.manager.connect(this.admin).labelRole(this.roles.PUBLIC.id, 'Some label')) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') + .withArgs(this.roles.PUBLIC.id); + }); + + it('reverts labeling ADMIN_ROLE', async function () { + await expect(this.manager.connect(this.admin).labelRole(this.roles.ADMIN.id, 'Some label')) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') + .withArgs(this.roles.ADMIN.id); + }); + }); + + describe('#setRoleAdmin', function () { + describe('restrictions', function () { + beforeEach('set method and args', function () { + const args = [93445, 84532]; + const method = this.manager.interface.getFunction('setRoleAdmin(uint64,uint64)'); + this.calldata = this.manager.interface.encodeFunctionData(method, args); + }); + + shouldBehaveLikeDelayedAdminOperation(); + }); + + it("sets any role's admin if called by an admin", async function () { + expect(await this.manager.getRoleAdmin(this.roles.SOME.id)).to.equal(this.roles.SOME_ADMIN.id); + + await expect(this.manager.connect(this.admin).setRoleAdmin(this.roles.SOME.id, this.roles.ADMIN.id)) + .to.emit(this.manager, 'RoleAdminChanged') + .withArgs(this.roles.SOME.id, this.roles.ADMIN.id); + + expect(await this.manager.getRoleAdmin(this.roles.SOME.id)).to.equal(this.roles.ADMIN.id); + }); + + it('reverts setting PUBLIC_ROLE admin', async function () { + await expect(this.manager.connect(this.admin).setRoleAdmin(this.roles.PUBLIC.id, this.roles.ADMIN.id)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') + .withArgs(this.roles.PUBLIC.id); + }); + + it('reverts setting ADMIN_ROLE admin', async function () { + await expect(this.manager.connect(this.admin).setRoleAdmin(this.roles.ADMIN.id, this.roles.ADMIN.id)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') + .withArgs(this.roles.ADMIN.id); + }); + }); + + describe('#setRoleGuardian', function () { + describe('restrictions', function () { + beforeEach('set method and args', function () { + const args = [93445, 84532]; + const method = this.manager.interface.getFunction('setRoleGuardian(uint64,uint64)'); + this.calldata = this.manager.interface.encodeFunctionData(method, args); + }); + + shouldBehaveLikeDelayedAdminOperation(); + }); + + it("sets any role's guardian if called by an admin", async function () { + expect(await this.manager.getRoleGuardian(this.roles.SOME.id)).to.equal(this.roles.SOME_GUARDIAN.id); + + await expect(this.manager.connect(this.admin).setRoleGuardian(this.roles.SOME.id, this.roles.ADMIN.id)) + .to.emit(this.manager, 'RoleGuardianChanged') + .withArgs(this.roles.SOME.id, this.roles.ADMIN.id); + + expect(await this.manager.getRoleGuardian(this.roles.SOME.id)).to.equal(this.roles.ADMIN.id); + }); + + it('reverts setting PUBLIC_ROLE admin', async function () { + await expect(this.manager.connect(this.admin).setRoleGuardian(this.roles.PUBLIC.id, this.roles.ADMIN.id)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') + .withArgs(this.roles.PUBLIC.id); + }); + + it('reverts setting ADMIN_ROLE admin', async function () { + await expect(this.manager.connect(this.admin).setRoleGuardian(this.roles.ADMIN.id, this.roles.ADMIN.id)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') + .withArgs(this.roles.ADMIN.id); + }); + }); + + describe('#setGrantDelay', function () { + describe('restrictions', function () { + beforeEach('set method and args', function () { + const args = [984910, time.duration.days(2)]; + const method = this.manager.interface.getFunction('setGrantDelay(uint64,uint32)'); + this.calldata = this.manager.interface.encodeFunctionData(method, args); + }); + + shouldBehaveLikeDelayedAdminOperation(); + }); + + it('reverts setting grant delay for the PUBLIC_ROLE', async function () { + await expect(this.manager.connect(this.admin).setGrantDelay(this.roles.PUBLIC.id, 69n)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') + .withArgs(this.roles.PUBLIC.id); + }); + + describe('when increasing the delay', function () { + const oldDelay = 10n; + const newDelay = 100n; + + beforeEach('sets old delay', async function () { + this.role = this.roles.SOME; + await this.manager.$_setGrantDelay(this.role.id, oldDelay); + await time.increaseBy.timestamp(MINSETBACK); + expect(await this.manager.getRoleGrantDelay(this.role.id)).to.equal(oldDelay); + }); + + it('increases the delay after minsetback', async function () { + const txResponse = await this.manager.connect(this.admin).setGrantDelay(this.role.id, newDelay); + const setGrantDelayAt = await time.clockFromReceipt.timestamp(txResponse); + await expect(txResponse) + .to.emit(this.manager, 'RoleGrantDelayChanged') + .withArgs(this.role.id, newDelay, setGrantDelayAt + MINSETBACK); + + expect(await this.manager.getRoleGrantDelay(this.role.id)).to.equal(oldDelay); + await time.increaseBy.timestamp(MINSETBACK); + expect(await this.manager.getRoleGrantDelay(this.role.id)).to.equal(newDelay); + }); + }); + + describe('when reducing the delay', function () { + const oldDelay = time.duration.days(10); + + beforeEach('sets old delay', async function () { + this.role = this.roles.SOME; + await this.manager.$_setGrantDelay(this.role.id, oldDelay); + await time.increaseBy.timestamp(MINSETBACK); + expect(await this.manager.getRoleGrantDelay(this.role.id)).to.equal(oldDelay); + }); + + describe('when the delay difference is shorter than minimum setback', function () { + const newDelay = oldDelay - 1n; + + it('increases the delay after minsetback', async function () { + const txResponse = await this.manager.connect(this.admin).setGrantDelay(this.role.id, newDelay); + const setGrantDelayAt = await time.clockFromReceipt.timestamp(txResponse); + await expect(txResponse) + .to.emit(this.manager, 'RoleGrantDelayChanged') + .withArgs(this.role.id, newDelay, setGrantDelayAt + MINSETBACK); + + expect(await this.manager.getRoleGrantDelay(this.role.id)).to.equal(oldDelay); + await time.increaseBy.timestamp(MINSETBACK); + expect(await this.manager.getRoleGrantDelay(this.role.id)).to.equal(newDelay); + }); + }); + + describe('when the delay difference is longer than minimum setback', function () { + const newDelay = 1n; + + beforeEach('assert delay difference is higher than minsetback', function () { + expect(oldDelay - newDelay).to.gt(MINSETBACK); + }); + + it('increases the delay after delay difference', async function () { + const setback = oldDelay - newDelay; + + const txResponse = await this.manager.connect(this.admin).setGrantDelay(this.role.id, newDelay); + const setGrantDelayAt = await time.clockFromReceipt.timestamp(txResponse); + + await expect(txResponse) + .to.emit(this.manager, 'RoleGrantDelayChanged') + .withArgs(this.role.id, newDelay, setGrantDelayAt + setback); + + expect(await this.manager.getRoleGrantDelay(this.role.id)).to.equal(oldDelay); + await time.increaseBy.timestamp(setback); + expect(await this.manager.getRoleGrantDelay(this.role.id)).to.equal(newDelay); + }); + }); + }); + }); + + describe('#setTargetAdminDelay', function () { + describe('restrictions', function () { + beforeEach('set method and args', function () { + const args = [this.other.address, time.duration.days(3)]; + const method = this.manager.interface.getFunction('setTargetAdminDelay(address,uint32)'); + this.calldata = this.manager.interface.encodeFunctionData(method, args); + }); + + shouldBehaveLikeDelayedAdminOperation(); + }); + + describe('when increasing the delay', function () { + const oldDelay = time.duration.days(10); + const newDelay = time.duration.days(11); + + beforeEach('sets old delay', async function () { + await this.manager.$_setTargetAdminDelay(this.other, oldDelay); + await time.increaseBy.timestamp(MINSETBACK); + expect(await this.manager.getTargetAdminDelay(this.other)).to.equal(oldDelay); + }); + + it('increases the delay after minsetback', async function () { + const txResponse = await this.manager.connect(this.admin).setTargetAdminDelay(this.other, newDelay); + const setTargetAdminDelayAt = await time.clockFromReceipt.timestamp(txResponse); + await expect(txResponse) + .to.emit(this.manager, 'TargetAdminDelayUpdated') + .withArgs(this.other, newDelay, setTargetAdminDelayAt + MINSETBACK); + + expect(await this.manager.getTargetAdminDelay(this.other)).to.equal(oldDelay); + await time.increaseBy.timestamp(MINSETBACK); + expect(await this.manager.getTargetAdminDelay(this.other)).to.equal(newDelay); + }); + }); + + describe('when reducing the delay', function () { + const oldDelay = time.duration.days(10); + + beforeEach('sets old delay', async function () { + await this.manager.$_setTargetAdminDelay(this.other, oldDelay); + await time.increaseBy.timestamp(MINSETBACK); + expect(await this.manager.getTargetAdminDelay(this.other)).to.equal(oldDelay); + }); + + describe('when the delay difference is shorter than minimum setback', function () { + const newDelay = oldDelay - 1n; + + it('increases the delay after minsetback', async function () { + const txResponse = await this.manager.connect(this.admin).setTargetAdminDelay(this.other, newDelay); + const setTargetAdminDelayAt = await time.clockFromReceipt.timestamp(txResponse); + await expect(txResponse) + .to.emit(this.manager, 'TargetAdminDelayUpdated') + .withArgs(this.other, newDelay, setTargetAdminDelayAt + MINSETBACK); + + expect(await this.manager.getTargetAdminDelay(this.other)).to.equal(oldDelay); + await time.increaseBy.timestamp(MINSETBACK); + expect(await this.manager.getTargetAdminDelay(this.other)).to.equal(newDelay); + }); + }); + + describe('when the delay difference is longer than minimum setback', function () { + const newDelay = 1n; + + beforeEach('assert delay difference is higher than minsetback', function () { + expect(oldDelay - newDelay).to.gt(MINSETBACK); + }); + + it('increases the delay after delay difference', async function () { + const setback = oldDelay - newDelay; + + const txResponse = await this.manager.connect(this.admin).setTargetAdminDelay(this.other, newDelay); + const setTargetAdminDelayAt = await time.clockFromReceipt.timestamp(txResponse); + + await expect(txResponse) + .to.emit(this.manager, 'TargetAdminDelayUpdated') + .withArgs(this.other, newDelay, setTargetAdminDelayAt + setback); + + expect(await this.manager.getTargetAdminDelay(this.other)).to.equal(oldDelay); + await time.increaseBy.timestamp(setback); + expect(await this.manager.getTargetAdminDelay(this.other)).to.equal(newDelay); + }); + }); + }); + }); + }); + + describe('not subject to a delay', function () { + describe('#updateAuthority', function () { + beforeEach('create a target and a new authority', async function () { + this.newAuthority = await ethers.deployContract('$AccessManager', [this.admin]); + this.newManagedTarget = await ethers.deployContract('$AccessManagedTarget', [this.manager]); + }); + + describe('restrictions', function () { + beforeEach('set method and args', function () { + this.calldata = this.manager.interface.encodeFunctionData('updateAuthority(address,address)', [ + this.newManagedTarget.target, + this.newAuthority.target, + ]); + }); + + shouldBehaveLikeNotDelayedAdminOperation(); + }); + + it('changes the authority', async function () { + expect(await this.newManagedTarget.authority()).to.equal(this.manager); + + await expect(this.manager.connect(this.admin).updateAuthority(this.newManagedTarget, this.newAuthority)) + .to.emit(this.newManagedTarget, 'AuthorityUpdated') // Managed contract is responsible of notifying the change through an event + .withArgs(this.newAuthority); + + expect(await this.newManagedTarget.authority()).to.equal(this.newAuthority); + }); + }); + + describe('#setTargetClosed', function () { + describe('restrictions', function () { + beforeEach('set method and args', function () { + const args = [this.other.address, true]; + const method = this.manager.interface.getFunction('setTargetClosed(address,bool)'); + this.calldata = this.manager.interface.encodeFunctionData(method, args); + }); + + shouldBehaveLikeNotDelayedAdminOperation(); + }); + + it('closes and opens a target', async function () { + await expect(this.manager.connect(this.admin).setTargetClosed(this.target, true)) + .to.emit(this.manager, 'TargetClosed') + .withArgs(this.target, true); + expect(await this.manager.isTargetClosed(this.target)).to.be.true; + + await expect(this.manager.connect(this.admin).setTargetClosed(this.target, false)) + .to.emit(this.manager, 'TargetClosed') + .withArgs(this.target, false); + expect(await this.manager.isTargetClosed(this.target)).to.be.false; + }); + + describe('when the target is the manager', async function () { + it('closes and opens the manager', async function () { + await expect(this.manager.connect(this.admin).setTargetClosed(this.manager, true)) + .to.emit(this.manager, 'TargetClosed') + .withArgs(this.manager, true); + expect(await this.manager.isTargetClosed(this.manager)).to.be.true; + + await expect(this.manager.connect(this.admin).setTargetClosed(this.manager, false)) + .to.emit(this.manager, 'TargetClosed') + .withArgs(this.manager, false); + expect(await this.manager.isTargetClosed(this.manager)).to.be.false; + }); + }); + }); + + describe('#setTargetFunctionRole', function () { + describe('restrictions', function () { + beforeEach('set method and args', function () { + const args = [this.other.address, ['0x12345678'], 443342]; + const method = this.manager.interface.getFunction('setTargetFunctionRole(address,bytes4[],uint64)'); + this.calldata = this.manager.interface.encodeFunctionData(method, args); + }); + + shouldBehaveLikeNotDelayedAdminOperation(); + }); + + const sigs = ['someFunction()', 'someOtherFunction(uint256)', 'oneMoreFunction(address,uint8)'].map(selector); + + it('sets function roles', async function () { + for (const sig of sigs) { + expect(await this.manager.getTargetFunctionRole(this.target, sig)).to.equal(this.roles.ADMIN.id); + } + + const allowRole = await this.manager + .connect(this.admin) + .setTargetFunctionRole(this.target, sigs, this.roles.SOME.id); + + for (const sig of sigs) { + await expect(allowRole) + .to.emit(this.manager, 'TargetFunctionRoleUpdated') + .withArgs(this.target, sig, this.roles.SOME.id); + expect(await this.manager.getTargetFunctionRole(this.target, sig)).to.equal(this.roles.SOME.id); + } + + await expect( + this.manager.connect(this.admin).setTargetFunctionRole(this.target, [sigs[1]], this.roles.SOME_ADMIN.id), + ) + .to.emit(this.manager, 'TargetFunctionRoleUpdated') + .withArgs(this.target, sigs[1], this.roles.SOME_ADMIN.id); + + for (const sig of sigs) { + expect(await this.manager.getTargetFunctionRole(this.target, sig)).to.equal( + sig == sigs[1] ? this.roles.SOME_ADMIN.id : this.roles.SOME.id, + ); + } + }); + }); + + describe('role admin operations', function () { + const ANOTHER_ADMIN = 0xdeadc0de1n; + const ANOTHER_ROLE = 0xdeadc0de2n; + + beforeEach('set required role', async function () { + // Make admin a member of ANOTHER_ADMIN + await this.manager.$_grantRole(ANOTHER_ADMIN, this.admin, 0, 0); + await this.manager.$_setRoleAdmin(ANOTHER_ROLE, ANOTHER_ADMIN); + + this.role = { id: ANOTHER_ADMIN }; + await this.manager.$_grantRole(this.role.id, this.user, 0, 0); + }); + + describe('#grantRole', function () { + describe('restrictions', function () { + beforeEach('set method and args', function () { + const args = [ANOTHER_ROLE, this.other.address, 0]; + const method = this.manager.interface.getFunction('grantRole(uint64,address,uint32)'); + this.calldata = this.manager.interface.encodeFunctionData(method, args); + }); + + shouldBehaveLikeRoleAdminOperation(ANOTHER_ADMIN); + }); + + it('reverts when granting PUBLIC_ROLE', async function () { + await expect(this.manager.connect(this.admin).grantRole(this.roles.PUBLIC.id, this.user, 0)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') + .withArgs(this.roles.PUBLIC.id); + }); + + describe('when the user is not a role member', function () { + describe('with grant delay', function () { + beforeEach('set grant delay and grant role', async function () { + // Delay granting + this.grantDelay = time.duration.weeks(2); + await this.manager.$_setGrantDelay(ANOTHER_ROLE, this.grantDelay); + await time.increaseBy.timestamp(MINSETBACK); + + // Grant role + this.executionDelay = time.duration.days(3); + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + false, + '0', + ]); + + this.txResponse = await this.manager + .connect(this.admin) + .grantRole(ANOTHER_ROLE, this.user, this.executionDelay); + this.delay = this.grantDelay; // For testAsDelay + }); + + testAsDelay('grant', { + before: function self() { + self.mineDelay = true; + + it('does not grant role to the user yet', async function () { + const timestamp = await time.clockFromReceipt.timestamp(this.txResponse); + await expect(this.txResponse) + .to.emit(this.manager, 'RoleGranted') + .withArgs(ANOTHER_ROLE, this.user, this.executionDelay, timestamp + this.grantDelay, true); + + // Access is correctly stored + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + expect(access[0]).to.equal(timestamp + this.grantDelay); // inEffectSince + expect(access[1]).to.equal(this.executionDelay); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Not in effect yet + const currentTimestamp = await time.clock.timestamp(); + expect(currentTimestamp).to.be.lt(access[0]); + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + false, + this.executionDelay.toString(), + ]); + }); + }, + after: function self() { + self.mineDelay = true; + + it('grants role to the user', async function () { + const timestamp = await time.clockFromReceipt.timestamp(this.txResponse); + await expect(this.txResponse) + .to.emit(this.manager, 'RoleGranted') + .withArgs(ANOTHER_ROLE, this.user, this.executionDelay, timestamp + this.grantDelay, true); + + // Access is correctly stored + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + expect(access[0]).to.equal(timestamp + this.grantDelay); // inEffectSince + expect(access[1]).to.equal(this.executionDelay); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Already in effect + const currentTimestamp = await time.clock.timestamp(); + expect(currentTimestamp).to.equal(access[0]); + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + true, + this.executionDelay.toString(), + ]); + }); + }, + }); + }); + + describe('without grant delay', function () { + beforeEach('set granting delay', async function () { + // Delay granting + this.grantDelay = 0; + await this.manager.$_setGrantDelay(ANOTHER_ROLE, this.grantDelay); + await time.increaseBy.timestamp(MINSETBACK); + }); + + it('immediately grants the role to the user', async function () { + const executionDelay = time.duration.days(6); + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + false, + '0', + ]); + const txResponse = await this.manager + .connect(this.admin) + .grantRole(ANOTHER_ROLE, this.user, executionDelay); + const grantedAt = await time.clockFromReceipt.timestamp(txResponse); + await expect(txResponse) + .to.emit(this.manager, 'RoleGranted') + .withArgs(ANOTHER_ROLE, this.user, executionDelay, grantedAt, true); + + // Access is correctly stored + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + expect(access[0]).to.equal(grantedAt); // inEffectSince + expect(access[1]).to.equal(executionDelay); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Already in effect + const currentTimestamp = await time.clock.timestamp(); + expect(currentTimestamp).to.equal(access[0]); + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + true, + executionDelay.toString(), + ]); + }); + }); + }); + + describe('when the user is already a role member', function () { + beforeEach('make user role member', async function () { + this.previousExecutionDelay = time.duration.days(6); + await this.manager.$_grantRole(ANOTHER_ROLE, this.user, 0, this.previousExecutionDelay); + this.oldAccess = await this.manager.getAccess(ANOTHER_ROLE, this.user); + }); + + describe('with grant delay', function () { + beforeEach('set granting delay', async function () { + // Delay granting + const grantDelay = time.duration.weeks(2); + await this.manager.$_setGrantDelay(ANOTHER_ROLE, grantDelay); + await time.increaseBy.timestamp(MINSETBACK); + }); + + describe('when increasing the execution delay', function () { + beforeEach('set increased new execution delay', async function () { + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + true, + this.previousExecutionDelay.toString(), + ]); + + this.newExecutionDelay = this.previousExecutionDelay + time.duration.days(4); + }); + + it('emits event and immediately changes the execution delay', async function () { + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + true, + this.previousExecutionDelay.toString(), + ]); + const txResponse = await this.manager + .connect(this.admin) + .grantRole(ANOTHER_ROLE, this.user, this.newExecutionDelay); + const timestamp = await time.clockFromReceipt.timestamp(txResponse); + + await expect(txResponse) + .to.emit(this.manager, 'RoleGranted') + .withArgs(ANOTHER_ROLE, this.user, this.newExecutionDelay, timestamp, false); + + // Access is correctly stored + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince + expect(access[1]).to.equal(this.newExecutionDelay); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Already in effect + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + true, + this.newExecutionDelay.toString(), + ]); + }); + }); + + describe('when decreasing the execution delay', function () { + beforeEach('decrease execution delay', async function () { + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + true, + this.previousExecutionDelay.toString(), + ]); + + this.newExecutionDelay = this.previousExecutionDelay - time.duration.days(4); + this.txResponse = await this.manager + .connect(this.admin) + .grantRole(ANOTHER_ROLE, this.user, this.newExecutionDelay); + this.grantTimestamp = await time.clockFromReceipt.timestamp(this.txResponse); + + this.delay = this.previousExecutionDelay - this.newExecutionDelay; // For testAsDelay + }); + + it('emits event', async function () { + await expect(this.txResponse) + .to.emit(this.manager, 'RoleGranted') + .withArgs(ANOTHER_ROLE, this.user, this.newExecutionDelay, this.grantTimestamp + this.delay, false); + }); + + testAsDelay('execution delay effect', { + before: function self() { + self.mineDelay = true; + + it('does not change the execution delay yet', async function () { + // Access is correctly stored + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince + expect(access[1]).to.equal(this.previousExecutionDelay); // currentDelay + expect(access[2]).to.equal(this.newExecutionDelay); // pendingDelay + expect(access[3]).to.equal(this.grantTimestamp + this.delay); // pendingDelayEffect + + // Not in effect yet + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + true, + this.previousExecutionDelay.toString(), + ]); + }); + }, + after: function self() { + self.mineDelay = true; + + it('changes the execution delay', async function () { + // Access is correctly stored + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + + expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince + expect(access[1]).to.equal(this.newExecutionDelay); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Already in effect + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + true, + this.newExecutionDelay.toString(), + ]); + }); + }, + }); + }); + }); + + describe('without grant delay', function () { + beforeEach('set granting delay', async function () { + // Delay granting + const grantDelay = 0; + await this.manager.$_setGrantDelay(ANOTHER_ROLE, grantDelay); + await time.increaseBy.timestamp(MINSETBACK); + }); + + describe('when increasing the execution delay', function () { + beforeEach('set increased new execution delay', async function () { + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + true, + this.previousExecutionDelay.toString(), + ]); + + this.newExecutionDelay = this.previousExecutionDelay + time.duration.days(4); + }); + + it('emits event and immediately changes the execution delay', async function () { + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + true, + this.previousExecutionDelay.toString(), + ]); + const txResponse = await this.manager + .connect(this.admin) + .grantRole(ANOTHER_ROLE, this.user, this.newExecutionDelay); + const timestamp = await time.clockFromReceipt.timestamp(txResponse); + + await expect(txResponse) + .to.emit(this.manager, 'RoleGranted') + .withArgs(ANOTHER_ROLE, this.user, this.newExecutionDelay, timestamp, false); + + // Access is correctly stored + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince + expect(access[1]).to.equal(this.newExecutionDelay); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Already in effect + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + true, + this.newExecutionDelay.toString(), + ]); + }); + }); + + describe('when decreasing the execution delay', function () { + beforeEach('decrease execution delay', async function () { + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + true, + this.previousExecutionDelay.toString(), + ]); + + this.newExecutionDelay = this.previousExecutionDelay - time.duration.days(4); + this.txResponse = await this.manager + .connect(this.admin) + .grantRole(ANOTHER_ROLE, this.user, this.newExecutionDelay); + this.grantTimestamp = await time.clockFromReceipt.timestamp(this.txResponse); + + this.delay = this.previousExecutionDelay - this.newExecutionDelay; // For testAsDelay + }); + + it('emits event', async function () { + await expect(this.txResponse) + .to.emit(this.manager, 'RoleGranted') + .withArgs(ANOTHER_ROLE, this.user, this.newExecutionDelay, this.grantTimestamp + this.delay, false); + }); + + testAsDelay('execution delay effect', { + before: function self() { + self.mineDelay = true; + + it('does not change the execution delay yet', async function () { + // Access is correctly stored + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince + expect(access[1]).to.equal(this.previousExecutionDelay); // currentDelay + expect(access[2]).to.equal(this.newExecutionDelay); // pendingDelay + expect(access[3]).to.equal(this.grantTimestamp + this.delay); // pendingDelayEffect + + // Not in effect yet + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + true, + this.previousExecutionDelay.toString(), + ]); + }); + }, + after: function self() { + self.mineDelay = true; + + it('changes the execution delay', async function () { + // Access is correctly stored + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + + expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince + expect(access[1]).to.equal(this.newExecutionDelay); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Already in effect + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + true, + this.newExecutionDelay.toString(), + ]); + }); + }, + }); + }); + }); + }); + }); + + describe('#revokeRole', function () { + describe('restrictions', function () { + beforeEach('set method and args', async function () { + const args = [ANOTHER_ROLE, this.other.address]; + const method = this.manager.interface.getFunction('revokeRole(uint64,address)'); + this.calldata = this.manager.interface.encodeFunctionData(method, args); + + // Need to be set before revoking + await this.manager.$_grantRole(...args, 0, 0); + }); + + shouldBehaveLikeRoleAdminOperation(ANOTHER_ADMIN); + }); + + describe('when role has been granted', function () { + beforeEach('grant role with grant delay', async function () { + this.grantDelay = time.duration.weeks(1); + await this.manager.$_grantRole(ANOTHER_ROLE, this.user, this.grantDelay, 0); + + this.delay = this.grantDelay; // For testAsDelay + }); + + testAsDelay('grant', { + before: function self() { + self.mineDelay = true; + + it('revokes a granted role that will take effect in the future', async function () { + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + false, + '0', + ]); + + await expect(this.manager.connect(this.admin).revokeRole(ANOTHER_ROLE, this.user)) + .to.emit(this.manager, 'RoleRevoked') + .withArgs(ANOTHER_ROLE, this.user); + + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + false, + '0', + ]); + + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + expect(access[0]).to.equal(0n); // inRoleSince + expect(access[1]).to.equal(0n); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // effect + }); + }, + after: function self() { + self.mineDelay = true; + + it('revokes a granted role that already took effect', async function () { + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + true, + '0', + ]); + + await expect(this.manager.connect(this.admin).revokeRole(ANOTHER_ROLE, this.user)) + .to.emit(this.manager, 'RoleRevoked') + .withArgs(ANOTHER_ROLE, this.user); + + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + false, + '0', + ]); + + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + expect(access[0]).to.equal(0n); // inRoleSince + expect(access[1]).to.equal(0n); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // effect + }); + }, + }); + }); + + describe('when role has not been granted', function () { + it('has no effect', async function () { + expect(await this.manager.hasRole(this.roles.SOME.id, this.user).then(formatAccess)).to.be.deep.equal([ + false, + '0', + ]); + await expect(this.manager.connect(this.roleAdmin).revokeRole(this.roles.SOME.id, this.user)).to.not.emit( + this.manager, + 'RoleRevoked', + ); + expect(await this.manager.hasRole(this.roles.SOME.id, this.user).then(formatAccess)).to.be.deep.equal([ + false, + '0', + ]); + }); + }); + + it('reverts revoking PUBLIC_ROLE', async function () { + await expect(this.manager.connect(this.admin).revokeRole(this.roles.PUBLIC.id, this.user)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') + .withArgs(this.roles.PUBLIC.id); + }); + }); + }); + + describe('self role operations', function () { + describe('#renounceRole', function () { + beforeEach('grant role', async function () { + this.role = { id: 783164n }; + this.caller = this.user; + await this.manager.$_grantRole(this.role.id, this.caller, 0, 0); + }); + + it('renounces a role', async function () { + expect(await this.manager.hasRole(this.role.id, this.caller).then(formatAccess)).to.be.deep.equal([ + true, + '0', + ]); + await expect(this.manager.connect(this.caller).renounceRole(this.role.id, this.caller)) + .to.emit(this.manager, 'RoleRevoked') + .withArgs(this.role.id, this.caller); + expect(await this.manager.hasRole(this.role.id, this.caller).then(formatAccess)).to.be.deep.equal([ + false, + '0', + ]); + }); + + it('reverts if renouncing the PUBLIC_ROLE', async function () { + await expect(this.manager.connect(this.caller).renounceRole(this.roles.PUBLIC.id, this.caller)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') + .withArgs(this.roles.PUBLIC.id); + }); + + it('reverts if renouncing with bad caller confirmation', async function () { + await expect( + this.manager.connect(this.caller).renounceRole(this.role.id, this.other), + ).to.be.revertedWithCustomError(this.manager, 'AccessManagerBadConfirmation'); + }); + }); + }); + }); + }); + + describe('access managed self operations', function () { + describe('when calling a restricted target function', function () { + const method = 'fnRestricted()'; + + beforeEach('set required role', async function () { + this.role = { id: 785913n }; + await this.manager.$_setTargetFunctionRole( + this.manager, + this.manager[method].getFragment().selector, + this.role.id, + ); + }); + + describe('restrictions', function () { + beforeEach('set method and args', function () { + this.caller = this.user; + this.calldata = this.manager.interface.encodeFunctionData(method, []); + }); + + shouldBehaveLikeASelfRestrictedOperation(); + }); + + it('succeeds called by a role member', async function () { + await this.manager.$_grantRole(this.role.id, this.user, 0, 0); + + await expect(this.manager.connect(this.user)[method]()) + .to.emit(this.manager, 'CalledRestricted') + .withArgs(this.user); + }); + }); + + describe('when calling a non-restricted target function', function () { + const method = 'fnUnrestricted()'; + + beforeEach('set required role', async function () { + this.role = { id: 879435n }; + await this.manager.$_setTargetFunctionRole( + this.manager, + this.manager[method].getFragment().selector, + this.role.id, + ); + }); + + it('succeeds called by anyone', async function () { + await expect(this.manager.connect(this.user)[method]()) + .to.emit(this.manager, 'CalledUnrestricted') + .withArgs(this.user); + }); + }); + }); + + describe('access managed target operations', function () { + describe('when calling a restricted target function', function () { + const method = 'fnRestricted()'; + + beforeEach('set required role', async function () { + this.role = { id: 3597243n }; + await this.manager.$_setTargetFunctionRole( + this.target, + this.target[method].getFragment().selector, + this.role.id, + ); + }); + + describe('restrictions', function () { + beforeEach('set method and args', function () { + this.caller = this.user; + this.calldata = this.target.interface.encodeFunctionData(method, []); + }); + + shouldBehaveLikeAManagedRestrictedOperation(); + }); + + it('succeeds called by a role member', async function () { + await this.manager.$_grantRole(this.role.id, this.user, 0, 0); + + await expect(this.target.connect(this.user)[method]()) + .to.emit(this.target, 'CalledRestricted') + .withArgs(this.user); + }); + }); + + describe('when calling a non-restricted target function', function () { + const method = 'fnUnrestricted()'; + + beforeEach('set required role', async function () { + this.role = { id: 879435n }; + await this.manager.$_setTargetFunctionRole( + this.target, + this.target[method].getFragment().selector, + this.role.id, + ); + }); + + it('succeeds called by anyone', async function () { + await expect(this.target.connect(this.user)[method]()) + .to.emit(this.target, 'CalledUnrestricted') + .withArgs(this.user); + }); + }); + }); + + describe('#schedule', function () { + beforeEach('set target function role', async function () { + this.method = this.target.fnRestricted.getFragment(); + this.role = { id: 498305n }; + this.caller = this.user; + + await this.manager.$_setTargetFunctionRole(this.target, this.method.selector, this.role.id); + await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // nonzero execution delay + + this.calldata = this.target.interface.encodeFunctionData(this.method, []); + this.delay = time.duration.weeks(2); + }); + + describe('restrictions', function () { + testAsCanCall({ + closed() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + const { schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + await expect(schedule()) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + open: { + callerIsTheManager: { + executing() { + it.skip('is not reachable because schedule is not restrictable'); + }, + notExecuting() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + const { schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + await expect(schedule()) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + }, + callerIsNotTheManager: { + publicRoleIsRequired() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + // prepareOperation is not used here because it alters the next block timestamp + await expect(this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + specificRoleIsRequired: { + requiredRoleIsGranted: { + roleGrantingIsDelayed: { + callerHasAnExecutionDelay: { + beforeGrantDelay() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + // prepareOperation is not used here because it alters the next block timestamp + await expect(this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + afterGrantDelay() { + it('succeeds', async function () { + // prepareOperation is not used here because it alters the next block timestamp + await this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48); + }); + }, + }, + callerHasNoExecutionDelay: { + beforeGrantDelay() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + // prepareOperation is not used here because it alters the next block timestamp + await expect(this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + afterGrantDelay() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + // prepareOperation is not used here because it alters the next block timestamp + await expect(this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + }, + }, + roleGrantingIsNotDelayed: { + callerHasAnExecutionDelay() { + it('succeeds', async function () { + const { schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + + await schedule(); + }); + }, + callerHasNoExecutionDelay() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + // prepareOperation is not used here because it alters the next block timestamp + await expect(this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + }, + }, + requiredRoleIsNotGranted() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + const { schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + await expect(schedule()) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + }, + }, + }, + }); + }); + + it('schedules an operation at the specified execution date if it is larger than caller execution delay', async function () { + const { operationId, scheduledAt, schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + + const txResponse = await schedule(); + + expect(await this.manager.getSchedule(operationId)).to.equal(scheduledAt + this.delay); + await expect(txResponse) + .to.emit(this.manager, 'OperationScheduled') + .withArgs(operationId, '1', scheduledAt + this.delay, this.caller, this.target, this.calldata); + }); + + it('schedules an operation at the minimum execution date if no specified execution date (when == 0)', async function () { + const executionDelay = await time.duration.hours(72); + await this.manager.$_grantRole(this.role.id, this.caller, 0, executionDelay); + + const txResponse = await this.manager.connect(this.caller).schedule(this.target, this.calldata, 0); + const scheduledAt = await time.clockFromReceipt.timestamp(txResponse); + + const operationId = await this.manager.hashOperation(this.caller, this.target, this.calldata); + + expect(await this.manager.getSchedule(operationId)).to.equal(scheduledAt + executionDelay); + await expect(txResponse) + .to.emit(this.manager, 'OperationScheduled') + .withArgs(operationId, '1', scheduledAt + executionDelay, this.caller, this.target, this.calldata); + }); + + it('increases the nonce of an operation scheduled more than once', async function () { + // Setup and check initial nonce + const expectedOperationId = hashOperation(this.caller, this.target, this.calldata); + expect(await this.manager.getNonce(expectedOperationId)).to.equal('0'); + + // Schedule + const op1 = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + await expect(op1.schedule()) + .to.emit(this.manager, 'OperationScheduled') + .withArgs(op1.operationId, 1n, op1.scheduledAt + this.delay, this.caller, this.target, this.calldata); + expect(expectedOperationId).to.equal(op1.operationId); + + // Consume + await time.increaseBy.timestamp(this.delay); + await this.manager.$_consumeScheduledOp(expectedOperationId); + + // Check nonce + expect(await this.manager.getNonce(expectedOperationId)).to.equal('1'); + + // Schedule again + const op2 = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + await expect(op2.schedule()) + .to.emit(this.manager, 'OperationScheduled') + .withArgs(op2.operationId, 2n, op2.scheduledAt + this.delay, this.caller, this.target, this.calldata); + expect(expectedOperationId).to.equal(op2.operationId); + + // Check final nonce + expect(await this.manager.getNonce(expectedOperationId)).to.equal('2'); + }); + + it('reverts if the specified execution date is before the current timestamp + caller execution delay', async function () { + const executionDelay = time.duration.weeks(1) + this.delay; + await this.manager.$_grantRole(this.role.id, this.caller, 0, executionDelay); + + const { schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + + await expect(schedule()) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + + it('reverts if an operation is already schedule', async function () { + const op1 = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + + await op1.schedule(); + + const op2 = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + + await expect(op2.schedule()) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerAlreadyScheduled') + .withArgs(op1.operationId); + }); + + it('panics scheduling calldata with less than 4 bytes', async function () { + const calldata = '0x1234'; // 2 bytes + + // Managed contract + const op1 = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: calldata, + delay: this.delay, + }); + await expect(op1.schedule()).to.be.revertedWithoutReason(); + + // Manager contract + const op2 = await prepareOperation(this.manager, { + caller: this.caller, + target: this.manager, + calldata: calldata, + delay: this.delay, + }); + await expect(op2.schedule()).to.be.revertedWithoutReason(); + }); + + it('reverts scheduling an unknown operation to the manager', async function () { + const calldata = '0x12345678'; + + const { schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.manager, + calldata, + delay: this.delay, + }); + + await expect(schedule()) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.manager, calldata); + }); + }); + + describe('#execute', function () { + beforeEach('set target function role', async function () { + this.method = this.target.fnRestricted.getFragment(); + this.role = { id: 9825430n }; + this.caller = this.user; + + await this.manager.$_setTargetFunctionRole(this.target, this.method.selector, this.role.id); + await this.manager.$_grantRole(this.role.id, this.caller, 0, 0); + + this.calldata = this.target.interface.encodeFunctionData(this.method, []); + }); + + describe('restrictions', function () { + testAsCanCall({ + closed() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + open: { + callerIsTheManager: { + executing() { + it('succeeds', async function () { + await this.manager.connect(this.caller).execute(this.target, this.calldata); + }); + }, + notExecuting() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + }, + callerIsNotTheManager: { + publicRoleIsRequired() { + it('succeeds', async function () { + await this.manager.connect(this.caller).execute(this.target, this.calldata); + }); + }, + specificRoleIsRequired: { + requiredRoleIsGranted: { + roleGrantingIsDelayed: { + callerHasAnExecutionDelay: { + beforeGrantDelay() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + afterGrantDelay: function self() { + self.mineDelay = true; + + beforeEach('define schedule delay', function () { + this.scheduleIn = time.duration.days(21); // For testAsSchedulableOperation + }); + + testAsSchedulableOperation(LIKE_COMMON_SCHEDULABLE); + }, + }, + callerHasNoExecutionDelay: { + beforeGrantDelay() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + afterGrantDelay: function self() { + self.mineDelay = true; + + it('succeeds', async function () { + await this.manager.connect(this.caller).execute(this.target, this.calldata); + }); + }, + }, + }, + roleGrantingIsNotDelayed: { + callerHasAnExecutionDelay() { + beforeEach('define schedule delay', function () { + this.scheduleIn = time.duration.days(15); // For testAsSchedulableOperation + }); + + testAsSchedulableOperation(LIKE_COMMON_SCHEDULABLE); + }, + callerHasNoExecutionDelay() { + it('succeeds', async function () { + await this.manager.connect(this.caller).execute(this.target, this.calldata); + }); + }, + }, + }, + requiredRoleIsNotGranted() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + }, + }, + }, + }); + }); + + it('executes with a delay consuming the scheduled operation', async function () { + const delay = time.duration.hours(4); + await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // Execution delay is needed so the operation is consumed + + const { operationId, schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay, + }); + await schedule(); + await time.increaseBy.timestamp(delay); + await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) + .to.emit(this.manager, 'OperationExecuted') + .withArgs(operationId, 1n); + + expect(await this.manager.getSchedule(operationId)).to.equal(0n); + }); + + it('executes with no delay consuming a scheduled operation', async function () { + const delay = time.duration.hours(4); + + // give caller an execution delay + await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); + + const { operationId, schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay, + }); + await schedule(); + + // remove the execution delay + await this.manager.$_grantRole(this.role.id, this.caller, 0, 0); + + await time.increaseBy.timestamp(delay); + await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) + .to.emit(this.manager, 'OperationExecuted') + .withArgs(operationId, 1n); + + expect(await this.manager.getSchedule(operationId)).to.equal(0n); + }); + + it('keeps the original _executionId after finishing the call', async function () { + const executionIdBefore = await ethers.provider.getStorage(this.manager, EXECUTION_ID_STORAGE_SLOT); + await this.manager.connect(this.caller).execute(this.target, this.calldata); + const executionIdAfter = await ethers.provider.getStorage(this.manager, EXECUTION_ID_STORAGE_SLOT); + expect(executionIdBefore).to.equal(executionIdAfter); + }); + + it('reverts executing twice', async function () { + const delay = time.duration.hours(2); + await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // Execution delay is needed so the operation is consumed + + const { operationId, schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay, + }); + await schedule(); + await time.increaseBy.timestamp(delay); + await this.manager.connect(this.caller).execute(this.target, this.calldata); + await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerNotScheduled') + .withArgs(operationId); + }); + }); + + describe('#consumeScheduledOp', function () { + beforeEach('define scheduling parameters', async function () { + const method = this.target.fnRestricted.getFragment(); + this.caller = await ethers.getSigner(this.target.target); + await impersonate(this.caller.address); + this.calldata = this.target.interface.encodeFunctionData(method, []); + this.role = { id: 9834983n }; + + await this.manager.$_setTargetFunctionRole(this.target, method.selector, this.role.id); + await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // nonzero execution delay + + this.scheduleIn = time.duration.hours(10); // For testAsSchedulableOperation + }); + + describe('when caller is not consuming scheduled operation', function () { + beforeEach('set consuming false', async function () { + await this.target.setIsConsumingScheduledOp(false, ethers.toBeHex(CONSUMING_SCHEDULE_STORAGE_SLOT, 32)); + }); + + it('reverts as AccessManagerUnauthorizedConsume', async function () { + await expect(this.manager.connect(this.caller).consumeScheduledOp(this.caller, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedConsume') + .withArgs(this.caller); + }); + }); + + describe('when caller is consuming scheduled operation', function () { + beforeEach('set consuming true', async function () { + await this.target.setIsConsumingScheduledOp(true, ethers.toBeHex(CONSUMING_SCHEDULE_STORAGE_SLOT, 32)); + }); + + testAsSchedulableOperation({ + scheduled: { + before() { + it('reverts as AccessManagerNotReady', async function () { + await expect(this.manager.connect(this.caller).consumeScheduledOp(this.caller, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerNotReady') + .withArgs(this.operationId); + }); + }, + after() { + it('consumes the scheduled operation and resets timepoint', async function () { + expect(await this.manager.getSchedule(this.operationId)).to.equal(this.scheduledAt + this.scheduleIn); + + await expect(this.manager.connect(this.caller).consumeScheduledOp(this.caller, this.calldata)) + .to.emit(this.manager, 'OperationExecuted') + .withArgs(this.operationId, 1n); + expect(await this.manager.getSchedule(this.operationId)).to.equal(0n); + }); + }, + expired() { + it('reverts as AccessManagerExpired', async function () { + await expect(this.manager.connect(this.caller).consumeScheduledOp(this.caller, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerExpired') + .withArgs(this.operationId); + }); + }, + }, + notScheduled() { + it('reverts as AccessManagerNotScheduled', async function () { + await expect(this.manager.connect(this.caller).consumeScheduledOp(this.caller, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerNotScheduled') + .withArgs(this.operationId); + }); + }, + }); + }); + }); + + describe('#cancelScheduledOp', function () { + beforeEach('setup scheduling', async function () { + this.method = this.target.fnRestricted.getFragment(); + this.caller = this.roles.SOME.members[0]; + await this.manager.