[Feature] Authorizer_v2 #760
Conversation
* Feature: Roleauthorizer_v1.1 upgrade * Test Folder restructured * Rename folder mistake * adapt rest of references * Implement Function Lock * Delete TestFolderRefactoring.md * Implement Function Lock * Adapt functionality * Create Tests * Include the rest of the new functions * Change public Role to Id 1 * Deprecate Functions * Rename to key to Permission * Clean up last functions that were still from old implementation * Refactor function postions * Test Permissioned Modifier * Adapt onlyRole to permissioned in Authorizer * Cleanup and missed tests * Adapt modules to use permissioned modifier * Cleanup comments and todos * Update Staking Module * rename to t.sol * Update Recurring Payments * Update Paymentrouter * Comment Cleanup * Add Event references * Update KPIRewarder * Update Optimistic Oracle * Update Bounties * Update PP_Streaming * Update TokenVault * Update BondingCurveBase * Adapt comments * Update RedeemingBondingCurveBase * Update comments * Adapt Event references in tests * Update Bancor Redeeming * Update BondingSurface Redeeming * Update comments * Update Bonding Surface Redeeming Restricted * Fix Typo * Update RoleAuthorizerE2E.t.sol * Update MetaTxAndMulticallE2E.t.sol * Adapt comments * Make the test of the upgraded Authorizer the new standard * Update VotingRoleManagerE2E.t.sol * Update BountyManagerE2E.t.sol * Update BondingCurveFundingManagerE2E.t.sol * Update BondingCurveTokenRescueE2E.t.sol * Update BondingSurfaceFundingManagerE2E.t.sol * Update StakingManagerLifecycle.t.sol * Update KPIRewarderLifecycle.t.sol * Remove Module__CallerNotAuthorized from VotingRoles * Remove Module__CallerNotAuthorized from IModule * Update comments * Remove Authorization from ModuleManagerBase * Adapt Orchestrator to use permissioned functions * Update KPIRewarderLifecycle.t.sol * Make supportsInterface check mandatory for ModuleTest * Update Template * Adapt E2E tests to take regular Authorizer * Remove PIM_Workflowfactory * Remove Restricted Bancor Redeeming * Remove TokenGatedRoleAuthorizer * Adapt comments * Fix Merge with dev * Make FM_Oracle and PP_Queue buildable * Adapt correct file ending * Update OracleFundingManagerAndManualQueueBasedPaymentProcessorE2E.t.sol * Test modifier in places * Do leftover todos - Removing leftover Role declarations - moving Authorization comment to downstream implementation - cleanup comments * Adapt based on Pablos comments * Remove deprecated functions * Fix test * Revert "Remove TokenGatedRoleAuthorizer" This reverts commit b5fa277. * Adapt comments * Adapt Token Gated Roles * Update TokenGatedRoleAuthorizerE2E.t.sol * Update AUT_TokenGated_Roles_v1.sol * Adapt tests * Turn down the rate of assume problems * Addressed Pablos comments * Fix test It was the || * Adapt the function positioning * Adapt natspec * Fix typo Damn copy paste * Fix test for real * Update comments * Adapt natspec * Update Natspec for Token Gated Roles * Apply suggestions from code review Co-authored-by: Marvin Kruse <[email protected]> * Apply suggestions from code review Co-authored-by: Marvin Kruse <[email protected]> * Rename RoleIdCounter to LastAssignedRoleId * Address Marvins comments * Update Voting Roles variable naming * Adapt to inverter standard * Adapt OnlyCallableByMotion modifier and error * Apply suggestions from code review Co-authored-by: Marvin Kruse <[email protected]> * Adapt comments * Remove Pim Workflow as it is outdated * Adapt comments * Apply suggestions from code review Co-authored-by: Marvin Kruse <[email protected]> * Update Authorizer Comments.md * Delete Authorizer Comments.md * Adapt documentation of TokenGated_Roles --------- Co-authored-by: Marvin Kruse <[email protected]> * Move Interface to correct position * Adapt threshold in motion * remove redundant section * Fix merge * Add _validateThreshold to addVoter * Revert "Adapt threshold in motion" This reverts commit 7217a67. And extends it by a natspec section * Move _addVoter to its own subfunction --------- Co-authored-by: Marvin Kruse <[email protected]>
Zitzak
left a comment
Zitzak
left a comment
There was a problem hiding this comment.
