feat: use context-based role assignments to implement the permission model

[hiddentao]

Notes:

• All new ACL that allows for context-based role setting and other fun features. Fully tested!
• The transfer lock is complex to do using roles because it would require going into the ERC1155 too to handle approvals etc. So I opted for a flag instead for that one.

[coveralls]

Pull Request Test Coverage Report for Build 13805766124

Warning: This coverage report may be inaccurate.

This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.

• For more information on this, see Tracking coverage changes with pull request builds.
• To avoid this issue with future PRs, see these Recommended CI Configurations.
• For a quick fix, rebase this PR at GitHub. Your next report should be accurate.

Details

• 94 of 180 (52.22%) changed or added relevant lines in 9 files are covered.
• 4 unchanged lines in 2 files lost coverage.
• Overall coverage decreased (-3.2%) to 54.758%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
contracts/src/registry/RootRegistry.sol	2	3	66.67%
contracts/src/registry/PermissionedRegistry.sol	2	4	50.0%
contracts/src/registry/NameWrapperRegistry.sol	0	83	0.0%

Files with Coverage Reduction	New Missed Lines	%
contracts/src/registry/RootRegistry.sol	1	75.0%
contracts/src/registry/PermissionedRegistry.sol	3	73.68%

Totals
Change from base Build 13351832110:	-3.2%
Covered Lines:	278
Relevant Lines:	495

---

💛 - Coveralls

[hiddentao]

@Arachnid Given that we only need to transfer two roles to a new registrar (registrar and renew) I felt that it was easier to do that manually whilst keeping the current storage approach in EnhancedAccessControl, i.e. not using a bitmap. Even if we use a Bitmap then keeping the "revoke all assignments of this role within this resource" O(1) feature would still require versioning of assignments, meaning that we'd still be doing a lot of complex storage work in access control.

Plus, role transfers only work across a particular context. There's no way to transfer all of a user's roles in all contexts. I suppose if we implement hierarchical contexts of some sort we could perhaps do this. But again, this complicates the access control storage.

Happy to discuss this further over calls.

[Arachnid]

Can we simply say that the upper 128 bits are admin roles and the lower 128 bits are user roles, and thus remove the need to map them explicitly?

[hiddentao]

I think it's possible that a role can be a role as well as an admin role - e.g registrar can be admin roles for setting the renewer admin role, even though registrars are themselves roles.

[Arachnid]

I don't think there's in harm in representing those with separate bits, though? If they're typically used together, the inheriting contract can simply grant or revoke both bits together.

[Arachnid]

Is this necessary? If a role for a given resource has no admins, it's locked implicitly.

[hiddentao]

The issue is that the DEFAULT_ADMIN_ROLE can always revoke a role, thus I figured we needed an explicit locking mechanism to prevent that.

[Arachnid]

With the admin-bit-for-each-role I suggested above, there is no DEFAULT_ADMIN_ROLE - only individual admins for each role.

[Arachnid]

Suggested change

	function grantRole(bytes32 resource, uint256 role, address account) public virtual canGrantRole(resource, role) returns (bool) {
	function grantRoles(bytes32 resource, uint256 role, address account) public virtual canGrantRole(resource, role) returns (bool) {

[hiddentao]

This isn't as straightforward since we need to check that the caller has the admin role for the given role - and we don't want to be looping through and checking the caller is an admin for every role passed in.

The alternative is to be able to set an admin for a bitmap of roles, but then that semantically doesn't make any sense.

Hence why granting/revoking one role at a time makes the most sense.

[Arachnid]

If we do the admin-role-per-role I suggested above, this is doable with simple bitmasking. Eg:

uint256 caller_roles = getRoles(resource, msg.sender);
uint256 caller_admin_roles = (caller_roles & 0xffffffffffffffffffffffffffffffff) | (caller_roles >> 128);
role &= caller_admin_roles;

This will take the role input and mask out any roles the caller doesn't have permission to grant.

[Arachnid]

Suggested change

	function revokeRole(bytes32 resource, uint256 role, address account) public virtual canGrantRole(resource, role) returns (bool) {
	function revokeRoles(bytes32 resource, uint256 role, address account) public virtual canGrantRole(resource, role) returns (bool) {

[hiddentao]

This isn't as straightforward since we need to check that the caller has the admin role for the given role - and we don't want to be looping through and checking the caller is an admin for every role passed in.

The alternative is to be able to set an admin for a bitmap of roles, but then that semantically doesn't make any sense.

Hence why granting/revoking one role at a time makes the most sense.

[Arachnid]

I think we should omit this; if an account is an admin for the role, they can revoke both the role and their own admin status, but having this makes it impossible to 'lock open' a permission.

[hiddentao]

I don't really understand what you mean by "lock open" here.

[Arachnid]

Revoke all admin access over a role, without revoking the role itself for everyone - meaning it can still be done, but the set of accounts that can do it can't be changed any longer.