$_setTargetFunctionRole(this.target, this.method.selector, this.roles.SOME.id); + await this.manager.$_grantRole(this.roles.SOME.id, this.caller, 0, 1); // nonzero execution delay + + this.calldata = this.target.interface.encodeFunctionData(this.method, []); + this.scheduleIn = time.duration.days(10); // For testAsSchedulableOperation + }); + + testAsSchedulableOperation({ + scheduled: { + before() { + describe('when caller is the scheduler', function () { + it('succeeds', async function () { + await this.manager.connect(this.caller).cancel(this.caller, this.target, this.calldata); + }); + }); + + describe('when caller is an admin', function () { + it('succeeds', async function () { + await this.manager.connect(this.roles.ADMIN.members[0]).cancel(this.caller, this.target, this.calldata); + }); + }); + + describe('when caller is the role guardian', function () { + it('succeeds', async function () { + await this.manager + .connect(this.roles.SOME_GUARDIAN.members[0]) + .cancel(this.caller, this.target, this.calldata); + }); + }); + + describe('when caller is any other account', function () { + it('reverts as AccessManagerUnauthorizedCancel', async function () { + await expect(this.manager.connect(this.other).cancel(this.caller, this.target, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCancel') + .withArgs(this.other, this.caller, this.target, this.method.selector); + }); + }); + }, + after() { + it('succeeds', async function () { + await this.manager.connect(this.caller).cancel(this.caller, this.target, this.calldata); + }); + }, + expired() { + it('succeeds', async function () { + await this.manager.connect(this.caller).cancel(this.caller, this.target, this.calldata); + }); + }, + }, + notScheduled() { + it('reverts as AccessManagerNotScheduled', async function () { + await expect(this.manager.cancel(this.caller, this.target, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerNotScheduled') + .withArgs(this.operationId); + }); + }, + }); + + it('cancels an operation and resets schedule', async function () { + const { operationId, schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.scheduleIn, + }); + await schedule(); + await expect(this.manager.connect(this.caller).cancel(this.caller, this.target, this.calldata)) + .to.emit(this.manager, 'OperationCanceled') + .withArgs(operationId, 1n); + expect(await this.manager.getSchedule(operationId)).to.equal('0'); + }); + }); + + describe('with Ownable target contract', function () { + const roleId = 1n; + + beforeEach(async function () { + this.ownable = await ethers.deployContract('$Ownable', [this.manager]); + + // add user to role + await this.manager.$_grantRole(roleId, this.user, 0, 0); + }); + + it('initial state', async function () { + expect(await this.ownable.owner()).to.equal(this.manager); + }); + + describe('Contract is closed', function () { + beforeEach(async function () { + await this.manager.$_setTargetClosed(this.ownable, true); + }); + + it('directly call: reverts', async function () { + await expect(this.ownable.connect(this.user).$_checkOwner()) + .to.be.revertedWithCustomError(this.ownable, 'OwnableUnauthorizedAccount') + .withArgs(this.user); + }); + + it('relayed call (with role): reverts', async function () { + await expect( + this.manager.connect(this.user).execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector), + ) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.user, this.ownable, this.ownable.$_checkOwner.getFragment().selector); + }); + + it('relayed call (without role): reverts', async function () { + await expect( + this.manager.connect(this.other).execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector), + ) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.other, this.ownable, this.ownable.$_checkOwner.getFragment().selector); + }); + }); + + describe('Contract is managed', function () { + describe('function is open to specific role', function () { + beforeEach(async function () { + await this.manager.$_setTargetFunctionRole( + this.ownable, + this.ownable.$_checkOwner.getFragment().selector, + roleId, + ); + }); + + it('directly call: reverts', async function () { + await expect(this.ownable.connect(this.user).$_checkOwner()) + .to.be.revertedWithCustomError(this.ownable, 'OwnableUnauthorizedAccount') + .withArgs(this.user); + }); + + it('relayed call (with role): success', async function () { + await this.manager.connect(this.user).execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector); + }); + + it('relayed call (without role): reverts', async function () { + await expect( + this.manager.connect(this.other).execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector), + ) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.other, this.ownable, this.ownable.$_checkOwner.getFragment().selector); + }); + }); + + describe('function is open to public role', function () { + beforeEach(async function () { + await this.manager.$_setTargetFunctionRole( + this.ownable, + this.ownable.$_checkOwner.getFragment().selector, + this.roles.PUBLIC.id, + ); + }); + + it('directly call: reverts', async function () { + await expect(this.ownable.connect(this.user).$_checkOwner()) + .to.be.revertedWithCustomError(this.ownable, 'OwnableUnauthorizedAccount') + .withArgs(this.user); + }); + + it('relayed call (with role): success', async function () { + await this.manager.connect(this.user).execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector); + }); + + it('relayed call (without role): success', async function () { + await this.manager + .connect(this.other) + .execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector); + }); + }); + }); + }); }); diff --git a/test/access/manager/extensions/AccessManagerEnumerable.test.js b/test/access/manager/extensions/AccessManagerEnumerable.test.js deleted file mode 100644 index 9b733dacb3d..00000000000 --- a/test/access/manager/extensions/AccessManagerEnumerable.test.js +++ /dev/null @@ -1,63 +0,0 @@ -const { ethers } = require('hardhat'); -const { loadFixture } = require('@nomicfoundation/hardhat-network-helpers'); - -const { buildBaseRoles } = require('../../../helpers/access-manager'); -const { shouldBehaveLikeAccessManagerEnumerable, shouldBehaveLikeAccessManager } = require('../AccessManager.behavior'); - -async function fixture() { - const [admin, roleAdmin, roleGuardian, member, user, other] = await ethers.getSigners(); - - // Build roles - const roles = buildBaseRoles(); - - // Add members - roles.ADMIN.members = [admin]; - roles.SOME_ADMIN.members = [roleAdmin]; - roles.SOME_GUARDIAN.members = [roleGuardian]; - roles.SOME.members = [member]; - roles.PUBLIC.members = [admin, roleAdmin, roleGuardian, member, user, other]; - - const manager = await ethers.deployContract('$AccessManagerEnumerableMock', [admin]); - const target = await ethers.deployContract('$AccessManagedTarget', [manager]); - const target2 = await ethers.deployContract('$AccessManagedTarget', [manager]); - - for (const { id: roleId, admin, guardian, members } of Object.values(roles)) { - if (roleId === roles.PUBLIC.id) continue; // Every address belong to public and is locked - if (roleId === roles.ADMIN.id) continue; // Admin set during construction and is locked - - // Set admin role avoiding default - if (admin.id !== roles.ADMIN.id) { - await manager.$_setRoleAdmin(roleId, admin.id); - } - - // Set guardian role avoiding default - if (guardian.id !== roles.ADMIN.id) { - await manager.$_setRoleGuardian(roleId, guardian.id); - } - - // Grant role to members - for (const member of members) { - await manager.$_grantRole(roleId, member, 0, 0); - } - } - - return { - admin, - roleAdmin, - user, - other, - roles, - manager, - target, - target2, - }; -} - -describe('AccessManagerEnumerable', function () { - beforeEach(async function () { - Object.assign(this, await loadFixture(fixture)); - }); - - shouldBehaveLikeAccessManager(); - shouldBehaveLikeAccessManagerEnumerable(); -}); From bf4a2845b9b816f1d0c1bf912af5bab787c8ae66 Mon Sep 17 00:00:00 2001 From: Hadrien Croubois Date: Thu, 11 Dec 2025 21:22:23 +0100 Subject: [PATCH 20/24] reset --- contracts/mocks/AccessManagerMock.sol | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 contracts/mocks/AccessManagerMock.sol diff --git a/contracts/mocks/AccessManagerMock.sol b/contracts/mocks/AccessManagerMock.sol new file mode 100644 index 00000000000..4b5be350fc6 --- /dev/null +++ b/contracts/mocks/AccessManagerMock.sol @@ -0,0 +1,20 @@ +// SPDX-License-Identifier: MIT + +pragma solidity ^0.8.20; + +import {AccessManager} from "../access/manager/AccessManager.sol"; + +contract AccessManagerMock is AccessManager { + event CalledRestricted(address caller); + event CalledUnrestricted(address caller); + + constructor(address initialAdmin) AccessManager(initialAdmin) {} + + function fnRestricted() public onlyAuthorized { + emit CalledRestricted(msg.sender); + } + + function fnUnrestricted() public { + emit CalledUnrestricted(msg.sender); + } +} From 0b981fd8bf0e711d5649098894eb4e92d8c41a2c Mon Sep 17 00:00:00 2001 From: Hadrien Croubois Date: Thu, 11 Dec 2025 21:34:56 +0100 Subject: [PATCH 21/24] re-enable tests for the enumerable variant of AccessManager --- contracts/mocks/AccessManagerMock.sol | 29 + test/access/manager/AccessManager.behavior.js | 2603 +++++++++++++++++ test/access/manager/AccessManager.test.js | 2436 +-------------- .../manager/AccessManagerEnumerable.test.js | 63 + 4 files changed, 2698 insertions(+), 2433 deletions(-) create mode 100644 test/access/manager/AccessManagerEnumerable.test.js diff --git a/contracts/mocks/AccessManagerMock.sol b/contracts/mocks/AccessManagerMock.sol index 4b5be350fc6..c322c75cf16 100644 --- a/contracts/mocks/AccessManagerMock.sol +++ b/contracts/mocks/AccessManagerMock.sol @@ -3,6 +3,7 @@ pragma solidity ^0.8.20; import {AccessManager} from "../access/manager/AccessManager.sol"; +import {AccessManagerEnumerable} from "./docs/AccessManagerEnumerable.sol"; contract AccessManagerMock is AccessManager { event CalledRestricted(address caller); @@ -18,3 +19,31 @@ contract AccessManagerMock is AccessManager { emit CalledUnrestricted(msg.sender); } } + +contract AccessManagerEnumerableMock is AccessManagerMock, AccessManagerEnumerable { + constructor(address initialAdmin) AccessManagerMock(initialAdmin) {} + + function _grantRole( + uint64 roleId, + address account, + uint32 grantDelay, + uint32 executionDelay + ) internal override(AccessManager, AccessManagerEnumerable) returns (bool) { + return super._grantRole(roleId, account, grantDelay, executionDelay); + } + + function _revokeRole( + uint64 roleId, + address account + ) internal override(AccessManager, AccessManagerEnumerable) returns (bool) { + return super._revokeRole(roleId, account); + } + + function _setTargetFunctionRole( + address target, + bytes4 selector, + uint64 roleId + ) internal override(AccessManager, AccessManagerEnumerable) { + super._setTargetFunctionRole(target, selector, roleId); + } +} diff --git a/test/access/manager/AccessManager.behavior.js b/test/access/manager/AccessManager.behavior.js index 830700e3762..b71e2d457ac 100644 --- a/test/access/manager/AccessManager.behavior.js +++ b/test/access/manager/AccessManager.behavior.js @@ -1,5 +1,6 @@ const { expect } = require('chai'); +const { selector } = require('../../helpers/methods'); const { LIKE_COMMON_IS_EXECUTING, LIKE_COMMON_GET_ACCESS, @@ -9,7 +10,23 @@ const { testAsDelayedOperation, testAsCanCall, testAsHasRole, + testAsClosable, + testAsDelay, + testAsGetAccess, } = require('./AccessManager.predicate'); +const { + formatAccess, + EXPIRATION, + MINSETBACK, + EXECUTION_ID_STORAGE_SLOT, + CONSUMING_SCHEDULE_STORAGE_SLOT, + prepareOperation, + hashOperation, +} = require('../../helpers/access-manager'); +const { impersonate } = require('../../helpers/account'); +const { MAX_UINT48 } = require('../../helpers/constants'); +const { ethers } = require('hardhat'); +const time = require('../../helpers/time'); // ============ ADMIN OPERATION ============ @@ -248,10 +265,2596 @@ function shouldBehaveLikeASelfRestrictedOperation() { }); } +// ============ ACCESS MANAGER ============ + +/** + * This test suite is made using the following tools: + * + * * Predicates: Functions with common conditional setups without assertions. + * * Behaviors: Functions with common assertions. + * + * The behavioral tests are built by composing predicates and are used as templates + * for testing access to restricted functions. + * + * Similarly, unit tests in this suite will use predicates to test subsets of these + * behaviors and are helped by common assertions provided for some of the predicates. + * + * The predicates can be identified by the `testAs*` prefix while the behaviors + * are prefixed with `shouldBehave*`. The common assertions for predicates are + * defined as constants. + * + * @requires this.{admin,roleAdmin,user,other,roles,manager,target} + */ +function shouldBehaveLikeAccessManager() { + describe('during construction', function () { + it('grants admin role to initialAdmin', async function () { + const manager = await ethers.deployContract('$AccessManager', [this.other]); + await expect(manager.hasRole(this.roles.ADMIN.id, this.other).then(formatAccess)).to.eventually.be.deep.equal([ + true, + '0', + ]); + }); + + it('rejects zero address for initialAdmin', async function () { + await expect(ethers.deployContract('$AccessManager', [ethers.ZeroAddress])) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerInvalidInitialAdmin') + .withArgs(ethers.ZeroAddress); + }); + + it('initializes setup roles correctly', async function () { + for (const { id: roleId, admin, guardian, members } of Object.values(this.roles)) { + await expect(this.manager.getRoleAdmin(roleId)).to.eventually.equal(admin.id); + await expect(this.manager.getRoleGuardian(roleId)).to.eventually.equal(guardian.id); + + for (const user of this.roles.PUBLIC.members) { + await expect(this.manager.hasRole(roleId, user).then(formatAccess)).to.eventually.be.deep.equal([ + members.includes(user), + '0', + ]); + } + } + }); + }); + + describe('getters', function () { + describe('#canCall', function () { + beforeEach('set calldata', function () { + this.calldata = '0x12345678'; + this.role = { id: 379204n }; + }); + + testAsCanCall({ + closed() { + it('should return false and no delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.other, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.false; + expect(delay).to.equal(0n); + }); + }, + open: { + callerIsTheManager: { + executing() { + it('should return true and no delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.true; + expect(delay).to.equal(0n); + }); + }, + notExecuting() { + it('should return false and no delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.false; + expect(delay).to.equal(0n); + }); + }, + }, + callerIsNotTheManager: { + publicRoleIsRequired() { + it('should return true and no delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.true; + expect(delay).to.equal(0n); + }); + }, + specificRoleIsRequired: { + requiredRoleIsGranted: { + roleGrantingIsDelayed: { + callerHasAnExecutionDelay: { + beforeGrantDelay: function self() { + self.mineDelay = true; + + it('should return false and no execution delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.false; + expect(delay).to.equal(0n); + }); + }, + afterGrantDelay: function self() { + self.mineDelay = true; + + beforeEach('sets execution delay', function () { + this.scheduleIn = this.executionDelay; // For testAsSchedulableOperation + }); + + testAsSchedulableOperation({ + scheduled: { + before: function self() { + self.mineDelay = true; + + it('should return false and execution delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.false; + expect(delay).to.equal(this.executionDelay); + }); + }, + after: function self() { + self.mineDelay = true; + + it('should return false and execution delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.false; + expect(delay).to.equal(this.executionDelay); + }); + }, + expired: function self() { + self.mineDelay = true; + + it('should return false and execution delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.false; + expect(delay).to.equal(this.executionDelay); + }); + }, + }, + notScheduled() { + it('should return false and execution delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.false; + expect(delay).to.equal(this.executionDelay); + }); + }, + }); + }, + }, + callerHasNoExecutionDelay: { + beforeGrantDelay: function self() { + self.mineDelay = true; + + it('should return false and no execution delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.false; + expect(delay).to.equal(0n); + }); + }, + afterGrantDelay: function self() { + self.mineDelay = true; + + it('should return true and no execution delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.true; + expect(delay).to.equal(0n); + }); + }, + }, + }, + roleGrantingIsNotDelayed: { + callerHasAnExecutionDelay() { + it('should return false and execution delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.false; + expect(delay).to.equal(this.executionDelay); + }); + }, + callerHasNoExecutionDelay() { + it('should return true and no execution delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.true; + expect(delay).to.equal(0n); + }); + }, + }, + }, + requiredRoleIsNotGranted() { + it('should return false and no execution delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.false; + expect(delay).to.equal(0n); + }); + }, + }, + }, + }, + }); + }); + + describe('#expiration', function () { + it('has a 7 days default expiration', async function () { + await expect(this.manager.expiration()).to.eventually.equal(EXPIRATION); + }); + }); + + describe('#minSetback', function () { + it('has a 5 days default minimum setback', async function () { + await expect(this.manager.minSetback()).to.eventually.equal(MINSETBACK); + }); + }); + + describe('#isTargetClosed', function () { + testAsClosable({ + closed() { + it('returns true', async function () { + await expect(this.manager.isTargetClosed(this.target)).to.eventually.be.true; + }); + }, + open() { + it('returns false', async function () { + await expect(this.manager.isTargetClosed(this.target)).to.eventually.be.false; + }); + }, + }); + }); + + describe('#getTargetFunctionRole', function () { + const methodSelector = selector('something(address,bytes)'); + + it('returns the target function role', async function () { + const roleId = 21498n; + await this.manager.$_setTargetFunctionRole(this.target, methodSelector, roleId); + + await expect(this.manager.getTargetFunctionRole(this.target, methodSelector)).to.eventually.equal(roleId); + }); + + it('returns the ADMIN role if not set', async function () { + await expect(this.manager.getTargetFunctionRole(this.target, methodSelector)).to.eventually.equal( + this.roles.ADMIN.id, + ); + }); + }); + + describe('#getTargetAdminDelay', function () { + describe('when the target admin delay is setup', function () { + beforeEach('set target admin delay', async function () { + this.oldDelay = await this.manager.getTargetAdminDelay(this.target); + this.newDelay = time.duration.days(10); + + await this.manager.$_setTargetAdminDelay(this.target, this.newDelay); + this.delay = MINSETBACK; // For testAsDelay + }); + + testAsDelay('effect', { + before: function self() { + self.mineDelay = true; + + it('returns the old target admin delay', async function () { + await expect(this.manager.getTargetAdminDelay(this.target)).to.eventually.equal(this.oldDelay); + }); + }, + after: function self() { + self.mineDelay = true; + + it('returns the new target admin delay', async function () { + await expect(this.manager.getTargetAdminDelay(this.target)).to.eventually.equal(this.newDelay); + }); + }, + }); + }); + + it('returns the 0 if not set', async function () { + await expect(this.manager.getTargetAdminDelay(this.target)).to.eventually.equal(0n); + }); + }); + + describe('#getRoleAdmin', function () { + const roleId = 5234907n; + + it('returns the role admin', async function () { + const adminId = 789433n; + + await this.manager.$_setRoleAdmin(roleId, adminId); + + await expect(this.manager.getRoleAdmin(roleId)).to.eventually.equal(adminId); + }); + + it('returns the ADMIN role if not set', async function () { + await expect(this.manager.getRoleAdmin(roleId)).to.eventually.equal(this.roles.ADMIN.id); + }); + }); + + describe('#getRoleGuardian', function () { + const roleId = 5234907n; + + it('returns the role guardian', async function () { + const guardianId = 789433n; + + await this.manager.$_setRoleGuardian(roleId, guardianId); + + await expect(this.manager.getRoleGuardian(roleId)).to.eventually.equal(guardianId); + }); + + it('returns the ADMIN role if not set', async function () { + await expect(this.manager.getRoleGuardian(roleId)).to.eventually.equal(this.roles.ADMIN.id); + }); + }); + + describe('#getRoleGrantDelay', function () { + const roleId = 9248439n; + + describe('when the grant admin delay is setup', function () { + beforeEach('set grant admin delay', async function () { + this.oldDelay = await this.manager.getRoleGrantDelay(roleId); + this.newDelay = time.duration.days(11); + + await this.manager.$_setGrantDelay(roleId, this.newDelay); + this.delay = MINSETBACK; // For testAsDelay + }); + + testAsDelay('grant', { + before: function self() { + self.mineDelay = true; + + it('returns the old role grant delay', async function () { + await expect(this.manager.getRoleGrantDelay(roleId)).to.eventually.equal(this.oldDelay); + }); + }, + after: function self() { + self.mineDelay = true; + + it('returns the new role grant delay', async function () { + await expect(this.manager.getRoleGrantDelay(roleId)).to.eventually.equal(this.newDelay); + }); + }, + }); + }); + + it('returns 0 if delay is not set', async function () { + await expect(this.manager.getTargetAdminDelay(this.target)).to.eventually.equal(0n); + }); + }); + + describe('#getAccess', function () { + beforeEach('set role', function () { + this.role = { id: 9452n }; + this.caller = this.user; + }); + + testAsGetAccess({ + requiredRoleIsGranted: { + roleGrantingIsDelayed: { + callerHasAnExecutionDelay: { + beforeGrantDelay: function self() { + self.mineDelay = true; + + it('role is not in effect and execution delay is set', async function () { + const access = await this.manager.getAccess(this.role.id, this.caller); + expect(access[0]).to.equal(this.delayEffect); // inEffectSince + expect(access[1]).to.equal(this.executionDelay); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Not in effect yet + await expect(time.clock.timestamp()).to.eventually.be.below(access[0]); + }); + }, + afterGrantDelay: function self() { + self.mineDelay = true; + + it('access has role in effect and execution delay is set', async function () { + const access = await this.manager.getAccess(this.role.id, this.caller); + + expect(access[0]).to.equal(this.delayEffect); // inEffectSince + expect(access[1]).to.equal(this.executionDelay); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Already in effect + await expect(time.clock.timestamp()).to.eventually.equal(access[0]); + }); + }, + }, + callerHasNoExecutionDelay: { + beforeGrantDelay: function self() { + self.mineDelay = true; + + it('access has role not in effect without execution delay', async function () { + const access = await this.manager.getAccess(this.role.id, this.caller); + expect(access[0]).to.equal(this.delayEffect); // inEffectSince + expect(access[1]).to.equal(0n); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Not in effect yet + await expect(time.clock.timestamp()).to.eventually.be.below(access[0]); + }); + }, + afterGrantDelay: function self() { + self.mineDelay = true; + + it('role is in effect without execution delay', async function () { + const access = await this.manager.getAccess(this.role.id, this.caller); + expect(access[0]).to.equal(this.delayEffect); // inEffectSince + expect(access[1]).to.equal(0n); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Already in effect + await expect(time.clock.timestamp()).to.eventually.equal(access[0]); + }); + }, + }, + }, + roleGrantingIsNotDelayed: { + callerHasAnExecutionDelay() { + it('access has role in effect and execution delay is set', async function () { + const access = await this.manager.getAccess(this.role.id, this.caller); + expect(access[0]).to.equal(await time.clock.timestamp()); // inEffectSince + expect(access[1]).to.equal(this.executionDelay); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Already in effect + await expect(time.clock.timestamp()).to.eventually.equal(access[0]); + }); + }, + callerHasNoExecutionDelay() { + it('access has role in effect without execution delay', async function () { + const access = await this.manager.getAccess(this.role.id, this.caller); + expect(access[0]).to.equal(await time.clock.timestamp()); // inEffectSince + expect(access[1]).to.equal(0n); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Already in effect + await expect(time.clock.timestamp()).to.eventually.equal(access[0]); + }); + }, + }, + }, + requiredRoleIsNotGranted() { + it('has empty access', async function () { + const access = await this.manager.getAccess(this.role.id, this.caller); + expect(access[0]).to.equal(0n); // inEffectSince + expect(access[1]).to.equal(0n); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + }); + }, + }); + }); + + describe('#hasRole', function () { + beforeEach('setup testAsHasRole', function () { + this.role = { id: 49832n }; + this.calldata = '0x12345678'; + this.caller = this.user; + }); + + testAsHasRole({ + publicRoleIsRequired() { + it('has PUBLIC role', async function () { + const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); + expect(isMember).to.be.true; + expect(executionDelay).to.equal('0'); + }); + }, + specificRoleIsRequired: { + requiredRoleIsGranted: { + roleGrantingIsDelayed: { + callerHasAnExecutionDelay: { + beforeGrantDelay: function self() { + self.mineDelay = true; + + it('does not have role but execution delay', async function () { + const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); + expect(isMember).to.be.false; + expect(executionDelay).to.equal(this.executionDelay); + }); + }, + afterGrantDelay: function self() { + self.mineDelay = true; + + it('has role and execution delay', async function () { + const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); + expect(isMember).to.be.true; + expect(executionDelay).to.equal(this.executionDelay); + }); + }, + }, + callerHasNoExecutionDelay: { + beforeGrantDelay: function self() { + self.mineDelay = true; + + it('does not have role nor execution delay', async function () { + const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); + expect(isMember).to.be.false; + expect(executionDelay).to.equal('0'); + }); + }, + afterGrantDelay: function self() { + self.mineDelay = true; + + it('has role and no execution delay', async function () { + const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); + expect(isMember).to.be.true; + expect(executionDelay).to.equal('0'); + }); + }, + }, + }, + roleGrantingIsNotDelayed: { + callerHasAnExecutionDelay() { + it('has role and execution delay', async function () { + const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); + expect(isMember).to.be.true; + expect(executionDelay).to.equal(this.executionDelay); + }); + }, + callerHasNoExecutionDelay() { + it('has role and no execution delay', async function () { + const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); + expect(isMember).to.be.true; + expect(executionDelay).to.equal('0'); + }); + }, + }, + }, + requiredRoleIsNotGranted() { + it('has no role and no execution delay', async function () { + const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); + expect(isMember).to.be.false; + expect(executionDelay).to.equal('0'); + }); + }, + }, + }); + }); + + describe('#getSchedule', function () { + beforeEach('set role and calldata', async function () { + const fnRestricted = this.target.fnRestricted.getFragment().selector; + this.caller = this.user; + this.role = { id: 493590n }; + await this.manager.$_setTargetFunctionRole(this.target, fnRestricted, this.role.id); + await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // nonzero execution delay + + this.calldata = this.target.interface.encodeFunctionData(fnRestricted, []); + this.scheduleIn = time.duration.days(10); // For testAsSchedulableOperation + }); + + testAsSchedulableOperation({ + scheduled: { + before: function self() { + self.mineDelay = true; + + it('returns schedule in the future', async function () { + const schedule = await this.manager.getSchedule(this.operationId); + expect(schedule).to.equal(this.scheduledAt + this.scheduleIn); + expect(schedule).to.gt(await time.clock.timestamp()); + }); + }, + after: function self() { + self.mineDelay = true; + + it('returns schedule', async function () { + const schedule = await this.manager.getSchedule(this.operationId); + expect(schedule).to.equal(this.scheduledAt + this.scheduleIn); + expect(schedule).to.equal(await time.clock.timestamp()); + }); + }, + expired: function self() { + self.mineDelay = true; + + it('returns 0', async function () { + await expect(this.manager.getSchedule(this.operationId)).to.eventually.equal(0n); + }); + }, + }, + notScheduled() { + it('defaults to 0', async function () { + await expect(this.manager.getSchedule(this.operationId)).to.eventually.equal(0n); + }); + }, + }); + }); + + describe('#getNonce', function () { + describe('when operation is scheduled', function () { + beforeEach('schedule operation', async function () { + const fnRestricted = this.target.fnRestricted.getFragment().selector; + this.caller = this.user; + this.role = { id: 4209043n }; + await this.manager.$_setTargetFunctionRole(this.target, fnRestricted, this.role.id); + await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // nonzero execution delay + + this.calldata = this.target.interface.encodeFunctionData(fnRestricted, []); + this.delay = time.duration.days(10); + + const { operationId, schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + await schedule(); + this.operationId = operationId; + }); + + it('returns nonce', async function () { + await expect(this.manager.getNonce(this.operationId)).to.eventually.equal(1n); + }); + }); + + describe('when is not scheduled', function () { + it('returns default 0', async function () { + await expect(this.manager.getNonce(ethers.id('operation'))).to.eventually.equal(0n); + }); + }); + }); + + describe('#hashOperation', function () { + it('returns an operationId', async function () { + const args = [this.user, this.other, '0x123543']; + await expect(this.manager.hashOperation(...args)).to.eventually.equal(hashOperation(...args)); + }); + }); + }); + + describe('admin operations', function () { + beforeEach('set required role', function () { + this.role = this.roles.ADMIN; + }); + + describe('subject to a delay', function () { + describe('#labelRole', function () { + describe('restrictions', function () { + beforeEach('set method and args', function () { + const args = [123443, 'TEST']; + const method = this.manager.interface.getFunction('labelRole(uint64,string)'); + this.calldata = this.manager.interface.encodeFunctionData(method, args); + }); + + shouldBehaveLikeDelayedAdminOperation(); + }); + + it('emits an event with the label', async function () { + await expect(this.manager.connect(this.admin).labelRole(this.roles.SOME.id, 'Some label')) + .to.emit(this.manager, 'RoleLabel') + .withArgs(this.roles.SOME.id, 'Some label'); + }); + + it('updates label on a second call', async function () { + await this.manager.connect(this.admin).labelRole(this.roles.SOME.id, 'Some label'); + + await expect(this.manager.connect(this.admin).labelRole(this.roles.SOME.id, 'Updated label')) + .to.emit(this.manager, 'RoleLabel') + .withArgs(this.roles.SOME.id, 'Updated label'); + }); + + it('reverts labeling PUBLIC_ROLE', async function () { + await expect(this.manager.connect(this.admin).labelRole(this.roles.PUBLIC.id, 'Some label')) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') + .withArgs(this.roles.PUBLIC.id); + }); + + it('reverts labeling ADMIN_ROLE', async function () { + await expect(this.manager.connect(this.admin).labelRole(this.roles.ADMIN.id, 'Some label')) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') + .withArgs(this.roles.ADMIN.id); + }); + }); + + describe('#setRoleAdmin', function () { + describe('restrictions', function () { + beforeEach('set method and args', function () { + const args = [93445, 84532]; + const method = this.manager.interface.getFunction('setRoleAdmin(uint64,uint64)'); + this.calldata = this.manager.interface.encodeFunctionData(method, args); + }); + + shouldBehaveLikeDelayedAdminOperation(); + }); + + it("sets any role's admin if called by an admin", async function () { + await expect(this.manager.getRoleAdmin(this.roles.SOME.id)).to.eventually.equal(this.roles.SOME_ADMIN.id); + + await expect(this.manager.connect(this.admin).setRoleAdmin(this.roles.SOME.id, this.roles.ADMIN.id)) + .to.emit(this.manager, 'RoleAdminChanged') + .withArgs(this.roles.SOME.id, this.roles.ADMIN.id); + + await expect(this.manager.getRoleAdmin(this.roles.SOME.id)).to.eventually.equal(this.roles.ADMIN.id); + }); + + it('reverts setting PUBLIC_ROLE admin', async function () { + await expect(this.manager.connect(this.admin).setRoleAdmin(this.roles.PUBLIC.id, this.roles.ADMIN.id)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') + .withArgs(this.roles.PUBLIC.id); + }); + + it('reverts setting ADMIN_ROLE admin', async function () { + await expect(this.manager.connect(this.admin).setRoleAdmin(this.roles.ADMIN.id, this.roles.ADMIN.id)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') + .withArgs(this.roles.ADMIN.id); + }); + }); + + describe('#setRoleGuardian', function () { + describe('restrictions', function () { + beforeEach('set method and args', function () { + const args = [93445, 84532]; + const method = this.manager.interface.getFunction('setRoleGuardian(uint64,uint64)'); + this.calldata = this.manager.interface.encodeFunctionData(method, args); + }); + + shouldBehaveLikeDelayedAdminOperation(); + }); + + it("sets any role's guardian if called by an admin", async function () { + await expect(this.manager.getRoleGuardian(this.roles.SOME.id)).to.eventually.equal( + this.roles.SOME_GUARDIAN.id, + ); + + await expect(this.manager.connect(this.admin).setRoleGuardian(this.roles.SOME.id, this.roles.ADMIN.id)) + .to.emit(this.manager, 'RoleGuardianChanged') + .withArgs(this.roles.SOME.id, this.roles.ADMIN.id); + + await expect(this.manager.getRoleGuardian(this.roles.SOME.id)).to.eventually.equal(this.roles.ADMIN.id); + }); + + it('reverts setting PUBLIC_ROLE admin', async function () { + await expect(this.manager.connect(this.admin).setRoleGuardian(this.roles.PUBLIC.id, this.roles.ADMIN.id)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') + .withArgs(this.roles.PUBLIC.id); + }); + + it('reverts setting ADMIN_ROLE admin', async function () { + await expect(this.manager.connect(this.admin).setRoleGuardian(this.roles.ADMIN.id, this.roles.ADMIN.id)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') + .withArgs(this.roles.ADMIN.id); + }); + }); + + describe('#setGrantDelay', function () { + describe('restrictions', function () { + beforeEach('set method and args', function () { + const args = [984910, time.duration.days(2)]; + const method = this.manager.interface.getFunction('setGrantDelay(uint64,uint32)'); + this.calldata = this.manager.interface.encodeFunctionData(method, args); + }); + + shouldBehaveLikeDelayedAdminOperation(); + }); + + it('reverts setting grant delay for the PUBLIC_ROLE', async function () { + await expect(this.manager.connect(this.admin).setGrantDelay(this.roles.PUBLIC.id, 69n)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') + .withArgs(this.roles.PUBLIC.id); + }); + + describe('when increasing the delay', function () { + const oldDelay = 10n; + const newDelay = 100n; + + beforeEach('sets old delay', async function () { + this.role = this.roles.SOME; + await this.manager.$_setGrantDelay(this.role.id, oldDelay); + await time.increaseBy.timestamp(MINSETBACK); + await expect(this.manager.getRoleGrantDelay(this.role.id)).to.eventually.equal(oldDelay); + }); + + it('increases the delay after minsetback', async function () { + const txResponse = await this.manager.connect(this.admin).setGrantDelay(this.role.id, newDelay); + const setGrantDelayAt = await time.clockFromReceipt.timestamp(txResponse); + await expect(txResponse) + .to.emit(this.manager, 'RoleGrantDelayChanged') + .withArgs(this.role.id, newDelay, setGrantDelayAt + MINSETBACK); + + await expect(this.manager.getRoleGrantDelay(this.role.id)).to.eventually.equal(oldDelay); + await time.increaseBy.timestamp(MINSETBACK); + await expect(this.manager.getRoleGrantDelay(this.role.id)).to.eventually.equal(newDelay); + }); + }); + + describe('when reducing the delay', function () { + const oldDelay = time.duration.days(10); + + beforeEach('sets old delay', async function () { + this.role = this.roles.SOME; + await this.manager.$_setGrantDelay(this.role.id, oldDelay); + await time.increaseBy.timestamp(MINSETBACK); + await expect(this.manager.getRoleGrantDelay(this.role.id)).to.eventually.equal(oldDelay); + }); + + describe('when the delay difference is shorter than minimum setback', function () { + const newDelay = oldDelay - 1n; + + it('increases the delay after minsetback', async function () { + const txResponse = await this.manager.connect(this.admin).setGrantDelay(this.role.id, newDelay); + const setGrantDelayAt = await time.clockFromReceipt.timestamp(txResponse); + await expect(txResponse) + .to.emit(this.manager, 'RoleGrantDelayChanged') + .withArgs(this.role.id, newDelay, setGrantDelayAt + MINSETBACK); + + await expect(this.manager.getRoleGrantDelay(this.role.id)).to.eventually.equal(oldDelay); + await time.increaseBy.timestamp(MINSETBACK); + await expect(this.manager.getRoleGrantDelay(this.role.id)).to.eventually.equal(newDelay); + }); + }); + + describe('when the delay difference is longer than minimum setback', function () { + const newDelay = 1n; + + beforeEach('assert delay difference is higher than minsetback', function () { + expect(oldDelay - newDelay).to.gt(MINSETBACK); + }); + + it('increases the delay after delay difference', async function () { + const setback = oldDelay - newDelay; + + const txResponse = await this.manager.connect(this.admin).setGrantDelay(this.role.id, newDelay); + const setGrantDelayAt = await time.clockFromReceipt.timestamp(txResponse); + + await expect(txResponse) + .to.emit(this.manager, 'RoleGrantDelayChanged') + .withArgs(this.role.id, newDelay, setGrantDelayAt + setback); + + await expect(this.manager.getRoleGrantDelay(this.role.id)).to.eventually.equal(oldDelay); + await time.increaseBy.timestamp(setback); + await expect(this.manager.getRoleGrantDelay(this.role.id)).to.eventually.equal(newDelay); + }); + }); + }); + }); + + describe('#setTargetAdminDelay', function () { + describe('restrictions', function () { + beforeEach('set method and args', function () { + const args = [this.other.address, time.duration.days(3)]; + const method = this.manager.interface.getFunction('setTargetAdminDelay(address,uint32)'); + this.calldata = this.manager.interface.encodeFunctionData(method, args); + }); + + shouldBehaveLikeDelayedAdminOperation(); + }); + + describe('when increasing the delay', function () { + const oldDelay = time.duration.days(10); + const newDelay = time.duration.days(11); + + beforeEach('sets old delay', async function () { + await this.manager.$_setTargetAdminDelay(this.other, oldDelay); + await time.increaseBy.timestamp(MINSETBACK); + await expect(this.manager.getTargetAdminDelay(this.other)).to.eventually.equal(oldDelay); + }); + + it('increases the delay after minsetback', async function () { + const txResponse = await this.manager.connect(this.admin).setTargetAdminDelay(this.other, newDelay); + const setTargetAdminDelayAt = await time.clockFromReceipt.timestamp(txResponse); + await expect(txResponse) + .to.emit(this.manager, 'TargetAdminDelayUpdated') + .withArgs(this.other, newDelay, setTargetAdminDelayAt + MINSETBACK); + + await expect(this.manager.getTargetAdminDelay(this.other)).to.eventually.equal(oldDelay); + await time.increaseBy.timestamp(MINSETBACK); + await expect(this.manager.getTargetAdminDelay(this.other)).to.eventually.equal(newDelay); + }); + }); + + describe('when reducing the delay', function () { + const oldDelay = time.duration.days(10); + + beforeEach('sets old delay', async function () { + await this.manager.$_setTargetAdminDelay(this.other, oldDelay); + await time.increaseBy.timestamp(MINSETBACK); + await expect(this.manager.getTargetAdminDelay(this.other)).to.eventually.equal(oldDelay); + }); + + describe('when the delay difference is shorter than minimum setback', function () { + const newDelay = oldDelay - 1n; + + it('increases the delay after minsetback', async function () { + const txResponse = await this.manager.connect(this.admin).setTargetAdminDelay(this.other, newDelay); + const setTargetAdminDelayAt = await time.clockFromReceipt.timestamp(txResponse); + await expect(txResponse) + .to.emit(this.manager, 'TargetAdminDelayUpdated') + .withArgs(this.other, newDelay, setTargetAdminDelayAt + MINSETBACK); + + await expect(this.manager.getTargetAdminDelay(this.other)).to.eventually.equal(oldDelay); + await time.increaseBy.timestamp(MINSETBACK); + await expect(this.manager.getTargetAdminDelay(this.other)).to.eventually.equal(newDelay); + }); + }); + + describe('when the delay difference is longer than minimum setback', function () { + const newDelay = 1n; + + beforeEach('assert delay difference is higher than minsetback', function () { + expect(oldDelay - newDelay).to.gt(MINSETBACK); + }); + + it('increases the delay after delay difference', async function () { + const setback = oldDelay - newDelay; + + const txResponse = await this.manager.connect(this.admin).setTargetAdminDelay(this.other, newDelay); + const setTargetAdminDelayAt = await time.clockFromReceipt.timestamp(txResponse); + + await expect(txResponse) + .to.emit(this.manager, 'TargetAdminDelayUpdated') + .withArgs(this.other, newDelay, setTargetAdminDelayAt + setback); + + await expect(this.manager.getTargetAdminDelay(this.other)).to.eventually.equal(oldDelay); + await time.increaseBy.timestamp(setback); + await expect(this.manager.getTargetAdminDelay(this.other)).to.eventually.equal(newDelay); + }); + }); + }); + }); + }); + + describe('not subject to a delay', function () { + describe('#updateAuthority', function () { + beforeEach('create a target and a new authority', async function () { + this.newAuthority = await ethers.deployContract('$AccessManager', [this.admin]); + this.newManagedTarget = await ethers.deployContract('$AccessManagedTarget', [this.manager]); + }); + + describe('restrictions', function () { + beforeEach('set method and args', function () { + this.calldata = this.manager.interface.encodeFunctionData('updateAuthority(address,address)', [ + this.newManagedTarget.target, + this.newAuthority.target, + ]); + }); + + shouldBehaveLikeNotDelayedAdminOperation(); + }); + + it('changes the authority', async function () { + await expect(this.newManagedTarget.authority()).to.eventually.equal(this.manager); + + await expect(this.manager.connect(this.admin).updateAuthority(this.newManagedTarget, this.newAuthority)) + .to.emit(this.newManagedTarget, 'AuthorityUpdated') // Managed contract is responsible of notifying the change through an event + .withArgs(this.newAuthority); + + await expect(this.newManagedTarget.authority()).to.eventually.equal(this.newAuthority); + }); + }); + + describe('#setTargetClosed', function () { + describe('restrictions', function () { + beforeEach('set method and args', function () { + const args = [this.other.address, true]; + const method = this.manager.interface.getFunction('setTargetClosed(address,bool)'); + this.calldata = this.manager.interface.encodeFunctionData(method, args); + }); + + shouldBehaveLikeNotDelayedAdminOperation(); + }); + + it('closes and opens a target', async function () { + await expect(this.manager.connect(this.admin).setTargetClosed(this.target, true)) + .to.emit(this.manager, 'TargetClosed') + .withArgs(this.target, true); + await expect(this.manager.isTargetClosed(this.target)).to.eventually.be.true; + + await expect(this.manager.connect(this.admin).setTargetClosed(this.target, false)) + .to.emit(this.manager, 'TargetClosed') + .withArgs(this.target, false); + await expect(this.manager.isTargetClosed(this.target)).to.eventually.be.false; + }); + + describe('when the target is the manager', async function () { + it('closes and opens the manager', async function () { + await expect(this.manager.connect(this.admin).setTargetClosed(this.manager, true)) + .to.emit(this.manager, 'TargetClosed') + .withArgs(this.manager, true); + await expect(this.manager.isTargetClosed(this.manager)).to.eventually.be.true; + + await expect(this.manager.connect(this.admin).setTargetClosed(this.manager, false)) + .to.emit(this.manager, 'TargetClosed') + .withArgs(this.manager, false); + await expect(this.manager.isTargetClosed(this.manager)).to.eventually.be.false; + }); + }); + }); + + describe('#setTargetFunctionRole', function () { + describe('restrictions', function () { + beforeEach('set method and args', function () { + const args = [this.other.address, ['0x12345678'], 443342]; + const method = this.manager.interface.getFunction('setTargetFunctionRole(address,bytes4[],uint64)'); + this.calldata = this.manager.interface.encodeFunctionData(method, args); + }); + + shouldBehaveLikeNotDelayedAdminOperation(); + }); + + const sigs = ['someFunction()', 'someOtherFunction(uint256)', 'oneMoreFunction(address,uint8)'].map(selector); + + it('sets function roles', async function () { + for (const sig of sigs) { + await expect(this.manager.getTargetFunctionRole(this.target, sig)).to.eventually.equal(this.roles.ADMIN.id); + } + + const allowRole = await this.manager + .connect(this.admin) + .setTargetFunctionRole(this.target, sigs, this.roles.SOME.id); + + for (const sig of sigs) { + await expect(allowRole) + .to.emit(this.manager, 'TargetFunctionRoleUpdated') + .withArgs(this.target, sig, this.roles.SOME.id); + await expect(this.manager.getTargetFunctionRole(this.target, sig)).to.eventually.equal(this.roles.SOME.id); + } + + await expect( + this.manager.connect(this.admin).setTargetFunctionRole(this.target, [sigs[1]], this.roles.SOME_ADMIN.id), + ) + .to.emit(this.manager, 'TargetFunctionRoleUpdated') + .withArgs(this.target, sigs[1], this.roles.SOME_ADMIN.id); + + for (const sig of sigs) { + await expect(this.manager.getTargetFunctionRole(this.target, sig)).to.eventually.equal( + sig == sigs[1] ? this.roles.SOME_ADMIN.id : this.roles.SOME.id, + ); + } + }); + }); + + describe('role admin operations', function () { + const ANOTHER_ADMIN = 0xdeadc0de1n; + const ANOTHER_ROLE = 0xdeadc0de2n; + + beforeEach('set required role', async function () { + // Make admin a member of ANOTHER_ADMIN + await this.manager.$_grantRole(ANOTHER_ADMIN, this.admin, 0, 0); + await this.manager.$_setRoleAdmin(ANOTHER_ROLE, ANOTHER_ADMIN); + + this.role = { id: ANOTHER_ADMIN }; + await this.manager.$_grantRole(this.role.id, this.user, 0, 0); + }); + + describe('#grantRole', function () { + describe('restrictions', function () { + beforeEach('set method and args', function () { + const args = [ANOTHER_ROLE, this.other.address, 0]; + const method = this.manager.interface.getFunction('grantRole(uint64,address,uint32)'); + this.calldata = this.manager.interface.encodeFunctionData(method, args); + }); + + shouldBehaveLikeRoleAdminOperation(ANOTHER_ADMIN); + }); + + it('reverts when granting PUBLIC_ROLE', async function () { + await expect(this.manager.connect(this.admin).grantRole(this.roles.PUBLIC.id, this.user, 0)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') + .withArgs(this.roles.PUBLIC.id); + }); + + describe('when the user is not a role member', function () { + describe('with grant delay', function () { + beforeEach('set grant delay and grant role', async function () { + // Delay granting + this.grantDelay = time.duration.weeks(2); + await this.manager.