Skip to content

Commit

Permalink
condition restrictions (#617)
Browse files Browse the repository at this point in the history
* condition restrictions

* fix isGranted (#618)

---------

Co-authored-by: Rekard0 <[email protected]>
  • Loading branch information
novaknole and Rekard0 authored Oct 30, 2024
1 parent dc79242 commit c951efe
Show file tree
Hide file tree
Showing 3 changed files with 68 additions and 22 deletions.
23 changes: 20 additions & 3 deletions packages/contracts/src/core/permission/PermissionManager.sol
Original file line number Diff line number Diff line change
Expand Up @@ -191,6 +191,12 @@ abstract contract PermissionManager is Initializable {
PermissionLib.MultiTargetPermission memory item = _items[i];

if (item.operation == PermissionLib.Operation.Grant) {
// Ensure a non-zero condition isn't passed, as `_grant` can't handle conditions.
// This avoids the false impression that a conditional grant occurred,
// since the transaction would still succeed without conditions.
if (item.condition != address(0)) {
revert GrantWithConditionNotSupported();
}
_grant({_where: item.where, _who: item.who, _permissionId: item.permissionId});
} else if (item.operation == PermissionLib.Operation.Revoke) {
_revoke({_where: item.where, _who: item.who, _permissionId: item.permissionId});
Expand Down Expand Up @@ -246,13 +252,15 @@ abstract contract PermissionManager is Initializable {
// If this permission is not set, continue.
}

// Generic caller (`_who: ANY_ADDR`) condition check
// Generic caller (`_who: ANY_ADDR`)
{
// This permission can only be granted in conjunction with a condition via the `grantWithCondition` function.
address genericCallerPermission = permissionsHashed[
permissionHash({_where: _where, _who: ANY_ADDR, _permissionId: _permissionId})
];

// If the permission was granted directly to (`_who: ANY_ADDR`), return `true`.
if (genericCallerPermission == ALLOW_FLAG) return true;

// If the permission was granted with a condition, check the condition and return the result.
if (genericCallerPermission != UNSET_FLAG) {
return
Expand Down Expand Up @@ -336,10 +344,19 @@ abstract contract PermissionManager is Initializable {
/// @param _permissionId The permission identifier.
/// @dev Note, that granting permissions with `_who` or `_where` equal to `ANY_ADDR` does not replace other permissions with specific `_who` and `_where` addresses that exist in parallel.
function _grant(address _where, address _who, bytes32 _permissionId) internal virtual {
if (_where == ANY_ADDR || _who == ANY_ADDR) {
if (_where == ANY_ADDR) {
revert PermissionsForAnyAddressDisallowed();
}

if (_who == ANY_ADDR) {
if (
_permissionId == ROOT_PERMISSION_ID ||
isPermissionRestrictedForAnyAddr(_permissionId)
) {
revert PermissionsForAnyAddressDisallowed();
}
}

bytes32 permHash = permissionHash({
_where: _where,
_who: _who,
Expand Down
2 changes: 1 addition & 1 deletion packages/contracts/test/core/dao/dao.ts
Original file line number Diff line number Diff line change
Expand Up @@ -85,7 +85,7 @@ const EVENTS = {
export const VALID_ERC1271_SIGNATURE = '0x1626ba7e';
export const INVALID_ERC1271_SIGNATURE = '0xffffffff';

describe.only('DAO', function () {
describe('DAO', function () {
let signers: SignerWithAddress[];
let ownerAddress: string;
let dao: DAO;
Expand Down
65 changes: 47 additions & 18 deletions packages/contracts/test/core/permission/permission-manager.ts
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ interface SingleTargetPermission {
permissionId: string;
}

describe('Core: PermissionManager', function () {
describe.only('Core: PermissionManager', function () {
let pm: PermissionManagerTest;
let signers: SignerWithAddress[];
let ownerSigner: SignerWithAddress;
Expand Down Expand Up @@ -94,28 +94,24 @@ describe('Core: PermissionManager', function () {
).to.be.revertedWithCustomError(pm, 'PermissionsForAnyAddressDisallowed');
});

it('reverts if permissionId is restricted and `_who == ANY_ADDR` or `_where == ANY_ADDR`', async () => {
for (let i = 0; i < RESTRICTED_PERMISSIONS_FOR_ANY_ADDR.length; i++) {
await expect(
pm.grant(pm.address, ANY_ADDR, RESTRICTED_PERMISSIONS_FOR_ANY_ADDR[i])
).to.be.revertedWithCustomError(
pm,
'PermissionsForAnyAddressDisallowed'
);
await expect(
pm.grant(ANY_ADDR, pm.address, RESTRICTED_PERMISSIONS_FOR_ANY_ADDR[i])
).to.be.revertedWithCustomError(
pm,
'PermissionsForAnyAddressDisallowed'
);
}
it('reverts if permissionId is restricted and `_who == ANY_ADDR`', async () => {
await expect(
pm.grant(pm.address, ANY_ADDR, RESTRICTED_PERMISSIONS_FOR_ANY_ADDR[0])
).to.be.revertedWithCustomError(pm, 'PermissionsForAnyAddressDisallowed');
});

it('reverts if permissionId is not restricted and`_who == ANY_ADDR` or `_where == ANY_ADDR`', async () => {
it('succeeds if permissionId is not restricted and `_who == ANY_ADDR`', async () => {
await expect(pm.grant(pm.address, ANY_ADDR, ADMIN_PERMISSION_ID)).to.not
.be.reverted;
});

it('reverts if permissionId is restricted and `_where == ANY_ADDR`', async () => {
await expect(
pm.grant(pm.address, ANY_ADDR, ADMIN_PERMISSION_ID)
pm.grant(ANY_ADDR, pm.address, RESTRICTED_PERMISSIONS_FOR_ANY_ADDR[0])
).to.be.revertedWithCustomError(pm, 'PermissionsForAnyAddressDisallowed');
});

it('reverts if permissionId is not restricted and `_where == ANY_ADDR`', async () => {
await expect(
pm.grant(ANY_ADDR, pm.address, ADMIN_PERMISSION_ID)
).to.be.revertedWithCustomError(pm, 'PermissionsForAnyAddressDisallowed');
Expand Down Expand Up @@ -504,6 +500,28 @@ describe('Core: PermissionManager', function () {
}
});

it('should revert if non-zero condition is used with `grant` operation type', async () => {
const signers = await ethers.getSigners();

const conditionMock = await new PermissionConditionMock__factory(
signers[0]
).deploy();

const bulkItems: MultiTargetPermission[] = [
{
operation: Operation.Grant,
where: signers[1].address,
who: signers[0].address,
condition: conditionMock.address,
permissionId: ADMIN_PERMISSION_ID,
},
];

await expect(
pm.applyMultiTargetPermissions(bulkItems)
).to.be.revertedWithCustomError(pm, 'GrantWithConditionNotSupported');
});

it('should grant with condition', async () => {
const signers = await ethers.getSigners();

Expand Down Expand Up @@ -1083,6 +1101,17 @@ describe('Core: PermissionManager', function () {
)
).to.be.true;
});

it('returns `true` if the permission is granted to `_who == ANY_ADDR`', async () => {
await pm.grant(pm.address, ANY_ADDR, ADMIN_PERMISSION_ID);
const isGranted = await pm.callStatic.isGranted(
pm.address,
otherSigner.address,
ADMIN_PERMISSION_ID,
[]
);
expect(isGranted).to.be.equal(true);
});
});

describe('_hasPermission', () => {
Expand Down

0 comments on commit c951efe

Please sign in to comment.