-
Notifications
You must be signed in to change notification settings - Fork 23
/
Copy pathAuthorizationModule.sol
119 lines (104 loc) · 4.81 KB
/
AuthorizationModule.sol
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
//SPDX-License-Identifier: MPL-2.0
pragma solidity ^0.8.20;
import "@openzeppelin/contracts-upgradeable/access/AccessControlUpgradeable.sol";
import "../../libraries/Errors.sol";
import "../../interfaces/engine/IAuthorizationEngine.sol";
abstract contract AuthorizationModule is AccessControlUpgradeable {
/* ============ Events ============ */
/**
* @dev Emitted when a rule engine is set.
*/
event AuthorizationEngine(IAuthorizationEngine indexed newAuthorizationEngine);
/* ============ ERC-7201 ============ */
// keccak256(abi.encode(uint256(keccak256("CMTAT.storage.AuthorizationModule")) - 1)) & ~bytes32(uint256(0xff))
bytes32 private constant AuthorizationModuleStorageLocation = 0x59b7f077fa4ad020f9053fd2197fef0113b19f0b11dcfe516e88cbc0e9226d00;
/* ==== ERC-7201 State Variables === */
struct AuthorizationModuleStorage {
IAuthorizationEngine _authorizationEngine;
}
/* ============ Initializer Function ============ */
/**
* @dev
*
* - The grant to the admin role is done by AccessControlDefaultAdminRules
* - The control of the zero address is done by AccessControlDefaultAdminRules
*
*/
function __AuthorizationModule_init_unchained(address admin, IAuthorizationEngine authorizationEngine_)
internal onlyInitializing {
if(admin == address(0)){
revert Errors.CMTAT_AuthorizationModule_AddressZeroNotAllowed();
}
_grantRole(DEFAULT_ADMIN_ROLE, admin);
if (address(authorizationEngine_) != address (0)) {
AuthorizationModuleStorage storage $ = _getAuthorizationModuleStorage();
$._authorizationEngine = authorizationEngine_;
emit AuthorizationEngine(authorizationEngine_);
}
}
/*//////////////////////////////////////////////////////////////
PUBLIC/EXTERNAL FUNCTIONS
//////////////////////////////////////////////////////////////*/
function authorizationEngine() public view virtual returns (IAuthorizationEngine) {
AuthorizationModuleStorage storage $ = _getAuthorizationModuleStorage();
return $._authorizationEngine;
}
/*
* @notice set an authorizationEngine if not already set
* @dev once an AuthorizationEngine is set, it is not possible to unset it
*/
function setAuthorizationEngine(
IAuthorizationEngine authorizationEngine_
) external onlyRole(DEFAULT_ADMIN_ROLE) {
AuthorizationModuleStorage storage $ = _getAuthorizationModuleStorage();
if (address($._authorizationEngine) != address (0)){
revert Errors.CMTAT_AuthorizationModule_AuthorizationEngineAlreadySet();
}
$._authorizationEngine = authorizationEngine_;
emit AuthorizationEngine(authorizationEngine_);
}
function grantRole(bytes32 role, address account) public override onlyRole(getRoleAdmin(role)) {
AuthorizationModuleStorage storage $ = _getAuthorizationModuleStorage();
if (address($._authorizationEngine) != address (0)) {
bool result = $._authorizationEngine.operateOnGrantRole(role, account);
if(!result) {
// Operation rejected by the authorizationEngine
revert Errors.CMTAT_AuthorizationModule_InvalidAuthorization();
}
}
return AccessControlUpgradeable.grantRole(role, account);
}
function revokeRole(bytes32 role, address account) public override onlyRole(getRoleAdmin(role)) {
AuthorizationModuleStorage storage $ = _getAuthorizationModuleStorage();
if (address($._authorizationEngine) != address (0)) {
bool result = $._authorizationEngine.operateOnRevokeRole(role, account);
if(!result) {
// Operation rejected by the authorizationEngine
revert Errors.CMTAT_AuthorizationModule_InvalidAuthorization();
}
}
return AccessControlUpgradeable.revokeRole(role, account);
}
/**
* @dev Returns `true` if `account` has been granted `role`.
*/
function hasRole(
bytes32 role,
address account
) public view virtual override(AccessControlUpgradeable) returns (bool) {
// The Default Admin has all roles
if (AccessControlUpgradeable.hasRole(DEFAULT_ADMIN_ROLE, account)) {
return true;
}
return AccessControlUpgradeable.hasRole(role, account);
}
/*//////////////////////////////////////////////////////////////
INTERNAL/PRIVATE FUNCTIONS
//////////////////////////////////////////////////////////////*/
/* ============ ERC-7201 ============ */
function _getAuthorizationModuleStorage() private pure returns (AuthorizationModuleStorage storage $) {
assembly {
$.slot := AuthorizationModuleStorageLocation
}
}
}