$_setGrantDelay(ANOTHER_ROLE, this.grantDelay); + await time.increaseBy.timestamp(MINSETBACK); + + // Grant role + this.executionDelay = time.duration.days(3); + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([false, '0']); + + this.txResponse = await this.manager + .connect(this.admin) + .grantRole(ANOTHER_ROLE, this.user, this.executionDelay); + this.delay = this.grantDelay; // For testAsDelay + }); + + testAsDelay('grant', { + before: function self() { + self.mineDelay = true; + + it('does not grant role to the user yet', async function () { + const timestamp = await time.clockFromReceipt.timestamp(this.txResponse); + await expect(this.txResponse) + .to.emit(this.manager, 'RoleGranted') + .withArgs(ANOTHER_ROLE, this.user, this.executionDelay, timestamp + this.grantDelay, true); + + // Access is correctly stored + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + expect(access[0]).to.equal(timestamp + this.grantDelay); // inEffectSince + expect(access[1]).to.equal(this.executionDelay); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Not in effect yet + const currentTimestamp = await time.clock.timestamp(); + expect(currentTimestamp).to.be.lt(access[0]); + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([false, this.executionDelay.toString()]); + }); + }, + after: function self() { + self.mineDelay = true; + + it('grants role to the user', async function () { + const timestamp = await time.clockFromReceipt.timestamp(this.txResponse); + await expect(this.txResponse) + .to.emit(this.manager, 'RoleGranted') + .withArgs(ANOTHER_ROLE, this.user, this.executionDelay, timestamp + this.grantDelay, true); + + // Access is correctly stored + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + expect(access[0]).to.equal(timestamp + this.grantDelay); // inEffectSince + expect(access[1]).to.equal(this.executionDelay); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Already in effect + const currentTimestamp = await time.clock.timestamp(); + expect(currentTimestamp).to.equal(access[0]); + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([true, this.executionDelay.toString()]); + }); + }, + }); + }); + + describe('without grant delay', function () { + beforeEach('set granting delay', async function () { + // Delay granting + this.grantDelay = 0; + await this.manager.$_setGrantDelay(ANOTHER_ROLE, this.grantDelay); + await time.increaseBy.timestamp(MINSETBACK); + }); + + it('immediately grants the role to the user', async function () { + const executionDelay = time.duration.days(6); + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([false, '0']); + const txResponse = await this.manager + .connect(this.admin) + .grantRole(ANOTHER_ROLE, this.user, executionDelay); + const grantedAt = await time.clockFromReceipt.timestamp(txResponse); + await expect(txResponse) + .to.emit(this.manager, 'RoleGranted') + .withArgs(ANOTHER_ROLE, this.user, executionDelay, grantedAt, true); + + // Access is correctly stored + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + expect(access[0]).to.equal(grantedAt); // inEffectSince + expect(access[1]).to.equal(executionDelay); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Already in effect + const currentTimestamp = await time.clock.timestamp(); + expect(currentTimestamp).to.equal(access[0]); + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([true, executionDelay.toString()]); + }); + }); + }); + + describe('when the user is already a role member', function () { + beforeEach('make user role member', async function () { + this.previousExecutionDelay = time.duration.days(6); + await this.manager.$_grantRole(ANOTHER_ROLE, this.user, 0, this.previousExecutionDelay); + this.oldAccess = await this.manager.getAccess(ANOTHER_ROLE, this.user); + }); + + describe('with grant delay', function () { + beforeEach('set granting delay', async function () { + // Delay granting + const grantDelay = time.duration.weeks(2); + await this.manager.$_setGrantDelay(ANOTHER_ROLE, grantDelay); + await time.increaseBy.timestamp(MINSETBACK); + }); + + describe('when increasing the execution delay', function () { + beforeEach('set increased new execution delay', async function () { + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([true, this.previousExecutionDelay.toString()]); + + this.newExecutionDelay = this.previousExecutionDelay + time.duration.days(4); + }); + + it('emits event and immediately changes the execution delay', async function () { + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([true, this.previousExecutionDelay.toString()]); + const txResponse = await this.manager + .connect(this.admin) + .grantRole(ANOTHER_ROLE, this.user, this.newExecutionDelay); + const timestamp = await time.clockFromReceipt.timestamp(txResponse); + + await expect(txResponse) + .to.emit(this.manager, 'RoleGranted') + .withArgs(ANOTHER_ROLE, this.user, this.newExecutionDelay, timestamp, false); + + // Access is correctly stored + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince + expect(access[1]).to.equal(this.newExecutionDelay); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Already in effect + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([true, this.newExecutionDelay.toString()]); + }); + }); + + describe('when decreasing the execution delay', function () { + beforeEach('decrease execution delay', async function () { + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([true, this.previousExecutionDelay.toString()]); + + this.newExecutionDelay = this.previousExecutionDelay - time.duration.days(4); + this.txResponse = await this.manager + .connect(this.admin) + .grantRole(ANOTHER_ROLE, this.user, this.newExecutionDelay); + this.grantTimestamp = await time.clockFromReceipt.timestamp(this.txResponse); + + this.delay = this.previousExecutionDelay - this.newExecutionDelay; // For testAsDelay + }); + + it('emits event', async function () { + await expect(this.txResponse) + .to.emit(this.manager, 'RoleGranted') + .withArgs(ANOTHER_ROLE, this.user, this.newExecutionDelay, this.grantTimestamp + this.delay, false); + }); + + testAsDelay('execution delay effect', { + before: function self() { + self.mineDelay = true; + + it('does not change the execution delay yet', async function () { + // Access is correctly stored + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince + expect(access[1]).to.equal(this.previousExecutionDelay); // currentDelay + expect(access[2]).to.equal(this.newExecutionDelay); // pendingDelay + expect(access[3]).to.equal(this.grantTimestamp + this.delay); // pendingDelayEffect + + // Not in effect yet + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([true, this.previousExecutionDelay.toString()]); + }); + }, + after: function self() { + self.mineDelay = true; + + it('changes the execution delay', async function () { + // Access is correctly stored + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + + expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince + expect(access[1]).to.equal(this.newExecutionDelay); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Already in effect + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([true, this.newExecutionDelay.toString()]); + }); + }, + }); + }); + }); + + describe('without grant delay', function () { + beforeEach('set granting delay', async function () { + // Delay granting + const grantDelay = 0; + await this.manager.$_setGrantDelay(ANOTHER_ROLE, grantDelay); + await time.increaseBy.timestamp(MINSETBACK); + }); + + describe('when increasing the execution delay', function () { + beforeEach('set increased new execution delay', async function () { + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([true, this.previousExecutionDelay.toString()]); + + this.newExecutionDelay = this.previousExecutionDelay + time.duration.days(4); + }); + + it('emits event and immediately changes the execution delay', async function () { + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([true, this.previousExecutionDelay.toString()]); + const txResponse = await this.manager + .connect(this.admin) + .grantRole(ANOTHER_ROLE, this.user, this.newExecutionDelay); + const timestamp = await time.clockFromReceipt.timestamp(txResponse); + + await expect(txResponse) + .to.emit(this.manager, 'RoleGranted') + .withArgs(ANOTHER_ROLE, this.user, this.newExecutionDelay, timestamp, false); + + // Access is correctly stored + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince + expect(access[1]).to.equal(this.newExecutionDelay); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Already in effect + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([true, this.newExecutionDelay.toString()]); + }); + }); + + describe('when decreasing the execution delay', function () { + beforeEach('decrease execution delay', async function () { + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([true, this.previousExecutionDelay.toString()]); + + this.newExecutionDelay = this.previousExecutionDelay - time.duration.days(4); + this.txResponse = await this.manager + .connect(this.admin) + .grantRole(ANOTHER_ROLE, this.user, this.newExecutionDelay); + this.grantTimestamp = await time.clockFromReceipt.timestamp(this.txResponse); + + this.delay = this.previousExecutionDelay - this.newExecutionDelay; // For testAsDelay + }); + + it('emits event', async function () { + await expect(this.txResponse) + .to.emit(this.manager, 'RoleGranted') + .withArgs(ANOTHER_ROLE, this.user, this.newExecutionDelay, this.grantTimestamp + this.delay, false); + }); + + testAsDelay('execution delay effect', { + before: function self() { + self.mineDelay = true; + + it('does not change the execution delay yet', async function () { + // Access is correctly stored + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince + expect(access[1]).to.equal(this.previousExecutionDelay); // currentDelay + expect(access[2]).to.equal(this.newExecutionDelay); // pendingDelay + expect(access[3]).to.equal(this.grantTimestamp + this.delay); // pendingDelayEffect + + // Not in effect yet + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([true, this.previousExecutionDelay.toString()]); + }); + }, + after: function self() { + self.mineDelay = true; + + it('changes the execution delay', async function () { + // Access is correctly stored + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + + expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince + expect(access[1]).to.equal(this.newExecutionDelay); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Already in effect + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([true, this.newExecutionDelay.toString()]); + }); + }, + }); + }); + }); + }); + }); + + describe('#revokeRole', function () { + describe('restrictions', function () { + beforeEach('set method and args', async function () { + const args = [ANOTHER_ROLE, this.other.address]; + const method = this.manager.interface.getFunction('revokeRole(uint64,address)'); + this.calldata = this.manager.interface.encodeFunctionData(method, args); + + // Need to be set before revoking + await this.manager.$_grantRole(...args, 0, 0); + }); + + shouldBehaveLikeRoleAdminOperation(ANOTHER_ADMIN); + }); + + describe('when role has been granted', function () { + beforeEach('grant role with grant delay', async function () { + this.grantDelay = time.duration.weeks(1); + await this.manager.$_grantRole(ANOTHER_ROLE, this.user, this.grantDelay, 0); + + this.delay = this.grantDelay; // For testAsDelay + }); + + testAsDelay('grant', { + before: function self() { + self.mineDelay = true; + + it('revokes a granted role that will take effect in the future', async function () { + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([false, '0']); + + await expect(this.manager.connect(this.admin).revokeRole(ANOTHER_ROLE, this.user)) + .to.emit(this.manager, 'RoleRevoked') + .withArgs(ANOTHER_ROLE, this.user); + + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([false, '0']); + + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + expect(access[0]).to.equal(0n); // inRoleSince + expect(access[1]).to.equal(0n); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // effect + }); + }, + after: function self() { + self.mineDelay = true; + + it('revokes a granted role that already took effect', async function () { + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([true, '0']); + + await expect(this.manager.connect(this.admin).revokeRole(ANOTHER_ROLE, this.user)) + .to.emit(this.manager, 'RoleRevoked') + .withArgs(ANOTHER_ROLE, this.user); + + await expect( + this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([false, '0']); + + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + expect(access[0]).to.equal(0n); // inRoleSince + expect(access[1]).to.equal(0n); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // effect + }); + }, + }); + }); + + describe('when role has not been granted', function () { + it('has no effect', async function () { + await expect( + this.manager.hasRole(this.roles.SOME.id, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([false, '0']); + await expect(this.manager.connect(this.roleAdmin).revokeRole(this.roles.SOME.id, this.user)).to.not.emit( + this.manager, + 'RoleRevoked', + ); + await expect( + this.manager.hasRole(this.roles.SOME.id, this.user).then(formatAccess), + ).to.eventually.be.deep.equal([false, '0']); + }); + }); + + it('reverts revoking PUBLIC_ROLE', async function () { + await expect(this.manager.connect(this.admin).revokeRole(this.roles.PUBLIC.id, this.user)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') + .withArgs(this.roles.PUBLIC.id); + }); + }); + }); + + describe('self role operations', function () { + describe('#renounceRole', function () { + beforeEach('grant role', async function () { + this.role = { id: 783164n }; + this.caller = this.user; + await this.manager.$_grantRole(this.role.id, this.caller, 0, 0); + }); + + it('renounces a role', async function () { + await expect( + this.manager.hasRole(this.role.id, this.caller).then(formatAccess), + ).to.eventually.be.deep.equal([true, '0']); + await expect(this.manager.connect(this.caller).renounceRole(this.role.id, this.caller)) + .to.emit(this.manager, 'RoleRevoked') + .withArgs(this.role.id, this.caller); + await expect( + this.manager.hasRole(this.role.id, this.caller).then(formatAccess), + ).to.eventually.be.deep.equal([false, '0']); + }); + + it('reverts if renouncing the PUBLIC_ROLE', async function () { + await expect(this.manager.connect(this.caller).renounceRole(this.roles.PUBLIC.id, this.caller)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') + .withArgs(this.roles.PUBLIC.id); + }); + + it('reverts if renouncing with bad caller confirmation', async function () { + await expect( + this.manager.connect(this.caller).renounceRole(this.role.id, this.other), + ).to.be.revertedWithCustomError(this.manager, 'AccessManagerBadConfirmation'); + }); + }); + }); + }); + }); + + describe('access managed self operations', function () { + describe('when calling a restricted target function', function () { + const method = 'fnRestricted()'; + + beforeEach('set required role', async function () { + this.role = { id: 785913n }; + await this.manager.$_setTargetFunctionRole( + this.manager, + this.manager[method].getFragment().selector, + this.role.id, + ); + }); + + describe('restrictions', function () { + beforeEach('set method and args', function () { + this.caller = this.user; + this.calldata = this.manager.interface.encodeFunctionData(method, []); + }); + + shouldBehaveLikeASelfRestrictedOperation(); + }); + + it('succeeds called by a role member', async function () { + await this.manager.$_grantRole(this.role.id, this.user, 0, 0); + + await expect(this.manager.connect(this.user)[method]()) + .to.emit(this.manager, 'CalledRestricted') + .withArgs(this.user); + }); + }); + + describe('when calling a non-restricted target function', function () { + const method = 'fnUnrestricted()'; + + beforeEach('set required role', async function () { + this.role = { id: 879435n }; + await this.manager.$_setTargetFunctionRole( + this.manager, + this.manager[method].getFragment().selector, + this.role.id, + ); + }); + + it('succeeds called by anyone', async function () { + await expect(this.manager.connect(this.user)[method]()) + .to.emit(this.manager, 'CalledUnrestricted') + .withArgs(this.user); + }); + }); + }); + + describe('access managed target operations', function () { + describe('when calling a restricted target function', function () { + const method = 'fnRestricted()'; + + beforeEach('set required role', async function () { + this.role = { id: 3597243n }; + await this.manager.$_setTargetFunctionRole( + this.target, + this.target[method].getFragment().selector, + this.role.id, + ); + }); + + describe('restrictions', function () { + beforeEach('set method and args', function () { + this.caller = this.user; + this.calldata = this.target.interface.encodeFunctionData(method, []); + }); + + shouldBehaveLikeAManagedRestrictedOperation(); + }); + + it('succeeds called by a role member', async function () { + await this.manager.$_grantRole(this.role.id, this.user, 0, 0); + + await expect(this.target.connect(this.user)[method]()) + .to.emit(this.target, 'CalledRestricted') + .withArgs(this.user); + }); + }); + + describe('when calling a non-restricted target function', function () { + const method = 'fnUnrestricted()'; + + beforeEach('set required role', async function () { + this.role = { id: 879435n }; + await this.manager.$_setTargetFunctionRole( + this.target, + this.target[method].getFragment().selector, + this.role.id, + ); + }); + + it('succeeds called by anyone', async function () { + await expect(this.target.connect(this.user)[method]()) + .to.emit(this.target, 'CalledUnrestricted') + .withArgs(this.user); + }); + }); + }); + + describe('#schedule', function () { + beforeEach('set target function role', async function () { + this.method = this.target.fnRestricted.getFragment(); + this.role = { id: 498305n }; + this.caller = this.user; + + await this.manager.$_setTargetFunctionRole(this.target, this.method.selector, this.role.id); + await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // nonzero execution delay + + this.calldata = this.target.interface.encodeFunctionData(this.method, []); + this.delay = time.duration.weeks(2); + }); + + describe('restrictions', function () { + testAsCanCall({ + closed() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + const { schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + await expect(schedule()) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + open: { + callerIsTheManager: { + executing() { + it.skip('is not reachable because schedule is not restrictable'); + }, + notExecuting() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + const { schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + await expect(schedule()) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + }, + callerIsNotTheManager: { + publicRoleIsRequired() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + // prepareOperation is not used here because it alters the next block timestamp + await expect(this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + specificRoleIsRequired: { + requiredRoleIsGranted: { + roleGrantingIsDelayed: { + callerHasAnExecutionDelay: { + beforeGrantDelay() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + // prepareOperation is not used here because it alters the next block timestamp + await expect(this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + afterGrantDelay() { + it('succeeds', async function () { + // prepareOperation is not used here because it alters the next block timestamp + await this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48); + }); + }, + }, + callerHasNoExecutionDelay: { + beforeGrantDelay() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + // prepareOperation is not used here because it alters the next block timestamp + await expect(this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + afterGrantDelay() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + // prepareOperation is not used here because it alters the next block timestamp + await expect(this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + }, + }, + roleGrantingIsNotDelayed: { + callerHasAnExecutionDelay() { + it('succeeds', async function () { + const { schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + + await schedule(); + }); + }, + callerHasNoExecutionDelay() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + // prepareOperation is not used here because it alters the next block timestamp + await expect(this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + }, + }, + requiredRoleIsNotGranted() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + const { schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + await expect(schedule()) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + }, + }, + }, + }); + }); + + it('schedules an operation at the specified execution date if it is larger than caller execution delay', async function () { + const { operationId, scheduledAt, schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + + const txResponse = await schedule(); + + await expect(this.manager.getSchedule(operationId)).to.eventually.equal(scheduledAt + this.delay); + await expect(txResponse) + .to.emit(this.manager, 'OperationScheduled') + .withArgs(operationId, '1', scheduledAt + this.delay, this.caller, this.target, this.calldata); + }); + + it('schedules an operation at the minimum execution date if no specified execution date (when == 0)', async function () { + const executionDelay = await time.duration.hours(72); + await this.manager.$_grantRole(this.role.id, this.caller, 0, executionDelay); + + const txResponse = await this.manager.connect(this.caller).schedule(this.target, this.calldata, 0); + const scheduledAt = await time.clockFromReceipt.timestamp(txResponse); + + const operationId = await this.manager.hashOperation(this.caller, this.target, this.calldata); + + await expect(this.manager.getSchedule(operationId)).to.eventually.equal(scheduledAt + executionDelay); + await expect(txResponse) + .to.emit(this.manager, 'OperationScheduled') + .withArgs(operationId, '1', scheduledAt + executionDelay, this.caller, this.target, this.calldata); + }); + + it('increases the nonce of an operation scheduled more than once', async function () { + // Setup and check initial nonce + const expectedOperationId = hashOperation(this.caller, this.target, this.calldata); + await expect(this.manager.getNonce(expectedOperationId)).to.eventually.equal('0'); + + // Schedule + const op1 = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + await expect(op1.schedule()) + .to.emit(this.manager, 'OperationScheduled') + .withArgs(op1.operationId, 1n, op1.scheduledAt + this.delay, this.caller, this.target, this.calldata); + expect(expectedOperationId).to.equal(op1.operationId); + + // Consume + await time.increaseBy.timestamp(this.delay); + await this.manager.$_consumeScheduledOp(expectedOperationId); + + // Check nonce + await expect(this.manager.getNonce(expectedOperationId)).to.eventually.equal('1'); + + // Schedule again + const op2 = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + await expect(op2.schedule()) + .to.emit(this.manager, 'OperationScheduled') + .withArgs(op2.operationId, 2n, op2.scheduledAt + this.delay, this.caller, this.target, this.calldata); + expect(expectedOperationId).to.equal(op2.operationId); + + // Check final nonce + await expect(this.manager.getNonce(expectedOperationId)).to.eventually.equal('2'); + }); + + it('reverts if the specified execution date is before the current timestamp + caller execution delay', async function () { + const executionDelay = time.duration.weeks(1) + this.delay; + await this.manager.$_grantRole(this.role.id, this.caller, 0, executionDelay); + + const { schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + + await expect(schedule()) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + + it('reverts if an operation is already schedule', async function () { + const op1 = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + + await op1.schedule(); + + const op2 = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + + await expect(op2.schedule()) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerAlreadyScheduled') + .withArgs(op1.operationId); + }); + + it('panics scheduling calldata with less than 4 bytes', async function () { + const calldata = '0x1234'; // 2 bytes + + // Managed contract + const op1 = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: calldata, + delay: this.delay, + }); + await expect(op1.schedule()).to.be.revertedWithoutReason(); + + // Manager contract + const op2 = await prepareOperation(this.manager, { + caller: this.caller, + target: this.manager, + calldata: calldata, + delay: this.delay, + }); + await expect(op2.schedule()).to.be.revertedWithoutReason(); + }); + + it('reverts scheduling an unknown operation to the manager', async function () { + const calldata = '0x12345678'; + + const { schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.manager, + calldata, + delay: this.delay, + }); + + await expect(schedule()) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.manager, calldata); + }); + }); + + describe('#execute', function () { + beforeEach('set target function role', async function () { + this.method = this.target.fnRestricted.getFragment(); + this.role = { id: 9825430n }; + this.caller = this.user; + + await this.manager.$_setTargetFunctionRole(this.target, this.method.selector, this.role.id); + await this.manager.$_grantRole(this.role.id, this.caller, 0, 0); + + this.calldata = this.target.interface.encodeFunctionData(this.method, []); + }); + + describe('restrictions', function () { + testAsCanCall({ + closed() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + open: { + callerIsTheManager: { + executing() { + it('succeeds', async function () { + await this.manager.connect(this.caller).execute(this.target, this.calldata); + }); + }, + notExecuting() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + }, + callerIsNotTheManager: { + publicRoleIsRequired() { + it('succeeds', async function () { + await this.manager.connect(this.caller).execute(this.target, this.calldata); + }); + }, + specificRoleIsRequired: { + requiredRoleIsGranted: { + roleGrantingIsDelayed: { + callerHasAnExecutionDelay: { + beforeGrantDelay() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + afterGrantDelay: function self() { + self.mineDelay = true; + + beforeEach('define schedule delay', function () { + this.scheduleIn = time.duration.days(21); // For testAsSchedulableOperation + }); + + testAsSchedulableOperation(LIKE_COMMON_SCHEDULABLE); + }, + }, + callerHasNoExecutionDelay: { + beforeGrantDelay() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + afterGrantDelay: function self() { + self.mineDelay = true; + + it('succeeds', async function () { + await this.manager.connect(this.caller).execute(this.target, this.calldata); + }); + }, + }, + }, + roleGrantingIsNotDelayed: { + callerHasAnExecutionDelay() { + beforeEach('define schedule delay', function () { + this.scheduleIn = time.duration.days(15); // For testAsSchedulableOperation + }); + + testAsSchedulableOperation(LIKE_COMMON_SCHEDULABLE); + }, + callerHasNoExecutionDelay() { + it('succeeds', async function () { + await this.manager.connect(this.caller).execute(this.target, this.calldata); + }); + }, + }, + }, + requiredRoleIsNotGranted() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + }, + }, + }, + }); + }); + + it('executes with a delay consuming the scheduled operation', async function () { + const delay = time.duration.hours(4); + await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // Execution delay is needed so the operation is consumed + + const { operationId, schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay, + }); + await schedule(); + await time.increaseBy.timestamp(delay); + await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) + .to.emit(this.manager, 'OperationExecuted') + .withArgs(operationId, 1n); + + await expect(this.manager.getSchedule(operationId)).to.eventually.equal(0n); + }); + + it('executes with no delay consuming a scheduled operation', async function () { + const delay = time.duration.hours(4); + + // give caller an execution delay + await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); + + const { operationId, schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay, + }); + await schedule(); + + // remove the execution delay + await this.manager.$_grantRole(this.role.id, this.caller, 0, 0); + + await time.increaseBy.timestamp(delay); + await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) + .to.emit(this.manager, 'OperationExecuted') + .withArgs(operationId, 1n); + + await expect(this.manager.getSchedule(operationId)).to.eventually.equal(0n); + }); + + it('keeps the original _executionId after finishing the call', async function () { + const executionIdBefore = await ethers.provider.getStorage(this.manager, EXECUTION_ID_STORAGE_SLOT); + await this.manager.connect(this.caller).execute(this.target, this.calldata); + const executionIdAfter = await ethers.provider.getStorage(this.manager, EXECUTION_ID_STORAGE_SLOT); + expect(executionIdBefore).to.equal(executionIdAfter); + }); + + it('reverts executing twice', async function () { + const delay = time.duration.hours(2); + await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // Execution delay is needed so the operation is consumed + + const { operationId, schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay, + }); + await schedule(); + await time.increaseBy.timestamp(delay); + await this.manager.connect(this.caller).execute(this.target, this.calldata); + await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerNotScheduled') + .withArgs(operationId); + }); + }); + + describe('#consumeScheduledOp', function () { + beforeEach('define scheduling parameters', async function () { + const method = this.target.fnRestricted.getFragment(); + this.caller = await ethers.getSigner(this.target.target); + await impersonate(this.caller.address); + this.calldata = this.target.interface.encodeFunctionData(method, []); + this.role = { id: 9834983n }; + + await this.manager.$_setTargetFunctionRole(this.target, method.selector, this.role.id); + await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // nonzero execution delay + + this.scheduleIn = time.duration.hours(10); // For testAsSchedulableOperation + }); + + describe('when caller is not consuming scheduled operation', function () { + beforeEach('set consuming false', async function () { + await this.target.setIsConsumingScheduledOp(false, ethers.toBeHex(CONSUMING_SCHEDULE_STORAGE_SLOT, 32)); + }); + + it('reverts as AccessManagerUnauthorizedConsume', async function () { + await expect(this.manager.connect(this.caller).consumeScheduledOp(this.caller, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedConsume') + .withArgs(this.caller); + }); + }); + + describe('when caller is consuming scheduled operation', function () { + beforeEach('set consuming true', async function () { + await this.target.setIsConsumingScheduledOp(true, ethers.toBeHex(CONSUMING_SCHEDULE_STORAGE_SLOT, 32)); + }); + + testAsSchedulableOperation({ + scheduled: { + before() { + it('reverts as AccessManagerNotReady', async function () { + await expect(this.manager.connect(this.caller).consumeScheduledOp(this.caller, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerNotReady') + .withArgs(this.operationId); + }); + }, + after() { + it('consumes the scheduled operation and resets timepoint', async function () { + await expect(this.manager.getSchedule(this.operationId)).to.eventually.equal( + this.scheduledAt + this.scheduleIn, + ); + + await expect(this.manager.connect(this.caller).consumeScheduledOp(this.caller, this.calldata)) + .to.emit(this.manager, 'OperationExecuted') + .withArgs(this.operationId, 1n); + await expect(this.manager.getSchedule(this.operationId)).to.eventually.equal(0n); + }); + }, + expired() { + it('reverts as AccessManagerExpired', async function () { + await expect(this.manager.connect(this.caller).consumeScheduledOp(this.caller, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerExpired') + .withArgs(this.operationId); + }); + }, + }, + notScheduled() { + it('reverts as AccessManagerNotScheduled', async function () { + await expect(this.manager.connect(this.caller).consumeScheduledOp(this.caller, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerNotScheduled') + .withArgs(this.operationId); + }); + }, + }); + }); + }); + + describe('#cancelScheduledOp', function () { + beforeEach('setup scheduling', async function () { + this.method = this.target.fnRestricted.getFragment(); + this.caller = this.roles.SOME.members[0]; + await this.manager.$_setTargetFunctionRole(this.target, this.method.selector, this.roles.SOME.id); + await this.manager.$_grantRole(this.roles.SOME.id, this.caller, 0, 1); // nonzero execution delay + + this.calldata = this.target.interface.encodeFunctionData(this.method, []); + this.scheduleIn = time.duration.days(10); // For testAsSchedulableOperation + }); + + testAsSchedulableOperation({ + scheduled: { + before() { + describe('when caller is the scheduler', function () { + it('succeeds', async function () { + await this.manager.connect(this.caller).cancel(this.caller, this.target, this.calldata); + }); + }); + + describe('when caller is an admin', function () { + it('succeeds', async function () { + await this.manager.connect(this.roles.ADMIN.members[0]).cancel(this.caller, this.target, this.calldata); + }); + }); + + describe('when caller is the role guardian', function () { + it('succeeds', async function () { + await this.manager + .connect(this.roles.SOME_GUARDIAN.members[0]) + .cancel(this.caller, this.target, this.calldata); + }); + }); + + describe('when caller is any other account', function () { + it('reverts as AccessManagerUnauthorizedCancel', async function () { + await expect(this.manager.connect(this.other).cancel(this.caller, this.target, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCancel') + .withArgs(this.other, this.caller, this.target, this.method.selector); + }); + }); + }, + after() { + it('succeeds', async function () { + await this.manager.connect(this.caller).cancel(this.caller, this.target, this.calldata); + }); + }, + expired() { + it('succeeds', async function () { + await this.manager.connect(this.caller).cancel(this.caller, this.target, this.calldata); + }); + }, + }, + notScheduled() { + it('reverts as AccessManagerNotScheduled', async function () { + await expect(this.manager.cancel(this.caller, this.target, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerNotScheduled') + .withArgs(this.operationId); + }); + }, + }); + + it('cancels an operation and resets schedule', async function () { + const { operationId, schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.scheduleIn, + }); + await schedule(); + await expect(this.manager.connect(this.caller).cancel(this.caller, this.target, this.calldata)) + .to.emit(this.manager, 'OperationCanceled') + .withArgs(operationId, 1n); + await expect(this.manager.getSchedule(operationId)).to.eventually.equal('0'); + }); + }); + + describe('with Ownable target contract', function () { + const roleId = 1n; + + beforeEach(async function () { + this.ownable = await ethers.deployContract('$Ownable', [this.manager]); + + // add user to role + await this.manager.$_grantRole(roleId, this.user, 0, 0); + }); + + it('initial state', async function () { + await expect(this.ownable.owner()).to.eventually.equal(this.manager); + }); + + describe('Contract is closed', function () { + beforeEach(async function () { + await this.manager.$_setTargetClosed(this.ownable, true); + }); + + it('directly call: reverts', async function () { + await expect(this.ownable.connect(this.user).$_checkOwner()) + .to.be.revertedWithCustomError(this.ownable, 'OwnableUnauthorizedAccount') + .withArgs(this.user); + }); + + it('relayed call (with role): reverts', async function () { + await expect( + this.manager.connect(this.user).execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector), + ) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.user, this.ownable, this.ownable.$_checkOwner.getFragment().selector); + }); + + it('relayed call (without role): reverts', async function () { + await expect( + this.manager.connect(this.other).execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector), + ) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.other, this.ownable, this.ownable.$_checkOwner.getFragment().selector); + }); + }); + + describe('Contract is managed', function () { + describe('function is open to specific role', function () { + beforeEach(async function () { + await this.manager.$_setTargetFunctionRole( + this.ownable, + this.ownable.$_checkOwner.getFragment().selector, + roleId, + ); + }); + + it('directly call: reverts', async function () { + await expect(this.ownable.connect(this.user).$_checkOwner()) + .to.be.revertedWithCustomError(this.ownable, 'OwnableUnauthorizedAccount') + .withArgs(this.user); + }); + + it('relayed call (with role): success', async function () { + await this.manager.connect(this.user).execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector); + }); + + it('relayed call (without role): reverts', async function () { + await expect( + this.manager.connect(this.other).execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector), + ) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.other, this.ownable, this.ownable.$_checkOwner.getFragment().selector); + }); + }); + + describe('function is open to public role', function () { + beforeEach(async function () { + await this.manager.$_setTargetFunctionRole( + this.ownable, + this.ownable.$_checkOwner.getFragment().selector, + this.roles.PUBLIC.id, + ); + }); + + it('directly call: reverts', async function () { + await expect(this.ownable.connect(this.user).$_checkOwner()) + .to.be.revertedWithCustomError(this.ownable, 'OwnableUnauthorizedAccount') + .withArgs(this.user); + }); + + it('relayed call (with role): success', async function () { + await this.manager.connect(this.user).execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector); + }); + + it('relayed call (without role): success', async function () { + await this.manager + .connect(this.other) + .execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector); + }); + }); + }); + }); +} + +// ============ ENUMERABLE EXTENSION ============ + +/** + * @requires this.{manager,roles,admin,user,other,target,target2} + */ +function shouldBehaveLikeAccessManagerEnumerable() { + describe('enumerating', function () { + const ANOTHER_ROLE = 0xdeadc0de2n; + + describe('role members', function () { + it('role bearers can be enumerated', async function () { + // Grant roles to multiple accounts + await this.manager.connect(this.admin).grantRole(ANOTHER_ROLE, this.user, 0); + await this.manager.connect(this.admin).grantRole(ANOTHER_ROLE, this.other, 0); + await this.manager.connect(this.admin).grantRole(ANOTHER_ROLE, this.admin, 0); + + // Revoke one role + await this.manager.connect(this.admin).revokeRole(ANOTHER_ROLE, this.other); + + const expectedMembers = [this.user.address, this.admin.address]; + + // Test individual enumeration + const memberCount = await this.manager.getRoleMemberCount(ANOTHER_ROLE); + const members = Array.from({ length: Number(memberCount) }, (_, i) => + this.manager.getRoleMember(ANOTHER_ROLE, i), + ); + + expect(memberCount).to.equal(expectedMembers.length); + await expect(Promise.all(members)).to.eventually.deep.equal(expectedMembers); + + // Test batch enumeration + await expect(this.manager.getRoleMembers(ANOTHER_ROLE, 0, ethers.MaxUint256)).to.eventually.deep.equal( + expectedMembers, + ); + }); + + it('role enumeration should be in sync after renounceRole call', async function () { + await this.manager.connect(this.admin).grantRole(ANOTHER_ROLE, this.user, 0); + + await expect(this.manager.getRoleMemberCount(ANOTHER_ROLE)).to.eventually.equal(1); // Only the initial member + await this.manager.connect(this.admin).grantRole(ANOTHER_ROLE, this.admin, 0); + await expect(this.manager.getRoleMemberCount(ANOTHER_ROLE)).to.eventually.equal(2); + await this.manager.connect(this.admin).renounceRole(ANOTHER_ROLE, this.admin); + await expect(this.manager.getRoleMemberCount(ANOTHER_ROLE)).to.eventually.equal(1); + }); + + it('returns empty for roles with no members', async function () { + const roleId = 999n; // Non-existent role + + await expect(this.manager.getRoleMemberCount(roleId)).to.eventually.equal(0); + await expect(this.manager.getRoleMembers(roleId, 0, 10)).to.eventually.deep.equal([]); + }); + + it('supports partial enumeration with start and end parameters', async function () { + // Grant roles to multiple accounts + await this.manager.connect(this.admin).grantRole(ANOTHER_ROLE, this.user, 0); + await this.manager.connect(this.admin).grantRole(ANOTHER_ROLE, this.other, 0); + await this.manager.connect(this.admin).grantRole(ANOTHER_ROLE, this.admin, 0); + + await expect(this.manager.getRoleMemberCount(ANOTHER_ROLE)).to.eventually.equal(3); + + const users = [this.user.address, this.other.address, this.admin.address]; + + // Test partial enumeration + const firstTwo = await this.manager.getRoleMembers(ANOTHER_ROLE, 0, 2); + expect(firstTwo).to.have.lengthOf(2); + expect(users).to.include.members(firstTwo); + + const lastTwo = await this.manager.getRoleMembers(ANOTHER_ROLE, 1, 3); + expect(lastTwo).to.have.lengthOf(2); + expect(users).to.include.members(lastTwo); + }); + }); + + describe('target functions', function () { + it('target functions can be enumerated', async function () { + const roleId = this.roles.SOME.id; + const target = this.target; + const selectors = ['someFunction()', 'anotherFunction(uint256)', 'thirdFunction(address,bool)'].map(selector); + + await this.manager.connect(this.admin).setTargetFunctionRole(target, selectors, roleId); + + const functionCount = await this.manager.getRoleTargetFunctionCount(roleId, target); + const functions = Array.from({ length: Number(functionCount) }, (_, i) => + this.manager.getRoleTargetFunction(roleId, target, i), + ); + + expect(functionCount).to.equal(selectors.length); + await expect(Promise.all(functions)).to.eventually.have.members(selectors); + + // Test batch enumeration + await expect( + this.manager.getRoleTargetFunctions(roleId, target, 0, ethers.MaxUint256), + ).to.eventually.deep.equal(selectors); + }); + + it('target function enumeration updates when roles change', async function () { + const roleId1 = this.roles.SOME.id; + const roleId2 = this.roles.SOME_ADMIN.id; + const target = this.target; + const sel = selector('testFunction()'); + + // Initially assign to roleId1 + await this.manager.connect(this.admin).setTargetFunctionRole(target, [sel], roleId1); + + await expect(this.manager.getRoleTargetFunctionCount(roleId1, target)).to.eventually.equal(1); + await expect(this.manager.getRoleTargetFunctionCount(roleId2, target)).to.eventually.equal(0); + await expect(this.manager.getRoleTargetFunction(roleId1, target, 0)).to.eventually.equal(sel); + + // Reassign to roleId2 + await this.manager.connect(this.admin).setTargetFunctionRole(target, [sel], roleId2); + + await expect(this.manager.getRoleTargetFunctionCount(roleId1, target)).to.eventually.equal(0); + await expect(this.manager.getRoleTargetFunctionCount(roleId2, target)).to.eventually.equal(1); + await expect(this.manager.getRoleTargetFunction(roleId2, target, 0)).to.eventually.equal(sel); + }); + + it('returns empty for ADMIN_ROLE target functions', async function () { + const target = this.target; + const sel = selector('adminFunction()'); + + // Set function to ADMIN_ROLE (default behavior) + await this.manager.connect(this.admin).setTargetFunctionRole(target, [sel], this.roles.ADMIN.id); + + // ADMIN_ROLE functions are not tracked + await expect(this.manager.getRoleTargetFunctionCount(this.roles.ADMIN.id, target)).to.eventually.equal(0); + await expect( + this.manager.getRoleTargetFunctions(this.roles.ADMIN.id, target, 0, ethers.MaxUint256), + ).to.eventually.deep.equal([]); + }); + + it('returns empty for roles with no target functions', async function () { + const roleId = 888n; // Role with no functions + const target = this.target; + + await expect(this.manager.getRoleTargetFunctionCount(roleId, target)).to.eventually.equal(0); + await expect( + this.manager.getRoleTargetFunctions(roleId, target, 0, ethers.MaxUint256), + ).to.eventually.deep.equal([]); + }); + + it('supports partial enumeration of target functions', async function () { + const roleId = this.roles.SOME.id; + const target = this.target; + const selectors = ['func1()', 'func2()', 'func3()', 'func4()'].map(selector); + + await this.manager.connect(this.admin).setTargetFunctionRole(target, selectors, roleId); + + await expect(this.manager.getRoleTargetFunctionCount(roleId, target)).to.eventually.equal(4); + + // Test partial enumeration + const firstTwo = await this.manager.getRoleTargetFunctions(roleId, target, 0, 2); + expect(firstTwo).to.have.lengthOf(2); + expect(selectors).to.include.members(firstTwo); + + const lastTwo = await this.manager.getRoleTargetFunctions(roleId, target, 2, 4); + expect(lastTwo).to.have.lengthOf(2); + expect(selectors).to.include.members(firstTwo); + + // Verify no overlap and complete coverage + expect([].concat(firstTwo, lastTwo)).to.have.members(selectors); + }); + + it('distinguishes between different targets', async function () { + const roleId = this.roles.SOME.id; + const target1 = this.target; + const target2 = this.target2; + const sel1 = selector('target1Function()'); + const sel2 = selector('target2Function()'); + + // Set different functions for the same role on different targets + await this.manager.connect(this.admin).setTargetFunctionRole(target1, [sel1], roleId); + await this.manager.connect(this.admin).setTargetFunctionRole(target2, [sel2], roleId); + + // Each target should have its own function tracked + await expect(this.manager.getRoleTargetFunctionCount(roleId, target1)).to.eventually.equal(1); + await expect(this.manager.getRoleTargetFunctionCount(roleId, target2)).to.eventually.equal(1); + + await expect(this.manager.getRoleTargetFunction(roleId, target1, 0)).to.eventually.equal(sel1); + await expect(this.manager.getRoleTargetFunction(roleId, target2, 0)).to.eventually.equal(sel2); + + // Functions should be isolated per target + await expect( + this.manager.getRoleTargetFunctions(roleId, target1, 0, ethers.MaxUint256), + ).to.eventually.deep.equal([sel1]); + await expect( + this.manager.getRoleTargetFunctions(roleId, target2, 0, ethers.MaxUint256), + ).to.eventually.deep.equal([sel2]); + }); + }); + }); +} + module.exports = { shouldBehaveLikeDelayedAdminOperation, shouldBehaveLikeNotDelayedAdminOperation, shouldBehaveLikeRoleAdminOperation, shouldBehaveLikeAManagedRestrictedOperation, shouldBehaveLikeASelfRestrictedOperation, + shouldBehaveLikeAccessManager, + shouldBehaveLikeAccessManagerEnumerable, }; diff --git a/test/access/manager/AccessManager.test.js b/test/access/manager/AccessManager.test.js index 7726831b268..9eed99ee713 100644 --- a/test/access/manager/AccessManager.test.js +++ b/test/access/manager/AccessManager.test.js @@ -1,40 +1,7 @@ const { ethers } = require('hardhat'); -const { expect } = require('chai'); const { loadFixture } = require('@nomicfoundation/hardhat-network-helpers'); - -const { impersonate } = require('../../helpers/account'); -const { MAX_UINT48 } = require('../../helpers/constants'); -const { selector } = require('../../helpers/methods'); -const time = require('../../helpers/time'); - -const { - buildBaseRoles, - formatAccess, - EXPIRATION, - MINSETBACK, - EXECUTION_ID_STORAGE_SLOT, - CONSUMING_SCHEDULE_STORAGE_SLOT, - prepareOperation, - hashOperation, -} = require('../../helpers/access-manager'); - -const { - shouldBehaveLikeDelayedAdminOperation, - shouldBehaveLikeNotDelayedAdminOperation, - shouldBehaveLikeRoleAdminOperation, - shouldBehaveLikeAManagedRestrictedOperation, - shouldBehaveLikeASelfRestrictedOperation, -} = require('./AccessManager.behavior'); - -const { - LIKE_COMMON_SCHEDULABLE, - testAsClosable, - testAsDelay, - testAsSchedulableOperation, - testAsCanCall, - testAsHasRole, - testAsGetAccess, -} = require('./AccessManager.predicate'); +const { buildBaseRoles } = require('../../helpers/access-manager'); +const { shouldBehaveLikeAccessManager } = require('./AccessManager.behavior'); async function fixture() { const [admin, roleAdmin, roleGuardian, member, user, other] = await ethers.getSigners(); @@ -83,2407 +50,10 @@ async function fixture() { }; } -// This test suite is made using the following tools: -// -// * Predicates: Functions with common conditional setups without assertions. -// * Behaviors: Functions with common assertions. -// -// The behavioral tests are built by composing predicates and are used as templates -// for testing access to restricted functions. -// -// Similarly, unit tests in this suite will use predicates to test subsets of these -// behaviors and are helped by common assertions provided for some of the predicates. -// -// The predicates can be identified by the `testAs*` prefix while the behaviors -// are prefixed with `shouldBehave*`. The common assertions for predicates are -// defined as constants. describe('AccessManager', function () { beforeEach(async function () { Object.assign(this, await loadFixture(fixture)); }); - describe('during construction', function () { - it('grants admin role to initialAdmin', async function () { - const manager = await ethers.deployContract('$AccessManager', [this.other]); - expect(await manager.hasRole(this.roles.ADMIN.id, this.other).then(formatAccess)).to.be.deep.equal([true, '0']); - }); - - it('rejects zero address for initialAdmin', async function () { - await expect(ethers.deployContract('$AccessManager', [ethers.ZeroAddress])) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerInvalidInitialAdmin') - .withArgs(ethers.ZeroAddress); - }); - - it('initializes setup roles correctly', async function () { - for (const { id: roleId, admin, guardian, members } of Object.values(this.roles)) { - expect(await this.manager.getRoleAdmin(roleId)).to.equal(admin.id); - expect(await this.manager.getRoleGuardian(roleId)).to.equal(guardian.id); - - for (const user of this.roles.PUBLIC.members) { - expect(await this.manager.hasRole(roleId, user).then(formatAccess)).to.be.deep.equal([ - members.includes(user), - '0', - ]); - } - } - }); - }); - - describe('getters', function () { - describe('#canCall', function () { - beforeEach('set calldata', function () { - this.calldata = '0x12345678'; - this.role = { id: 379204n }; - }); - - testAsCanCall({ - closed() { - it('should return false and no delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.other, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.false; - expect(delay).to.equal(0n); - }); - }, - open: { - callerIsTheManager: { - executing() { - it('should return true and no delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.true; - expect(delay).to.equal(0n); - }); - }, - notExecuting() { - it('should return false and no delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.false; - expect(delay).to.equal(0n); - }); - }, - }, - callerIsNotTheManager: { - publicRoleIsRequired() { - it('should return true and no delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.true; - expect(delay).to.equal(0n); - }); - }, - specificRoleIsRequired: { - requiredRoleIsGranted: { - roleGrantingIsDelayed: { - callerHasAnExecutionDelay: { - beforeGrantDelay: function self() { - self.mineDelay = true; - - it('should return false and no execution delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.false; - expect(delay).to.equal(0n); - }); - }, - afterGrantDelay: function self() { - self.mineDelay = true; - - beforeEach('sets execution delay', function () { - this.scheduleIn = this.executionDelay; // For testAsSchedulableOperation - }); - - testAsSchedulableOperation({ - scheduled: { - before: function self() { - self.mineDelay = true; - - it('should return false and execution delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.false; - expect(delay).to.equal(this.executionDelay); - }); - }, - after: function self() { - self.mineDelay = true; - - it('should return false and execution delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.false; - expect(delay).to.equal(this.executionDelay); - }); - }, - expired: function self() { - self.mineDelay = true; - - it('should return false and execution delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.false; - expect(delay).to.equal(this.executionDelay); - }); - }, - }, - notScheduled() { - it('should return false and execution delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.false; - expect(delay).to.equal(this.executionDelay); - }); - }, - }); - }, - }, - callerHasNoExecutionDelay: { - beforeGrantDelay: function self() { - self.mineDelay = true; - - it('should return false and no execution delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.false; - expect(delay).to.equal(0n); - }); - }, - afterGrantDelay: function self() { - self.mineDelay = true; - - it('should return true and no execution delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.true; - expect(delay).to.equal(0n); - }); - }, - }, - }, - roleGrantingIsNotDelayed: { - callerHasAnExecutionDelay() { - it('should return false and execution delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.false; - expect(delay).to.equal(this.executionDelay); - }); - }, - callerHasNoExecutionDelay() { - it('should return true and no execution delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.true; - expect(delay).to.equal(0n); - }); - }, - }, - }, - requiredRoleIsNotGranted() { - it('should return false and no execution delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.false; - expect(delay).to.equal(0n); - }); - }, - }, - }, - }, - }); - }); - - describe('#expiration', function () { - it('has a 7 days default expiration', async function () { - expect(await this.manager.expiration()).to.equal(EXPIRATION); - }); - }); - - describe('#minSetback', function () { - it('has a 5 days default minimum setback', async function () { - expect(await this.manager.minSetback()).to.equal(MINSETBACK); - }); - }); - - describe('#isTargetClosed', function () { - testAsClosable({ - closed() { - it('returns true', async function () { - expect(await this.manager.isTargetClosed(this.target)).to.be.true; - }); - }, - open() { - it('returns false', async function () { - expect(await this.manager.isTargetClosed(this.target)).to.be.false; - }); - }, - }); - }); - - describe('#getTargetFunctionRole', function () { - const methodSelector = selector('something(address,bytes)'); - - it('returns the target function role', async function () { - const roleId = 21498n; - await this.manager.