Did a review into the main role AUT and module, and adjacent contracts I've touched in the past so I know the change. When I started the review we didn't know the strategic change was coming.
| if (hasRole(DEFAULT_ADMIN_ROLE, caller_)) { | ||
| return true; | ||
| } |
There was a problem hiding this comment.
Is there no way to restrict the default admin to calling a function? I could see usecases whereby a function should (from a legal perspective) be restricted to only a specific address which should for example could be held by an external party for regulation needs
There was a problem hiding this comment.
You are correct that there is no obvious/default way to do this. There is a workaround though:
You can give a role the rights to change the Function Permissions and then renounce the default admin.
THe new role then cannot call all functions automatically, but has the rights to adapt that (kinda simulating the rights of the default admin)
| } | ||
|
|
||
| /// @inheritdoc IAuthorizer_v2 | ||
| function transferAdminRole(bytes32 roleId_, bytes32 newAdminRoleId_) |
There was a problem hiding this comment.
This function, and multiple below, are not virtual
| - The role id of the role that will become the admin of the new role. | ||
| - The addresses of the initial members of the new role. | ||
|
|
||
| The rolename in this context refers to the label of the role and is therefor not referenceable onchain. The function can only be called by a permissioned address (See [permissioned](#permissioned-modifier)). |
|
|
||
| // RoleAuthorizer | ||
| IModule_v1.Metadata public roleAuthorizerMetadata = IModule_v1.Metadata( | ||
| 1, 0, 0, "https://github.com/InverterNetwork/contracts", "AUT_Roles_v1" |
| "@fm/depositVault/interfaces/IFM_DepositVault_v1.sol"; | ||
|
|
||
| // Internal Dependencies | ||
| import {Module_v1, IModule_v1} from "src/modules/base/Module_v1.sol"; |
There was a problem hiding this comment.
Curious about your choice to not make deposit permissioned here. Not saying I disagree, I think it makes sense to have a "super basic" FM, but was there any particular reason apart from ressource allocation?
There was a problem hiding this comment.
Nope, it was just to enable everybody to do deposits
| console2.log(" -- Logic Modules"); | ||
|
|
||
| impl_mod_LM_PC_Oracle_Permissioned_v1 = deployAndLogWithCreate2( | ||
| "LM_Oracle_Permissioned_v1", |
There was a problem hiding this comment.
var name should be renamed :|
| /// @notice Returns the module's {Orchestrator_v2} interface, {IOrchestrator_v2}. | ||
| /// @return The module's {Orchestrator_1}. | ||
| function orchestrator() external view returns (IOrchestrator_v1); | ||
| function orchestrator() external view returns (IOrchestrator_v2); //@todo what to do with this? Should this be version 1? |
There was a problem hiding this comment.
Why are we keeping the V1s at all?
There was a problem hiding this comment.
because workflows and modules still exist that reference them, use them, etc. - so I think we have a few cases where we can't just remove this.
we could look into this though with our new strategy potentially, to just cut old modules out kinda.
| pragma solidity ^0.8.0; | ||
|
|
||
| // Internal Interfaces | ||
| import {IPaymentProcessor_v3} from |
There was a problem hiding this comment.
Import can be removed, also in v2 and v1
|
|
||
| # Inverter Network Smart Contracts | ||
| *Inverter is the pioneering web3 protocol for token economies, enabling conditional token issuance, dynamic utility management, and token distribution. Build, customize, and innovate with Inverter's modular logic and extensive web3 interoperability.* | ||
|
|
There was a problem hiding this comment.
Why is this change being done? Or rather: was this an accident or on purpose?
