feat: Protected SetRoleHolders Guard #507
Conversation
| /// @inheritdoc ILlamaActionGuard | ||
| /// @dev Performs a validation check at action creation time that the action creator is authorized to set the role. | ||
| function validateActionCreation(ActionInfo calldata actionInfo) external view { | ||
| if (BYPASS_PROTECTION_ROLE == 0 || actionInfo.creatorRole != BYPASS_PROTECTION_ROLE) { |
There was a problem hiding this comment.
If BYPASS_PROTECTION_ROLE is 0 it'll always enter this if scope right? How is that bypassing it?
There was a problem hiding this comment.
it's clear that this is not true and when it's equal to 0 the bypass role is disabled
There was a problem hiding this comment.
Wait why is that? If BYPASS_PROTECTION_ROLE == 0, your if condition is satisfied, so you always enter the if scope. But the idea is to bypass it right?
so shouldn't the condition be if (BYPASS_PROTECTION_ROLE != 0 && actionInfo.creatorRole != BYPASS_PROTECTION_ROLE) ?
| function validateActionCreation(ActionInfo calldata actionInfo) external view { | ||
| if (BYPASS_PROTECTION_ROLE == 0 || actionInfo.creatorRole != BYPASS_PROTECTION_ROLE) { | ||
| RoleHolderData[] memory roleHolderData = abi.decode(actionInfo.data[4:], (RoleHolderData[])); | ||
| for (uint256 i = 0; i < roleHolderData.length; i++) { |
There was a problem hiding this comment.
Two things to save gas (since we're on v0.8.19):
- Define length outside the loop
- Use
LlamaUtils.uncheckedIncrement(i)for the index increment.
|
|
||
| /// @notice BYPASS_PROTECTION_ROLE can be set to 0 to disable this feature. | ||
| /// This also means the all holders role cannot be set as the BYPASS_PROTECTION_ROLE. | ||
| uint8 public immutable BYPASS_PROTECTION_ROLE; |
There was a problem hiding this comment.
What's the idea behind a Bypass Protection Role? To allow some role to bypass the action creation check? Why just 1 role in that case (and why not multiple achievable through another mapping)?
There was a problem hiding this comment.
I'd assume there would be cases where multiple roles will want to bypass the check.
There was a problem hiding this comment.
Yeah I don't really see the point of this either. If the concern setRoleHolders gets bricked then the guard can be disabled. setRoleHolder can also be used if needed. I think it would simplify things not to have it.
There was a problem hiding this comment.
the idea is to provide a better UX. if there is a core team role that can set every role, they shouldn't need to iteratively update the permissions mapping and update it every time a new role is created.
There was a problem hiding this comment.
It makes me think the whole design of this is wrong then. We should either make one of the following two assumptions:
- If this guard is enabled, all roles should default to not having any
setRoleHoldersaccess and any access to this function must be updated here. - If this guard is enabled, all roles should default to having normal
setRoleHoldersaccess and any restrictions to this function must be updated here.
This conversations makes me think we should go with 2. Having a dedicated bypass role is an extension to the Llama role system that just increases complexity.
Think about explaining this process to a smart crypto-native friend:
LlamaCore::executeAction runs the guard -> LlamaExecutor::execute -> LlamaGovernanceScript::setRoleHolders -> LlamaPolicy::setRoleHolder
It's already complicated enough.
| event AuthorizedSetRoleHolder(uint8 indexed setterRole, uint8 indexed targetRole, bool isAuthorized); | ||
|
|
||
| /// @notice BYPASS_PROTECTION_ROLE can be set to 0 to disable this feature. | ||
| /// This also means the all holders role cannot be set as the BYPASS_PROTECTION_ROLE. |
There was a problem hiding this comment.
Some about this screams icky to me. If the ALL HOLDERS ROLE ever held permission to call setRoleHolders on the Gov Script, it would always bypass the check? (Far fetched I know, but we should account for all possibilities.).
There was a problem hiding this comment.
no, that is not true at all. if you read the code, or the comment, it's clear that it would never bypass the check and setting BYPASS_PROTECTION_ROLE to 0 (default value) disables the bypass role entirely.
| /// @dev Performs a validation check at action creation time that the action creator is authorized to set the role. | ||
| function validateActionCreation(ActionInfo calldata actionInfo) external view { | ||
| if (BYPASS_PROTECTION_ROLE == 0 || actionInfo.creatorRole != BYPASS_PROTECTION_ROLE) { | ||
| RoleHolderData[] memory roleHolderData = abi.decode(actionInfo.data[4:], (RoleHolderData[])); |
There was a problem hiding this comment.
Took me a second to figure out what's going on here. Might be worth it to leave a comment saying that you're slicing the bytes array to get the function calldata from the data field.
| error UnauthorizedSetRoleHolder(uint8 setterRole, uint8 targetRole); | ||
|
|
||
| /// @dev Emitted when the authorizedSetRoleHolder mapping is updated. | ||
| event AuthorizedSetRoleHolder(uint8 indexed setterRole, uint8 indexed targetRole, bool isAuthorized); |
There was a problem hiding this comment.
Could call it actionCreatorRole rather than setterRole which seems to be a bit more accurate.
| /// @param setterRole The role that is is being authorized or unauthorized to set the targetRole. | ||
| /// @param targetRole The role that the setterRole is being authorized or unauthorized to set. | ||
| /// @param isAuthorized Whether the setterRole is authorized to set the targetRole. | ||
| function setAuthorizedSetRoleHolder(uint8 setterRole, uint8 targetRole, bool isAuthorized) external { |
There was a problem hiding this comment.