$_setTargetFunctionRole(this.target, methodSelector, roleId); - - expect(await this.manager.getTargetFunctionRole(this.target, methodSelector)).to.equal(roleId); - }); - - it('returns the ADMIN role if not set', async function () { - expect(await this.manager.getTargetFunctionRole(this.target, methodSelector)).to.equal(this.roles.ADMIN.id); - }); - }); - - describe('#getTargetAdminDelay', function () { - describe('when the target admin delay is setup', function () { - beforeEach('set target admin delay', async function () { - this.oldDelay = await this.manager.getTargetAdminDelay(this.target); - this.newDelay = time.duration.days(10); - - await this.manager.$_setTargetAdminDelay(this.target, this.newDelay); - this.delay = MINSETBACK; // For testAsDelay - }); - - testAsDelay('effect', { - before: function self() { - self.mineDelay = true; - - it('returns the old target admin delay', async function () { - expect(await this.manager.getTargetAdminDelay(this.target)).to.equal(this.oldDelay); - }); - }, - after: function self() { - self.mineDelay = true; - - it('returns the new target admin delay', async function () { - expect(await this.manager.getTargetAdminDelay(this.target)).to.equal(this.newDelay); - }); - }, - }); - }); - - it('returns the 0 if not set', async function () { - expect(await this.manager.getTargetAdminDelay(this.target)).to.equal(0n); - }); - }); - - describe('#getRoleAdmin', function () { - const roleId = 5234907n; - - it('returns the role admin', async function () { - const adminId = 789433n; - - await this.manager.$_setRoleAdmin(roleId, adminId); - - expect(await this.manager.getRoleAdmin(roleId)).to.equal(adminId); - }); - - it('returns the ADMIN role if not set', async function () { - expect(await this.manager.getRoleAdmin(roleId)).to.equal(this.roles.ADMIN.id); - }); - }); - - describe('#getRoleGuardian', function () { - const roleId = 5234907n; - - it('returns the role guardian', async function () { - const guardianId = 789433n; - - await this.manager.$_setRoleGuardian(roleId, guardianId); - - expect(await this.manager.getRoleGuardian(roleId)).to.equal(guardianId); - }); - - it('returns the ADMIN role if not set', async function () { - expect(await this.manager.getRoleGuardian(roleId)).to.equal(this.roles.ADMIN.id); - }); - }); - - describe('#getRoleGrantDelay', function () { - const roleId = 9248439n; - - describe('when the grant admin delay is setup', function () { - beforeEach('set grant admin delay', async function () { - this.oldDelay = await this.manager.getRoleGrantDelay(roleId); - this.newDelay = time.duration.days(11); - - await this.manager.$_setGrantDelay(roleId, this.newDelay); - this.delay = MINSETBACK; // For testAsDelay - }); - - testAsDelay('grant', { - before: function self() { - self.mineDelay = true; - - it('returns the old role grant delay', async function () { - expect(await this.manager.getRoleGrantDelay(roleId)).to.equal(this.oldDelay); - }); - }, - after: function self() { - self.mineDelay = true; - - it('returns the new role grant delay', async function () { - expect(await this.manager.getRoleGrantDelay(roleId)).to.equal(this.newDelay); - }); - }, - }); - }); - - it('returns 0 if delay is not set', async function () { - expect(await this.manager.getTargetAdminDelay(this.target)).to.equal(0n); - }); - }); - - describe('#getAccess', function () { - beforeEach('set role', function () { - this.role = { id: 9452n }; - this.caller = this.user; - }); - - testAsGetAccess({ - requiredRoleIsGranted: { - roleGrantingIsDelayed: { - callerHasAnExecutionDelay: { - beforeGrantDelay: function self() { - self.mineDelay = true; - - it('role is not in effect and execution delay is set', async function () { - const access = await this.manager.getAccess(this.role.id, this.caller); - expect(access[0]).to.equal(this.delayEffect); // inEffectSince - expect(access[1]).to.equal(this.executionDelay); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Not in effect yet - expect(await time.clock.timestamp()).to.lt(access[0]); - }); - }, - afterGrantDelay: function self() { - self.mineDelay = true; - - it('access has role in effect and execution delay is set', async function () { - const access = await this.manager.getAccess(this.role.id, this.caller); - - expect(access[0]).to.equal(this.delayEffect); // inEffectSince - expect(access[1]).to.equal(this.executionDelay); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Already in effect - expect(await time.clock.timestamp()).to.equal(access[0]); - }); - }, - }, - callerHasNoExecutionDelay: { - beforeGrantDelay: function self() { - self.mineDelay = true; - - it('access has role not in effect without execution delay', async function () { - const access = await this.manager.getAccess(this.role.id, this.caller); - expect(access[0]).to.equal(this.delayEffect); // inEffectSince - expect(access[1]).to.equal(0n); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Not in effect yet - expect(await time.clock.timestamp()).to.lt(access[0]); - }); - }, - afterGrantDelay: function self() { - self.mineDelay = true; - - it('role is in effect without execution delay', async function () { - const access = await this.manager.getAccess(this.role.id, this.caller); - expect(access[0]).to.equal(this.delayEffect); // inEffectSince - expect(access[1]).to.equal(0n); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Already in effect - expect(await time.clock.timestamp()).to.equal(access[0]); - }); - }, - }, - }, - roleGrantingIsNotDelayed: { - callerHasAnExecutionDelay() { - it('access has role in effect and execution delay is set', async function () { - const access = await this.manager.getAccess(this.role.id, this.caller); - expect(access[0]).to.equal(await time.clock.timestamp()); // inEffectSince - expect(access[1]).to.equal(this.executionDelay); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Already in effect - expect(await time.clock.timestamp()).to.equal(access[0]); - }); - }, - callerHasNoExecutionDelay() { - it('access has role in effect without execution delay', async function () { - const access = await this.manager.getAccess(this.role.id, this.caller); - expect(access[0]).to.equal(await time.clock.timestamp()); // inEffectSince - expect(access[1]).to.equal(0n); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Already in effect - expect(await time.clock.timestamp()).to.equal(access[0]); - }); - }, - }, - }, - requiredRoleIsNotGranted() { - it('has empty access', async function () { - const access = await this.manager.getAccess(this.role.id, this.caller); - expect(access[0]).to.equal(0n); // inEffectSince - expect(access[1]).to.equal(0n); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - }); - }, - }); - }); - - describe('#hasRole', function () { - beforeEach('setup testAsHasRole', function () { - this.role = { id: 49832n }; - this.calldata = '0x12345678'; - this.caller = this.user; - }); - - testAsHasRole({ - publicRoleIsRequired() { - it('has PUBLIC role', async function () { - const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); - expect(isMember).to.be.true; - expect(executionDelay).to.equal('0'); - }); - }, - specificRoleIsRequired: { - requiredRoleIsGranted: { - roleGrantingIsDelayed: { - callerHasAnExecutionDelay: { - beforeGrantDelay: function self() { - self.mineDelay = true; - - it('does not have role but execution delay', async function () { - const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); - expect(isMember).to.be.false; - expect(executionDelay).to.equal(this.executionDelay); - }); - }, - afterGrantDelay: function self() { - self.mineDelay = true; - - it('has role and execution delay', async function () { - const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); - expect(isMember).to.be.true; - expect(executionDelay).to.equal(this.executionDelay); - }); - }, - }, - callerHasNoExecutionDelay: { - beforeGrantDelay: function self() { - self.mineDelay = true; - - it('does not have role nor execution delay', async function () { - const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); - expect(isMember).to.be.false; - expect(executionDelay).to.equal('0'); - }); - }, - afterGrantDelay: function self() { - self.mineDelay = true; - - it('has role and no execution delay', async function () { - const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); - expect(isMember).to.be.true; - expect(executionDelay).to.equal('0'); - }); - }, - }, - }, - roleGrantingIsNotDelayed: { - callerHasAnExecutionDelay() { - it('has role and execution delay', async function () { - const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); - expect(isMember).to.be.true; - expect(executionDelay).to.equal(this.executionDelay); - }); - }, - callerHasNoExecutionDelay() { - it('has role and no execution delay', async function () { - const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); - expect(isMember).to.be.true; - expect(executionDelay).to.equal('0'); - }); - }, - }, - }, - requiredRoleIsNotGranted() { - it('has no role and no execution delay', async function () { - const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); - expect(isMember).to.be.false; - expect(executionDelay).to.equal('0'); - }); - }, - }, - }); - }); - - describe('#getSchedule', function () { - beforeEach('set role and calldata', async function () { - const fnRestricted = this.target.fnRestricted.getFragment().selector; - this.caller = this.user; - this.role = { id: 493590n }; - await this.manager.$_setTargetFunctionRole(this.target, fnRestricted, this.role.id); - await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // nonzero execution delay - - this.calldata = this.target.interface.encodeFunctionData(fnRestricted, []); - this.scheduleIn = time.duration.days(10); // For testAsSchedulableOperation - }); - - testAsSchedulableOperation({ - scheduled: { - before: function self() { - self.mineDelay = true; - - it('returns schedule in the future', async function () { - const schedule = await this.manager.getSchedule(this.operationId); - expect(schedule).to.equal(this.scheduledAt + this.scheduleIn); - expect(schedule).to.gt(await time.clock.timestamp()); - }); - }, - after: function self() { - self.mineDelay = true; - - it('returns schedule', async function () { - const schedule = await this.manager.getSchedule(this.operationId); - expect(schedule).to.equal(this.scheduledAt + this.scheduleIn); - expect(schedule).to.equal(await time.clock.timestamp()); - }); - }, - expired: function self() { - self.mineDelay = true; - - it('returns 0', async function () { - expect(await this.manager.getSchedule(this.operationId)).to.equal(0n); - }); - }, - }, - notScheduled() { - it('defaults to 0', async function () { - expect(await this.manager.getSchedule(this.operationId)).to.equal(0n); - }); - }, - }); - }); - - describe('#getNonce', function () { - describe('when operation is scheduled', function () { - beforeEach('schedule operation', async function () { - const fnRestricted = this.target.fnRestricted.getFragment().selector; - this.caller = this.user; - this.role = { id: 4209043n }; - await this.manager.$_setTargetFunctionRole(this.target, fnRestricted, this.role.id); - await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // nonzero execution delay - - this.calldata = this.target.interface.encodeFunctionData(fnRestricted, []); - this.delay = time.duration.days(10); - - const { operationId, schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - await schedule(); - this.operationId = operationId; - }); - - it('returns nonce', async function () { - expect(await this.manager.getNonce(this.operationId)).to.equal(1n); - }); - }); - - describe('when is not scheduled', function () { - it('returns default 0', async function () { - expect(await this.manager.getNonce(ethers.id('operation'))).to.equal(0n); - }); - }); - }); - - describe('#hashOperation', function () { - it('returns an operationId', async function () { - const args = [this.user, this.other, '0x123543']; - expect(await this.manager.hashOperation(...args)).to.equal(hashOperation(...args)); - }); - }); - }); - - describe('admin operations', function () { - beforeEach('set required role', function () { - this.role = this.roles.ADMIN; - }); - - describe('subject to a delay', function () { - describe('#labelRole', function () { - describe('restrictions', function () { - beforeEach('set method and args', function () { - const args = [123443, 'TEST']; - const method = this.manager.interface.getFunction('labelRole(uint64,string)'); - this.calldata = this.manager.interface.encodeFunctionData(method, args); - }); - - shouldBehaveLikeDelayedAdminOperation(); - }); - - it('emits an event with the label', async function () { - await expect(this.manager.connect(this.admin).labelRole(this.roles.SOME.id, 'Some label')) - .to.emit(this.manager, 'RoleLabel') - .withArgs(this.roles.SOME.id, 'Some label'); - }); - - it('updates label on a second call', async function () { - await this.manager.connect(this.admin).labelRole(this.roles.SOME.id, 'Some label'); - - await expect(this.manager.connect(this.admin).labelRole(this.roles.SOME.id, 'Updated label')) - .to.emit(this.manager, 'RoleLabel') - .withArgs(this.roles.SOME.id, 'Updated label'); - }); - - it('reverts labeling PUBLIC_ROLE', async function () { - await expect(this.manager.connect(this.admin).labelRole(this.roles.PUBLIC.id, 'Some label')) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') - .withArgs(this.roles.PUBLIC.id); - }); - - it('reverts labeling ADMIN_ROLE', async function () { - await expect(this.manager.connect(this.admin).labelRole(this.roles.ADMIN.id, 'Some label')) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') - .withArgs(this.roles.ADMIN.id); - }); - }); - - describe('#setRoleAdmin', function () { - describe('restrictions', function () { - beforeEach('set method and args', function () { - const args = [93445, 84532]; - const method = this.manager.interface.getFunction('setRoleAdmin(uint64,uint64)'); - this.calldata = this.manager.interface.encodeFunctionData(method, args); - }); - - shouldBehaveLikeDelayedAdminOperation(); - }); - - it("sets any role's admin if called by an admin", async function () { - expect(await this.manager.getRoleAdmin(this.roles.SOME.id)).to.equal(this.roles.SOME_ADMIN.id); - - await expect(this.manager.connect(this.admin).setRoleAdmin(this.roles.SOME.id, this.roles.ADMIN.id)) - .to.emit(this.manager, 'RoleAdminChanged') - .withArgs(this.roles.SOME.id, this.roles.ADMIN.id); - - expect(await this.manager.getRoleAdmin(this.roles.SOME.id)).to.equal(this.roles.ADMIN.id); - }); - - it('reverts setting PUBLIC_ROLE admin', async function () { - await expect(this.manager.connect(this.admin).setRoleAdmin(this.roles.PUBLIC.id, this.roles.ADMIN.id)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') - .withArgs(this.roles.PUBLIC.id); - }); - - it('reverts setting ADMIN_ROLE admin', async function () { - await expect(this.manager.connect(this.admin).setRoleAdmin(this.roles.ADMIN.id, this.roles.ADMIN.id)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') - .withArgs(this.roles.ADMIN.id); - }); - }); - - describe('#setRoleGuardian', function () { - describe('restrictions', function () { - beforeEach('set method and args', function () { - const args = [93445, 84532]; - const method = this.manager.interface.getFunction('setRoleGuardian(uint64,uint64)'); - this.calldata = this.manager.interface.encodeFunctionData(method, args); - }); - - shouldBehaveLikeDelayedAdminOperation(); - }); - - it("sets any role's guardian if called by an admin", async function () { - expect(await this.manager.getRoleGuardian(this.roles.SOME.id)).to.equal(this.roles.SOME_GUARDIAN.id); - - await expect(this.manager.connect(this.admin).setRoleGuardian(this.roles.SOME.id, this.roles.ADMIN.id)) - .to.emit(this.manager, 'RoleGuardianChanged') - .withArgs(this.roles.SOME.id, this.roles.ADMIN.id); - - expect(await this.manager.getRoleGuardian(this.roles.SOME.id)).to.equal(this.roles.ADMIN.id); - }); - - it('reverts setting PUBLIC_ROLE admin', async function () { - await expect(this.manager.connect(this.admin).setRoleGuardian(this.roles.PUBLIC.id, this.roles.ADMIN.id)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') - .withArgs(this.roles.PUBLIC.id); - }); - - it('reverts setting ADMIN_ROLE admin', async function () { - await expect(this.manager.connect(this.admin).setRoleGuardian(this.roles.ADMIN.id, this.roles.ADMIN.id)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') - .withArgs(this.roles.ADMIN.id); - }); - }); - - describe('#setGrantDelay', function () { - describe('restrictions', function () { - beforeEach('set method and args', function () { - const args = [984910, time.duration.days(2)]; - const method = this.manager.interface.getFunction('setGrantDelay(uint64,uint32)'); - this.calldata = this.manager.interface.encodeFunctionData(method, args); - }); - - shouldBehaveLikeDelayedAdminOperation(); - }); - - it('reverts setting grant delay for the PUBLIC_ROLE', async function () { - await expect(this.manager.connect(this.admin).setGrantDelay(this.roles.PUBLIC.id, 69n)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') - .withArgs(this.roles.PUBLIC.id); - }); - - describe('when increasing the delay', function () { - const oldDelay = 10n; - const newDelay = 100n; - - beforeEach('sets old delay', async function () { - this.role = this.roles.SOME; - await this.manager.$_setGrantDelay(this.role.id, oldDelay); - await time.increaseBy.timestamp(MINSETBACK); - expect(await this.manager.getRoleGrantDelay(this.role.id)).to.equal(oldDelay); - }); - - it('increases the delay after minsetback', async function () { - const txResponse = await this.manager.connect(this.admin).setGrantDelay(this.role.id, newDelay); - const setGrantDelayAt = await time.clockFromReceipt.timestamp(txResponse); - await expect(txResponse) - .to.emit(this.manager, 'RoleGrantDelayChanged') - .withArgs(this.role.id, newDelay, setGrantDelayAt + MINSETBACK); - - expect(await this.manager.getRoleGrantDelay(this.role.id)).to.equal(oldDelay); - await time.increaseBy.timestamp(MINSETBACK); - expect(await this.manager.getRoleGrantDelay(this.role.id)).to.equal(newDelay); - }); - }); - - describe('when reducing the delay', function () { - const oldDelay = time.duration.days(10); - - beforeEach('sets old delay', async function () { - this.role = this.roles.SOME; - await this.manager.$_setGrantDelay(this.role.id, oldDelay); - await time.increaseBy.timestamp(MINSETBACK); - expect(await this.manager.getRoleGrantDelay(this.role.id)).to.equal(oldDelay); - }); - - describe('when the delay difference is shorter than minimum setback', function () { - const newDelay = oldDelay - 1n; - - it('increases the delay after minsetback', async function () { - const txResponse = await this.manager.connect(this.admin).setGrantDelay(this.role.id, newDelay); - const setGrantDelayAt = await time.clockFromReceipt.timestamp(txResponse); - await expect(txResponse) - .to.emit(this.manager, 'RoleGrantDelayChanged') - .withArgs(this.role.id, newDelay, setGrantDelayAt + MINSETBACK); - - expect(await this.manager.getRoleGrantDelay(this.role.id)).to.equal(oldDelay); - await time.increaseBy.timestamp(MINSETBACK); - expect(await this.manager.getRoleGrantDelay(this.role.id)).to.equal(newDelay); - }); - }); - - describe('when the delay difference is longer than minimum setback', function () { - const newDelay = 1n; - - beforeEach('assert delay difference is higher than minsetback', function () { - expect(oldDelay - newDelay).to.gt(MINSETBACK); - }); - - it('increases the delay after delay difference', async function () { - const setback = oldDelay - newDelay; - - const txResponse = await this.manager.connect(this.admin).setGrantDelay(this.role.id, newDelay); - const setGrantDelayAt = await time.clockFromReceipt.timestamp(txResponse); - - await expect(txResponse) - .to.emit(this.manager, 'RoleGrantDelayChanged') - .withArgs(this.role.id, newDelay, setGrantDelayAt + setback); - - expect(await this.manager.getRoleGrantDelay(this.role.id)).to.equal(oldDelay); - await time.increaseBy.timestamp(setback); - expect(await this.manager.getRoleGrantDelay(this.role.id)).to.equal(newDelay); - }); - }); - }); - }); - - describe('#setTargetAdminDelay', function () { - describe('restrictions', function () { - beforeEach('set method and args', function () { - const args = [this.other.address, time.duration.days(3)]; - const method = this.manager.interface.getFunction('setTargetAdminDelay(address,uint32)'); - this.calldata = this.manager.interface.encodeFunctionData(method, args); - }); - - shouldBehaveLikeDelayedAdminOperation(); - }); - - describe('when increasing the delay', function () { - const oldDelay = time.duration.days(10); - const newDelay = time.duration.days(11); - - beforeEach('sets old delay', async function () { - await this.manager.$_setTargetAdminDelay(this.other, oldDelay); - await time.increaseBy.timestamp(MINSETBACK); - expect(await this.manager.getTargetAdminDelay(this.other)).to.equal(oldDelay); - }); - - it('increases the delay after minsetback', async function () { - const txResponse = await this.manager.connect(this.admin).setTargetAdminDelay(this.other, newDelay); - const setTargetAdminDelayAt = await time.clockFromReceipt.timestamp(txResponse); - await expect(txResponse) - .to.emit(this.manager, 'TargetAdminDelayUpdated') - .withArgs(this.other, newDelay, setTargetAdminDelayAt + MINSETBACK); - - expect(await this.manager.getTargetAdminDelay(this.other)).to.equal(oldDelay); - await time.increaseBy.timestamp(MINSETBACK); - expect(await this.manager.getTargetAdminDelay(this.other)).to.equal(newDelay); - }); - }); - - describe('when reducing the delay', function () { - const oldDelay = time.duration.days(10); - - beforeEach('sets old delay', async function () { - await this.manager.$_setTargetAdminDelay(this.other, oldDelay); - await time.increaseBy.timestamp(MINSETBACK); - expect(await this.manager.getTargetAdminDelay(this.other)).to.equal(oldDelay); - }); - - describe('when the delay difference is shorter than minimum setback', function () { - const newDelay = oldDelay - 1n; - - it('increases the delay after minsetback', async function () { - const txResponse = await this.manager.connect(this.admin).setTargetAdminDelay(this.other, newDelay); - const setTargetAdminDelayAt = await time.clockFromReceipt.timestamp(txResponse); - await expect(txResponse) - .to.emit(this.manager, 'TargetAdminDelayUpdated') - .withArgs(this.other, newDelay, setTargetAdminDelayAt + MINSETBACK); - - expect(await this.manager.getTargetAdminDelay(this.other)).to.equal(oldDelay); - await time.increaseBy.timestamp(MINSETBACK); - expect(await this.manager.getTargetAdminDelay(this.other)).to.equal(newDelay); - }); - }); - - describe('when the delay difference is longer than minimum setback', function () { - const newDelay = 1n; - - beforeEach('assert delay difference is higher than minsetback', function () { - expect(oldDelay - newDelay).to.gt(MINSETBACK); - }); - - it('increases the delay after delay difference', async function () { - const setback = oldDelay - newDelay; - - const txResponse = await this.manager.connect(this.admin).setTargetAdminDelay(this.other, newDelay); - const setTargetAdminDelayAt = await time.clockFromReceipt.timestamp(txResponse); - - await expect(txResponse) - .to.emit(this.manager, 'TargetAdminDelayUpdated') - .withArgs(this.other, newDelay, setTargetAdminDelayAt + setback); - - expect(await this.manager.getTargetAdminDelay(this.other)).to.equal(oldDelay); - await time.increaseBy.timestamp(setback); - expect(await this.manager.getTargetAdminDelay(this.other)).to.equal(newDelay); - }); - }); - }); - }); - }); - - describe('not subject to a delay', function () { - describe('#updateAuthority', function () { - beforeEach('create a target and a new authority', async function () { - this.newAuthority = await ethers.deployContract('$AccessManager', [this.admin]); - this.newManagedTarget = await ethers.deployContract('$AccessManagedTarget', [this.manager]); - }); - - describe('restrictions', function () { - beforeEach('set method and args', function () { - this.calldata = this.manager.interface.encodeFunctionData('updateAuthority(address,address)', [ - this.newManagedTarget.target, - this.newAuthority.target, - ]); - }); - - shouldBehaveLikeNotDelayedAdminOperation(); - }); - - it('changes the authority', async function () { - expect(await this.newManagedTarget.authority()).to.equal(this.manager); - - await expect(this.manager.connect(this.admin).updateAuthority(this.newManagedTarget, this.newAuthority)) - .to.emit(this.newManagedTarget, 'AuthorityUpdated') // Managed contract is responsible of notifying the change through an event - .withArgs(this.newAuthority); - - expect(await this.newManagedTarget.authority()).to.equal(this.newAuthority); - }); - }); - - describe('#setTargetClosed', function () { - describe('restrictions', function () { - beforeEach('set method and args', function () { - const args = [this.other.address, true]; - const method = this.manager.interface.getFunction('setTargetClosed(address,bool)'); - this.calldata = this.manager.interface.encodeFunctionData(method, args); - }); - - shouldBehaveLikeNotDelayedAdminOperation(); - }); - - it('closes and opens a target', async function () { - await expect(this.manager.connect(this.admin).setTargetClosed(this.target, true)) - .to.emit(this.manager, 'TargetClosed') - .withArgs(this.target, true); - expect(await this.manager.isTargetClosed(this.target)).to.be.true; - - await expect(this.manager.connect(this.admin).setTargetClosed(this.target, false)) - .to.emit(this.manager, 'TargetClosed') - .withArgs(this.target, false); - expect(await this.manager.isTargetClosed(this.target)).to.be.false; - }); - - describe('when the target is the manager', async function () { - it('closes and opens the manager', async function () { - await expect(this.manager.connect(this.admin).setTargetClosed(this.manager, true)) - .to.emit(this.manager, 'TargetClosed') - .withArgs(this.manager, true); - expect(await this.manager.isTargetClosed(this.manager)).to.be.true; - - await expect(this.manager.connect(this.admin).setTargetClosed(this.manager, false)) - .to.emit(this.manager, 'TargetClosed') - .withArgs(this.manager, false); - expect(await this.manager.isTargetClosed(this.manager)).to.be.false; - }); - }); - }); - - describe('#setTargetFunctionRole', function () { - describe('restrictions', function () { - beforeEach('set method and args', function () { - const args = [this.other.address, ['0x12345678'], 443342]; - const method = this.manager.interface.getFunction('setTargetFunctionRole(address,bytes4[],uint64)'); - this.calldata = this.manager.interface.encodeFunctionData(method, args); - }); - - shouldBehaveLikeNotDelayedAdminOperation(); - }); - - const sigs = ['someFunction()', 'someOtherFunction(uint256)', 'oneMoreFunction(address,uint8)'].map(selector); - - it('sets function roles', async function () { - for (const sig of sigs) { - expect(await this.manager.getTargetFunctionRole(this.target, sig)).to.equal(this.roles.ADMIN.id); - } - - const allowRole = await this.manager - .connect(this.admin) - .setTargetFunctionRole(this.target, sigs, this.roles.SOME.id); - - for (const sig of sigs) { - await expect(allowRole) - .to.emit(this.manager, 'TargetFunctionRoleUpdated') - .withArgs(this.target, sig, this.roles.SOME.id); - expect(await this.manager.getTargetFunctionRole(this.target, sig)).to.equal(this.roles.SOME.id); - } - - await expect( - this.manager.connect(this.admin).setTargetFunctionRole(this.target, [sigs[1]], this.roles.SOME_ADMIN.id), - ) - .to.emit(this.manager, 'TargetFunctionRoleUpdated') - .withArgs(this.target, sigs[1], this.roles.SOME_ADMIN.id); - - for (const sig of sigs) { - expect(await this.manager.getTargetFunctionRole(this.target, sig)).to.equal( - sig == sigs[1] ? this.roles.SOME_ADMIN.id : this.roles.SOME.id, - ); - } - }); - }); - - describe('role admin operations', function () { - const ANOTHER_ADMIN = 0xdeadc0de1n; - const ANOTHER_ROLE = 0xdeadc0de2n; - - beforeEach('set required role', async function () { - // Make admin a member of ANOTHER_ADMIN - await this.manager.$_grantRole(ANOTHER_ADMIN, this.admin, 0, 0); - await this.manager.$_setRoleAdmin(ANOTHER_ROLE, ANOTHER_ADMIN); - - this.role = { id: ANOTHER_ADMIN }; - await this.manager.$_grantRole(this.role.id, this.user, 0, 0); - }); - - describe('#grantRole', function () { - describe('restrictions', function () { - beforeEach('set method and args', function () { - const args = [ANOTHER_ROLE, this.other.address, 0]; - const method = this.manager.interface.getFunction('grantRole(uint64,address,uint32)'); - this.calldata = this.manager.interface.encodeFunctionData(method, args); - }); - - shouldBehaveLikeRoleAdminOperation(ANOTHER_ADMIN); - }); - - it('reverts when granting PUBLIC_ROLE', async function () { - await expect(this.manager.connect(this.admin).grantRole(this.roles.PUBLIC.id, this.user, 0)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') - .withArgs(this.roles.PUBLIC.id); - }); - - describe('when the user is not a role member', function () { - describe('with grant delay', function () { - beforeEach('set grant delay and grant role', async function () { - // Delay granting - this.grantDelay = time.duration.weeks(2); - await this.manager.$_setGrantDelay(ANOTHER_ROLE, this.grantDelay); - await time.increaseBy.timestamp(MINSETBACK); - - // Grant role - this.executionDelay = time.duration.days(3); - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - false, - '0', - ]); - - this.txResponse = await this.manager - .connect(this.admin) - .grantRole(ANOTHER_ROLE, this.user, this.executionDelay); - this.delay = this.grantDelay; // For testAsDelay - }); - - testAsDelay('grant', { - before: function self() { - self.mineDelay = true; - - it('does not grant role to the user yet', async function () { - const timestamp = await time.clockFromReceipt.timestamp(this.txResponse); - await expect(this.txResponse) - .to.emit(this.manager, 'RoleGranted') - .withArgs(ANOTHER_ROLE, this.user, this.executionDelay, timestamp + this.grantDelay, true); - - // Access is correctly stored - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - expect(access[0]).to.equal(timestamp + this.grantDelay); // inEffectSince - expect(access[1]).to.equal(this.executionDelay); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Not in effect yet - const currentTimestamp = await time.clock.timestamp(); - expect(currentTimestamp).to.be.lt(access[0]); - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - false, - this.executionDelay.toString(), - ]); - }); - }, - after: function self() { - self.mineDelay = true; - - it('grants role to the user', async function () { - const timestamp = await time.clockFromReceipt.timestamp(this.txResponse); - await expect(this.txResponse) - .to.emit(this.manager, 'RoleGranted') - .withArgs(ANOTHER_ROLE, this.user, this.executionDelay, timestamp + this.grantDelay, true); - - // Access is correctly stored - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - expect(access[0]).to.equal(timestamp + this.grantDelay); // inEffectSince - expect(access[1]).to.equal(this.executionDelay); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Already in effect - const currentTimestamp = await time.clock.timestamp(); - expect(currentTimestamp).to.equal(access[0]); - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - true, - this.executionDelay.toString(), - ]); - }); - }, - }); - }); - - describe('without grant delay', function () { - beforeEach('set granting delay', async function () { - // Delay granting - this.grantDelay = 0; - await this.manager.$_setGrantDelay(ANOTHER_ROLE, this.grantDelay); - await time.increaseBy.timestamp(MINSETBACK); - }); - - it('immediately grants the role to the user', async function () { - const executionDelay = time.duration.days(6); - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - false, - '0', - ]); - const txResponse = await this.manager - .connect(this.admin) - .grantRole(ANOTHER_ROLE, this.user, executionDelay); - const grantedAt = await time.clockFromReceipt.timestamp(txResponse); - await expect(txResponse) - .to.emit(this.manager, 'RoleGranted') - .withArgs(ANOTHER_ROLE, this.user, executionDelay, grantedAt, true); - - // Access is correctly stored - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - expect(access[0]).to.equal(grantedAt); // inEffectSince - expect(access[1]).to.equal(executionDelay); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Already in effect - const currentTimestamp = await time.clock.timestamp(); - expect(currentTimestamp).to.equal(access[0]); - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - true, - executionDelay.toString(), - ]); - }); - }); - }); - - describe('when the user is already a role member', function () { - beforeEach('make user role member', async function () { - this.previousExecutionDelay = time.duration.days(6); - await this.manager.$_grantRole(ANOTHER_ROLE, this.user, 0, this.previousExecutionDelay); - this.oldAccess = await this.manager.getAccess(ANOTHER_ROLE, this.user); - }); - - describe('with grant delay', function () { - beforeEach('set granting delay', async function () { - // Delay granting - const grantDelay = time.duration.weeks(2); - await this.manager.$_setGrantDelay(ANOTHER_ROLE, grantDelay); - await time.increaseBy.timestamp(MINSETBACK); - }); - - describe('when increasing the execution delay', function () { - beforeEach('set increased new execution delay', async function () { - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - true, - this.previousExecutionDelay.toString(), - ]); - - this.newExecutionDelay = this.previousExecutionDelay + time.duration.days(4); - }); - - it('emits event and immediately changes the execution delay', async function () { - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - true, - this.previousExecutionDelay.toString(), - ]); - const txResponse = await this.manager - .connect(this.admin) - .grantRole(ANOTHER_ROLE, this.user, this.newExecutionDelay); - const timestamp = await time.clockFromReceipt.timestamp(txResponse); - - await expect(txResponse) - .to.emit(this.manager, 'RoleGranted') - .withArgs(ANOTHER_ROLE, this.user, this.newExecutionDelay, timestamp, false); - - // Access is correctly stored - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince - expect(access[1]).to.equal(this.newExecutionDelay); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Already in effect - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - true, - this.newExecutionDelay.toString(), - ]); - }); - }); - - describe('when decreasing the execution delay', function () { - beforeEach('decrease execution delay', async function () { - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - true, - this.previousExecutionDelay.toString(), - ]); - - this.newExecutionDelay = this.previousExecutionDelay - time.duration.days(4); - this.txResponse = await this.manager - .connect(this.admin) - .grantRole(ANOTHER_ROLE, this.user, this.newExecutionDelay); - this.grantTimestamp = await time.clockFromReceipt.timestamp(this.txResponse); - - this.delay = this.previousExecutionDelay - this.newExecutionDelay; // For testAsDelay - }); - - it('emits event', async function () { - await expect(this.txResponse) - .to.emit(this.manager, 'RoleGranted') - .withArgs(ANOTHER_ROLE, this.user, this.newExecutionDelay, this.grantTimestamp + this.delay, false); - }); - - testAsDelay('execution delay effect', { - before: function self() { - self.mineDelay = true; - - it('does not change the execution delay yet', async function () { - // Access is correctly stored - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince - expect(access[1]).to.equal(this.previousExecutionDelay); // currentDelay - expect(access[2]).to.equal(this.newExecutionDelay); // pendingDelay - expect(access[3]).to.equal(this.grantTimestamp + this.delay); // pendingDelayEffect - - // Not in effect yet - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - true, - this.previousExecutionDelay.toString(), - ]); - }); - }, - after: function self() { - self.mineDelay = true; - - it('changes the execution delay', async function () { - // Access is correctly stored - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - - expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince - expect(access[1]).to.equal(this.newExecutionDelay); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Already in effect - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - true, - this.newExecutionDelay.toString(), - ]); - }); - }, - }); - }); - }); - - describe('without grant delay', function () { - beforeEach('set granting delay', async function () { - // Delay granting - const grantDelay = 0; - await this.manager.$_setGrantDelay(ANOTHER_ROLE, grantDelay); - await time.increaseBy.timestamp(MINSETBACK); - }); - - describe('when increasing the execution delay', function () { - beforeEach('set increased new execution delay', async function () { - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - true, - this.previousExecutionDelay.toString(), - ]); - - this.newExecutionDelay = this.previousExecutionDelay + time.duration.days(4); - }); - - it('emits event and immediately changes the execution delay', async function () { - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - true, - this.previousExecutionDelay.toString(), - ]); - const txResponse = await this.manager - .connect(this.admin) - .grantRole(ANOTHER_ROLE, this.user, this.newExecutionDelay); - const timestamp = await time.clockFromReceipt.timestamp(txResponse); - - await expect(txResponse) - .to.emit(this.manager, 'RoleGranted') - .withArgs(ANOTHER_ROLE, this.user, this.newExecutionDelay, timestamp, false); - - // Access is correctly stored - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince - expect(access[1]).to.equal(this.newExecutionDelay); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Already in effect - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - true, - this.newExecutionDelay.toString(), - ]); - }); - }); - - describe('when decreasing the execution delay', function () { - beforeEach('decrease execution delay', async function () { - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - true, - this.previousExecutionDelay.toString(), - ]); - - this.newExecutionDelay = this.previousExecutionDelay - time.duration.days(4); - this.txResponse = await this.manager - .connect(this.admin) - .grantRole(ANOTHER_ROLE, this.user, this.newExecutionDelay); - this.grantTimestamp = await time.clockFromReceipt.timestamp(this.txResponse); - - this.delay = this.previousExecutionDelay - this.newExecutionDelay; // For testAsDelay - }); - - it('emits event', async function () { - await expect(this.txResponse) - .to.emit(this.manager, 'RoleGranted') - .withArgs(ANOTHER_ROLE, this.user, this.newExecutionDelay, this.grantTimestamp + this.delay, false); - }); - - testAsDelay('execution delay effect', { - before: function self() { - self.mineDelay = true; - - it('does not change the execution delay yet', async function () { - // Access is correctly stored - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince - expect(access[1]).to.equal(this.previousExecutionDelay); // currentDelay - expect(access[2]).to.equal(this.newExecutionDelay); // pendingDelay - expect(access[3]).to.equal(this.grantTimestamp + this.delay); // pendingDelayEffect - - // Not in effect yet - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - true, - this.previousExecutionDelay.toString(), - ]); - }); - }, - after: function self() { - self.mineDelay = true; - - it('changes the execution delay', async function () { - // Access is correctly stored - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - - expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince - expect(access[1]).to.equal(this.newExecutionDelay); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Already in effect - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - true, - this.newExecutionDelay.toString(), - ]); - }); - }, - }); - }); - }); - }); - }); - - describe('#revokeRole', function () { - describe('restrictions', function () { - beforeEach('set method and args', async function () { - const args = [ANOTHER_ROLE, this.other.address]; - const method = this.manager.interface.getFunction('revokeRole(uint64,address)'); - this.calldata = this.manager.interface.encodeFunctionData(method, args); - - // Need to be set before revoking - await this.manager.$_grantRole(...args, 0, 0); - }); - - shouldBehaveLikeRoleAdminOperation(ANOTHER_ADMIN); - }); - - describe('when role has been granted', function () { - beforeEach('grant role with grant delay', async function () { - this.grantDelay = time.duration.weeks(1); - await this.manager.$_grantRole(ANOTHER_ROLE, this.user, this.grantDelay, 0); - - this.delay = this.grantDelay; // For testAsDelay - }); - - testAsDelay('grant', { - before: function self() { - self.mineDelay = true; - - it('revokes a granted role that will take effect in the future', async function () { - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - false, - '0', - ]); - - await expect(this.manager.connect(this.admin).revokeRole(ANOTHER_ROLE, this.user)) - .to.emit(this.manager, 'RoleRevoked') - .withArgs(ANOTHER_ROLE, this.user); - - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - false, - '0', - ]); - - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - expect(access[0]).to.equal(0n); // inRoleSince - expect(access[1]).to.equal(0n); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // effect - }); - }, - after: function self() { - self.mineDelay = true; - - it('revokes a granted role that already took effect', async function () { - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - true, - '0', - ]); - - await expect(this.manager.connect(this.admin).revokeRole(ANOTHER_ROLE, this.user)) - .to.emit(this.manager, 'RoleRevoked') - .withArgs(ANOTHER_ROLE, this.user); - - expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ - false, - '0', - ]); - - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - expect(access[0]).to.equal(0n); // inRoleSince - expect(access[1]).to.equal(0n); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // effect - }); - }, - }); - }); - - describe('when role has not been granted', function () { - it('has no effect', async function () { - expect(await this.manager.hasRole(this.roles.SOME.id, this.user).then(formatAccess)).to.be.deep.equal([ - false, - '0', - ]); - await expect(this.manager.connect(this.roleAdmin).revokeRole(this.roles.SOME.id, this.user)).to.not.emit( - this.manager, - 'RoleRevoked', - ); - expect(await this.manager.hasRole(this.roles.SOME.id, this.user).then(formatAccess)).to.be.deep.equal([ - false, - '0', - ]); - }); - }); - - it('reverts revoking PUBLIC_ROLE', async function () { - await expect(this.manager.connect(this.admin).revokeRole(this.roles.PUBLIC.id, this.user)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') - .withArgs(this.roles.PUBLIC.id); - }); - }); - }); - - describe('self role operations', function () { - describe('#renounceRole', function () { - beforeEach('grant role', async function () { - this.role = { id: 783164n }; - this.caller = this.user; - await this.manager.