There was a problem hiding this comment.
Looks like it may just be your formatter or something? Same as later in the same file?
There was a problem hiding this comment.
Yeah seems to be formatter issue
Doesnt seem to change the form of the output file though
So I would keep it
| - The role id of the role to revoke | ||
| - The address to revoke the role from | ||
|
|
||
| The revokeRole function can only be called by according admin of the role. |
There was a problem hiding this comment.
There is a general inconsistency in formatting function names as normal text vs codeText. I think it makes more sense to be strict and just have it all as codeText, but at least it should be consistent throughout.
There was a problem hiding this comment.
The metadata didn't change, so it makes no difference alltogether I'd say. I think the Metadata shouldn't have been part of the Module in the first place probably, but we can leave it like it as and just use v2. Unless I'm missing something?
| if (permissionLength == 0) { | ||
| return false; | ||
| } |
There was a problem hiding this comment.
What does this do in the end? The code behaves the same way if this didn't exist, as the for loop below just doesn't do anything and the return false is reached below.
| // Storage | ||
|
|
||
| /// @dev Stores if a role is token gated. | ||
| mapping(bytes32 => bool) internal _isTokenGated; |
There was a problem hiding this comment.
I think we wanted to have named parameters here for mapping as well.
| /// @notice Returns the module's {Orchestrator_v2} interface, {IOrchestrator_v2}. | ||
| /// @return The module's {Orchestrator_1}. | ||
| function orchestrator() external view returns (IOrchestrator_v1); | ||
| function orchestrator() external view returns (IOrchestrator_v2); //@todo what to do with this? Should this be version 1? |
There was a problem hiding this comment.
because workflows and modules still exist that reference them, use them, etc. - so I think we have a few cases where we can't just remove this.
we could look into this though with our new strategy potentially, to just cut old modules out kinda.
Co-authored-by: Marvin Kruse <[email protected]>
Co-authored-by: Marvin Kruse <[email protected]>
…twork/contracts into feature/Authorizer_v2
| // Mutating - Mixed Utility | ||
|
|
||
| /// @inheritdoc IAuthorizer_v2 | ||
| function createRoleAndAddAccessPermissions( |
There was a problem hiding this comment.
Just a suggestion: I could imagine this running into "out of gas" issues if the role setup becomes too complex. Maybe add a upper cap in the amount of targets/selectors? To force the developer to "split the setup" in advance
There was a problem hiding this comment.
In theory yes, this could happen, but splitting up the process might not be ideal too, as the process of determining the Id of the role win addition to then adding the access permissions separately would be a very manual process.
If gas is a general problem one could instead use the createRole and addAccessPermission functions independently anyway
There was a problem hiding this comment.
So I would keep it as is
There was a problem hiding this comment.
I had in mind sth more like "giving the user a clear error msg instead of the tx just failing". But I agree it's secondary. Let's just keep it.
This is it:
The final PR to get the Authorizer fully rolling.
The PR itself is the followup PR to the Authorizer Audit that adjusts the Versioning of all Contracts that were affected by the Authorizer update itself and some minor Documentation changes.
This PR is enormous. In size as well as depth. Thats why I want as many eyes on this as possible:
@0xNuggan and @marvinkruse are the main reviewers on all the version changes that are happening.
There are a lot of them and I personally think that the implications of these changes is where the heart of this PR lies.
Take a look at the changes that tackle the explicit Interface Checks.
Looking up -> ).supports <- and -> ERC165Checker <- references should work best on this
@0xNuggan I had some talks with @marvinkruse about the implications on the Factory/Governor/existing Workflow side already, but I think it is healthy for you to also look into this, so ask as many questions as you can, so we can build up some understandings on the topic itself. @fabianschu if you have the time this would be something where I would appreciate your input.
@fabianschu and @Zitzak it would be very cool if you could take a look at how the new Authorization system will work.
The RoleAuthroizer E2E tests should be the easiest to get a grip on this in my opinion, including the RoleAuthorizer itself of course.