Could call it actionCreatorRole rather than setterRole which seems to be a bit more accurate.
| address public immutable EXECUTOR; | ||
|
|
||
| /// @notice A mapping to keep track of which roles the setterRole is authorized to set. | ||
| mapping(uint8 => mapping(uint8 => bool)) public authorizedSetRoleHolder; |
There was a problem hiding this comment.
Can we do named mappings here?
| /// @dev Throws if called by any account other than the EXECUTOR. | ||
| error OnlyLlamaExecutor(); | ||
| /// @dev Throws if the setterRole is not authorized to set the targetRole. | ||
| error UnauthorizedSetRoleHolder(uint8 setterRole, uint8 targetRole); |
There was a problem hiding this comment.
Could call it actionCreatorRole rather than setterRole which seems to be a bit more accurate.
|
|
||
| /// @title Protected Set Role Holder Guard | ||
| /// @author Llama ([email protected]) | ||
| /// @notice A guard that protects against unauthorized calls to setRoleHolders on the LlamaGovernanceScript. |
There was a problem hiding this comment.
We should be more descriptive here. Unauthorized callers can never call setRoleHolders. It's more about defining which roles can add policyholders to other roles
| import {ActionInfo, RoleHolderData} from "src/lib/Structs.sol"; | ||
| import {ILlamaActionGuard} from "src/interfaces/ILlamaActionGuard.sol"; |
There was a problem hiding this comment.
The order here should be flipped.
| /// @dev Throws if called by any account other than the EXECUTOR. | ||
| error OnlyLlamaExecutor(); | ||
| /// @dev Throws if the setterRole is not authorized to set the targetRole. |
There was a problem hiding this comment.
And setterRole and targetRole should be in backticks
| /// @inheritdoc ILlamaActionGuard | ||
| /// @dev Performs a validation check at action creation time that the action creator is authorized to set the role. |
There was a problem hiding this comment.
We shouldn't inheritdoc here right? We should just write proper natspec for these params and what the function does
There was a problem hiding this comment.
I don't see why not to inherit doc, or why this isn't "proper". The inherit doc already describes the params. I changed the additional comment to @notice instead of dev which defines what the function is doing.
|
|
||
| /// @title Protected Set Role Holder Guard Factory | ||
| /// @author Llama ([email protected]) | ||
| /// @notice A factory contract that deploys `ProtectedSetRoleHoldersGuard` contracts. |
There was a problem hiding this comment.
Let's put some more thought into what helpful documentation what would look like here.
Just be reading this, a Llama instance policyholder should know the purpose of this guard.
There was a problem hiding this comment.
I think SetRoleHolderGuard is a suitable name. It's a lot shorter and the Protected adjective doesn't do much. The purpose of every guard is to protect something.
There was a problem hiding this comment.
Should be SetRoleHoldersGuard IMO. Since this is protecting setRoleHolders and not setRoleHolder.
There was a problem hiding this comment.
There was a problem hiding this comment.
I don't know why but this link doesn't seem to take me to anything useful. can you paste what you'd like me to see here or send a screenshot
|
|
||
| /// @dev Thrown if called by any account other than the EXECUTOR. | ||
| error OnlyLlamaExecutor(); | ||
| /// @dev Throw if the `actionCreatorRole` is not authorized to set the `targetRole`. |
There was a problem hiding this comment.
Should be an empty line here
|
|
||
| /// @dev Thrown if called by any account other than the EXECUTOR. | ||
| error OnlyLlamaExecutor(); | ||
| /// @dev Throw if the `actionCreatorRole` is not authorized to set the `targetRole`. |
There was a problem hiding this comment.
Should be Thrown not Throw
There was a problem hiding this comment.
Small nit. But if we have a factory and a guard. We should move both files into a set-role-holders/ directory withing src/guards. We can then just keep adding directories for other guards we might build in the future.
| event ProtectedSetRoleHoldersGuardDeployed( | ||
| address indexed guard, uint8 indexed bypassProtectionRole, address indexed executor | ||
| ); |
There was a problem hiding this comment.
I would make this event:
event ProtectedSetRoleHoldersGuardCreated(address indexed deployer, address indexed executor, address guard, uint8 bypassProtectionRole);
There was a problem hiding this comment.
- For factory deploys always have the deployer/caller of the deploy as the first indexed event parameter.
- The only things you ever need to do
indexedon is things that data consumers would want to filter by. In this case the deployer and executor. The guard is already unique so there's no need to index it. And There's no point filtering on bypassProtectionRole since it could be different roles for different instances. - We seem to be following
*Createdinstead of*Deployedfor all our factory events. Let's stick to the same.
| import {LlamaUtils} from "src/lib/LlamaUtils.sol"; | ||
| import {ActionInfo, RoleHolderData} from "src/lib/Structs.sol"; | ||
|
|
||
| /// @title Protected Set Role Holder Guard |
There was a problem hiding this comment.
Should this be "Set Role Holders Guard" to reflect the contract name?
Motivation:
To enable a common usecase with Llama where some roles are allowed to call
setRoleHolders, but should only be able to set specific roles. TheProtectedSetRoleHoldersGuardprovides a check on action creation that the action creator has authorization to set the role they are trying to set.Modifications:
ProtectedSetRoleHoldersGuardcontract that inherits theILlamaActionGuardinterfacesrc/guardsProtectedSetRoleHoldersGuardin a new dirtests/guards/Result:
Llama users can unlock new usecases by using the protected
setRoleHolders