$_grantRole(this.role.id, this.caller, 0, 0); - }); - - it('renounces a role', async function () { - expect(await this.manager.hasRole(this.role.id, this.caller).then(formatAccess)).to.be.deep.equal([ - true, - '0', - ]); - await expect(this.manager.connect(this.caller).renounceRole(this.role.id, this.caller)) - .to.emit(this.manager, 'RoleRevoked') - .withArgs(this.role.id, this.caller); - expect(await this.manager.hasRole(this.role.id, this.caller).then(formatAccess)).to.be.deep.equal([ - false, - '0', - ]); - }); - - it('reverts if renouncing the PUBLIC_ROLE', async function () { - await expect(this.manager.connect(this.caller).renounceRole(this.roles.PUBLIC.id, this.caller)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') - .withArgs(this.roles.PUBLIC.id); - }); - - it('reverts if renouncing with bad caller confirmation', async function () { - await expect( - this.manager.connect(this.caller).renounceRole(this.role.id, this.other), - ).to.be.revertedWithCustomError(this.manager, 'AccessManagerBadConfirmation'); - }); - }); - }); - }); - }); - - describe('access managed self operations', function () { - describe('when calling a restricted target function', function () { - const method = 'fnRestricted()'; - - beforeEach('set required role', async function () { - this.role = { id: 785913n }; - await this.manager.$_setTargetFunctionRole( - this.manager, - this.manager[method].getFragment().selector, - this.role.id, - ); - }); - - describe('restrictions', function () { - beforeEach('set method and args', function () { - this.caller = this.user; - this.calldata = this.manager.interface.encodeFunctionData(method, []); - }); - - shouldBehaveLikeASelfRestrictedOperation(); - }); - - it('succeeds called by a role member', async function () { - await this.manager.$_grantRole(this.role.id, this.user, 0, 0); - - await expect(this.manager.connect(this.user)[method]()) - .to.emit(this.manager, 'CalledRestricted') - .withArgs(this.user); - }); - }); - - describe('when calling a non-restricted target function', function () { - const method = 'fnUnrestricted()'; - - beforeEach('set required role', async function () { - this.role = { id: 879435n }; - await this.manager.$_setTargetFunctionRole( - this.manager, - this.manager[method].getFragment().selector, - this.role.id, - ); - }); - - it('succeeds called by anyone', async function () { - await expect(this.manager.connect(this.user)[method]()) - .to.emit(this.manager, 'CalledUnrestricted') - .withArgs(this.user); - }); - }); - }); - - describe('access managed target operations', function () { - describe('when calling a restricted target function', function () { - const method = 'fnRestricted()'; - - beforeEach('set required role', async function () { - this.role = { id: 3597243n }; - await this.manager.$_setTargetFunctionRole( - this.target, - this.target[method].getFragment().selector, - this.role.id, - ); - }); - - describe('restrictions', function () { - beforeEach('set method and args', function () { - this.caller = this.user; - this.calldata = this.target.interface.encodeFunctionData(method, []); - }); - - shouldBehaveLikeAManagedRestrictedOperation(); - }); - - it('succeeds called by a role member', async function () { - await this.manager.$_grantRole(this.role.id, this.user, 0, 0); - - await expect(this.target.connect(this.user)[method]()) - .to.emit(this.target, 'CalledRestricted') - .withArgs(this.user); - }); - }); - - describe('when calling a non-restricted target function', function () { - const method = 'fnUnrestricted()'; - - beforeEach('set required role', async function () { - this.role = { id: 879435n }; - await this.manager.$_setTargetFunctionRole( - this.target, - this.target[method].getFragment().selector, - this.role.id, - ); - }); - - it('succeeds called by anyone', async function () { - await expect(this.target.connect(this.user)[method]()) - .to.emit(this.target, 'CalledUnrestricted') - .withArgs(this.user); - }); - }); - }); - - describe('#schedule', function () { - beforeEach('set target function role', async function () { - this.method = this.target.fnRestricted.getFragment(); - this.role = { id: 498305n }; - this.caller = this.user; - - await this.manager.$_setTargetFunctionRole(this.target, this.method.selector, this.role.id); - await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // nonzero execution delay - - this.calldata = this.target.interface.encodeFunctionData(this.method, []); - this.delay = time.duration.weeks(2); - }); - - describe('restrictions', function () { - testAsCanCall({ - closed() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - const { schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - await expect(schedule()) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - open: { - callerIsTheManager: { - executing() { - it.skip('is not reachable because schedule is not restrictable'); - }, - notExecuting() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - const { schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - await expect(schedule()) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - }, - callerIsNotTheManager: { - publicRoleIsRequired() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - // prepareOperation is not used here because it alters the next block timestamp - await expect(this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - specificRoleIsRequired: { - requiredRoleIsGranted: { - roleGrantingIsDelayed: { - callerHasAnExecutionDelay: { - beforeGrantDelay() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - // prepareOperation is not used here because it alters the next block timestamp - await expect(this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - afterGrantDelay() { - it('succeeds', async function () { - // prepareOperation is not used here because it alters the next block timestamp - await this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48); - }); - }, - }, - callerHasNoExecutionDelay: { - beforeGrantDelay() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - // prepareOperation is not used here because it alters the next block timestamp - await expect(this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - afterGrantDelay() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - // prepareOperation is not used here because it alters the next block timestamp - await expect(this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - }, - }, - roleGrantingIsNotDelayed: { - callerHasAnExecutionDelay() { - it('succeeds', async function () { - const { schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - - await schedule(); - }); - }, - callerHasNoExecutionDelay() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - // prepareOperation is not used here because it alters the next block timestamp - await expect(this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - }, - }, - requiredRoleIsNotGranted() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - const { schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - await expect(schedule()) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - }, - }, - }, - }); - }); - - it('schedules an operation at the specified execution date if it is larger than caller execution delay', async function () { - const { operationId, scheduledAt, schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - - const txResponse = await schedule(); - - expect(await this.manager.getSchedule(operationId)).to.equal(scheduledAt + this.delay); - await expect(txResponse) - .to.emit(this.manager, 'OperationScheduled') - .withArgs(operationId, '1', scheduledAt + this.delay, this.caller, this.target, this.calldata); - }); - - it('schedules an operation at the minimum execution date if no specified execution date (when == 0)', async function () { - const executionDelay = await time.duration.hours(72); - await this.manager.$_grantRole(this.role.id, this.caller, 0, executionDelay); - - const txResponse = await this.manager.connect(this.caller).schedule(this.target, this.calldata, 0); - const scheduledAt = await time.clockFromReceipt.timestamp(txResponse); - - const operationId = await this.manager.hashOperation(this.caller, this.target, this.calldata); - - expect(await this.manager.getSchedule(operationId)).to.equal(scheduledAt + executionDelay); - await expect(txResponse) - .to.emit(this.manager, 'OperationScheduled') - .withArgs(operationId, '1', scheduledAt + executionDelay, this.caller, this.target, this.calldata); - }); - - it('increases the nonce of an operation scheduled more than once', async function () { - // Setup and check initial nonce - const expectedOperationId = hashOperation(this.caller, this.target, this.calldata); - expect(await this.manager.getNonce(expectedOperationId)).to.equal('0'); - - // Schedule - const op1 = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - await expect(op1.schedule()) - .to.emit(this.manager, 'OperationScheduled') - .withArgs(op1.operationId, 1n, op1.scheduledAt + this.delay, this.caller, this.target, this.calldata); - expect(expectedOperationId).to.equal(op1.operationId); - - // Consume - await time.increaseBy.timestamp(this.delay); - await this.manager.$_consumeScheduledOp(expectedOperationId); - - // Check nonce - expect(await this.manager.getNonce(expectedOperationId)).to.equal('1'); - - // Schedule again - const op2 = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - await expect(op2.schedule()) - .to.emit(this.manager, 'OperationScheduled') - .withArgs(op2.operationId, 2n, op2.scheduledAt + this.delay, this.caller, this.target, this.calldata); - expect(expectedOperationId).to.equal(op2.operationId); - - // Check final nonce - expect(await this.manager.getNonce(expectedOperationId)).to.equal('2'); - }); - - it('reverts if the specified execution date is before the current timestamp + caller execution delay', async function () { - const executionDelay = time.duration.weeks(1) + this.delay; - await this.manager.$_grantRole(this.role.id, this.caller, 0, executionDelay); - - const { schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - - await expect(schedule()) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - - it('reverts if an operation is already schedule', async function () { - const op1 = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - - await op1.schedule(); - - const op2 = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - - await expect(op2.schedule()) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerAlreadyScheduled') - .withArgs(op1.operationId); - }); - - it('panics scheduling calldata with less than 4 bytes', async function () { - const calldata = '0x1234'; // 2 bytes - - // Managed contract - const op1 = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: calldata, - delay: this.delay, - }); - await expect(op1.schedule()).to.be.revertedWithoutReason(); - - // Manager contract - const op2 = await prepareOperation(this.manager, { - caller: this.caller, - target: this.manager, - calldata: calldata, - delay: this.delay, - }); - await expect(op2.schedule()).to.be.revertedWithoutReason(); - }); - - it('reverts scheduling an unknown operation to the manager', async function () { - const calldata = '0x12345678'; - - const { schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.manager, - calldata, - delay: this.delay, - }); - - await expect(schedule()) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.manager, calldata); - }); - }); - - describe('#execute', function () { - beforeEach('set target function role', async function () { - this.method = this.target.fnRestricted.getFragment(); - this.role = { id: 9825430n }; - this.caller = this.user; - - await this.manager.$_setTargetFunctionRole(this.target, this.method.selector, this.role.id); - await this.manager.$_grantRole(this.role.id, this.caller, 0, 0); - - this.calldata = this.target.interface.encodeFunctionData(this.method, []); - }); - - describe('restrictions', function () { - testAsCanCall({ - closed() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - open: { - callerIsTheManager: { - executing() { - it('succeeds', async function () { - await this.manager.connect(this.caller).execute(this.target, this.calldata); - }); - }, - notExecuting() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - }, - callerIsNotTheManager: { - publicRoleIsRequired() { - it('succeeds', async function () { - await this.manager.connect(this.caller).execute(this.target, this.calldata); - }); - }, - specificRoleIsRequired: { - requiredRoleIsGranted: { - roleGrantingIsDelayed: { - callerHasAnExecutionDelay: { - beforeGrantDelay() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - afterGrantDelay: function self() { - self.mineDelay = true; - - beforeEach('define schedule delay', function () { - this.scheduleIn = time.duration.days(21); // For testAsSchedulableOperation - }); - - testAsSchedulableOperation(LIKE_COMMON_SCHEDULABLE); - }, - }, - callerHasNoExecutionDelay: { - beforeGrantDelay() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - afterGrantDelay: function self() { - self.mineDelay = true; - - it('succeeds', async function () { - await this.manager.connect(this.caller).execute(this.target, this.calldata); - }); - }, - }, - }, - roleGrantingIsNotDelayed: { - callerHasAnExecutionDelay() { - beforeEach('define schedule delay', function () { - this.scheduleIn = time.duration.days(15); // For testAsSchedulableOperation - }); - - testAsSchedulableOperation(LIKE_COMMON_SCHEDULABLE); - }, - callerHasNoExecutionDelay() { - it('succeeds', async function () { - await this.manager.connect(this.caller).execute(this.target, this.calldata); - }); - }, - }, - }, - requiredRoleIsNotGranted() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - }, - }, - }, - }); - }); - - it('executes with a delay consuming the scheduled operation', async function () { - const delay = time.duration.hours(4); - await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // Execution delay is needed so the operation is consumed - - const { operationId, schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay, - }); - await schedule(); - await time.increaseBy.timestamp(delay); - await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) - .to.emit(this.manager, 'OperationExecuted') - .withArgs(operationId, 1n); - - expect(await this.manager.getSchedule(operationId)).to.equal(0n); - }); - - it('executes with no delay consuming a scheduled operation', async function () { - const delay = time.duration.hours(4); - - // give caller an execution delay - await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); - - const { operationId, schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay, - }); - await schedule(); - - // remove the execution delay - await this.manager.$_grantRole(this.role.id, this.caller, 0, 0); - - await time.increaseBy.timestamp(delay); - await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) - .to.emit(this.manager, 'OperationExecuted') - .withArgs(operationId, 1n); - - expect(await this.manager.getSchedule(operationId)).to.equal(0n); - }); - - it('keeps the original _executionId after finishing the call', async function () { - const executionIdBefore = await ethers.provider.getStorage(this.manager, EXECUTION_ID_STORAGE_SLOT); - await this.manager.connect(this.caller).execute(this.target, this.calldata); - const executionIdAfter = await ethers.provider.getStorage(this.manager, EXECUTION_ID_STORAGE_SLOT); - expect(executionIdBefore).to.equal(executionIdAfter); - }); - - it('reverts executing twice', async function () { - const delay = time.duration.hours(2); - await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // Execution delay is needed so the operation is consumed - - const { operationId, schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay, - }); - await schedule(); - await time.increaseBy.timestamp(delay); - await this.manager.connect(this.caller).execute(this.target, this.calldata); - await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerNotScheduled') - .withArgs(operationId); - }); - }); - - describe('#consumeScheduledOp', function () { - beforeEach('define scheduling parameters', async function () { - const method = this.target.fnRestricted.getFragment(); - this.caller = await ethers.getSigner(this.target.target); - await impersonate(this.caller.address); - this.calldata = this.target.interface.encodeFunctionData(method, []); - this.role = { id: 9834983n }; - - await this.manager.$_setTargetFunctionRole(this.target, method.selector, this.role.id); - await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // nonzero execution delay - - this.scheduleIn = time.duration.hours(10); // For testAsSchedulableOperation - }); - - describe('when caller is not consuming scheduled operation', function () { - beforeEach('set consuming false', async function () { - await this.target.setIsConsumingScheduledOp(false, ethers.toBeHex(CONSUMING_SCHEDULE_STORAGE_SLOT, 32)); - }); - - it('reverts as AccessManagerUnauthorizedConsume', async function () { - await expect(this.manager.connect(this.caller).consumeScheduledOp(this.caller, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedConsume') - .withArgs(this.caller); - }); - }); - - describe('when caller is consuming scheduled operation', function () { - beforeEach('set consuming true', async function () { - await this.target.setIsConsumingScheduledOp(true, ethers.toBeHex(CONSUMING_SCHEDULE_STORAGE_SLOT, 32)); - }); - - testAsSchedulableOperation({ - scheduled: { - before() { - it('reverts as AccessManagerNotReady', async function () { - await expect(this.manager.connect(this.caller).consumeScheduledOp(this.caller, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerNotReady') - .withArgs(this.operationId); - }); - }, - after() { - it('consumes the scheduled operation and resets timepoint', async function () { - expect(await this.manager.getSchedule(this.operationId)).to.equal(this.scheduledAt + this.scheduleIn); - - await expect(this.manager.connect(this.caller).consumeScheduledOp(this.caller, this.calldata)) - .to.emit(this.manager, 'OperationExecuted') - .withArgs(this.operationId, 1n); - expect(await this.manager.getSchedule(this.operationId)).to.equal(0n); - }); - }, - expired() { - it('reverts as AccessManagerExpired', async function () { - await expect(this.manager.connect(this.caller).consumeScheduledOp(this.caller, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerExpired') - .withArgs(this.operationId); - }); - }, - }, - notScheduled() { - it('reverts as AccessManagerNotScheduled', async function () { - await expect(this.manager.connect(this.caller).consumeScheduledOp(this.caller, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerNotScheduled') - .withArgs(this.operationId); - }); - }, - }); - }); - }); - - describe('#cancelScheduledOp', function () { - beforeEach('setup scheduling', async function () { - this.method = this.target.fnRestricted.getFragment(); - this.caller = this.roles.SOME.members[0]; - await this.manager.$_setTargetFunctionRole(this.target, this.method.selector, this.roles.SOME.id); - await this.manager.$_grantRole(this.roles.SOME.id, this.caller, 0, 1); // nonzero execution delay - - this.calldata = this.target.interface.encodeFunctionData(this.method, []); - this.scheduleIn = time.duration.days(10); // For testAsSchedulableOperation - }); - - testAsSchedulableOperation({ - scheduled: { - before() { - describe('when caller is the scheduler', function () { - it('succeeds', async function () { - await this.manager.connect(this.caller).cancel(this.caller, this.target, this.calldata); - }); - }); - - describe('when caller is an admin', function () { - it('succeeds', async function () { - await this.manager.connect(this.roles.ADMIN.members[0]).cancel(this.caller, this.target, this.calldata); - }); - }); - - describe('when caller is the role guardian', function () { - it('succeeds', async function () { - await this.manager - .connect(this.roles.SOME_GUARDIAN.members[0]) - .cancel(this.caller, this.target, this.calldata); - }); - }); - - describe('when caller is any other account', function () { - it('reverts as AccessManagerUnauthorizedCancel', async function () { - await expect(this.manager.connect(this.other).cancel(this.caller, this.target, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCancel') - .withArgs(this.other, this.caller, this.target, this.method.selector); - }); - }); - }, - after() { - it('succeeds', async function () { - await this.manager.connect(this.caller).cancel(this.caller, this.target, this.calldata); - }); - }, - expired() { - it('succeeds', async function () { - await this.manager.connect(this.caller).cancel(this.caller, this.target, this.calldata); - }); - }, - }, - notScheduled() { - it('reverts as AccessManagerNotScheduled', async function () { - await expect(this.manager.cancel(this.caller, this.target, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerNotScheduled') - .withArgs(this.operationId); - }); - }, - }); - - it('cancels an operation and resets schedule', async function () { - const { operationId, schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.scheduleIn, - }); - await schedule(); - await expect(this.manager.connect(this.caller).cancel(this.caller, this.target, this.calldata)) - .to.emit(this.manager, 'OperationCanceled') - .withArgs(operationId, 1n); - expect(await this.manager.getSchedule(operationId)).to.equal('0'); - }); - }); - - describe('with Ownable target contract', function () { - const roleId = 1n; - - beforeEach(async function () { - this.ownable = await ethers.deployContract('$Ownable', [this.manager]); - - // add user to role - await this.manager.$_grantRole(roleId, this.user, 0, 0); - }); - - it('initial state', async function () { - expect(await this.ownable.owner()).to.equal(this.manager); - }); - - describe('Contract is closed', function () { - beforeEach(async function () { - await this.manager.$_setTargetClosed(this.ownable, true); - }); - - it('directly call: reverts', async function () { - await expect(this.ownable.connect(this.user).$_checkOwner()) - .to.be.revertedWithCustomError(this.ownable, 'OwnableUnauthorizedAccount') - .withArgs(this.user); - }); - - it('relayed call (with role): reverts', async function () { - await expect( - this.manager.connect(this.user).execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector), - ) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.user, this.ownable, this.ownable.$_checkOwner.getFragment().selector); - }); - - it('relayed call (without role): reverts', async function () { - await expect( - this.manager.connect(this.other).execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector), - ) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.other, this.ownable, this.ownable.$_checkOwner.getFragment().selector); - }); - }); - - describe('Contract is managed', function () { - describe('function is open to specific role', function () { - beforeEach(async function () { - await this.manager.$_setTargetFunctionRole( - this.ownable, - this.ownable.$_checkOwner.getFragment().selector, - roleId, - ); - }); - - it('directly call: reverts', async function () { - await expect(this.ownable.connect(this.user).$_checkOwner()) - .to.be.revertedWithCustomError(this.ownable, 'OwnableUnauthorizedAccount') - .withArgs(this.user); - }); - - it('relayed call (with role): success', async function () { - await this.manager.connect(this.user).execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector); - }); - - it('relayed call (without role): reverts', async function () { - await expect( - this.manager.connect(this.other).execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector), - ) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.other, this.ownable, this.ownable.$_checkOwner.getFragment().selector); - }); - }); - - describe('function is open to public role', function () { - beforeEach(async function () { - await this.manager.$_setTargetFunctionRole( - this.ownable, - this.ownable.$_checkOwner.getFragment().selector, - this.roles.PUBLIC.id, - ); - }); - - it('directly call: reverts', async function () { - await expect(this.ownable.connect(this.user).$_checkOwner()) - .to.be.revertedWithCustomError(this.ownable, 'OwnableUnauthorizedAccount') - .withArgs(this.user); - }); - - it('relayed call (with role): success', async function () { - await this.manager.connect(this.user).execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector); - }); - - it('relayed call (without role): success', async function () { - await this.manager - .connect(this.other) - .execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector); - }); - }); - }); - }); + shouldBehaveLikeAccessManager(); }); diff --git a/test/access/manager/AccessManagerEnumerable.test.js b/test/access/manager/AccessManagerEnumerable.test.js new file mode 100644 index 00000000000..854a8587efe --- /dev/null +++ b/test/access/manager/AccessManagerEnumerable.test.js @@ -0,0 +1,63 @@ +const { ethers } = require('hardhat'); +const { loadFixture } = require('@nomicfoundation/hardhat-network-helpers'); + +const { buildBaseRoles } = require('../../helpers/access-manager'); +const { shouldBehaveLikeAccessManagerEnumerable, shouldBehaveLikeAccessManager } = require('./AccessManager.behavior'); + +async function fixture() { + const [admin, roleAdmin, roleGuardian, member, user, other] = await ethers.getSigners(); + + // Build roles + const roles = buildBaseRoles(); + + // Add members + roles.ADMIN.members = [admin]; + roles.SOME_ADMIN.members = [roleAdmin]; + roles.SOME_GUARDIAN.members = [roleGuardian]; + roles.SOME.members = [member]; + roles.PUBLIC.members = [admin, roleAdmin, roleGuardian, member, user, other]; + + const manager = await ethers.deployContract('$AccessManagerEnumerableMock', [admin]); + const target = await ethers.deployContract('$AccessManagedTarget', [manager]); + const target2 = await ethers.deployContract('$AccessManagedTarget', [manager]); + + for (const { id: roleId, admin, guardian, members } of Object.values(roles)) { + if (roleId === roles.PUBLIC.id) continue; // Every address belong to public and is locked + if (roleId === roles.ADMIN.id) continue; // Admin set during construction and is locked + + // Set admin role avoiding default + if (admin.id !== roles.ADMIN.id) { + await manager.$_setRoleAdmin(roleId, admin.id); + } + + // Set guardian role avoiding default + if (guardian.id !== roles.ADMIN.id) { + await manager.$_setRoleGuardian(roleId, guardian.id); + } + + // Grant role to members + for (const member of members) { + await manager.$_grantRole(roleId, member, 0, 0); + } + } + + return { + admin, + roleAdmin, + user, + other, + roles, + manager, + target, + target2, + }; +} + +describe('AccessManagerEnumerable', function () { + beforeEach(async function () { + Object.assign(this, await loadFixture(fixture)); + }); + + shouldBehaveLikeAccessManager(); + shouldBehaveLikeAccessManagerEnumerable(); +}); From b1c9eb9db109bbe41ccdba0869c3648e66c51f60 Mon Sep 17 00:00:00 2001 From: Hadrien Croubois Date: Thu, 11 Dec 2025 21:40:12 +0100 Subject: [PATCH 22/24] revert changes to AccessManager tests --- test/access/manager/AccessManager.behavior.js | 2603 ----------------- test/access/manager/AccessManager.test.js | 2436 ++++++++++++++- .../manager/AccessManagerEnumerable.test.js | 63 - 3 files changed, 2433 insertions(+), 2669 deletions(-) delete mode 100644 test/access/manager/AccessManagerEnumerable.test.js diff --git a/test/access/manager/AccessManager.behavior.js b/test/access/manager/AccessManager.behavior.js index b71e2d457ac..830700e3762 100644 --- a/test/access/manager/AccessManager.behavior.js +++ b/test/access/manager/AccessManager.behavior.js @@ -1,6 +1,5 @@ const { expect } = require('chai'); -const { selector } = require('../../helpers/methods'); const { LIKE_COMMON_IS_EXECUTING, LIKE_COMMON_GET_ACCESS, @@ -10,23 +9,7 @@ const { testAsDelayedOperation, testAsCanCall, testAsHasRole, - testAsClosable, - testAsDelay, - testAsGetAccess, } = require('./AccessManager.predicate'); -const { - formatAccess, - EXPIRATION, - MINSETBACK, - EXECUTION_ID_STORAGE_SLOT, - CONSUMING_SCHEDULE_STORAGE_SLOT, - prepareOperation, - hashOperation, -} = require('../../helpers/access-manager'); -const { impersonate } = require('../../helpers/account'); -const { MAX_UINT48 } = require('../../helpers/constants'); -const { ethers } = require('hardhat'); -const time = require('../../helpers/time'); // ============ ADMIN OPERATION ============ @@ -265,2596 +248,10 @@ function shouldBehaveLikeASelfRestrictedOperation() { }); } -// ============ ACCESS MANAGER ============ - -/** - * This test suite is made using the following tools: - * - * * Predicates: Functions with common conditional setups without assertions. - * * Behaviors: Functions with common assertions. - * - * The behavioral tests are built by composing predicates and are used as templates - * for testing access to restricted functions. - * - * Similarly, unit tests in this suite will use predicates to test subsets of these - * behaviors and are helped by common assertions provided for some of the predicates. - * - * The predicates can be identified by the `testAs*` prefix while the behaviors - * are prefixed with `shouldBehave*`. The common assertions for predicates are - * defined as constants. - * - * @requires this.{admin,roleAdmin,user,other,roles,manager,target} - */ -function shouldBehaveLikeAccessManager() { - describe('during construction', function () { - it('grants admin role to initialAdmin', async function () { - const manager = await ethers.deployContract('$AccessManager', [this.other]); - await expect(manager.hasRole(this.roles.ADMIN.id, this.other).then(formatAccess)).to.eventually.be.deep.equal([ - true, - '0', - ]); - }); - - it('rejects zero address for initialAdmin', async function () { - await expect(ethers.deployContract('$AccessManager', [ethers.ZeroAddress])) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerInvalidInitialAdmin') - .withArgs(ethers.ZeroAddress); - }); - - it('initializes setup roles correctly', async function () { - for (const { id: roleId, admin, guardian, members } of Object.values(this.roles)) { - await expect(this.manager.getRoleAdmin(roleId)).to.eventually.equal(admin.id); - await expect(this.manager.getRoleGuardian(roleId)).to.eventually.equal(guardian.id); - - for (const user of this.roles.PUBLIC.members) { - await expect(this.manager.hasRole(roleId, user).then(formatAccess)).to.eventually.be.deep.equal([ - members.includes(user), - '0', - ]); - } - } - }); - }); - - describe('getters', function () { - describe('#canCall', function () { - beforeEach('set calldata', function () { - this.calldata = '0x12345678'; - this.role = { id: 379204n }; - }); - - testAsCanCall({ - closed() { - it('should return false and no delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.other, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.false; - expect(delay).to.equal(0n); - }); - }, - open: { - callerIsTheManager: { - executing() { - it('should return true and no delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.true; - expect(delay).to.equal(0n); - }); - }, - notExecuting() { - it('should return false and no delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.false; - expect(delay).to.equal(0n); - }); - }, - }, - callerIsNotTheManager: { - publicRoleIsRequired() { - it('should return true and no delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.true; - expect(delay).to.equal(0n); - }); - }, - specificRoleIsRequired: { - requiredRoleIsGranted: { - roleGrantingIsDelayed: { - callerHasAnExecutionDelay: { - beforeGrantDelay: function self() { - self.mineDelay = true; - - it('should return false and no execution delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.false; - expect(delay).to.equal(0n); - }); - }, - afterGrantDelay: function self() { - self.mineDelay = true; - - beforeEach('sets execution delay', function () { - this.scheduleIn = this.executionDelay; // For testAsSchedulableOperation - }); - - testAsSchedulableOperation({ - scheduled: { - before: function self() { - self.mineDelay = true; - - it('should return false and execution delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.false; - expect(delay).to.equal(this.executionDelay); - }); - }, - after: function self() { - self.mineDelay = true; - - it('should return false and execution delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.false; - expect(delay).to.equal(this.executionDelay); - }); - }, - expired: function self() { - self.mineDelay = true; - - it('should return false and execution delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.false; - expect(delay).to.equal(this.executionDelay); - }); - }, - }, - notScheduled() { - it('should return false and execution delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.false; - expect(delay).to.equal(this.executionDelay); - }); - }, - }); - }, - }, - callerHasNoExecutionDelay: { - beforeGrantDelay: function self() { - self.mineDelay = true; - - it('should return false and no execution delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.false; - expect(delay).to.equal(0n); - }); - }, - afterGrantDelay: function self() { - self.mineDelay = true; - - it('should return true and no execution delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.true; - expect(delay).to.equal(0n); - }); - }, - }, - }, - roleGrantingIsNotDelayed: { - callerHasAnExecutionDelay() { - it('should return false and execution delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.false; - expect(delay).to.equal(this.executionDelay); - }); - }, - callerHasNoExecutionDelay() { - it('should return true and no execution delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.true; - expect(delay).to.equal(0n); - }); - }, - }, - }, - requiredRoleIsNotGranted() { - it('should return false and no execution delay', async function () { - const { immediate, delay } = await this.manager.canCall( - this.caller, - this.target, - this.calldata.substring(0, 10), - ); - expect(immediate).to.be.false; - expect(delay).to.equal(0n); - }); - }, - }, - }, - }, - }); - }); - - describe('#expiration', function () { - it('has a 7 days default expiration', async function () { - await expect(this.manager.expiration()).to.eventually.equal(EXPIRATION); - }); - }); - - describe('#minSetback', function () { - it('has a 5 days default minimum setback', async function () { - await expect(this.manager.minSetback()).to.eventually.equal(MINSETBACK); - }); - }); - - describe('#isTargetClosed', function () { - testAsClosable({ - closed() { - it('returns true', async function () { - await expect(this.manager.isTargetClosed(this.target)).to.eventually.be.true; - }); - }, - open() { - it('returns false', async function () { - await expect(this.manager.isTargetClosed(this.target)).to.eventually.be.false; - }); - }, - }); - }); - - describe('#getTargetFunctionRole', function () { - const methodSelector = selector('something(address,bytes)'); - - it('returns the target function role', async function () { - const roleId = 21498n; - await this.manager.$_setTargetFunctionRole(this.target, methodSelector, roleId); - - await expect(this.manager.getTargetFunctionRole(this.target, methodSelector)).to.eventually.equal(roleId); - }); - - it('returns the ADMIN role if not set', async function () { - await expect(this.manager.getTargetFunctionRole(this.target, methodSelector)).to.eventually.equal( - this.roles.ADMIN.id, - ); - }); - }); - - describe('#getTargetAdminDelay', function () { - describe('when the target admin delay is setup', function () { - beforeEach('set target admin delay', async function () { - this.oldDelay = await this.manager.getTargetAdminDelay(this.target); - this.newDelay = time.duration.days(10); - - await this.manager.$_setTargetAdminDelay(this.target, this.newDelay); - this.delay = MINSETBACK; // For testAsDelay - }); - - testAsDelay('effect', { - before: function self() { - self.mineDelay = true; - - it('returns the old target admin delay', async function () { - await expect(this.manager.getTargetAdminDelay(this.target)).to.eventually.equal(this.oldDelay); - }); - }, - after: function self() { - self.mineDelay = true; - - it('returns the new target admin delay', async function () { - await expect(this.manager.getTargetAdminDelay(this.target)).to.eventually.equal(this.newDelay); - }); - }, - }); - }); - - it('returns the 0 if not set', async function () { - await expect(this.manager.getTargetAdminDelay(this.target)).to.eventually.equal(0n); - }); - }); - - describe('#getRoleAdmin', function () { - const roleId = 5234907n; - - it('returns the role admin', async function () { - const adminId = 789433n; - - await this.manager.$_setRoleAdmin(roleId, adminId); - - await expect(this.manager.getRoleAdmin(roleId)).to.eventually.equal(adminId); - }); - - it('returns the ADMIN role if not set', async function () { - await expect(this.manager.getRoleAdmin(roleId)).to.eventually.equal(this.roles.ADMIN.id); - }); - }); - - describe('#getRoleGuardian', function () { - const roleId = 5234907n; - - it('returns the role guardian', async function () { - const guardianId = 789433n; - - await this.manager.$_setRoleGuardian(roleId, guardianId); - - await expect(this.manager.getRoleGuardian(roleId)).to.eventually.equal(guardianId); - }); - - it('returns the ADMIN role if not set', async function () { - await expect(this.manager.getRoleGuardian(roleId)).to.eventually.equal(this.roles.ADMIN.id); - }); - }); - - describe('#getRoleGrantDelay', function () { - const roleId = 9248439n; - - describe('when the grant admin delay is setup', function () { - beforeEach('set grant admin delay', async function () { - this.oldDelay = await this.manager.getRoleGrantDelay(roleId); - this.newDelay = time.duration.days(11); - - await this.manager.$_setGrantDelay(roleId, this.newDelay); - this.delay = MINSETBACK; // For testAsDelay - }); - - testAsDelay('grant', { - before: function self() { - self.mineDelay = true; - - it('returns the old role grant delay', async function () { - await expect(this.manager.getRoleGrantDelay(roleId)).to.eventually.equal(this.oldDelay); - }); - }, - after: function self() { - self.mineDelay = true; - - it('returns the new role grant delay', async function () { - await expect(this.manager.getRoleGrantDelay(roleId)).to.eventually.equal(this.newDelay); - }); - }, - }); - }); - - it('returns 0 if delay is not set', async function () { - await expect(this.manager.getTargetAdminDelay(this.target)).to.eventually.equal(0n); - }); - }); - - describe('#getAccess', function () { - beforeEach('set role', function () { - this.role = { id: 9452n }; - this.caller = this.user; - }); - - testAsGetAccess({ - requiredRoleIsGranted: { - roleGrantingIsDelayed: { - callerHasAnExecutionDelay: { - beforeGrantDelay: function self() { - self.mineDelay = true; - - it('role is not in effect and execution delay is set', async function () { - const access = await this.manager.getAccess(this.role.id, this.caller); - expect(access[0]).to.equal(this.delayEffect); // inEffectSince - expect(access[1]).to.equal(this.executionDelay); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Not in effect yet - await expect(time.clock.timestamp()).to.eventually.be.below(access[0]); - }); - }, - afterGrantDelay: function self() { - self.mineDelay = true; - - it('access has role in effect and execution delay is set', async function () { - const access = await this.manager.getAccess(this.role.id, this.caller); - - expect(access[0]).to.equal(this.delayEffect); // inEffectSince - expect(access[1]).to.equal(this.executionDelay); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Already in effect - await expect(time.clock.timestamp()).to.eventually.equal(access[0]); - }); - }, - }, - callerHasNoExecutionDelay: { - beforeGrantDelay: function self() { - self.mineDelay = true; - - it('access has role not in effect without execution delay', async function () { - const access = await this.manager.getAccess(this.role.id, this.caller); - expect(access[0]).to.equal(this.delayEffect); // inEffectSince - expect(access[1]).to.equal(0n); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Not in effect yet - await expect(time.clock.timestamp()).to.eventually.be.below(access[0]); - }); - }, - afterGrantDelay: function self() { - self.mineDelay = true; - - it('role is in effect without execution delay', async function () { - const access = await this.manager.getAccess(this.role.id, this.caller); - expect(access[0]).to.equal(this.delayEffect); // inEffectSince - expect(access[1]).to.equal(0n); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Already in effect - await expect(time.clock.timestamp()).to.eventually.equal(access[0]); - }); - }, - }, - }, - roleGrantingIsNotDelayed: { - callerHasAnExecutionDelay() { - it('access has role in effect and execution delay is set', async function () { - const access = await this.manager.getAccess(this.role.id, this.caller); - expect(access[0]).to.equal(await time.clock.timestamp()); // inEffectSince - expect(access[1]).to.equal(this.executionDelay); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Already in effect - await expect(time.clock.timestamp()).to.eventually.equal(access[0]); - }); - }, - callerHasNoExecutionDelay() { - it('access has role in effect without execution delay', async function () { - const access = await this.manager.getAccess(this.role.id, this.caller); - expect(access[0]).to.equal(await time.clock.timestamp()); // inEffectSince - expect(access[1]).to.equal(0n); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Already in effect - await expect(time.clock.timestamp()).to.eventually.equal(access[0]); - }); - }, - }, - }, - requiredRoleIsNotGranted() { - it('has empty access', async function () { - const access = await this.manager.getAccess(this.role.id, this.caller); - expect(access[0]).to.equal(0n); // inEffectSince - expect(access[1]).to.equal(0n); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - }); - }, - }); - }); - - describe('#hasRole', function () { - beforeEach('setup testAsHasRole', function () { - this.role = { id: 49832n }; - this.calldata = '0x12345678'; - this.caller = this.user; - }); - - testAsHasRole({ - publicRoleIsRequired() { - it('has PUBLIC role', async function () { - const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); - expect(isMember).to.be.true; - expect(executionDelay).to.equal('0'); - }); - }, - specificRoleIsRequired: { - requiredRoleIsGranted: { - roleGrantingIsDelayed: { - callerHasAnExecutionDelay: { - beforeGrantDelay: function self() { - self.mineDelay = true; - - it('does not have role but execution delay', async function () { - const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); - expect(isMember).to.be.false; - expect(executionDelay).to.equal(this.executionDelay); - }); - }, - afterGrantDelay: function self() { - self.mineDelay = true; - - it('has role and execution delay', async function () { - const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); - expect(isMember).to.be.true; - expect(executionDelay).to.equal(this.executionDelay); - }); - }, - }, - callerHasNoExecutionDelay: { - beforeGrantDelay: function self() { - self.mineDelay = true; - - it('does not have role nor execution delay', async function () { - const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); - expect(isMember).to.be.false; - expect(executionDelay).to.equal('0'); - }); - }, - afterGrantDelay: function self() { - self.mineDelay = true; - - it('has role and no execution delay', async function () { - const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); - expect(isMember).to.be.true; - expect(executionDelay).to.equal('0'); - }); - }, - }, - }, - roleGrantingIsNotDelayed: { - callerHasAnExecutionDelay() { - it('has role and execution delay', async function () { - const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); - expect(isMember).to.be.true; - expect(executionDelay).to.equal(this.executionDelay); - }); - }, - callerHasNoExecutionDelay() { - it('has role and no execution delay', async function () { - const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); - expect(isMember).to.be.true; - expect(executionDelay).to.equal('0'); - }); - }, - }, - }, - requiredRoleIsNotGranted() { - it('has no role and no execution delay', async function () { - const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); - expect(isMember).to.be.false; - expect(executionDelay).to.equal('0'); - }); - }, - }, - }); - }); - - describe('#getSchedule', function () { - beforeEach('set role and calldata', async function () { - const fnRestricted = this.target.fnRestricted.getFragment().selector; - this.caller = this.user; - this.role = { id: 493590n }; - await this.manager.$_setTargetFunctionRole(this.target, fnRestricted, this.role.id); - await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // nonzero execution delay - - this.calldata = this.target.interface.encodeFunctionData(fnRestricted, []); - this.scheduleIn = time.duration.days(10); // For testAsSchedulableOperation - }); - - testAsSchedulableOperation({ - scheduled: { - before: function self() { - self.mineDelay = true; - - it('returns schedule in the future', async function () { - const schedule = await this.manager.getSchedule(this.operationId); - expect(schedule).to.equal(this.scheduledAt + this.scheduleIn); - expect(schedule).to.gt(await time.clock.timestamp()); - }); - }, - after: function self() { - self.mineDelay = true; - - it('returns schedule', async function () { - const schedule = await this.manager.getSchedule(this.operationId); - expect(schedule).to.equal(this.scheduledAt + this.scheduleIn); - expect(schedule).to.equal(await time.clock.timestamp()); - }); - }, - expired: function self() { - self.mineDelay = true; - - it('returns 0', async function () { - await expect(this.manager.getSchedule(this.operationId)).to.eventually.equal(0n); - }); - }, - }, - notScheduled() { - it('defaults to 0', async function () { - await expect(this.manager.getSchedule(this.operationId)).to.eventually.equal(0n); - }); - }, - }); - }); - - describe('#getNonce', function () { - describe('when operation is scheduled', function () { - beforeEach('schedule operation', async function () { - const fnRestricted = this.target.fnRestricted.getFragment().selector; - this.caller = this.user; - this.role = { id: 4209043n }; - await this.manager.$_setTargetFunctionRole(this.target, fnRestricted, this.role.id); - await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // nonzero execution delay - - this.calldata = this.target.interface.encodeFunctionData(fnRestricted, []); - this.delay = time.duration.days(10); - - const { operationId, schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - await schedule(); - this.operationId = operationId; - }); - - it('returns nonce', async function () { - await expect(this.manager.getNonce(this.operationId)).to.eventually.equal(1n); - }); - }); - - describe('when is not scheduled', function () { - it('returns default 0', async function () { - await expect(this.manager.getNonce(ethers.id('operation'))).to.eventually.equal(0n); - }); - }); - }); - - describe('#hashOperation', function () { - it('returns an operationId', async function () { - const args = [this.user, this.other, '0x123543']; - await expect(this.manager.hashOperation(...args)).to.eventually.equal(hashOperation(...args)); - }); - }); - }); - - describe('admin operations', function () { - beforeEach('set required role', function () { - this.role = this.roles.ADMIN; - }); - - describe('subject to a delay', function () { - describe('#labelRole', function () { - describe('restrictions', function () { - beforeEach('set method and args', function () { - const args = [123443, 'TEST']; - const method = this.manager.interface.getFunction('labelRole(uint64,string)'); - this.calldata = this.manager.interface.encodeFunctionData(method, args); - }); - - shouldBehaveLikeDelayedAdminOperation(); - }); - - it('emits an event with the label', async function () { - await expect(this.manager.connect(this.admin).labelRole(this.roles.SOME.id, 'Some label')) - .to.emit(this.manager, 'RoleLabel') - .withArgs(this.roles.SOME.id, 'Some label'); - }); - - it('updates label on a second call', async function () { - await this.manager.connect(this.admin).labelRole(this.roles.SOME.id, 'Some label'); - - await expect(this.manager.connect(this.admin).labelRole(this.roles.SOME.id, 'Updated label')) - .to.emit(this.manager, 'RoleLabel') - .withArgs(this.roles.SOME.id, 'Updated label'); - }); - - it('reverts labeling PUBLIC_ROLE', async function () { - await expect(this.manager.connect(this.admin).labelRole(this.roles.PUBLIC.id, 'Some label')) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') - .withArgs(this.roles.PUBLIC.id); - }); - - it('reverts labeling ADMIN_ROLE', async function () { - await expect(this.manager.connect(this.admin).labelRole(this.roles.ADMIN.id, 'Some label')) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') - .withArgs(this.roles.ADMIN.id); - }); - }); - - describe('#setRoleAdmin', function () { - describe('restrictions', function () { - beforeEach('set method and args', function () { - const args = [93445, 84532]; - const method = this.manager.interface.getFunction('setRoleAdmin(uint64,uint64)'); - this.calldata = this.manager.interface.encodeFunctionData(method, args); - }); - - shouldBehaveLikeDelayedAdminOperation(); - }); - - it("sets any role's admin if called by an admin", async function () { - await expect(this.manager.getRoleAdmin(this.roles.SOME.id)).to.eventually.equal(this.roles.SOME_ADMIN.id); - - await expect(this.manager.connect(this.admin).setRoleAdmin(this.roles.SOME.id, this.roles.ADMIN.id)) - .to.emit(this.manager, 'RoleAdminChanged') - .withArgs(this.roles.SOME.id, this.roles.ADMIN.id); - - await expect(this.manager.getRoleAdmin(this.roles.SOME.id)).to.eventually.equal(this.roles.ADMIN.id); - }); - - it('reverts setting PUBLIC_ROLE admin', async function () { - await expect(this.manager.connect(this.admin).setRoleAdmin(this.roles.PUBLIC.id, this.roles.ADMIN.id)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') - .withArgs(this.roles.PUBLIC.id); - }); - - it('reverts setting ADMIN_ROLE admin', async function () { - await expect(this.manager.connect(this.admin).setRoleAdmin(this.roles.ADMIN.id, this.roles.ADMIN.id)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') - .withArgs(this.roles.ADMIN.id); - }); - }); - - describe('#setRoleGuardian', function () { - describe('restrictions', function () { - beforeEach('set method and args', function () { - const args = [93445, 84532]; - const method = this.manager.interface.getFunction('setRoleGuardian(uint64,uint64)'); - this.calldata = this.manager.interface.encodeFunctionData(method, args); - }); - - shouldBehaveLikeDelayedAdminOperation(); - }); - - it("sets any role's guardian if called by an admin", async function () { - await expect(this.manager.getRoleGuardian(this.roles.SOME.id)).to.eventually.equal( - this.roles.SOME_GUARDIAN.id, - ); - - await expect(this.manager.connect(this.admin).setRoleGuardian(this.roles.SOME.id, this.roles.ADMIN.id)) - .to.emit(this.manager, 'RoleGuardianChanged') - .withArgs(this.roles.SOME.id, this.roles.ADMIN.id); - - await expect(this.manager.getRoleGuardian(this.roles.SOME.id)).to.eventually.equal(this.roles.ADMIN.id); - }); - - it('reverts setting PUBLIC_ROLE admin', async function () { - await expect(this.manager.connect(this.admin).setRoleGuardian(this.roles.PUBLIC.id, this.roles.ADMIN.id)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') - .withArgs(this.roles.PUBLIC.id); - }); - - it('reverts setting ADMIN_ROLE admin', async function () { - await expect(this.manager.connect(this.admin).setRoleGuardian(this.roles.ADMIN.id, this.roles.ADMIN.id)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') - .withArgs(this.roles.ADMIN.id); - }); - }); - - describe('#setGrantDelay', function () { - describe('restrictions', function () { - beforeEach('set method and args', function () { - const args = [984910, time.duration.days(2)]; - const method = this.manager.interface.getFunction('setGrantDelay(uint64,uint32)'); - this.calldata = this.manager.interface.encodeFunctionData(method, args); - }); - - shouldBehaveLikeDelayedAdminOperation(); - }); - - it('reverts setting grant delay for the PUBLIC_ROLE', async function () { - await expect(this.manager.connect(this.admin).setGrantDelay(this.roles.PUBLIC.id, 69n)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') - .withArgs(this.roles.PUBLIC.id); - }); - - describe('when increasing the delay', function () { - const oldDelay = 10n; - const newDelay = 100n; - - beforeEach('sets old delay', async function () { - this.role = this.roles.SOME; - await this.manager.$_setGrantDelay(this.role.id, oldDelay); - await time.increaseBy.timestamp(MINSETBACK); - await expect(this.manager.getRoleGrantDelay(this.role.id)).to.eventually.equal(oldDelay); - }); - - it('increases the delay after minsetback', async function () { - const txResponse = await this.manager.connect(this.admin).setGrantDelay(this.role.id, newDelay); - const setGrantDelayAt = await time.clockFromReceipt.timestamp(txResponse); - await expect(txResponse) - .to.emit(this.manager, 'RoleGrantDelayChanged') - .withArgs(this.role.id, newDelay, setGrantDelayAt + MINSETBACK); - - await expect(this.manager.getRoleGrantDelay(this.role.id)).to.eventually.equal(oldDelay); - await time.increaseBy.timestamp(MINSETBACK); - await expect(this.manager.getRoleGrantDelay(this.role.id)).to.eventually.equal(newDelay); - }); - }); - - describe('when reducing the delay', function () { - const oldDelay = time.duration.days(10); - - beforeEach('sets old delay', async function () { - this.role = this.roles.SOME; - await this.manager.$_setGrantDelay(this.role.id, oldDelay); - await time.increaseBy.timestamp(MINSETBACK); - await expect(this.manager.getRoleGrantDelay(this.role.id)).to.eventually.equal(oldDelay); - }); - - describe('when the delay difference is shorter than minimum setback', function () { - const newDelay = oldDelay - 1n; - - it('increases the delay after minsetback', async function () { - const txResponse = await this.manager.connect(this.admin).setGrantDelay(this.role.id, newDelay); - const setGrantDelayAt = await time.clockFromReceipt.timestamp(txResponse); - await expect(txResponse) - .to.emit(this.manager, 'RoleGrantDelayChanged') - .withArgs(this.role.id, newDelay, setGrantDelayAt + MINSETBACK); - - await expect(this.manager.getRoleGrantDelay(this.role.id)).to.eventually.equal(oldDelay); - await time.increaseBy.timestamp(MINSETBACK); - await expect(this.manager.getRoleGrantDelay(this.role.id)).to.eventually.equal(newDelay); - }); - }); - - describe('when the delay difference is longer than minimum setback', function () { - const newDelay = 1n; - - beforeEach('assert delay difference is higher than minsetback', function () { - expect(oldDelay - newDelay).to.gt(MINSETBACK); - }); - - it('increases the delay after delay difference', async function () { - const setback = oldDelay - newDelay; - - const txResponse = await this.manager.connect(this.admin).setGrantDelay(this.role.id, newDelay); - const setGrantDelayAt = await time.clockFromReceipt.timestamp(txResponse); - - await expect(txResponse) - .to.emit(this.manager, 'RoleGrantDelayChanged') - .withArgs(this.role.id, newDelay, setGrantDelayAt + setback); - - await expect(this.manager.getRoleGrantDelay(this.role.id)).to.eventually.equal(oldDelay); - await time.increaseBy.timestamp(setback); - await expect(this.manager.getRoleGrantDelay(this.role.id)).to.eventually.equal(newDelay); - }); - }); - }); - }); - - describe('#setTargetAdminDelay', function () { - describe('restrictions', function () { - beforeEach('set method and args', function () { - const args = [this.other.address, time.duration.days(3)]; - const method = this.manager.interface.getFunction('setTargetAdminDelay(address,uint32)'); - this.calldata = this.manager.interface.encodeFunctionData(method, args); - }); - - shouldBehaveLikeDelayedAdminOperation(); - }); - - describe('when increasing the delay', function () { - const oldDelay = time.duration.days(10); - const newDelay = time.duration.days(11); - - beforeEach('sets old delay', async function () { - await this.manager.$_setTargetAdminDelay(this.other, oldDelay); - await time.increaseBy.timestamp(MINSETBACK); - await expect(this.manager.getTargetAdminDelay(this.other)).to.eventually.equal(oldDelay); - }); - - it('increases the delay after minsetback', async function () { - const txResponse = await this.manager.connect(this.admin).setTargetAdminDelay(this.other, newDelay); - const setTargetAdminDelayAt = await time.clockFromReceipt.timestamp(txResponse); - await expect(txResponse) - .to.emit(this.manager, 'TargetAdminDelayUpdated') - .withArgs(this.other, newDelay, setTargetAdminDelayAt + MINSETBACK); - - await expect(this.manager.getTargetAdminDelay(this.other)).to.eventually.equal(oldDelay); - await time.increaseBy.timestamp(MINSETBACK); - await expect(this.manager.getTargetAdminDelay(this.other)).to.eventually.equal(newDelay); - }); - }); - - describe('when reducing the delay', function () { - const oldDelay = time.duration.days(10); - - beforeEach('sets old delay', async function () { - await this.manager.$_setTargetAdminDelay(this.other, oldDelay); - await time.increaseBy.timestamp(MINSETBACK); - await expect(this.manager.getTargetAdminDelay(this.other)).to.eventually.equal(oldDelay); - }); - - describe('when the delay difference is shorter than minimum setback', function () { - const newDelay = oldDelay - 1n; - - it('increases the delay after minsetback', async function () { - const txResponse = await this.manager.connect(this.admin).setTargetAdminDelay(this.other, newDelay); - const setTargetAdminDelayAt = await time.clockFromReceipt.timestamp(txResponse); - await expect(txResponse) - .to.emit(this.manager, 'TargetAdminDelayUpdated') - .withArgs(this.other, newDelay, setTargetAdminDelayAt + MINSETBACK); - - await expect(this.manager.getTargetAdminDelay(this.other)).to.eventually.equal(oldDelay); - await time.increaseBy.timestamp(MINSETBACK); - await expect(this.manager.getTargetAdminDelay(this.other)).to.eventually.equal(newDelay); - }); - }); - - describe('when the delay difference is longer than minimum setback', function () { - const newDelay = 1n; - - beforeEach('assert delay difference is higher than minsetback', function () { - expect(oldDelay - newDelay).to.gt(MINSETBACK); - }); - - it('increases the delay after delay difference', async function () { - const setback = oldDelay - newDelay; - - const txResponse = await this.manager.connect(this.admin).setTargetAdminDelay(this.other, newDelay); - const setTargetAdminDelayAt = await time.clockFromReceipt.timestamp(txResponse); - - await expect(txResponse) - .to.emit(this.manager, 'TargetAdminDelayUpdated') - .withArgs(this.other, newDelay, setTargetAdminDelayAt + setback); - - await expect(this.manager.getTargetAdminDelay(this.other)).to.eventually.equal(oldDelay); - await time.increaseBy.timestamp(setback); - await expect(this.manager.getTargetAdminDelay(this.other)).to.eventually.equal(newDelay); - }); - }); - }); - }); - }); - - describe('not subject to a delay', function () { - describe('#updateAuthority', function () { - beforeEach('create a target and a new authority', async function () { - this.newAuthority = await ethers.deployContract('$AccessManager', [this.admin]); - this.newManagedTarget = await ethers.deployContract('$AccessManagedTarget', [this.manager]); - }); - - describe('restrictions', function () { - beforeEach('set method and args', function () { - this.calldata = this.manager.interface.encodeFunctionData('updateAuthority(address,address)', [ - this.newManagedTarget.target, - this.newAuthority.target, - ]); - }); - - shouldBehaveLikeNotDelayedAdminOperation(); - }); - - it('changes the authority', async function () { - await expect(this.newManagedTarget.authority()).to.eventually.equal(this.manager); - - await expect(this.manager.connect(this.admin).updateAuthority(this.newManagedTarget, this.newAuthority)) - .to.emit(this.newManagedTarget, 'AuthorityUpdated') // Managed contract is responsible of notifying the change through an event - .withArgs(this.newAuthority); - - await expect(this.newManagedTarget.authority()).to.eventually.equal(this.newAuthority); - }); - }); - - describe('#setTargetClosed', function () { - describe('restrictions', function () { - beforeEach('set method and args', function () { - const args = [this.other.address, true]; - const method = this.manager.interface.getFunction('setTargetClosed(address,bool)'); - this.calldata = this.manager.interface.encodeFunctionData(method, args); - }); - - shouldBehaveLikeNotDelayedAdminOperation(); - }); - - it('closes and opens a target', async function () { - await expect(this.manager.connect(this.admin).setTargetClosed(this.target, true)) - .to.emit(this.manager, 'TargetClosed') - .withArgs(this.target, true); - await expect(this.manager.isTargetClosed(this.target)).to.eventually.be.true; - - await expect(this.manager.connect(this.admin).setTargetClosed(this.target, false)) - .to.emit(this.manager, 'TargetClosed') - .withArgs(this.target, false); - await expect(this.manager.isTargetClosed(this.target)).to.eventually.be.false; - }); - - describe('when the target is the manager', async function () { - it('closes and opens the manager', async function () { - await expect(this.manager.connect(this.admin).setTargetClosed(this.manager, true)) - .to.emit(this.manager, 'TargetClosed') - .withArgs(this.manager, true); - await expect(this.manager.isTargetClosed(this.manager)).to.eventually.be.true; - - await expect(this.manager.connect(this.admin).setTargetClosed(this.manager, false)) - .to.emit(this.manager, 'TargetClosed') - .withArgs(this.manager, false); - await expect(this.manager.isTargetClosed(this.manager)).to.eventually.be.false; - }); - }); - }); - - describe('#setTargetFunctionRole', function () { - describe('restrictions', function () { - beforeEach('set method and args', function () { - const args = [this.other.address, ['0x12345678'], 443342]; - const method = this.manager.interface.getFunction('setTargetFunctionRole(address,bytes4[],uint64)'); - this.calldata = this.manager.interface.encodeFunctionData(method, args); - }); - - shouldBehaveLikeNotDelayedAdminOperation(); - }); - - const sigs = ['someFunction()', 'someOtherFunction(uint256)', 'oneMoreFunction(address,uint8)'].map(selector); - - it('sets function roles', async function () { - for (const sig of sigs) { - await expect(this.manager.getTargetFunctionRole(this.target, sig)).to.eventually.equal(this.roles.ADMIN.id); - } - - const allowRole = await this.manager - .connect(this.admin) - .setTargetFunctionRole(this.target, sigs, this.roles.SOME.id); - - for (const sig of sigs) { - await expect(allowRole) - .to.emit(this.manager, 'TargetFunctionRoleUpdated') - .withArgs(this.target, sig, this.roles.SOME.id); - await expect(this.manager.getTargetFunctionRole(this.target, sig)).to.eventually.equal(this.roles.SOME.id); - } - - await expect( - this.manager.connect(this.admin).setTargetFunctionRole(this.target, [sigs[1]], this.roles.SOME_ADMIN.id), - ) - .to.emit(this.manager, 'TargetFunctionRoleUpdated') - .withArgs(this.target, sigs[1], this.roles.SOME_ADMIN.id); - - for (const sig of sigs) { - await expect(this.manager.getTargetFunctionRole(this.target, sig)).to.eventually.equal( - sig == sigs[1] ? this.roles.SOME_ADMIN.id : this.roles.SOME.id, - ); - } - }); - }); - - describe('role admin operations', function () { - const ANOTHER_ADMIN = 0xdeadc0de1n; - const ANOTHER_ROLE = 0xdeadc0de2n; - - beforeEach('set required role', async function () { - // Make admin a member of ANOTHER_ADMIN - await this.manager.$_grantRole(ANOTHER_ADMIN, this.admin, 0, 0); - await this.manager.$_setRoleAdmin(ANOTHER_ROLE, ANOTHER_ADMIN); - - this.role = { id: ANOTHER_ADMIN }; - await this.manager.$_grantRole(this.role.id, this.user, 0, 0); - }); - - describe('#grantRole', function () { - describe('restrictions', function () { - beforeEach('set method and args', function () { - const args = [ANOTHER_ROLE, this.other.address, 0]; - const method = this.manager.interface.getFunction('grantRole(uint64,address,uint32)'); - this.calldata = this.manager.interface.encodeFunctionData(method, args); - }); - - shouldBehaveLikeRoleAdminOperation(ANOTHER_ADMIN); - }); - - it('reverts when granting PUBLIC_ROLE', async function () { - await expect(this.manager.connect(this.admin).grantRole(this.roles.PUBLIC.id, this.user, 0)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') - .withArgs(this.roles.PUBLIC.id); - }); - - describe('when the user is not a role member', function () { - describe('with grant delay', function () { - beforeEach('set grant delay and grant role', async function () { - // Delay granting - this.grantDelay = time.duration.weeks(2); - await this.manager.$_setGrantDelay(ANOTHER_ROLE, this.grantDelay); - await time.increaseBy.timestamp(MINSETBACK); - - // Grant role - this.executionDelay = time.duration.days(3); - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([false, '0']); - - this.txResponse = await this.manager - .connect(this.admin) - .grantRole(ANOTHER_ROLE, this.user, this.executionDelay); - this.delay = this.grantDelay; // For testAsDelay - }); - - testAsDelay('grant', { - before: function self() { - self.mineDelay = true; - - it('does not grant role to the user yet', async function () { - const timestamp = await time.clockFromReceipt.timestamp(this.txResponse); - await expect(this.txResponse) - .to.emit(this.manager, 'RoleGranted') - .withArgs(ANOTHER_ROLE, this.user, this.executionDelay, timestamp + this.grantDelay, true); - - // Access is correctly stored - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - expect(access[0]).to.equal(timestamp + this.grantDelay); // inEffectSince - expect(access[1]).to.equal(this.executionDelay); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Not in effect yet - const currentTimestamp = await time.clock.timestamp(); - expect(currentTimestamp).to.be.lt(access[0]); - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([false, this.executionDelay.toString()]); - }); - }, - after: function self() { - self.mineDelay = true; - - it('grants role to the user', async function () { - const timestamp = await time.clockFromReceipt.timestamp(this.txResponse); - await expect(this.txResponse) - .to.emit(this.manager, 'RoleGranted') - .withArgs(ANOTHER_ROLE, this.user, this.executionDelay, timestamp + this.grantDelay, true); - - // Access is correctly stored - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - expect(access[0]).to.equal(timestamp + this.grantDelay); // inEffectSince - expect(access[1]).to.equal(this.executionDelay); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Already in effect - const currentTimestamp = await time.clock.timestamp(); - expect(currentTimestamp).to.equal(access[0]); - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([true, this.executionDelay.toString()]); - }); - }, - }); - }); - - describe('without grant delay', function () { - beforeEach('set granting delay', async function () { - // Delay granting - this.grantDelay = 0; - await this.manager.$_setGrantDelay(ANOTHER_ROLE, this.grantDelay); - await time.increaseBy.timestamp(MINSETBACK); - }); - - it('immediately grants the role to the user', async function () { - const executionDelay = time.duration.days(6); - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([false, '0']); - const txResponse = await this.manager - .connect(this.admin) - .grantRole(ANOTHER_ROLE, this.user, executionDelay); - const grantedAt = await time.clockFromReceipt.timestamp(txResponse); - await expect(txResponse) - .to.emit(this.manager, 'RoleGranted') - .withArgs(ANOTHER_ROLE, this.user, executionDelay, grantedAt, true); - - // Access is correctly stored - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - expect(access[0]).to.equal(grantedAt); // inEffectSince - expect(access[1]).to.equal(executionDelay); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Already in effect - const currentTimestamp = await time.clock.timestamp(); - expect(currentTimestamp).to.equal(access[0]); - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([true, executionDelay.toString()]); - }); - }); - }); - - describe('when the user is already a role member', function () { - beforeEach('make user role member', async function () { - this.previousExecutionDelay = time.duration.days(6); - await this.manager.$_grantRole(ANOTHER_ROLE, this.user, 0, this.previousExecutionDelay); - this.oldAccess = await this.manager.getAccess(ANOTHER_ROLE, this.user); - }); - - describe('with grant delay', function () { - beforeEach('set granting delay', async function () { - // Delay granting - const grantDelay = time.duration.weeks(2); - await this.manager.$_setGrantDelay(ANOTHER_ROLE, grantDelay); - await time.increaseBy.timestamp(MINSETBACK); - }); - - describe('when increasing the execution delay', function () { - beforeEach('set increased new execution delay', async function () { - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([true, this.previousExecutionDelay.toString()]); - - this.newExecutionDelay = this.previousExecutionDelay + time.duration.days(4); - }); - - it('emits event and immediately changes the execution delay', async function () { - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([true, this.previousExecutionDelay.toString()]); - const txResponse = await this.manager - .connect(this.admin) - .grantRole(ANOTHER_ROLE, this.user, this.newExecutionDelay); - const timestamp = await time.clockFromReceipt.timestamp(txResponse); - - await expect(txResponse) - .to.emit(this.manager, 'RoleGranted') - .withArgs(ANOTHER_ROLE, this.user, this.newExecutionDelay, timestamp, false); - - // Access is correctly stored - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince - expect(access[1]).to.equal(this.newExecutionDelay); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Already in effect - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([true, this.newExecutionDelay.toString()]); - }); - }); - - describe('when decreasing the execution delay', function () { - beforeEach('decrease execution delay', async function () { - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([true, this.previousExecutionDelay.toString()]); - - this.newExecutionDelay = this.previousExecutionDelay - time.duration.days(4); - this.txResponse = await this.manager - .connect(this.admin) - .grantRole(ANOTHER_ROLE, this.user, this.newExecutionDelay); - this.grantTimestamp = await time.clockFromReceipt.timestamp(this.txResponse); - - this.delay = this.previousExecutionDelay - this.newExecutionDelay; // For testAsDelay - }); - - it('emits event', async function () { - await expect(this.txResponse) - .to.emit(this.manager, 'RoleGranted') - .withArgs(ANOTHER_ROLE, this.user, this.newExecutionDelay, this.grantTimestamp + this.delay, false); - }); - - testAsDelay('execution delay effect', { - before: function self() { - self.mineDelay = true; - - it('does not change the execution delay yet', async function () { - // Access is correctly stored - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince - expect(access[1]).to.equal(this.previousExecutionDelay); // currentDelay - expect(access[2]).to.equal(this.newExecutionDelay); // pendingDelay - expect(access[3]).to.equal(this.grantTimestamp + this.delay); // pendingDelayEffect - - // Not in effect yet - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([true, this.previousExecutionDelay.toString()]); - }); - }, - after: function self() { - self.mineDelay = true; - - it('changes the execution delay', async function () { - // Access is correctly stored - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - - expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince - expect(access[1]).to.equal(this.newExecutionDelay); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Already in effect - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([true, this.newExecutionDelay.toString()]); - }); - }, - }); - }); - }); - - describe('without grant delay', function () { - beforeEach('set granting delay', async function () { - // Delay granting - const grantDelay = 0; - await this.manager.$_setGrantDelay(ANOTHER_ROLE, grantDelay); - await time.increaseBy.timestamp(MINSETBACK); - }); - - describe('when increasing the execution delay', function () { - beforeEach('set increased new execution delay', async function () { - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([true, this.previousExecutionDelay.toString()]); - - this.newExecutionDelay = this.previousExecutionDelay + time.duration.days(4); - }); - - it('emits event and immediately changes the execution delay', async function () { - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([true, this.previousExecutionDelay.toString()]); - const txResponse = await this.manager - .connect(this.admin) - .grantRole(ANOTHER_ROLE, this.user, this.newExecutionDelay); - const timestamp = await time.clockFromReceipt.timestamp(txResponse); - - await expect(txResponse) - .to.emit(this.manager, 'RoleGranted') - .withArgs(ANOTHER_ROLE, this.user, this.newExecutionDelay, timestamp, false); - - // Access is correctly stored - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince - expect(access[1]).to.equal(this.newExecutionDelay); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Already in effect - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([true, this.newExecutionDelay.toString()]); - }); - }); - - describe('when decreasing the execution delay', function () { - beforeEach('decrease execution delay', async function () { - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([true, this.previousExecutionDelay.toString()]); - - this.newExecutionDelay = this.previousExecutionDelay - time.duration.days(4); - this.txResponse = await this.manager - .connect(this.admin) - .grantRole(ANOTHER_ROLE, this.user, this.newExecutionDelay); - this.grantTimestamp = await time.clockFromReceipt.timestamp(this.txResponse); - - this.delay = this.previousExecutionDelay - this.newExecutionDelay; // For testAsDelay - }); - - it('emits event', async function () { - await expect(this.txResponse) - .to.emit(this.manager, 'RoleGranted') - .withArgs(ANOTHER_ROLE, this.user, this.newExecutionDelay, this.grantTimestamp + this.delay, false); - }); - - testAsDelay('execution delay effect', { - before: function self() { - self.mineDelay = true; - - it('does not change the execution delay yet', async function () { - // Access is correctly stored - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince - expect(access[1]).to.equal(this.previousExecutionDelay); // currentDelay - expect(access[2]).to.equal(this.newExecutionDelay); // pendingDelay - expect(access[3]).to.equal(this.grantTimestamp + this.delay); // pendingDelayEffect - - // Not in effect yet - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([true, this.previousExecutionDelay.toString()]); - }); - }, - after: function self() { - self.mineDelay = true; - - it('changes the execution delay', async function () { - // Access is correctly stored - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - - expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince - expect(access[1]).to.equal(this.newExecutionDelay); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // pendingDelayEffect - - // Already in effect - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([true, this.newExecutionDelay.toString()]); - }); - }, - }); - }); - }); - }); - }); - - describe('#revokeRole', function () { - describe('restrictions', function () { - beforeEach('set method and args', async function () { - const args = [ANOTHER_ROLE, this.other.address]; - const method = this.manager.interface.getFunction('revokeRole(uint64,address)'); - this.calldata = this.manager.interface.encodeFunctionData(method, args); - - // Need to be set before revoking - await this.manager.$_grantRole(...args, 0, 0); - }); - - shouldBehaveLikeRoleAdminOperation(ANOTHER_ADMIN); - }); - - describe('when role has been granted', function () { - beforeEach('grant role with grant delay', async function () { - this.grantDelay = time.duration.weeks(1); - await this.manager.$_grantRole(ANOTHER_ROLE, this.user, this.grantDelay, 0); - - this.delay = this.grantDelay; // For testAsDelay - }); - - testAsDelay('grant', { - before: function self() { - self.mineDelay = true; - - it('revokes a granted role that will take effect in the future', async function () { - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([false, '0']); - - await expect(this.manager.connect(this.admin).revokeRole(ANOTHER_ROLE, this.user)) - .to.emit(this.manager, 'RoleRevoked') - .withArgs(ANOTHER_ROLE, this.user); - - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([false, '0']); - - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - expect(access[0]).to.equal(0n); // inRoleSince - expect(access[1]).to.equal(0n); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // effect - }); - }, - after: function self() { - self.mineDelay = true; - - it('revokes a granted role that already took effect', async function () { - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([true, '0']); - - await expect(this.manager.connect(this.admin).revokeRole(ANOTHER_ROLE, this.user)) - .to.emit(this.manager, 'RoleRevoked') - .withArgs(ANOTHER_ROLE, this.user); - - await expect( - this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([false, '0']); - - const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); - expect(access[0]).to.equal(0n); // inRoleSince - expect(access[1]).to.equal(0n); // currentDelay - expect(access[2]).to.equal(0n); // pendingDelay - expect(access[3]).to.equal(0n); // effect - }); - }, - }); - }); - - describe('when role has not been granted', function () { - it('has no effect', async function () { - await expect( - this.manager.hasRole(this.roles.SOME.id, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([false, '0']); - await expect(this.manager.connect(this.roleAdmin).revokeRole(this.roles.SOME.id, this.user)).to.not.emit( - this.manager, - 'RoleRevoked', - ); - await expect( - this.manager.hasRole(this.roles.SOME.id, this.user).then(formatAccess), - ).to.eventually.be.deep.equal([false, '0']); - }); - }); - - it('reverts revoking PUBLIC_ROLE', async function () { - await expect(this.manager.connect(this.admin).revokeRole(this.roles.PUBLIC.id, this.user)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') - .withArgs(this.roles.PUBLIC.id); - }); - }); - }); - - describe('self role operations', function () { - describe('#renounceRole', function () { - beforeEach('grant role', async function () { - this.role = { id: 783164n }; - this.caller = this.user; - await this.manager.$_grantRole(this.role.id, this.caller, 0, 0); - }); - - it('renounces a role', async function () { - await expect( - this.manager.hasRole(this.role.id, this.caller).then(formatAccess), - ).to.eventually.be.deep.equal([true, '0']); - await expect(this.manager.connect(this.caller).renounceRole(this.role.id, this.caller)) - .to.emit(this.manager, 'RoleRevoked') - .withArgs(this.role.id, this.caller); - await expect( - this.manager.hasRole(this.role.id, this.caller).then(formatAccess), - ).to.eventually.be.deep.equal([false, '0']); - }); - - it('reverts if renouncing the PUBLIC_ROLE', async function () { - await expect(this.manager.connect(this.caller).renounceRole(this.roles.PUBLIC.id, this.caller)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') - .withArgs(this.roles.PUBLIC.id); - }); - - it('reverts if renouncing with bad caller confirmation', async function () { - await expect( - this.manager.connect(this.caller).renounceRole(this.role.id, this.other), - ).to.be.revertedWithCustomError(this.manager, 'AccessManagerBadConfirmation'); - }); - }); - }); - }); - }); - - describe('access managed self operations', function () { - describe('when calling a restricted target function', function () { - const method = 'fnRestricted()'; - - beforeEach('set required role', async function () { - this.role = { id: 785913n }; - await this.manager.$_setTargetFunctionRole( - this.manager, - this.manager[method].getFragment().selector, - this.role.id, - ); - }); - - describe('restrictions', function () { - beforeEach('set method and args', function () { - this.caller = this.user; - this.calldata = this.manager.interface.encodeFunctionData(method, []); - }); - - shouldBehaveLikeASelfRestrictedOperation(); - }); - - it('succeeds called by a role member', async function () { - await this.manager.$_grantRole(this.role.id, this.user, 0, 0); - - await expect(this.manager.connect(this.user)[method]()) - .to.emit(this.manager, 'CalledRestricted') - .withArgs(this.user); - }); - }); - - describe('when calling a non-restricted target function', function () { - const method = 'fnUnrestricted()'; - - beforeEach('set required role', async function () { - this.role = { id: 879435n }; - await this.manager.$_setTargetFunctionRole( - this.manager, - this.manager[method].getFragment().selector, - this.role.id, - ); - }); - - it('succeeds called by anyone', async function () { - await expect(this.manager.connect(this.user)[method]()) - .to.emit(this.manager, 'CalledUnrestricted') - .withArgs(this.user); - }); - }); - }); - - describe('access managed target operations', function () { - describe('when calling a restricted target function', function () { - const method = 'fnRestricted()'; - - beforeEach('set required role', async function () { - this.role = { id: 3597243n }; - await this.manager.$_setTargetFunctionRole( - this.target, - this.target[method].getFragment().selector, - this.role.id, - ); - }); - - describe('restrictions', function () { - beforeEach('set method and args', function () { - this.caller = this.user; - this.calldata = this.target.interface.encodeFunctionData(method, []); - }); - - shouldBehaveLikeAManagedRestrictedOperation(); - }); - - it('succeeds called by a role member', async function () { - await this.manager.$_grantRole(this.role.id, this.user, 0, 0); - - await expect(this.target.connect(this.user)[method]()) - .to.emit(this.target, 'CalledRestricted') - .withArgs(this.user); - }); - }); - - describe('when calling a non-restricted target function', function () { - const method = 'fnUnrestricted()'; - - beforeEach('set required role', async function () { - this.role = { id: 879435n }; - await this.manager.$_setTargetFunctionRole( - this.target, - this.target[method].getFragment().selector, - this.role.id, - ); - }); - - it('succeeds called by anyone', async function () { - await expect(this.target.connect(this.user)[method]()) - .to.emit(this.target, 'CalledUnrestricted') - .withArgs(this.user); - }); - }); - }); - - describe('#schedule', function () { - beforeEach('set target function role', async function () { - this.method = this.target.fnRestricted.getFragment(); - this.role = { id: 498305n }; - this.caller = this.user; - - await this.manager.$_setTargetFunctionRole(this.target, this.method.selector, this.role.id); - await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // nonzero execution delay - - this.calldata = this.target.interface.encodeFunctionData(this.method, []); - this.delay = time.duration.weeks(2); - }); - - describe('restrictions', function () { - testAsCanCall({ - closed() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - const { schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - await expect(schedule()) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - open: { - callerIsTheManager: { - executing() { - it.skip('is not reachable because schedule is not restrictable'); - }, - notExecuting() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - const { schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - await expect(schedule()) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - }, - callerIsNotTheManager: { - publicRoleIsRequired() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - // prepareOperation is not used here because it alters the next block timestamp - await expect(this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - specificRoleIsRequired: { - requiredRoleIsGranted: { - roleGrantingIsDelayed: { - callerHasAnExecutionDelay: { - beforeGrantDelay() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - // prepareOperation is not used here because it alters the next block timestamp - await expect(this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - afterGrantDelay() { - it('succeeds', async function () { - // prepareOperation is not used here because it alters the next block timestamp - await this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48); - }); - }, - }, - callerHasNoExecutionDelay: { - beforeGrantDelay() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - // prepareOperation is not used here because it alters the next block timestamp - await expect(this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - afterGrantDelay() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - // prepareOperation is not used here because it alters the next block timestamp - await expect(this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - }, - }, - roleGrantingIsNotDelayed: { - callerHasAnExecutionDelay() { - it('succeeds', async function () { - const { schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - - await schedule(); - }); - }, - callerHasNoExecutionDelay() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - // prepareOperation is not used here because it alters the next block timestamp - await expect(this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - }, - }, - requiredRoleIsNotGranted() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - const { schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - await expect(schedule()) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - }, - }, - }, - }); - }); - - it('schedules an operation at the specified execution date if it is larger than caller execution delay', async function () { - const { operationId, scheduledAt, schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - - const txResponse = await schedule(); - - await expect(this.manager.getSchedule(operationId)).to.eventually.equal(scheduledAt + this.delay); - await expect(txResponse) - .to.emit(this.manager, 'OperationScheduled') - .withArgs(operationId, '1', scheduledAt + this.delay, this.caller, this.target, this.calldata); - }); - - it('schedules an operation at the minimum execution date if no specified execution date (when == 0)', async function () { - const executionDelay = await time.duration.hours(72); - await this.manager.$_grantRole(this.role.id, this.caller, 0, executionDelay); - - const txResponse = await this.manager.connect(this.caller).schedule(this.target, this.calldata, 0); - const scheduledAt = await time.clockFromReceipt.timestamp(txResponse); - - const operationId = await this.manager.hashOperation(this.caller, this.target, this.calldata); - - await expect(this.manager.getSchedule(operationId)).to.eventually.equal(scheduledAt + executionDelay); - await expect(txResponse) - .to.emit(this.manager, 'OperationScheduled') - .withArgs(operationId, '1', scheduledAt + executionDelay, this.caller, this.target, this.calldata); - }); - - it('increases the nonce of an operation scheduled more than once', async function () { - // Setup and check initial nonce - const expectedOperationId = hashOperation(this.caller, this.target, this.calldata); - await expect(this.manager.getNonce(expectedOperationId)).to.eventually.equal('0'); - - // Schedule - const op1 = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - await expect(op1.schedule()) - .to.emit(this.manager, 'OperationScheduled') - .withArgs(op1.operationId, 1n, op1.scheduledAt + this.delay, this.caller, this.target, this.calldata); - expect(expectedOperationId).to.equal(op1.operationId); - - // Consume - await time.increaseBy.timestamp(this.delay); - await this.manager.$_consumeScheduledOp(expectedOperationId); - - // Check nonce - await expect(this.manager.getNonce(expectedOperationId)).to.eventually.equal('1'); - - // Schedule again - const op2 = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - await expect(op2.schedule()) - .to.emit(this.manager, 'OperationScheduled') - .withArgs(op2.operationId, 2n, op2.scheduledAt + this.delay, this.caller, this.target, this.calldata); - expect(expectedOperationId).to.equal(op2.operationId); - - // Check final nonce - await expect(this.manager.getNonce(expectedOperationId)).to.eventually.equal('2'); - }); - - it('reverts if the specified execution date is before the current timestamp + caller execution delay', async function () { - const executionDelay = time.duration.weeks(1) + this.delay; - await this.manager.$_grantRole(this.role.id, this.caller, 0, executionDelay); - - const { schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - - await expect(schedule()) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - - it('reverts if an operation is already schedule', async function () { - const op1 = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - - await op1.schedule(); - - const op2 = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.delay, - }); - - await expect(op2.schedule()) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerAlreadyScheduled') - .withArgs(op1.operationId); - }); - - it('panics scheduling calldata with less than 4 bytes', async function () { - const calldata = '0x1234'; // 2 bytes - - // Managed contract - const op1 = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: calldata, - delay: this.delay, - }); - await expect(op1.schedule()).to.be.revertedWithoutReason(); - - // Manager contract - const op2 = await prepareOperation(this.manager, { - caller: this.caller, - target: this.manager, - calldata: calldata, - delay: this.delay, - }); - await expect(op2.schedule()).to.be.revertedWithoutReason(); - }); - - it('reverts scheduling an unknown operation to the manager', async function () { - const calldata = '0x12345678'; - - const { schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.manager, - calldata, - delay: this.delay, - }); - - await expect(schedule()) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.manager, calldata); - }); - }); - - describe('#execute', function () { - beforeEach('set target function role', async function () { - this.method = this.target.fnRestricted.getFragment(); - this.role = { id: 9825430n }; - this.caller = this.user; - - await this.manager.$_setTargetFunctionRole(this.target, this.method.selector, this.role.id); - await this.manager.$_grantRole(this.role.id, this.caller, 0, 0); - - this.calldata = this.target.interface.encodeFunctionData(this.method, []); - }); - - describe('restrictions', function () { - testAsCanCall({ - closed() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - open: { - callerIsTheManager: { - executing() { - it('succeeds', async function () { - await this.manager.connect(this.caller).execute(this.target, this.calldata); - }); - }, - notExecuting() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - }, - callerIsNotTheManager: { - publicRoleIsRequired() { - it('succeeds', async function () { - await this.manager.connect(this.caller).execute(this.target, this.calldata); - }); - }, - specificRoleIsRequired: { - requiredRoleIsGranted: { - roleGrantingIsDelayed: { - callerHasAnExecutionDelay: { - beforeGrantDelay() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - afterGrantDelay: function self() { - self.mineDelay = true; - - beforeEach('define schedule delay', function () { - this.scheduleIn = time.duration.days(21); // For testAsSchedulableOperation - }); - - testAsSchedulableOperation(LIKE_COMMON_SCHEDULABLE); - }, - }, - callerHasNoExecutionDelay: { - beforeGrantDelay() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - afterGrantDelay: function self() { - self.mineDelay = true; - - it('succeeds', async function () { - await this.manager.connect(this.caller).execute(this.target, this.calldata); - }); - }, - }, - }, - roleGrantingIsNotDelayed: { - callerHasAnExecutionDelay() { - beforeEach('define schedule delay', function () { - this.scheduleIn = time.duration.days(15); // For testAsSchedulableOperation - }); - - testAsSchedulableOperation(LIKE_COMMON_SCHEDULABLE); - }, - callerHasNoExecutionDelay() { - it('succeeds', async function () { - await this.manager.connect(this.caller).execute(this.target, this.calldata); - }); - }, - }, - }, - requiredRoleIsNotGranted() { - it('reverts as AccessManagerUnauthorizedCall', async function () { - await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); - }); - }, - }, - }, - }, - }); - }); - - it('executes with a delay consuming the scheduled operation', async function () { - const delay = time.duration.hours(4); - await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // Execution delay is needed so the operation is consumed - - const { operationId, schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay, - }); - await schedule(); - await time.increaseBy.timestamp(delay); - await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) - .to.emit(this.manager, 'OperationExecuted') - .withArgs(operationId, 1n); - - await expect(this.manager.getSchedule(operationId)).to.eventually.equal(0n); - }); - - it('executes with no delay consuming a scheduled operation', async function () { - const delay = time.duration.hours(4); - - // give caller an execution delay - await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); - - const { operationId, schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay, - }); - await schedule(); - - // remove the execution delay - await this.manager.$_grantRole(this.role.id, this.caller, 0, 0); - - await time.increaseBy.timestamp(delay); - await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) - .to.emit(this.manager, 'OperationExecuted') - .withArgs(operationId, 1n); - - await expect(this.manager.getSchedule(operationId)).to.eventually.equal(0n); - }); - - it('keeps the original _executionId after finishing the call', async function () { - const executionIdBefore = await ethers.provider.getStorage(this.manager, EXECUTION_ID_STORAGE_SLOT); - await this.manager.connect(this.caller).execute(this.target, this.calldata); - const executionIdAfter = await ethers.provider.getStorage(this.manager, EXECUTION_ID_STORAGE_SLOT); - expect(executionIdBefore).to.equal(executionIdAfter); - }); - - it('reverts executing twice', async function () { - const delay = time.duration.hours(2); - await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // Execution delay is needed so the operation is consumed - - const { operationId, schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay, - }); - await schedule(); - await time.increaseBy.timestamp(delay); - await this.manager.connect(this.caller).execute(this.target, this.calldata); - await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerNotScheduled') - .withArgs(operationId); - }); - }); - - describe('#consumeScheduledOp', function () { - beforeEach('define scheduling parameters', async function () { - const method = this.target.fnRestricted.getFragment(); - this.caller = await ethers.getSigner(this.target.target); - await impersonate(this.caller.address); - this.calldata = this.target.interface.encodeFunctionData(method, []); - this.role = { id: 9834983n }; - - await this.manager.$_setTargetFunctionRole(this.target, method.selector, this.role.id); - await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // nonzero execution delay - - this.scheduleIn = time.duration.hours(10); // For testAsSchedulableOperation - }); - - describe('when caller is not consuming scheduled operation', function () { - beforeEach('set consuming false', async function () { - await this.target.setIsConsumingScheduledOp(false, ethers.toBeHex(CONSUMING_SCHEDULE_STORAGE_SLOT, 32)); - }); - - it('reverts as AccessManagerUnauthorizedConsume', async function () { - await expect(this.manager.connect(this.caller).consumeScheduledOp(this.caller, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedConsume') - .withArgs(this.caller); - }); - }); - - describe('when caller is consuming scheduled operation', function () { - beforeEach('set consuming true', async function () { - await this.target.setIsConsumingScheduledOp(true, ethers.toBeHex(CONSUMING_SCHEDULE_STORAGE_SLOT, 32)); - }); - - testAsSchedulableOperation({ - scheduled: { - before() { - it('reverts as AccessManagerNotReady', async function () { - await expect(this.manager.connect(this.caller).consumeScheduledOp(this.caller, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerNotReady') - .withArgs(this.operationId); - }); - }, - after() { - it('consumes the scheduled operation and resets timepoint', async function () { - await expect(this.manager.getSchedule(this.operationId)).to.eventually.equal( - this.scheduledAt + this.scheduleIn, - ); - - await expect(this.manager.connect(this.caller).consumeScheduledOp(this.caller, this.calldata)) - .to.emit(this.manager, 'OperationExecuted') - .withArgs(this.operationId, 1n); - await expect(this.manager.getSchedule(this.operationId)).to.eventually.equal(0n); - }); - }, - expired() { - it('reverts as AccessManagerExpired', async function () { - await expect(this.manager.connect(this.caller).consumeScheduledOp(this.caller, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerExpired') - .withArgs(this.operationId); - }); - }, - }, - notScheduled() { - it('reverts as AccessManagerNotScheduled', async function () { - await expect(this.manager.connect(this.caller).consumeScheduledOp(this.caller, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerNotScheduled') - .withArgs(this.operationId); - }); - }, - }); - }); - }); - - describe('#cancelScheduledOp', function () { - beforeEach('setup scheduling', async function () { - this.method = this.target.fnRestricted.getFragment(); - this.caller = this.roles.SOME.members[0]; - await this.manager.$_setTargetFunctionRole(this.target, this.method.selector, this.roles.SOME.id); - await this.manager.$_grantRole(this.roles.SOME.id, this.caller, 0, 1); // nonzero execution delay - - this.calldata = this.target.interface.encodeFunctionData(this.method, []); - this.scheduleIn = time.duration.days(10); // For testAsSchedulableOperation - }); - - testAsSchedulableOperation({ - scheduled: { - before() { - describe('when caller is the scheduler', function () { - it('succeeds', async function () { - await this.manager.connect(this.caller).cancel(this.caller, this.target, this.calldata); - }); - }); - - describe('when caller is an admin', function () { - it('succeeds', async function () { - await this.manager.connect(this.roles.ADMIN.members[0]).cancel(this.caller, this.target, this.calldata); - }); - }); - - describe('when caller is the role guardian', function () { - it('succeeds', async function () { - await this.manager - .connect(this.roles.SOME_GUARDIAN.members[0]) - .cancel(this.caller, this.target, this.calldata); - }); - }); - - describe('when caller is any other account', function () { - it('reverts as AccessManagerUnauthorizedCancel', async function () { - await expect(this.manager.connect(this.other).cancel(this.caller, this.target, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCancel') - .withArgs(this.other, this.caller, this.target, this.method.selector); - }); - }); - }, - after() { - it('succeeds', async function () { - await this.manager.connect(this.caller).cancel(this.caller, this.target, this.calldata); - }); - }, - expired() { - it('succeeds', async function () { - await this.manager.connect(this.caller).cancel(this.caller, this.target, this.calldata); - }); - }, - }, - notScheduled() { - it('reverts as AccessManagerNotScheduled', async function () { - await expect(this.manager.cancel(this.caller, this.target, this.calldata)) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerNotScheduled') - .withArgs(this.operationId); - }); - }, - }); - - it('cancels an operation and resets schedule', async function () { - const { operationId, schedule } = await prepareOperation(this.manager, { - caller: this.caller, - target: this.target, - calldata: this.calldata, - delay: this.scheduleIn, - }); - await schedule(); - await expect(this.manager.connect(this.caller).cancel(this.caller, this.target, this.calldata)) - .to.emit(this.manager, 'OperationCanceled') - .withArgs(operationId, 1n); - await expect(this.manager.getSchedule(operationId)).to.eventually.equal('0'); - }); - }); - - describe('with Ownable target contract', function () { - const roleId = 1n; - - beforeEach(async function () { - this.ownable = await ethers.deployContract('$Ownable', [this.manager]); - - // add user to role - await this.manager.$_grantRole(roleId, this.user, 0, 0); - }); - - it('initial state', async function () { - await expect(this.ownable.owner()).to.eventually.equal(this.manager); - }); - - describe('Contract is closed', function () { - beforeEach(async function () { - await this.manager.$_setTargetClosed(this.ownable, true); - }); - - it('directly call: reverts', async function () { - await expect(this.ownable.connect(this.user).$_checkOwner()) - .to.be.revertedWithCustomError(this.ownable, 'OwnableUnauthorizedAccount') - .withArgs(this.user); - }); - - it('relayed call (with role): reverts', async function () { - await expect( - this.manager.connect(this.user).execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector), - ) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.user, this.ownable, this.ownable.$_checkOwner.getFragment().selector); - }); - - it('relayed call (without role): reverts', async function () { - await expect( - this.manager.connect(this.other).execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector), - ) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.other, this.ownable, this.ownable.$_checkOwner.getFragment().selector); - }); - }); - - describe('Contract is managed', function () { - describe('function is open to specific role', function () { - beforeEach(async function () { - await this.manager.$_setTargetFunctionRole( - this.ownable, - this.ownable.$_checkOwner.getFragment().selector, - roleId, - ); - }); - - it('directly call: reverts', async function () { - await expect(this.ownable.connect(this.user).$_checkOwner()) - .to.be.revertedWithCustomError(this.ownable, 'OwnableUnauthorizedAccount') - .withArgs(this.user); - }); - - it('relayed call (with role): success', async function () { - await this.manager.connect(this.user).execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector); - }); - - it('relayed call (without role): reverts', async function () { - await expect( - this.manager.connect(this.other).execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector), - ) - .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') - .withArgs(this.other, this.ownable, this.ownable.$_checkOwner.getFragment().selector); - }); - }); - - describe('function is open to public role', function () { - beforeEach(async function () { - await this.manager.$_setTargetFunctionRole( - this.ownable, - this.ownable.$_checkOwner.getFragment().selector, - this.roles.PUBLIC.id, - ); - }); - - it('directly call: reverts', async function () { - await expect(this.ownable.connect(this.user).$_checkOwner()) - .to.be.revertedWithCustomError(this.ownable, 'OwnableUnauthorizedAccount') - .withArgs(this.user); - }); - - it('relayed call (with role): success', async function () { - await this.manager.connect(this.user).execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector); - }); - - it('relayed call (without role): success', async function () { - await this.manager - .connect(this.other) - .execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector); - }); - }); - }); - }); -} - -// ============ ENUMERABLE EXTENSION ============ - -/** - * @requires this.{manager,roles,admin,user,other,target,target2} - */ -function shouldBehaveLikeAccessManagerEnumerable() { - describe('enumerating', function () { - const ANOTHER_ROLE = 0xdeadc0de2n; - - describe('role members', function () { - it('role bearers can be enumerated', async function () { - // Grant roles to multiple accounts - await this.manager.connect(this.admin).grantRole(ANOTHER_ROLE, this.user, 0); - await this.manager.connect(this.admin).grantRole(ANOTHER_ROLE, this.other, 0); - await this.manager.connect(this.admin).grantRole(ANOTHER_ROLE, this.admin, 0); - - // Revoke one role - await this.manager.connect(this.admin).revokeRole(ANOTHER_ROLE, this.other); - - const expectedMembers = [this.user.address, this.admin.address]; - - // Test individual enumeration - const memberCount = await this.manager.getRoleMemberCount(ANOTHER_ROLE); - const members = Array.from({ length: Number(memberCount) }, (_, i) => - this.manager.getRoleMember(ANOTHER_ROLE, i), - ); - - expect(memberCount).to.equal(expectedMembers.length); - await expect(Promise.all(members)).to.eventually.deep.equal(expectedMembers); - - // Test batch enumeration - await expect(this.manager.getRoleMembers(ANOTHER_ROLE, 0, ethers.MaxUint256)).to.eventually.deep.equal( - expectedMembers, - ); - }); - - it('role enumeration should be in sync after renounceRole call', async function () { - await this.manager.connect(this.admin).grantRole(ANOTHER_ROLE, this.user, 0); - - await expect(this.manager.getRoleMemberCount(ANOTHER_ROLE)).to.eventually.equal(1); // Only the initial member - await this.manager.connect(this.admin).grantRole(ANOTHER_ROLE, this.admin, 0); - await expect(this.manager.getRoleMemberCount(ANOTHER_ROLE)).to.eventually.equal(2); - await this.manager.connect(this.admin).renounceRole(ANOTHER_ROLE, this.admin); - await expect(this.manager.getRoleMemberCount(ANOTHER_ROLE)).to.eventually.equal(1); - }); - - it('returns empty for roles with no members', async function () { - const roleId = 999n; // Non-existent role - - await expect(this.manager.getRoleMemberCount(roleId)).to.eventually.equal(0); - await expect(this.manager.getRoleMembers(roleId, 0, 10)).to.eventually.deep.equal([]); - }); - - it('supports partial enumeration with start and end parameters', async function () { - // Grant roles to multiple accounts - await this.manager.connect(this.admin).grantRole(ANOTHER_ROLE, this.user, 0); - await this.manager.connect(this.admin).grantRole(ANOTHER_ROLE, this.other, 0); - await this.manager.connect(this.admin).grantRole(ANOTHER_ROLE, this.admin, 0); - - await expect(this.manager.getRoleMemberCount(ANOTHER_ROLE)).to.eventually.equal(3); - - const users = [this.user.address, this.other.address, this.admin.address]; - - // Test partial enumeration - const firstTwo = await this.manager.getRoleMembers(ANOTHER_ROLE, 0, 2); - expect(firstTwo).to.have.lengthOf(2); - expect(users).to.include.members(firstTwo); - - const lastTwo = await this.manager.getRoleMembers(ANOTHER_ROLE, 1, 3); - expect(lastTwo).to.have.lengthOf(2); - expect(users).to.include.members(lastTwo); - }); - }); - - describe('target functions', function () { - it('target functions can be enumerated', async function () { - const roleId = this.roles.SOME.id; - const target = this.target; - const selectors = ['someFunction()', 'anotherFunction(uint256)', 'thirdFunction(address,bool)'].map(selector); - - await this.manager.connect(this.admin).setTargetFunctionRole(target, selectors, roleId); - - const functionCount = await this.manager.getRoleTargetFunctionCount(roleId, target); - const functions = Array.from({ length: Number(functionCount) }, (_, i) => - this.manager.getRoleTargetFunction(roleId, target, i), - ); - - expect(functionCount).to.equal(selectors.length); - await expect(Promise.all(functions)).to.eventually.have.members(selectors); - - // Test batch enumeration - await expect( - this.manager.getRoleTargetFunctions(roleId, target, 0, ethers.MaxUint256), - ).to.eventually.deep.equal(selectors); - }); - - it('target function enumeration updates when roles change', async function () { - const roleId1 = this.roles.SOME.id; - const roleId2 = this.roles.SOME_ADMIN.id; - const target = this.target; - const sel = selector('testFunction()'); - - // Initially assign to roleId1 - await this.manager.connect(this.admin).setTargetFunctionRole(target, [sel], roleId1); - - await expect(this.manager.getRoleTargetFunctionCount(roleId1, target)).to.eventually.equal(1); - await expect(this.manager.getRoleTargetFunctionCount(roleId2, target)).to.eventually.equal(0); - await expect(this.manager.getRoleTargetFunction(roleId1, target, 0)).to.eventually.equal(sel); - - // Reassign to roleId2 - await this.manager.connect(this.admin).setTargetFunctionRole(target, [sel], roleId2); - - await expect(this.manager.getRoleTargetFunctionCount(roleId1, target)).to.eventually.equal(0); - await expect(this.manager.getRoleTargetFunctionCount(roleId2, target)).to.eventually.equal(1); - await expect(this.manager.getRoleTargetFunction(roleId2, target, 0)).to.eventually.equal(sel); - }); - - it('returns empty for ADMIN_ROLE target functions', async function () { - const target = this.target; - const sel = selector('adminFunction()'); - - // Set function to ADMIN_ROLE (default behavior) - await this.manager.connect(this.admin).setTargetFunctionRole(target, [sel], this.roles.ADMIN.id); - - // ADMIN_ROLE functions are not tracked - await expect(this.manager.getRoleTargetFunctionCount(this.roles.ADMIN.id, target)).to.eventually.equal(0); - await expect( - this.manager.getRoleTargetFunctions(this.roles.ADMIN.id, target, 0, ethers.MaxUint256), - ).to.eventually.deep.equal([]); - }); - - it('returns empty for roles with no target functions', async function () { - const roleId = 888n; // Role with no functions - const target = this.target; - - await expect(this.manager.getRoleTargetFunctionCount(roleId, target)).to.eventually.equal(0); - await expect( - this.manager.getRoleTargetFunctions(roleId, target, 0, ethers.MaxUint256), - ).to.eventually.deep.equal([]); - }); - - it('supports partial enumeration of target functions', async function () { - const roleId = this.roles.SOME.id; - const target = this.target; - const selectors = ['func1()', 'func2()', 'func3()', 'func4()'].map(selector); - - await this.manager.connect(this.admin).setTargetFunctionRole(target, selectors, roleId); - - await expect(this.manager.getRoleTargetFunctionCount(roleId, target)).to.eventually.equal(4); - - // Test partial enumeration - const firstTwo = await this.manager.getRoleTargetFunctions(roleId, target, 0, 2); - expect(firstTwo).to.have.lengthOf(2); - expect(selectors).to.include.members(firstTwo); - - const lastTwo = await this.manager.getRoleTargetFunctions(roleId, target, 2, 4); - expect(lastTwo).to.have.lengthOf(2); - expect(selectors).to.include.members(firstTwo); - - // Verify no overlap and complete coverage - expect([].concat(firstTwo, lastTwo)).to.have.members(selectors); - }); - - it('distinguishes between different targets', async function () { - const roleId = this.roles.SOME.id; - const target1 = this.target; - const target2 = this.target2; - const sel1 = selector('target1Function()'); - const sel2 = selector('target2Function()'); - - // Set different functions for the same role on different targets - await this.manager.connect(this.admin).setTargetFunctionRole(target1, [sel1], roleId); - await this.manager.connect(this.admin).setTargetFunctionRole(target2, [sel2], roleId); - - // Each target should have its own function tracked - await expect(this.manager.getRoleTargetFunctionCount(roleId, target1)).to.eventually.equal(1); - await expect(this.manager.getRoleTargetFunctionCount(roleId, target2)).to.eventually.equal(1); - - await expect(this.manager.getRoleTargetFunction(roleId, target1, 0)).to.eventually.equal(sel1); - await expect(this.manager.getRoleTargetFunction(roleId, target2, 0)).to.eventually.equal(sel2); - - // Functions should be isolated per target - await expect( - this.manager.getRoleTargetFunctions(roleId, target1, 0, ethers.MaxUint256), - ).to.eventually.deep.equal([sel1]); - await expect( - this.manager.getRoleTargetFunctions(roleId, target2, 0, ethers.MaxUint256), - ).to.eventually.deep.equal([sel2]); - }); - }); - }); -} - module.exports = { shouldBehaveLikeDelayedAdminOperation, shouldBehaveLikeNotDelayedAdminOperation, shouldBehaveLikeRoleAdminOperation, shouldBehaveLikeAManagedRestrictedOperation, shouldBehaveLikeASelfRestrictedOperation, - shouldBehaveLikeAccessManager, - shouldBehaveLikeAccessManagerEnumerable, }; diff --git a/test/access/manager/AccessManager.test.js b/test/access/manager/AccessManager.test.js index 9eed99ee713..7726831b268 100644 --- a/test/access/manager/AccessManager.test.js +++ b/test/access/manager/AccessManager.test.js @@ -1,7 +1,40 @@ const { ethers } = require('hardhat'); +const { expect } = require('chai'); const { loadFixture } = require('@nomicfoundation/hardhat-network-helpers'); -const { buildBaseRoles } = require('../../helpers/access-manager'); -const { shouldBehaveLikeAccessManager } = require('./AccessManager.behavior'); + +const { impersonate } = require('../../helpers/account'); +const { MAX_UINT48 } = require('../../helpers/constants'); +const { selector } = require('../../helpers/methods'); +const time = require('../../helpers/time'); + +const { + buildBaseRoles, + formatAccess, + EXPIRATION, + MINSETBACK, + EXECUTION_ID_STORAGE_SLOT, + CONSUMING_SCHEDULE_STORAGE_SLOT, + prepareOperation, + hashOperation, +} = require('../../helpers/access-manager'); + +const { + shouldBehaveLikeDelayedAdminOperation, + shouldBehaveLikeNotDelayedAdminOperation, + shouldBehaveLikeRoleAdminOperation, + shouldBehaveLikeAManagedRestrictedOperation, + shouldBehaveLikeASelfRestrictedOperation, +} = require('./AccessManager.behavior'); + +const { + LIKE_COMMON_SCHEDULABLE, + testAsClosable, + testAsDelay, + testAsSchedulableOperation, + testAsCanCall, + testAsHasRole, + testAsGetAccess, +} = require('./AccessManager.predicate'); async function fixture() { const [admin, roleAdmin, roleGuardian, member, user, other] = await ethers.getSigners(); @@ -50,10 +83,2407 @@ async function fixture() { }; } +// This test suite is made using the following tools: +// +// * Predicates: Functions with common conditional setups without assertions. +// * Behaviors: Functions with common assertions. +// +// The behavioral tests are built by composing predicates and are used as templates +// for testing access to restricted functions. +// +// Similarly, unit tests in this suite will use predicates to test subsets of these +// behaviors and are helped by common assertions provided for some of the predicates. +// +// The predicates can be identified by the `testAs*` prefix while the behaviors +// are prefixed with `shouldBehave*`. The common assertions for predicates are +// defined as constants. describe('AccessManager', function () { beforeEach(async function () { Object.assign(this, await loadFixture(fixture)); }); - shouldBehaveLikeAccessManager(); + describe('during construction', function () { + it('grants admin role to initialAdmin', async function () { + const manager = await ethers.deployContract('$AccessManager', [this.other]); + expect(await manager.hasRole(this.roles.ADMIN.id, this.other).then(formatAccess)).to.be.deep.equal([true, '0']); + }); + + it('rejects zero address for initialAdmin', async function () { + await expect(ethers.deployContract('$AccessManager', [ethers.ZeroAddress])) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerInvalidInitialAdmin') + .withArgs(ethers.ZeroAddress); + }); + + it('initializes setup roles correctly', async function () { + for (const { id: roleId, admin, guardian, members } of Object.values(this.roles)) { + expect(await this.manager.getRoleAdmin(roleId)).to.equal(admin.id); + expect(await this.manager.getRoleGuardian(roleId)).to.equal(guardian.id); + + for (const user of this.roles.PUBLIC.members) { + expect(await this.manager.hasRole(roleId, user).then(formatAccess)).to.be.deep.equal([ + members.includes(user), + '0', + ]); + } + } + }); + }); + + describe('getters', function () { + describe('#canCall', function () { + beforeEach('set calldata', function () { + this.calldata = '0x12345678'; + this.role = { id: 379204n }; + }); + + testAsCanCall({ + closed() { + it('should return false and no delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.other, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.false; + expect(delay).to.equal(0n); + }); + }, + open: { + callerIsTheManager: { + executing() { + it('should return true and no delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.true; + expect(delay).to.equal(0n); + }); + }, + notExecuting() { + it('should return false and no delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.false; + expect(delay).to.equal(0n); + }); + }, + }, + callerIsNotTheManager: { + publicRoleIsRequired() { + it('should return true and no delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.true; + expect(delay).to.equal(0n); + }); + }, + specificRoleIsRequired: { + requiredRoleIsGranted: { + roleGrantingIsDelayed: { + callerHasAnExecutionDelay: { + beforeGrantDelay: function self() { + self.mineDelay = true; + + it('should return false and no execution delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.false; + expect(delay).to.equal(0n); + }); + }, + afterGrantDelay: function self() { + self.mineDelay = true; + + beforeEach('sets execution delay', function () { + this.scheduleIn = this.executionDelay; // For testAsSchedulableOperation + }); + + testAsSchedulableOperation({ + scheduled: { + before: function self() { + self.mineDelay = true; + + it('should return false and execution delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.false; + expect(delay).to.equal(this.executionDelay); + }); + }, + after: function self() { + self.mineDelay = true; + + it('should return false and execution delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.false; + expect(delay).to.equal(this.executionDelay); + }); + }, + expired: function self() { + self.mineDelay = true; + + it('should return false and execution delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.false; + expect(delay).to.equal(this.executionDelay); + }); + }, + }, + notScheduled() { + it('should return false and execution delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.false; + expect(delay).to.equal(this.executionDelay); + }); + }, + }); + }, + }, + callerHasNoExecutionDelay: { + beforeGrantDelay: function self() { + self.mineDelay = true; + + it('should return false and no execution delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.false; + expect(delay).to.equal(0n); + }); + }, + afterGrantDelay: function self() { + self.mineDelay = true; + + it('should return true and no execution delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.true; + expect(delay).to.equal(0n); + }); + }, + }, + }, + roleGrantingIsNotDelayed: { + callerHasAnExecutionDelay() { + it('should return false and execution delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.false; + expect(delay).to.equal(this.executionDelay); + }); + }, + callerHasNoExecutionDelay() { + it('should return true and no execution delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.true; + expect(delay).to.equal(0n); + }); + }, + }, + }, + requiredRoleIsNotGranted() { + it('should return false and no execution delay', async function () { + const { immediate, delay } = await this.manager.canCall( + this.caller, + this.target, + this.calldata.substring(0, 10), + ); + expect(immediate).to.be.false; + expect(delay).to.equal(0n); + }); + }, + }, + }, + }, + }); + }); + + describe('#expiration', function () { + it('has a 7 days default expiration', async function () { + expect(await this.manager.expiration()).to.equal(EXPIRATION); + }); + }); + + describe('#minSetback', function () { + it('has a 5 days default minimum setback', async function () { + expect(await this.manager.minSetback()).to.equal(MINSETBACK); + }); + }); + + describe('#isTargetClosed', function () { + testAsClosable({ + closed() { + it('returns true', async function () { + expect(await this.manager.isTargetClosed(this.target)).to.be.true; + }); + }, + open() { + it('returns false', async function () { + expect(await this.manager.isTargetClosed(this.target)).to.be.false; + }); + }, + }); + }); + + describe('#getTargetFunctionRole', function () { + const methodSelector = selector('something(address,bytes)'); + + it('returns the target function role', async function () { + const roleId = 21498n; + await this.manager.$_setTargetFunctionRole(this.target, methodSelector, roleId); + + expect(await this.manager.getTargetFunctionRole(this.target, methodSelector)).to.equal(roleId); + }); + + it('returns the ADMIN role if not set', async function () { + expect(await this.manager.getTargetFunctionRole(this.target, methodSelector)).to.equal(this.roles.ADMIN.id); + }); + }); + + describe('#getTargetAdminDelay', function () { + describe('when the target admin delay is setup', function () { + beforeEach('set target admin delay', async function () { + this.oldDelay = await this.manager.getTargetAdminDelay(this.target); + this.newDelay = time.duration.days(10); + + await this.manager.$_setTargetAdminDelay(this.target, this.newDelay); + this.delay = MINSETBACK; // For testAsDelay + }); + + testAsDelay('effect', { + before: function self() { + self.mineDelay = true; + + it('returns the old target admin delay', async function () { + expect(await this.manager.getTargetAdminDelay(this.target)).to.equal(this.oldDelay); + }); + }, + after: function self() { + self.mineDelay = true; + + it('returns the new target admin delay', async function () { + expect(await this.manager.getTargetAdminDelay(this.target)).to.equal(this.newDelay); + }); + }, + }); + }); + + it('returns the 0 if not set', async function () { + expect(await this.manager.getTargetAdminDelay(this.target)).to.equal(0n); + }); + }); + + describe('#getRoleAdmin', function () { + const roleId = 5234907n; + + it('returns the role admin', async function () { + const adminId = 789433n; + + await this.manager.$_setRoleAdmin(roleId, adminId); + + expect(await this.manager.getRoleAdmin(roleId)).to.equal(adminId); + }); + + it('returns the ADMIN role if not set', async function () { + expect(await this.manager.getRoleAdmin(roleId)).to.equal(this.roles.ADMIN.id); + }); + }); + + describe('#getRoleGuardian', function () { + const roleId = 5234907n; + + it('returns the role guardian', async function () { + const guardianId = 789433n; + + await this.manager.$_setRoleGuardian(roleId, guardianId); + + expect(await this.manager.getRoleGuardian(roleId)).to.equal(guardianId); + }); + + it('returns the ADMIN role if not set', async function () { + expect(await this.manager.getRoleGuardian(roleId)).to.equal(this.roles.ADMIN.id); + }); + }); + + describe('#getRoleGrantDelay', function () { + const roleId = 9248439n; + + describe('when the grant admin delay is setup', function () { + beforeEach('set grant admin delay', async function () { + this.oldDelay = await this.manager.getRoleGrantDelay(roleId); + this.newDelay = time.duration.days(11); + + await this.manager.$_setGrantDelay(roleId, this.newDelay); + this.delay = MINSETBACK; // For testAsDelay + }); + + testAsDelay('grant', { + before: function self() { + self.mineDelay = true; + + it('returns the old role grant delay', async function () { + expect(await this.manager.getRoleGrantDelay(roleId)).to.equal(this.oldDelay); + }); + }, + after: function self() { + self.mineDelay = true; + + it('returns the new role grant delay', async function () { + expect(await this.manager.getRoleGrantDelay(roleId)).to.equal(this.newDelay); + }); + }, + }); + }); + + it('returns 0 if delay is not set', async function () { + expect(await this.manager.getTargetAdminDelay(this.target)).to.equal(0n); + }); + }); + + describe('#getAccess', function () { + beforeEach('set role', function () { + this.role = { id: 9452n }; + this.caller = this.user; + }); + + testAsGetAccess({ + requiredRoleIsGranted: { + roleGrantingIsDelayed: { + callerHasAnExecutionDelay: { + beforeGrantDelay: function self() { + self.mineDelay = true; + + it('role is not in effect and execution delay is set', async function () { + const access = await this.manager.getAccess(this.role.id, this.caller); + expect(access[0]).to.equal(this.delayEffect); // inEffectSince + expect(access[1]).to.equal(this.executionDelay); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Not in effect yet + expect(await time.clock.timestamp()).to.lt(access[0]); + }); + }, + afterGrantDelay: function self() { + self.mineDelay = true; + + it('access has role in effect and execution delay is set', async function () { + const access = await this.manager.getAccess(this.role.id, this.caller); + + expect(access[0]).to.equal(this.delayEffect); // inEffectSince + expect(access[1]).to.equal(this.executionDelay); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Already in effect + expect(await time.clock.timestamp()).to.equal(access[0]); + }); + }, + }, + callerHasNoExecutionDelay: { + beforeGrantDelay: function self() { + self.mineDelay = true; + + it('access has role not in effect without execution delay', async function () { + const access = await this.manager.getAccess(this.role.id, this.caller); + expect(access[0]).to.equal(this.delayEffect); // inEffectSince + expect(access[1]).to.equal(0n); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Not in effect yet + expect(await time.clock.timestamp()).to.lt(access[0]); + }); + }, + afterGrantDelay: function self() { + self.mineDelay = true; + + it('role is in effect without execution delay', async function () { + const access = await this.manager.getAccess(this.role.id, this.caller); + expect(access[0]).to.equal(this.delayEffect); // inEffectSince + expect(access[1]).to.equal(0n); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Already in effect + expect(await time.clock.timestamp()).to.equal(access[0]); + }); + }, + }, + }, + roleGrantingIsNotDelayed: { + callerHasAnExecutionDelay() { + it('access has role in effect and execution delay is set', async function () { + const access = await this.manager.getAccess(this.role.id, this.caller); + expect(access[0]).to.equal(await time.clock.timestamp()); // inEffectSince + expect(access[1]).to.equal(this.executionDelay); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Already in effect + expect(await time.clock.timestamp()).to.equal(access[0]); + }); + }, + callerHasNoExecutionDelay() { + it('access has role in effect without execution delay', async function () { + const access = await this.manager.getAccess(this.role.id, this.caller); + expect(access[0]).to.equal(await time.clock.timestamp()); // inEffectSince + expect(access[1]).to.equal(0n); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Already in effect + expect(await time.clock.timestamp()).to.equal(access[0]); + }); + }, + }, + }, + requiredRoleIsNotGranted() { + it('has empty access', async function () { + const access = await this.manager.getAccess(this.role.id, this.caller); + expect(access[0]).to.equal(0n); // inEffectSince + expect(access[1]).to.equal(0n); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + }); + }, + }); + }); + + describe('#hasRole', function () { + beforeEach('setup testAsHasRole', function () { + this.role = { id: 49832n }; + this.calldata = '0x12345678'; + this.caller = this.user; + }); + + testAsHasRole({ + publicRoleIsRequired() { + it('has PUBLIC role', async function () { + const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); + expect(isMember).to.be.true; + expect(executionDelay).to.equal('0'); + }); + }, + specificRoleIsRequired: { + requiredRoleIsGranted: { + roleGrantingIsDelayed: { + callerHasAnExecutionDelay: { + beforeGrantDelay: function self() { + self.mineDelay = true; + + it('does not have role but execution delay', async function () { + const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); + expect(isMember).to.be.false; + expect(executionDelay).to.equal(this.executionDelay); + }); + }, + afterGrantDelay: function self() { + self.mineDelay = true; + + it('has role and execution delay', async function () { + const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); + expect(isMember).to.be.true; + expect(executionDelay).to.equal(this.executionDelay); + }); + }, + }, + callerHasNoExecutionDelay: { + beforeGrantDelay: function self() { + self.mineDelay = true; + + it('does not have role nor execution delay', async function () { + const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); + expect(isMember).to.be.false; + expect(executionDelay).to.equal('0'); + }); + }, + afterGrantDelay: function self() { + self.mineDelay = true; + + it('has role and no execution delay', async function () { + const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); + expect(isMember).to.be.true; + expect(executionDelay).to.equal('0'); + }); + }, + }, + }, + roleGrantingIsNotDelayed: { + callerHasAnExecutionDelay() { + it('has role and execution delay', async function () { + const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); + expect(isMember).to.be.true; + expect(executionDelay).to.equal(this.executionDelay); + }); + }, + callerHasNoExecutionDelay() { + it('has role and no execution delay', async function () { + const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); + expect(isMember).to.be.true; + expect(executionDelay).to.equal('0'); + }); + }, + }, + }, + requiredRoleIsNotGranted() { + it('has no role and no execution delay', async function () { + const { isMember, executionDelay } = await this.manager.hasRole(this.role.id, this.caller); + expect(isMember).to.be.false; + expect(executionDelay).to.equal('0'); + }); + }, + }, + }); + }); + + describe('#getSchedule', function () { + beforeEach('set role and calldata', async function () { + const fnRestricted = this.target.fnRestricted.getFragment().selector; + this.caller = this.user; + this.role = { id: 493590n }; + await this.manager.$_setTargetFunctionRole(this.target, fnRestricted, this.role.id); + await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // nonzero execution delay + + this.calldata = this.target.interface.encodeFunctionData(fnRestricted, []); + this.scheduleIn = time.duration.days(10); // For testAsSchedulableOperation + }); + + testAsSchedulableOperation({ + scheduled: { + before: function self() { + self.mineDelay = true; + + it('returns schedule in the future', async function () { + const schedule = await this.manager.getSchedule(this.operationId); + expect(schedule).to.equal(this.scheduledAt + this.scheduleIn); + expect(schedule).to.gt(await time.clock.timestamp()); + }); + }, + after: function self() { + self.mineDelay = true; + + it('returns schedule', async function () { + const schedule = await this.manager.getSchedule(this.operationId); + expect(schedule).to.equal(this.scheduledAt + this.scheduleIn); + expect(schedule).to.equal(await time.clock.timestamp()); + }); + }, + expired: function self() { + self.mineDelay = true; + + it('returns 0', async function () { + expect(await this.manager.getSchedule(this.operationId)).to.equal(0n); + }); + }, + }, + notScheduled() { + it('defaults to 0', async function () { + expect(await this.manager.getSchedule(this.operationId)).to.equal(0n); + }); + }, + }); + }); + + describe('#getNonce', function () { + describe('when operation is scheduled', function () { + beforeEach('schedule operation', async function () { + const fnRestricted = this.target.fnRestricted.getFragment().selector; + this.caller = this.user; + this.role = { id: 4209043n }; + await this.manager.$_setTargetFunctionRole(this.target, fnRestricted, this.role.id); + await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // nonzero execution delay + + this.calldata = this.target.interface.encodeFunctionData(fnRestricted, []); + this.delay = time.duration.days(10); + + const { operationId, schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + await schedule(); + this.operationId = operationId; + }); + + it('returns nonce', async function () { + expect(await this.manager.getNonce(this.operationId)).to.equal(1n); + }); + }); + + describe('when is not scheduled', function () { + it('returns default 0', async function () { + expect(await this.manager.getNonce(ethers.id('operation'))).to.equal(0n); + }); + }); + }); + + describe('#hashOperation', function () { + it('returns an operationId', async function () { + const args = [this.user, this.other, '0x123543']; + expect(await this.manager.hashOperation(...args)).to.equal(hashOperation(...args)); + }); + }); + }); + + describe('admin operations', function () { + beforeEach('set required role', function () { + this.role = this.roles.ADMIN; + }); + + describe('subject to a delay', function () { + describe('#labelRole', function () { + describe('restrictions', function () { + beforeEach('set method and args', function () { + const args = [123443, 'TEST']; + const method = this.manager.interface.getFunction('labelRole(uint64,string)'); + this.calldata = this.manager.interface.encodeFunctionData(method, args); + }); + + shouldBehaveLikeDelayedAdminOperation(); + }); + + it('emits an event with the label', async function () { + await expect(this.manager.connect(this.admin).labelRole(this.roles.SOME.id, 'Some label')) + .to.emit(this.manager, 'RoleLabel') + .withArgs(this.roles.SOME.id, 'Some label'); + }); + + it('updates label on a second call', async function () { + await this.manager.connect(this.admin).labelRole(this.roles.SOME.id, 'Some label'); + + await expect(this.manager.connect(this.admin).labelRole(this.roles.SOME.id, 'Updated label')) + .to.emit(this.manager, 'RoleLabel') + .withArgs(this.roles.SOME.id, 'Updated label'); + }); + + it('reverts labeling PUBLIC_ROLE', async function () { + await expect(this.manager.connect(this.admin).labelRole(this.roles.PUBLIC.id, 'Some label')) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') + .withArgs(this.roles.PUBLIC.id); + }); + + it('reverts labeling ADMIN_ROLE', async function () { + await expect(this.manager.connect(this.admin).labelRole(this.roles.ADMIN.id, 'Some label')) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') + .withArgs(this.roles.ADMIN.id); + }); + }); + + describe('#setRoleAdmin', function () { + describe('restrictions', function () { + beforeEach('set method and args', function () { + const args = [93445, 84532]; + const method = this.manager.interface.getFunction('setRoleAdmin(uint64,uint64)'); + this.calldata = this.manager.interface.encodeFunctionData(method, args); + }); + + shouldBehaveLikeDelayedAdminOperation(); + }); + + it("sets any role's admin if called by an admin", async function () { + expect(await this.manager.getRoleAdmin(this.roles.SOME.id)).to.equal(this.roles.SOME_ADMIN.id); + + await expect(this.manager.connect(this.admin).setRoleAdmin(this.roles.SOME.id, this.roles.ADMIN.id)) + .to.emit(this.manager, 'RoleAdminChanged') + .withArgs(this.roles.SOME.id, this.roles.ADMIN.id); + + expect(await this.manager.getRoleAdmin(this.roles.SOME.id)).to.equal(this.roles.ADMIN.id); + }); + + it('reverts setting PUBLIC_ROLE admin', async function () { + await expect(this.manager.connect(this.admin).setRoleAdmin(this.roles.PUBLIC.id, this.roles.ADMIN.id)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') + .withArgs(this.roles.PUBLIC.id); + }); + + it('reverts setting ADMIN_ROLE admin', async function () { + await expect(this.manager.connect(this.admin).setRoleAdmin(this.roles.ADMIN.id, this.roles.ADMIN.id)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') + .withArgs(this.roles.ADMIN.id); + }); + }); + + describe('#setRoleGuardian', function () { + describe('restrictions', function () { + beforeEach('set method and args', function () { + const args = [93445, 84532]; + const method = this.manager.interface.getFunction('setRoleGuardian(uint64,uint64)'); + this.calldata = this.manager.interface.encodeFunctionData(method, args); + }); + + shouldBehaveLikeDelayedAdminOperation(); + }); + + it("sets any role's guardian if called by an admin", async function () { + expect(await this.manager.getRoleGuardian(this.roles.SOME.id)).to.equal(this.roles.SOME_GUARDIAN.id); + + await expect(this.manager.connect(this.admin).setRoleGuardian(this.roles.SOME.id, this.roles.ADMIN.id)) + .to.emit(this.manager, 'RoleGuardianChanged') + .withArgs(this.roles.SOME.id, this.roles.ADMIN.id); + + expect(await this.manager.getRoleGuardian(this.roles.SOME.id)).to.equal(this.roles.ADMIN.id); + }); + + it('reverts setting PUBLIC_ROLE admin', async function () { + await expect(this.manager.connect(this.admin).setRoleGuardian(this.roles.PUBLIC.id, this.roles.ADMIN.id)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') + .withArgs(this.roles.PUBLIC.id); + }); + + it('reverts setting ADMIN_ROLE admin', async function () { + await expect(this.manager.connect(this.admin).setRoleGuardian(this.roles.ADMIN.id, this.roles.ADMIN.id)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') + .withArgs(this.roles.ADMIN.id); + }); + }); + + describe('#setGrantDelay', function () { + describe('restrictions', function () { + beforeEach('set method and args', function () { + const args = [984910, time.duration.days(2)]; + const method = this.manager.interface.getFunction('setGrantDelay(uint64,uint32)'); + this.calldata = this.manager.interface.encodeFunctionData(method, args); + }); + + shouldBehaveLikeDelayedAdminOperation(); + }); + + it('reverts setting grant delay for the PUBLIC_ROLE', async function () { + await expect(this.manager.connect(this.admin).setGrantDelay(this.roles.PUBLIC.id, 69n)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') + .withArgs(this.roles.PUBLIC.id); + }); + + describe('when increasing the delay', function () { + const oldDelay = 10n; + const newDelay = 100n; + + beforeEach('sets old delay', async function () { + this.role = this.roles.SOME; + await this.manager.$_setGrantDelay(this.role.id, oldDelay); + await time.increaseBy.timestamp(MINSETBACK); + expect(await this.manager.getRoleGrantDelay(this.role.id)).to.equal(oldDelay); + }); + + it('increases the delay after minsetback', async function () { + const txResponse = await this.manager.connect(this.admin).setGrantDelay(this.role.id, newDelay); + const setGrantDelayAt = await time.clockFromReceipt.timestamp(txResponse); + await expect(txResponse) + .to.emit(this.manager, 'RoleGrantDelayChanged') + .withArgs(this.role.id, newDelay, setGrantDelayAt + MINSETBACK); + + expect(await this.manager.getRoleGrantDelay(this.role.id)).to.equal(oldDelay); + await time.increaseBy.timestamp(MINSETBACK); + expect(await this.manager.getRoleGrantDelay(this.role.id)).to.equal(newDelay); + }); + }); + + describe('when reducing the delay', function () { + const oldDelay = time.duration.days(10); + + beforeEach('sets old delay', async function () { + this.role = this.roles.SOME; + await this.manager.$_setGrantDelay(this.role.id, oldDelay); + await time.increaseBy.timestamp(MINSETBACK); + expect(await this.manager.getRoleGrantDelay(this.role.id)).to.equal(oldDelay); + }); + + describe('when the delay difference is shorter than minimum setback', function () { + const newDelay = oldDelay - 1n; + + it('increases the delay after minsetback', async function () { + const txResponse = await this.manager.connect(this.admin).setGrantDelay(this.role.id, newDelay); + const setGrantDelayAt = await time.clockFromReceipt.timestamp(txResponse); + await expect(txResponse) + .to.emit(this.manager, 'RoleGrantDelayChanged') + .withArgs(this.role.id, newDelay, setGrantDelayAt + MINSETBACK); + + expect(await this.manager.getRoleGrantDelay(this.role.id)).to.equal(oldDelay); + await time.increaseBy.timestamp(MINSETBACK); + expect(await this.manager.getRoleGrantDelay(this.role.id)).to.equal(newDelay); + }); + }); + + describe('when the delay difference is longer than minimum setback', function () { + const newDelay = 1n; + + beforeEach('assert delay difference is higher than minsetback', function () { + expect(oldDelay - newDelay).to.gt(MINSETBACK); + }); + + it('increases the delay after delay difference', async function () { + const setback = oldDelay - newDelay; + + const txResponse = await this.manager.connect(this.admin).setGrantDelay(this.role.id, newDelay); + const setGrantDelayAt = await time.clockFromReceipt.timestamp(txResponse); + + await expect(txResponse) + .to.emit(this.manager, 'RoleGrantDelayChanged') + .withArgs(this.role.id, newDelay, setGrantDelayAt + setback); + + expect(await this.manager.getRoleGrantDelay(this.role.id)).to.equal(oldDelay); + await time.increaseBy.timestamp(setback); + expect(await this.manager.getRoleGrantDelay(this.role.id)).to.equal(newDelay); + }); + }); + }); + }); + + describe('#setTargetAdminDelay', function () { + describe('restrictions', function () { + beforeEach('set method and args', function () { + const args = [this.other.address, time.duration.days(3)]; + const method = this.manager.interface.getFunction('setTargetAdminDelay(address,uint32)'); + this.calldata = this.manager.interface.encodeFunctionData(method, args); + }); + + shouldBehaveLikeDelayedAdminOperation(); + }); + + describe('when increasing the delay', function () { + const oldDelay = time.duration.days(10); + const newDelay = time.duration.days(11); + + beforeEach('sets old delay', async function () { + await this.manager.$_setTargetAdminDelay(this.other, oldDelay); + await time.increaseBy.timestamp(MINSETBACK); + expect(await this.manager.getTargetAdminDelay(this.other)).to.equal(oldDelay); + }); + + it('increases the delay after minsetback', async function () { + const txResponse = await this.manager.connect(this.admin).setTargetAdminDelay(this.other, newDelay); + const setTargetAdminDelayAt = await time.clockFromReceipt.timestamp(txResponse); + await expect(txResponse) + .to.emit(this.manager, 'TargetAdminDelayUpdated') + .withArgs(this.other, newDelay, setTargetAdminDelayAt + MINSETBACK); + + expect(await this.manager.getTargetAdminDelay(this.other)).to.equal(oldDelay); + await time.increaseBy.timestamp(MINSETBACK); + expect(await this.manager.getTargetAdminDelay(this.other)).to.equal(newDelay); + }); + }); + + describe('when reducing the delay', function () { + const oldDelay = time.duration.days(10); + + beforeEach('sets old delay', async function () { + await this.manager.$_setTargetAdminDelay(this.other, oldDelay); + await time.increaseBy.timestamp(MINSETBACK); + expect(await this.manager.getTargetAdminDelay(this.other)).to.equal(oldDelay); + }); + + describe('when the delay difference is shorter than minimum setback', function () { + const newDelay = oldDelay - 1n; + + it('increases the delay after minsetback', async function () { + const txResponse = await this.manager.connect(this.admin).setTargetAdminDelay(this.other, newDelay); + const setTargetAdminDelayAt = await time.clockFromReceipt.timestamp(txResponse); + await expect(txResponse) + .to.emit(this.manager, 'TargetAdminDelayUpdated') + .withArgs(this.other, newDelay, setTargetAdminDelayAt + MINSETBACK); + + expect(await this.manager.getTargetAdminDelay(this.other)).to.equal(oldDelay); + await time.increaseBy.timestamp(MINSETBACK); + expect(await this.manager.getTargetAdminDelay(this.other)).to.equal(newDelay); + }); + }); + + describe('when the delay difference is longer than minimum setback', function () { + const newDelay = 1n; + + beforeEach('assert delay difference is higher than minsetback', function () { + expect(oldDelay - newDelay).to.gt(MINSETBACK); + }); + + it('increases the delay after delay difference', async function () { + const setback = oldDelay - newDelay; + + const txResponse = await this.manager.connect(this.admin).setTargetAdminDelay(this.other, newDelay); + const setTargetAdminDelayAt = await time.clockFromReceipt.timestamp(txResponse); + + await expect(txResponse) + .to.emit(this.manager, 'TargetAdminDelayUpdated') + .withArgs(this.other, newDelay, setTargetAdminDelayAt + setback); + + expect(await this.manager.getTargetAdminDelay(this.other)).to.equal(oldDelay); + await time.increaseBy.timestamp(setback); + expect(await this.manager.getTargetAdminDelay(this.other)).to.equal(newDelay); + }); + }); + }); + }); + }); + + describe('not subject to a delay', function () { + describe('#updateAuthority', function () { + beforeEach('create a target and a new authority', async function () { + this.newAuthority = await ethers.deployContract('$AccessManager', [this.admin]); + this.newManagedTarget = await ethers.deployContract('$AccessManagedTarget', [this.manager]); + }); + + describe('restrictions', function () { + beforeEach('set method and args', function () { + this.calldata = this.manager.interface.encodeFunctionData('updateAuthority(address,address)', [ + this.newManagedTarget.target, + this.newAuthority.target, + ]); + }); + + shouldBehaveLikeNotDelayedAdminOperation(); + }); + + it('changes the authority', async function () { + expect(await this.newManagedTarget.authority()).to.equal(this.manager); + + await expect(this.manager.connect(this.admin).updateAuthority(this.newManagedTarget, this.newAuthority)) + .to.emit(this.newManagedTarget, 'AuthorityUpdated') // Managed contract is responsible of notifying the change through an event + .withArgs(this.newAuthority); + + expect(await this.newManagedTarget.authority()).to.equal(this.newAuthority); + }); + }); + + describe('#setTargetClosed', function () { + describe('restrictions', function () { + beforeEach('set method and args', function () { + const args = [this.other.address, true]; + const method = this.manager.interface.getFunction('setTargetClosed(address,bool)'); + this.calldata = this.manager.interface.encodeFunctionData(method, args); + }); + + shouldBehaveLikeNotDelayedAdminOperation(); + }); + + it('closes and opens a target', async function () { + await expect(this.manager.connect(this.admin).setTargetClosed(this.target, true)) + .to.emit(this.manager, 'TargetClosed') + .withArgs(this.target, true); + expect(await this.manager.isTargetClosed(this.target)).to.be.true; + + await expect(this.manager.connect(this.admin).setTargetClosed(this.target, false)) + .to.emit(this.manager, 'TargetClosed') + .withArgs(this.target, false); + expect(await this.manager.isTargetClosed(this.target)).to.be.false; + }); + + describe('when the target is the manager', async function () { + it('closes and opens the manager', async function () { + await expect(this.manager.connect(this.admin).setTargetClosed(this.manager, true)) + .to.emit(this.manager, 'TargetClosed') + .withArgs(this.manager, true); + expect(await this.manager.isTargetClosed(this.manager)).to.be.true; + + await expect(this.manager.connect(this.admin).setTargetClosed(this.manager, false)) + .to.emit(this.manager, 'TargetClosed') + .withArgs(this.manager, false); + expect(await this.manager.isTargetClosed(this.manager)).to.be.false; + }); + }); + }); + + describe('#setTargetFunctionRole', function () { + describe('restrictions', function () { + beforeEach('set method and args', function () { + const args = [this.other.address, ['0x12345678'], 443342]; + const method = this.manager.interface.getFunction('setTargetFunctionRole(address,bytes4[],uint64)'); + this.calldata = this.manager.interface.encodeFunctionData(method, args); + }); + + shouldBehaveLikeNotDelayedAdminOperation(); + }); + + const sigs = ['someFunction()', 'someOtherFunction(uint256)', 'oneMoreFunction(address,uint8)'].map(selector); + + it('sets function roles', async function () { + for (const sig of sigs) { + expect(await this.manager.getTargetFunctionRole(this.target, sig)).to.equal(this.roles.ADMIN.id); + } + + const allowRole = await this.manager + .connect(this.admin) + .setTargetFunctionRole(this.target, sigs, this.roles.SOME.id); + + for (const sig of sigs) { + await expect(allowRole) + .to.emit(this.manager, 'TargetFunctionRoleUpdated') + .withArgs(this.target, sig, this.roles.SOME.id); + expect(await this.manager.getTargetFunctionRole(this.target, sig)).to.equal(this.roles.SOME.id); + } + + await expect( + this.manager.connect(this.admin).setTargetFunctionRole(this.target, [sigs[1]], this.roles.SOME_ADMIN.id), + ) + .to.emit(this.manager, 'TargetFunctionRoleUpdated') + .withArgs(this.target, sigs[1], this.roles.SOME_ADMIN.id); + + for (const sig of sigs) { + expect(await this.manager.getTargetFunctionRole(this.target, sig)).to.equal( + sig == sigs[1] ? this.roles.SOME_ADMIN.id : this.roles.SOME.id, + ); + } + }); + }); + + describe('role admin operations', function () { + const ANOTHER_ADMIN = 0xdeadc0de1n; + const ANOTHER_ROLE = 0xdeadc0de2n; + + beforeEach('set required role', async function () { + // Make admin a member of ANOTHER_ADMIN + await this.manager.$_grantRole(ANOTHER_ADMIN, this.admin, 0, 0); + await this.manager.$_setRoleAdmin(ANOTHER_ROLE, ANOTHER_ADMIN); + + this.role = { id: ANOTHER_ADMIN }; + await this.manager.$_grantRole(this.role.id, this.user, 0, 0); + }); + + describe('#grantRole', function () { + describe('restrictions', function () { + beforeEach('set method and args', function () { + const args = [ANOTHER_ROLE, this.other.address, 0]; + const method = this.manager.interface.getFunction('grantRole(uint64,address,uint32)'); + this.calldata = this.manager.interface.encodeFunctionData(method, args); + }); + + shouldBehaveLikeRoleAdminOperation(ANOTHER_ADMIN); + }); + + it('reverts when granting PUBLIC_ROLE', async function () { + await expect(this.manager.connect(this.admin).grantRole(this.roles.PUBLIC.id, this.user, 0)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') + .withArgs(this.roles.PUBLIC.id); + }); + + describe('when the user is not a role member', function () { + describe('with grant delay', function () { + beforeEach('set grant delay and grant role', async function () { + // Delay granting + this.grantDelay = time.duration.weeks(2); + await this.manager.$_setGrantDelay(ANOTHER_ROLE, this.grantDelay); + await time.increaseBy.timestamp(MINSETBACK); + + // Grant role + this.executionDelay = time.duration.days(3); + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + false, + '0', + ]); + + this.txResponse = await this.manager + .connect(this.admin) + .grantRole(ANOTHER_ROLE, this.user, this.executionDelay); + this.delay = this.grantDelay; // For testAsDelay + }); + + testAsDelay('grant', { + before: function self() { + self.mineDelay = true; + + it('does not grant role to the user yet', async function () { + const timestamp = await time.clockFromReceipt.timestamp(this.txResponse); + await expect(this.txResponse) + .to.emit(this.manager, 'RoleGranted') + .withArgs(ANOTHER_ROLE, this.user, this.executionDelay, timestamp + this.grantDelay, true); + + // Access is correctly stored + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + expect(access[0]).to.equal(timestamp + this.grantDelay); // inEffectSince + expect(access[1]).to.equal(this.executionDelay); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Not in effect yet + const currentTimestamp = await time.clock.timestamp(); + expect(currentTimestamp).to.be.lt(access[0]); + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + false, + this.executionDelay.toString(), + ]); + }); + }, + after: function self() { + self.mineDelay = true; + + it('grants role to the user', async function () { + const timestamp = await time.clockFromReceipt.timestamp(this.txResponse); + await expect(this.txResponse) + .to.emit(this.manager, 'RoleGranted') + .withArgs(ANOTHER_ROLE, this.user, this.executionDelay, timestamp + this.grantDelay, true); + + // Access is correctly stored + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + expect(access[0]).to.equal(timestamp + this.grantDelay); // inEffectSince + expect(access[1]).to.equal(this.executionDelay); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Already in effect + const currentTimestamp = await time.clock.timestamp(); + expect(currentTimestamp).to.equal(access[0]); + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + true, + this.executionDelay.toString(), + ]); + }); + }, + }); + }); + + describe('without grant delay', function () { + beforeEach('set granting delay', async function () { + // Delay granting + this.grantDelay = 0; + await this.manager.$_setGrantDelay(ANOTHER_ROLE, this.grantDelay); + await time.increaseBy.timestamp(MINSETBACK); + }); + + it('immediately grants the role to the user', async function () { + const executionDelay = time.duration.days(6); + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + false, + '0', + ]); + const txResponse = await this.manager + .connect(this.admin) + .grantRole(ANOTHER_ROLE, this.user, executionDelay); + const grantedAt = await time.clockFromReceipt.timestamp(txResponse); + await expect(txResponse) + .to.emit(this.manager, 'RoleGranted') + .withArgs(ANOTHER_ROLE, this.user, executionDelay, grantedAt, true); + + // Access is correctly stored + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + expect(access[0]).to.equal(grantedAt); // inEffectSince + expect(access[1]).to.equal(executionDelay); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Already in effect + const currentTimestamp = await time.clock.timestamp(); + expect(currentTimestamp).to.equal(access[0]); + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + true, + executionDelay.toString(), + ]); + }); + }); + }); + + describe('when the user is already a role member', function () { + beforeEach('make user role member', async function () { + this.previousExecutionDelay = time.duration.days(6); + await this.manager.$_grantRole(ANOTHER_ROLE, this.user, 0, this.previousExecutionDelay); + this.oldAccess = await this.manager.getAccess(ANOTHER_ROLE, this.user); + }); + + describe('with grant delay', function () { + beforeEach('set granting delay', async function () { + // Delay granting + const grantDelay = time.duration.weeks(2); + await this.manager.$_setGrantDelay(ANOTHER_ROLE, grantDelay); + await time.increaseBy.timestamp(MINSETBACK); + }); + + describe('when increasing the execution delay', function () { + beforeEach('set increased new execution delay', async function () { + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + true, + this.previousExecutionDelay.toString(), + ]); + + this.newExecutionDelay = this.previousExecutionDelay + time.duration.days(4); + }); + + it('emits event and immediately changes the execution delay', async function () { + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + true, + this.previousExecutionDelay.toString(), + ]); + const txResponse = await this.manager + .connect(this.admin) + .grantRole(ANOTHER_ROLE, this.user, this.newExecutionDelay); + const timestamp = await time.clockFromReceipt.timestamp(txResponse); + + await expect(txResponse) + .to.emit(this.manager, 'RoleGranted') + .withArgs(ANOTHER_ROLE, this.user, this.newExecutionDelay, timestamp, false); + + // Access is correctly stored + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince + expect(access[1]).to.equal(this.newExecutionDelay); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Already in effect + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + true, + this.newExecutionDelay.toString(), + ]); + }); + }); + + describe('when decreasing the execution delay', function () { + beforeEach('decrease execution delay', async function () { + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + true, + this.previousExecutionDelay.toString(), + ]); + + this.newExecutionDelay = this.previousExecutionDelay - time.duration.days(4); + this.txResponse = await this.manager + .connect(this.admin) + .grantRole(ANOTHER_ROLE, this.user, this.newExecutionDelay); + this.grantTimestamp = await time.clockFromReceipt.timestamp(this.txResponse); + + this.delay = this.previousExecutionDelay - this.newExecutionDelay; // For testAsDelay + }); + + it('emits event', async function () { + await expect(this.txResponse) + .to.emit(this.manager, 'RoleGranted') + .withArgs(ANOTHER_ROLE, this.user, this.newExecutionDelay, this.grantTimestamp + this.delay, false); + }); + + testAsDelay('execution delay effect', { + before: function self() { + self.mineDelay = true; + + it('does not change the execution delay yet', async function () { + // Access is correctly stored + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince + expect(access[1]).to.equal(this.previousExecutionDelay); // currentDelay + expect(access[2]).to.equal(this.newExecutionDelay); // pendingDelay + expect(access[3]).to.equal(this.grantTimestamp + this.delay); // pendingDelayEffect + + // Not in effect yet + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + true, + this.previousExecutionDelay.toString(), + ]); + }); + }, + after: function self() { + self.mineDelay = true; + + it('changes the execution delay', async function () { + // Access is correctly stored + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + + expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince + expect(access[1]).to.equal(this.newExecutionDelay); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Already in effect + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + true, + this.newExecutionDelay.toString(), + ]); + }); + }, + }); + }); + }); + + describe('without grant delay', function () { + beforeEach('set granting delay', async function () { + // Delay granting + const grantDelay = 0; + await this.manager.$_setGrantDelay(ANOTHER_ROLE, grantDelay); + await time.increaseBy.timestamp(MINSETBACK); + }); + + describe('when increasing the execution delay', function () { + beforeEach('set increased new execution delay', async function () { + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + true, + this.previousExecutionDelay.toString(), + ]); + + this.newExecutionDelay = this.previousExecutionDelay + time.duration.days(4); + }); + + it('emits event and immediately changes the execution delay', async function () { + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + true, + this.previousExecutionDelay.toString(), + ]); + const txResponse = await this.manager + .connect(this.admin) + .grantRole(ANOTHER_ROLE, this.user, this.newExecutionDelay); + const timestamp = await time.clockFromReceipt.timestamp(txResponse); + + await expect(txResponse) + .to.emit(this.manager, 'RoleGranted') + .withArgs(ANOTHER_ROLE, this.user, this.newExecutionDelay, timestamp, false); + + // Access is correctly stored + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince + expect(access[1]).to.equal(this.newExecutionDelay); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Already in effect + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + true, + this.newExecutionDelay.toString(), + ]); + }); + }); + + describe('when decreasing the execution delay', function () { + beforeEach('decrease execution delay', async function () { + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + true, + this.previousExecutionDelay.toString(), + ]); + + this.newExecutionDelay = this.previousExecutionDelay - time.duration.days(4); + this.txResponse = await this.manager + .connect(this.admin) + .grantRole(ANOTHER_ROLE, this.user, this.newExecutionDelay); + this.grantTimestamp = await time.clockFromReceipt.timestamp(this.txResponse); + + this.delay = this.previousExecutionDelay - this.newExecutionDelay; // For testAsDelay + }); + + it('emits event', async function () { + await expect(this.txResponse) + .to.emit(this.manager, 'RoleGranted') + .withArgs(ANOTHER_ROLE, this.user, this.newExecutionDelay, this.grantTimestamp + this.delay, false); + }); + + testAsDelay('execution delay effect', { + before: function self() { + self.mineDelay = true; + + it('does not change the execution delay yet', async function () { + // Access is correctly stored + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince + expect(access[1]).to.equal(this.previousExecutionDelay); // currentDelay + expect(access[2]).to.equal(this.newExecutionDelay); // pendingDelay + expect(access[3]).to.equal(this.grantTimestamp + this.delay); // pendingDelayEffect + + // Not in effect yet + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + true, + this.previousExecutionDelay.toString(), + ]); + }); + }, + after: function self() { + self.mineDelay = true; + + it('changes the execution delay', async function () { + // Access is correctly stored + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + + expect(access[0]).to.equal(this.oldAccess[0]); // inEffectSince + expect(access[1]).to.equal(this.newExecutionDelay); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // pendingDelayEffect + + // Already in effect + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + true, + this.newExecutionDelay.toString(), + ]); + }); + }, + }); + }); + }); + }); + }); + + describe('#revokeRole', function () { + describe('restrictions', function () { + beforeEach('set method and args', async function () { + const args = [ANOTHER_ROLE, this.other.address]; + const method = this.manager.interface.getFunction('revokeRole(uint64,address)'); + this.calldata = this.manager.interface.encodeFunctionData(method, args); + + // Need to be set before revoking + await this.manager.$_grantRole(...args, 0, 0); + }); + + shouldBehaveLikeRoleAdminOperation(ANOTHER_ADMIN); + }); + + describe('when role has been granted', function () { + beforeEach('grant role with grant delay', async function () { + this.grantDelay = time.duration.weeks(1); + await this.manager.$_grantRole(ANOTHER_ROLE, this.user, this.grantDelay, 0); + + this.delay = this.grantDelay; // For testAsDelay + }); + + testAsDelay('grant', { + before: function self() { + self.mineDelay = true; + + it('revokes a granted role that will take effect in the future', async function () { + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + false, + '0', + ]); + + await expect(this.manager.connect(this.admin).revokeRole(ANOTHER_ROLE, this.user)) + .to.emit(this.manager, 'RoleRevoked') + .withArgs(ANOTHER_ROLE, this.user); + + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + false, + '0', + ]); + + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + expect(access[0]).to.equal(0n); // inRoleSince + expect(access[1]).to.equal(0n); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // effect + }); + }, + after: function self() { + self.mineDelay = true; + + it('revokes a granted role that already took effect', async function () { + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + true, + '0', + ]); + + await expect(this.manager.connect(this.admin).revokeRole(ANOTHER_ROLE, this.user)) + .to.emit(this.manager, 'RoleRevoked') + .withArgs(ANOTHER_ROLE, this.user); + + expect(await this.manager.hasRole(ANOTHER_ROLE, this.user).then(formatAccess)).to.be.deep.equal([ + false, + '0', + ]); + + const access = await this.manager.getAccess(ANOTHER_ROLE, this.user); + expect(access[0]).to.equal(0n); // inRoleSince + expect(access[1]).to.equal(0n); // currentDelay + expect(access[2]).to.equal(0n); // pendingDelay + expect(access[3]).to.equal(0n); // effect + }); + }, + }); + }); + + describe('when role has not been granted', function () { + it('has no effect', async function () { + expect(await this.manager.hasRole(this.roles.SOME.id, this.user).then(formatAccess)).to.be.deep.equal([ + false, + '0', + ]); + await expect(this.manager.connect(this.roleAdmin).revokeRole(this.roles.SOME.id, this.user)).to.not.emit( + this.manager, + 'RoleRevoked', + ); + expect(await this.manager.hasRole(this.roles.SOME.id, this.user).then(formatAccess)).to.be.deep.equal([ + false, + '0', + ]); + }); + }); + + it('reverts revoking PUBLIC_ROLE', async function () { + await expect(this.manager.connect(this.admin).revokeRole(this.roles.PUBLIC.id, this.user)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') + .withArgs(this.roles.PUBLIC.id); + }); + }); + }); + + describe('self role operations', function () { + describe('#renounceRole', function () { + beforeEach('grant role', async function () { + this.role = { id: 783164n }; + this.caller = this.user; + await this.manager.$_grantRole(this.role.id, this.caller, 0, 0); + }); + + it('renounces a role', async function () { + expect(await this.manager.hasRole(this.role.id, this.caller).then(formatAccess)).to.be.deep.equal([ + true, + '0', + ]); + await expect(this.manager.connect(this.caller).renounceRole(this.role.id, this.caller)) + .to.emit(this.manager, 'RoleRevoked') + .withArgs(this.role.id, this.caller); + expect(await this.manager.hasRole(this.role.id, this.caller).then(formatAccess)).to.be.deep.equal([ + false, + '0', + ]); + }); + + it('reverts if renouncing the PUBLIC_ROLE', async function () { + await expect(this.manager.connect(this.caller).renounceRole(this.roles.PUBLIC.id, this.caller)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerLockedRole') + .withArgs(this.roles.PUBLIC.id); + }); + + it('reverts if renouncing with bad caller confirmation', async function () { + await expect( + this.manager.connect(this.caller).renounceRole(this.role.id, this.other), + ).to.be.revertedWithCustomError(this.manager, 'AccessManagerBadConfirmation'); + }); + }); + }); + }); + }); + + describe('access managed self operations', function () { + describe('when calling a restricted target function', function () { + const method = 'fnRestricted()'; + + beforeEach('set required role', async function () { + this.role = { id: 785913n }; + await this.manager.$_setTargetFunctionRole( + this.manager, + this.manager[method].getFragment().selector, + this.role.id, + ); + }); + + describe('restrictions', function () { + beforeEach('set method and args', function () { + this.caller = this.user; + this.calldata = this.manager.interface.encodeFunctionData(method, []); + }); + + shouldBehaveLikeASelfRestrictedOperation(); + }); + + it('succeeds called by a role member', async function () { + await this.manager.$_grantRole(this.role.id, this.user, 0, 0); + + await expect(this.manager.connect(this.user)[method]()) + .to.emit(this.manager, 'CalledRestricted') + .withArgs(this.user); + }); + }); + + describe('when calling a non-restricted target function', function () { + const method = 'fnUnrestricted()'; + + beforeEach('set required role', async function () { + this.role = { id: 879435n }; + await this.manager.$_setTargetFunctionRole( + this.manager, + this.manager[method].getFragment().selector, + this.role.id, + ); + }); + + it('succeeds called by anyone', async function () { + await expect(this.manager.connect(this.user)[method]()) + .to.emit(this.manager, 'CalledUnrestricted') + .withArgs(this.user); + }); + }); + }); + + describe('access managed target operations', function () { + describe('when calling a restricted target function', function () { + const method = 'fnRestricted()'; + + beforeEach('set required role', async function () { + this.role = { id: 3597243n }; + await this.manager.$_setTargetFunctionRole( + this.target, + this.target[method].getFragment().selector, + this.role.id, + ); + }); + + describe('restrictions', function () { + beforeEach('set method and args', function () { + this.caller = this.user; + this.calldata = this.target.interface.encodeFunctionData(method, []); + }); + + shouldBehaveLikeAManagedRestrictedOperation(); + }); + + it('succeeds called by a role member', async function () { + await this.manager.$_grantRole(this.role.id, this.user, 0, 0); + + await expect(this.target.connect(this.user)[method]()) + .to.emit(this.target, 'CalledRestricted') + .withArgs(this.user); + }); + }); + + describe('when calling a non-restricted target function', function () { + const method = 'fnUnrestricted()'; + + beforeEach('set required role', async function () { + this.role = { id: 879435n }; + await this.manager.$_setTargetFunctionRole( + this.target, + this.target[method].getFragment().selector, + this.role.id, + ); + }); + + it('succeeds called by anyone', async function () { + await expect(this.target.connect(this.user)[method]()) + .to.emit(this.target, 'CalledUnrestricted') + .withArgs(this.user); + }); + }); + }); + + describe('#schedule', function () { + beforeEach('set target function role', async function () { + this.method = this.target.fnRestricted.getFragment(); + this.role = { id: 498305n }; + this.caller = this.user; + + await this.manager.$_setTargetFunctionRole(this.target, this.method.selector, this.role.id); + await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // nonzero execution delay + + this.calldata = this.target.interface.encodeFunctionData(this.method, []); + this.delay = time.duration.weeks(2); + }); + + describe('restrictions', function () { + testAsCanCall({ + closed() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + const { schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + await expect(schedule()) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + open: { + callerIsTheManager: { + executing() { + it.skip('is not reachable because schedule is not restrictable'); + }, + notExecuting() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + const { schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + await expect(schedule()) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + }, + callerIsNotTheManager: { + publicRoleIsRequired() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + // prepareOperation is not used here because it alters the next block timestamp + await expect(this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + specificRoleIsRequired: { + requiredRoleIsGranted: { + roleGrantingIsDelayed: { + callerHasAnExecutionDelay: { + beforeGrantDelay() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + // prepareOperation is not used here because it alters the next block timestamp + await expect(this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + afterGrantDelay() { + it('succeeds', async function () { + // prepareOperation is not used here because it alters the next block timestamp + await this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48); + }); + }, + }, + callerHasNoExecutionDelay: { + beforeGrantDelay() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + // prepareOperation is not used here because it alters the next block timestamp + await expect(this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + afterGrantDelay() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + // prepareOperation is not used here because it alters the next block timestamp + await expect(this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + }, + }, + roleGrantingIsNotDelayed: { + callerHasAnExecutionDelay() { + it('succeeds', async function () { + const { schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + + await schedule(); + }); + }, + callerHasNoExecutionDelay() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + // prepareOperation is not used here because it alters the next block timestamp + await expect(this.manager.connect(this.caller).schedule(this.target, this.calldata, MAX_UINT48)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + }, + }, + requiredRoleIsNotGranted() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + const { schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + await expect(schedule()) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + }, + }, + }, + }); + }); + + it('schedules an operation at the specified execution date if it is larger than caller execution delay', async function () { + const { operationId, scheduledAt, schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + + const txResponse = await schedule(); + + expect(await this.manager.getSchedule(operationId)).to.equal(scheduledAt + this.delay); + await expect(txResponse) + .to.emit(this.manager, 'OperationScheduled') + .withArgs(operationId, '1', scheduledAt + this.delay, this.caller, this.target, this.calldata); + }); + + it('schedules an operation at the minimum execution date if no specified execution date (when == 0)', async function () { + const executionDelay = await time.duration.hours(72); + await this.manager.$_grantRole(this.role.id, this.caller, 0, executionDelay); + + const txResponse = await this.manager.connect(this.caller).schedule(this.target, this.calldata, 0); + const scheduledAt = await time.clockFromReceipt.timestamp(txResponse); + + const operationId = await this.manager.hashOperation(this.caller, this.target, this.calldata); + + expect(await this.manager.getSchedule(operationId)).to.equal(scheduledAt + executionDelay); + await expect(txResponse) + .to.emit(this.manager, 'OperationScheduled') + .withArgs(operationId, '1', scheduledAt + executionDelay, this.caller, this.target, this.calldata); + }); + + it('increases the nonce of an operation scheduled more than once', async function () { + // Setup and check initial nonce + const expectedOperationId = hashOperation(this.caller, this.target, this.calldata); + expect(await this.manager.getNonce(expectedOperationId)).to.equal('0'); + + // Schedule + const op1 = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + await expect(op1.schedule()) + .to.emit(this.manager, 'OperationScheduled') + .withArgs(op1.operationId, 1n, op1.scheduledAt + this.delay, this.caller, this.target, this.calldata); + expect(expectedOperationId).to.equal(op1.operationId); + + // Consume + await time.increaseBy.timestamp(this.delay); + await this.manager.$_consumeScheduledOp(expectedOperationId); + + // Check nonce + expect(await this.manager.getNonce(expectedOperationId)).to.equal('1'); + + // Schedule again + const op2 = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + await expect(op2.schedule()) + .to.emit(this.manager, 'OperationScheduled') + .withArgs(op2.operationId, 2n, op2.scheduledAt + this.delay, this.caller, this.target, this.calldata); + expect(expectedOperationId).to.equal(op2.operationId); + + // Check final nonce + expect(await this.manager.getNonce(expectedOperationId)).to.equal('2'); + }); + + it('reverts if the specified execution date is before the current timestamp + caller execution delay', async function () { + const executionDelay = time.duration.weeks(1) + this.delay; + await this.manager.$_grantRole(this.role.id, this.caller, 0, executionDelay); + + const { schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + + await expect(schedule()) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + + it('reverts if an operation is already schedule', async function () { + const op1 = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + + await op1.schedule(); + + const op2 = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.delay, + }); + + await expect(op2.schedule()) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerAlreadyScheduled') + .withArgs(op1.operationId); + }); + + it('panics scheduling calldata with less than 4 bytes', async function () { + const calldata = '0x1234'; // 2 bytes + + // Managed contract + const op1 = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: calldata, + delay: this.delay, + }); + await expect(op1.schedule()).to.be.revertedWithoutReason(); + + // Manager contract + const op2 = await prepareOperation(this.manager, { + caller: this.caller, + target: this.manager, + calldata: calldata, + delay: this.delay, + }); + await expect(op2.schedule()).to.be.revertedWithoutReason(); + }); + + it('reverts scheduling an unknown operation to the manager', async function () { + const calldata = '0x12345678'; + + const { schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.manager, + calldata, + delay: this.delay, + }); + + await expect(schedule()) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.manager, calldata); + }); + }); + + describe('#execute', function () { + beforeEach('set target function role', async function () { + this.method = this.target.fnRestricted.getFragment(); + this.role = { id: 9825430n }; + this.caller = this.user; + + await this.manager.$_setTargetFunctionRole(this.target, this.method.selector, this.role.id); + await this.manager.$_grantRole(this.role.id, this.caller, 0, 0); + + this.calldata = this.target.interface.encodeFunctionData(this.method, []); + }); + + describe('restrictions', function () { + testAsCanCall({ + closed() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + open: { + callerIsTheManager: { + executing() { + it('succeeds', async function () { + await this.manager.connect(this.caller).execute(this.target, this.calldata); + }); + }, + notExecuting() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + }, + callerIsNotTheManager: { + publicRoleIsRequired() { + it('succeeds', async function () { + await this.manager.connect(this.caller).execute(this.target, this.calldata); + }); + }, + specificRoleIsRequired: { + requiredRoleIsGranted: { + roleGrantingIsDelayed: { + callerHasAnExecutionDelay: { + beforeGrantDelay() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + afterGrantDelay: function self() { + self.mineDelay = true; + + beforeEach('define schedule delay', function () { + this.scheduleIn = time.duration.days(21); // For testAsSchedulableOperation + }); + + testAsSchedulableOperation(LIKE_COMMON_SCHEDULABLE); + }, + }, + callerHasNoExecutionDelay: { + beforeGrantDelay() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + afterGrantDelay: function self() { + self.mineDelay = true; + + it('succeeds', async function () { + await this.manager.connect(this.caller).execute(this.target, this.calldata); + }); + }, + }, + }, + roleGrantingIsNotDelayed: { + callerHasAnExecutionDelay() { + beforeEach('define schedule delay', function () { + this.scheduleIn = time.duration.days(15); // For testAsSchedulableOperation + }); + + testAsSchedulableOperation(LIKE_COMMON_SCHEDULABLE); + }, + callerHasNoExecutionDelay() { + it('succeeds', async function () { + await this.manager.connect(this.caller).execute(this.target, this.calldata); + }); + }, + }, + }, + requiredRoleIsNotGranted() { + it('reverts as AccessManagerUnauthorizedCall', async function () { + await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.caller, this.target, this.calldata.substring(0, 10)); + }); + }, + }, + }, + }, + }); + }); + + it('executes with a delay consuming the scheduled operation', async function () { + const delay = time.duration.hours(4); + await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // Execution delay is needed so the operation is consumed + + const { operationId, schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay, + }); + await schedule(); + await time.increaseBy.timestamp(delay); + await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) + .to.emit(this.manager, 'OperationExecuted') + .withArgs(operationId, 1n); + + expect(await this.manager.getSchedule(operationId)).to.equal(0n); + }); + + it('executes with no delay consuming a scheduled operation', async function () { + const delay = time.duration.hours(4); + + // give caller an execution delay + await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); + + const { operationId, schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay, + }); + await schedule(); + + // remove the execution delay + await this.manager.$_grantRole(this.role.id, this.caller, 0, 0); + + await time.increaseBy.timestamp(delay); + await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) + .to.emit(this.manager, 'OperationExecuted') + .withArgs(operationId, 1n); + + expect(await this.manager.getSchedule(operationId)).to.equal(0n); + }); + + it('keeps the original _executionId after finishing the call', async function () { + const executionIdBefore = await ethers.provider.getStorage(this.manager, EXECUTION_ID_STORAGE_SLOT); + await this.manager.connect(this.caller).execute(this.target, this.calldata); + const executionIdAfter = await ethers.provider.getStorage(this.manager, EXECUTION_ID_STORAGE_SLOT); + expect(executionIdBefore).to.equal(executionIdAfter); + }); + + it('reverts executing twice', async function () { + const delay = time.duration.hours(2); + await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // Execution delay is needed so the operation is consumed + + const { operationId, schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay, + }); + await schedule(); + await time.increaseBy.timestamp(delay); + await this.manager.connect(this.caller).execute(this.target, this.calldata); + await expect(this.manager.connect(this.caller).execute(this.target, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerNotScheduled') + .withArgs(operationId); + }); + }); + + describe('#consumeScheduledOp', function () { + beforeEach('define scheduling parameters', async function () { + const method = this.target.fnRestricted.getFragment(); + this.caller = await ethers.getSigner(this.target.target); + await impersonate(this.caller.address); + this.calldata = this.target.interface.encodeFunctionData(method, []); + this.role = { id: 9834983n }; + + await this.manager.$_setTargetFunctionRole(this.target, method.selector, this.role.id); + await this.manager.$_grantRole(this.role.id, this.caller, 0, 1); // nonzero execution delay + + this.scheduleIn = time.duration.hours(10); // For testAsSchedulableOperation + }); + + describe('when caller is not consuming scheduled operation', function () { + beforeEach('set consuming false', async function () { + await this.target.setIsConsumingScheduledOp(false, ethers.toBeHex(CONSUMING_SCHEDULE_STORAGE_SLOT, 32)); + }); + + it('reverts as AccessManagerUnauthorizedConsume', async function () { + await expect(this.manager.connect(this.caller).consumeScheduledOp(this.caller, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedConsume') + .withArgs(this.caller); + }); + }); + + describe('when caller is consuming scheduled operation', function () { + beforeEach('set consuming true', async function () { + await this.target.setIsConsumingScheduledOp(true, ethers.toBeHex(CONSUMING_SCHEDULE_STORAGE_SLOT, 32)); + }); + + testAsSchedulableOperation({ + scheduled: { + before() { + it('reverts as AccessManagerNotReady', async function () { + await expect(this.manager.connect(this.caller).consumeScheduledOp(this.caller, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerNotReady') + .withArgs(this.operationId); + }); + }, + after() { + it('consumes the scheduled operation and resets timepoint', async function () { + expect(await this.manager.getSchedule(this.operationId)).to.equal(this.scheduledAt + this.scheduleIn); + + await expect(this.manager.connect(this.caller).consumeScheduledOp(this.caller, this.calldata)) + .to.emit(this.manager, 'OperationExecuted') + .withArgs(this.operationId, 1n); + expect(await this.manager.getSchedule(this.operationId)).to.equal(0n); + }); + }, + expired() { + it('reverts as AccessManagerExpired', async function () { + await expect(this.manager.connect(this.caller).consumeScheduledOp(this.caller, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerExpired') + .withArgs(this.operationId); + }); + }, + }, + notScheduled() { + it('reverts as AccessManagerNotScheduled', async function () { + await expect(this.manager.connect(this.caller).consumeScheduledOp(this.caller, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerNotScheduled') + .withArgs(this.operationId); + }); + }, + }); + }); + }); + + describe('#cancelScheduledOp', function () { + beforeEach('setup scheduling', async function () { + this.method = this.target.fnRestricted.getFragment(); + this.caller = this.roles.SOME.members[0]; + await this.manager.$_setTargetFunctionRole(this.target, this.method.selector, this.roles.SOME.id); + await this.manager.$_grantRole(this.roles.SOME.id, this.caller, 0, 1); // nonzero execution delay + + this.calldata = this.target.interface.encodeFunctionData(this.method, []); + this.scheduleIn = time.duration.days(10); // For testAsSchedulableOperation + }); + + testAsSchedulableOperation({ + scheduled: { + before() { + describe('when caller is the scheduler', function () { + it('succeeds', async function () { + await this.manager.connect(this.caller).cancel(this.caller, this.target, this.calldata); + }); + }); + + describe('when caller is an admin', function () { + it('succeeds', async function () { + await this.manager.connect(this.roles.ADMIN.members[0]).cancel(this.caller, this.target, this.calldata); + }); + }); + + describe('when caller is the role guardian', function () { + it('succeeds', async function () { + await this.manager + .connect(this.roles.SOME_GUARDIAN.members[0]) + .cancel(this.caller, this.target, this.calldata); + }); + }); + + describe('when caller is any other account', function () { + it('reverts as AccessManagerUnauthorizedCancel', async function () { + await expect(this.manager.connect(this.other).cancel(this.caller, this.target, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCancel') + .withArgs(this.other, this.caller, this.target, this.method.selector); + }); + }); + }, + after() { + it('succeeds', async function () { + await this.manager.connect(this.caller).cancel(this.caller, this.target, this.calldata); + }); + }, + expired() { + it('succeeds', async function () { + await this.manager.connect(this.caller).cancel(this.caller, this.target, this.calldata); + }); + }, + }, + notScheduled() { + it('reverts as AccessManagerNotScheduled', async function () { + await expect(this.manager.cancel(this.caller, this.target, this.calldata)) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerNotScheduled') + .withArgs(this.operationId); + }); + }, + }); + + it('cancels an operation and resets schedule', async function () { + const { operationId, schedule } = await prepareOperation(this.manager, { + caller: this.caller, + target: this.target, + calldata: this.calldata, + delay: this.scheduleIn, + }); + await schedule(); + await expect(this.manager.connect(this.caller).cancel(this.caller, this.target, this.calldata)) + .to.emit(this.manager, 'OperationCanceled') + .withArgs(operationId, 1n); + expect(await this.manager.getSchedule(operationId)).to.equal('0'); + }); + }); + + describe('with Ownable target contract', function () { + const roleId = 1n; + + beforeEach(async function () { + this.ownable = await ethers.deployContract('$Ownable', [this.manager]); + + // add user to role + await this.manager.$_grantRole(roleId, this.user, 0, 0); + }); + + it('initial state', async function () { + expect(await this.ownable.owner()).to.equal(this.manager); + }); + + describe('Contract is closed', function () { + beforeEach(async function () { + await this.manager.$_setTargetClosed(this.ownable, true); + }); + + it('directly call: reverts', async function () { + await expect(this.ownable.connect(this.user).$_checkOwner()) + .to.be.revertedWithCustomError(this.ownable, 'OwnableUnauthorizedAccount') + .withArgs(this.user); + }); + + it('relayed call (with role): reverts', async function () { + await expect( + this.manager.connect(this.user).execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector), + ) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.user, this.ownable, this.ownable.$_checkOwner.getFragment().selector); + }); + + it('relayed call (without role): reverts', async function () { + await expect( + this.manager.connect(this.other).execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector), + ) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.other, this.ownable, this.ownable.$_checkOwner.getFragment().selector); + }); + }); + + describe('Contract is managed', function () { + describe('function is open to specific role', function () { + beforeEach(async function () { + await this.manager.$_setTargetFunctionRole( + this.ownable, + this.ownable.$_checkOwner.getFragment().selector, + roleId, + ); + }); + + it('directly call: reverts', async function () { + await expect(this.ownable.connect(this.user).$_checkOwner()) + .to.be.revertedWithCustomError(this.ownable, 'OwnableUnauthorizedAccount') + .withArgs(this.user); + }); + + it('relayed call (with role): success', async function () { + await this.manager.connect(this.user).execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector); + }); + + it('relayed call (without role): reverts', async function () { + await expect( + this.manager.connect(this.other).execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector), + ) + .to.be.revertedWithCustomError(this.manager, 'AccessManagerUnauthorizedCall') + .withArgs(this.other, this.ownable, this.ownable.$_checkOwner.getFragment().selector); + }); + }); + + describe('function is open to public role', function () { + beforeEach(async function () { + await this.manager.$_setTargetFunctionRole( + this.ownable, + this.ownable.$_checkOwner.getFragment().selector, + this.roles.PUBLIC.id, + ); + }); + + it('directly call: reverts', async function () { + await expect(this.ownable.connect(this.user).$_checkOwner()) + .to.be.revertedWithCustomError(this.ownable, 'OwnableUnauthorizedAccount') + .withArgs(this.user); + }); + + it('relayed call (with role): success', async function () { + await this.manager.connect(this.user).execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector); + }); + + it('relayed call (without role): success', async function () { + await this.manager + .connect(this.other) + .execute(this.ownable, this.ownable.$_checkOwner.getFragment().selector); + }); + }); + }); + }); }); diff --git a/test/access/manager/AccessManagerEnumerable.test.js b/test/access/manager/AccessManagerEnumerable.test.js deleted file mode 100644 index 854a8587efe..00000000000 --- a/test/access/manager/AccessManagerEnumerable.test.js +++ /dev/null @@ -1,63 +0,0 @@ -const { ethers } = require('hardhat'); -const { loadFixture } = require('@nomicfoundation/hardhat-network-helpers'); - -const { buildBaseRoles } = require('../../helpers/access-manager'); -const { shouldBehaveLikeAccessManagerEnumerable, shouldBehaveLikeAccessManager } = require('./AccessManager.behavior'); - -async function fixture() { - const [admin, roleAdmin, roleGuardian, member, user, other] = await ethers.getSigners(); - - // Build roles - const roles = buildBaseRoles(); - - // Add members - roles.ADMIN.members = [admin]; - roles.SOME_ADMIN.members = [roleAdmin]; - roles.SOME_GUARDIAN.members = [roleGuardian]; - roles.SOME.members = [member]; - roles.PUBLIC.members = [admin, roleAdmin, roleGuardian, member, user, other]; - - const manager = await ethers.deployContract('$AccessManagerEnumerableMock', [admin]); - const target = await ethers.deployContract('$AccessManagedTarget', [manager]); - const target2 = await ethers.deployContract('$AccessManagedTarget', [manager]); - - for (const { id: roleId, admin, guardian, members } of Object.values(roles)) { - if (roleId === roles.PUBLIC.id) continue; // Every address belong to public and is locked - if (roleId === roles.ADMIN.id) continue; // Admin set during construction and is locked - - // Set admin role avoiding default - if (admin.id !== roles.ADMIN.id) { - await manager.$_setRoleAdmin(roleId, admin.id); - } - - // Set guardian role avoiding default - if (guardian.id !== roles.ADMIN.id) { - await manager.$_setRoleGuardian(roleId, guardian.id); - } - - // Grant role to members - for (const member of members) { - await manager.$_grantRole(roleId, member, 0, 0); - } - } - - return { - admin, - roleAdmin, - user, - other, - roles, - manager, - target, - target2, - }; -} - -describe('AccessManagerEnumerable', function () { - beforeEach(async function () { - Object.assign(this, await loadFixture(fixture)); - }); - - shouldBehaveLikeAccessManager(); - shouldBehaveLikeAccessManagerEnumerable(); -}); From 13f08cf925886afd29405093cea83c27048f90fd Mon Sep 17 00:00:00 2001 From: Hadrien Croubois Date: Thu, 11 Dec 2025 21:47:42 +0100 Subject: [PATCH 23/24] reset mock --- contracts/mocks/AccessManagerMock.sol | 29 --------------------------- 1 file changed, 29 deletions(-) diff --git a/contracts/mocks/AccessManagerMock.sol b/contracts/mocks/AccessManagerMock.sol index c322c75cf16..4b5be350fc6 100644 --- a/contracts/mocks/AccessManagerMock.sol +++ b/contracts/mocks/AccessManagerMock.sol @@ -3,7 +3,6 @@ pragma solidity ^0.8.20; import {AccessManager} from "../access/manager/AccessManager.sol"; -import {AccessManagerEnumerable} from "./docs/AccessManagerEnumerable.sol"; contract AccessManagerMock is AccessManager { event CalledRestricted(address caller); @@ -19,31 +18,3 @@ contract AccessManagerMock is AccessManager { emit CalledUnrestricted(msg.sender); } } - -contract AccessManagerEnumerableMock is AccessManagerMock, AccessManagerEnumerable { - constructor(address initialAdmin) AccessManagerMock(initialAdmin) {} - - function _grantRole( - uint64 roleId, - address account, - uint32 grantDelay, - uint32 executionDelay - ) internal override(AccessManager, AccessManagerEnumerable) returns (bool) { - return super._grantRole(roleId, account, grantDelay, executionDelay); - } - - function _revokeRole( - uint64 roleId, - address account - ) internal override(AccessManager, AccessManagerEnumerable) returns (bool) { - return super._revokeRole(roleId, account); - } - - function _setTargetFunctionRole( - address target, - bytes4 selector, - uint64 roleId - ) internal override(AccessManager, AccessManagerEnumerable) { - super._setTargetFunctionRole(target, selector, roleId); - } -} From d39400a00c33b2d4c70162f8f6fd90592d15ded2 Mon Sep 17 00:00:00 2001 From: ernestognw Date: Fri, 12 Dec 2025 10:07:39 -0600 Subject: [PATCH 24/24] up --- docs/modules/ROOT/pages/access-control.adoc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/modules/ROOT/pages/access-control.adoc b/docs/modules/ROOT/pages/access-control.adoc index 6847f4261af..43e08d22aa3 100644 --- a/docs/modules/ROOT/pages/access-control.adoc +++ b/docs/modules/ROOT/pages/access-control.adoc @@ -273,7 +273,7 @@ The delayed admin actions are: * Closing or opening a target via xref:api:access.adoc#AccessManager-setTargetClosed-address-bool-[`setTargetClosed`]. * Changing permissions of whether a role can call a target function with xref:api:access.adoc#AccessManager-setTargetFunctionRole-address-bytes4---uint64-[`setTargetFunctionRole`]. -=== Querying Privileged Accounts +=== Manager Enumerability Similar to `AccessControl`, accounts might be granted and revoked roles dynamically in an `AccessManager`, making it challenging to determine which accounts hold a particular role at any given time. This capability is essential for proving certain properties about a system, such as verifying that an administrative role is held by a multisig or DAO, or that a certain role has been completely removed to disable associated functionality. @@ -285,6 +285,8 @@ If on-chain enumeration is required, it can be added implemented on top of the e include::api:example$AccessManagerEnumerable.sol[] ``` +NOTE: The enumerable example only enumerates members of a role and functions that each role can call. Yet, it's possible to enumerate roles active (i.e. roles granted to at least 1 member), guardians and admins. + This adds function that can be queried to iterate over the accounts that have been granted a role and the functions that a role is allowed to call on specific targets: ```javascript