Contract Source Code:
File 1 of 1 : ACL
//File: contracts/acl/IACL.sol
pragma solidity ^0.4.18;
interface IACL {
function initialize(address permissionsCreator) public;
function hasPermission(address who, address where, bytes32 what, bytes how) public view returns (bool);
}
//File: contracts/kernel/IKernel.sol
pragma solidity ^0.4.18;
interface IKernel {
event SetApp(bytes32 indexed namespace, bytes32 indexed name, bytes32 indexed id, address app);
function acl() public view returns (IACL);
function hasPermission(address who, address where, bytes32 what, bytes how) public view returns (bool);
function setApp(bytes32 namespace, bytes32 name, address app) public returns (bytes32 id);
function getApp(bytes32 id) public view returns (address);
}
//File: contracts/apps/AppStorage.sol
pragma solidity ^0.4.18;
contract AppStorage {
IKernel public kernel;
bytes32 public appId;
address internal pinnedCode; // used by Proxy Pinned
uint256 internal initializationBlock; // used by Initializable
uint256[95] private storageOffset; // forces App storage to start at after 100 slots
uint256 private offset;
}
//File: contracts/common/Initializable.sol
pragma solidity ^0.4.18;
contract Initializable is AppStorage {
modifier onlyInit {
require(initializationBlock == 0);
_;
}
/**
* @return Block number in which the contract was initialized
*/
function getInitializationBlock() public view returns (uint256) {
return initializationBlock;
}
/**
* @dev Function to be called by top level contract after initialization has finished.
*/
function initialized() internal onlyInit {
initializationBlock = getBlockNumber();
}
/**
* @dev Returns the current block number.
* Using a function rather than `block.number` allows us to easily mock the block number in
* tests.
*/
function getBlockNumber() internal view returns (uint256) {
return block.number;
}
}
//File: contracts/evmscript/IEVMScriptExecutor.sol
pragma solidity ^0.4.18;
interface IEVMScriptExecutor {
function execScript(bytes script, bytes input, address[] blacklist) external returns (bytes);
}
//File: contracts/evmscript/IEVMScriptRegistry.sol
pragma solidity 0.4.18;
contract EVMScriptRegistryConstants {
bytes32 constant public EVMSCRIPT_REGISTRY_APP_ID = keccak256("evmreg.aragonpm.eth");
bytes32 constant public EVMSCRIPT_REGISTRY_APP = keccak256(keccak256("app"), EVMSCRIPT_REGISTRY_APP_ID);
}
interface IEVMScriptRegistry {
function addScriptExecutor(address executor) external returns (uint id);
function disableScriptExecutor(uint256 executorId) external;
function getScriptExecutor(bytes script) public view returns (address);
}
//File: contracts/evmscript/ScriptHelpers.sol
pragma solidity 0.4.18;
library ScriptHelpers {
// To test with JS and compare with actual encoder. Maintaining for reference.
// t = function() { return IEVMScriptExecutor.at('0x4bcdd59d6c77774ee7317fc1095f69ec84421e49').contract.execScript.getData(...[].slice.call(arguments)).slice(10).match(/.{1,64}/g) }
// run = function() { return ScriptHelpers.new().then(sh => { sh.abiEncode.call(...[].slice.call(arguments)).then(a => console.log(a.slice(2).match(/.{1,64}/g)) ) }) }
// This is truly not beautiful but lets no daydream to the day solidity gets reflection features
function abiEncode(bytes _a, bytes _b, address[] _c) public pure returns (bytes d) {
return encode(_a, _b, _c);
}
function encode(bytes memory _a, bytes memory _b, address[] memory _c) internal pure returns (bytes memory d) {
// A is positioned after the 3 position words
uint256 aPosition = 0x60;
uint256 bPosition = aPosition + 32 * abiLength(_a);
uint256 cPosition = bPosition + 32 * abiLength(_b);
uint256 length = cPosition + 32 * abiLength(_c);
d = new bytes(length);
assembly {
// Store positions
mstore(add(d, 0x20), aPosition)
mstore(add(d, 0x40), bPosition)
mstore(add(d, 0x60), cPosition)
}
// Copy memory to correct position
copy(d, getPtr(_a), aPosition, _a.length);
copy(d, getPtr(_b), bPosition, _b.length);
copy(d, getPtr(_c), cPosition, _c.length * 32); // 1 word per address
}
function abiLength(bytes memory _a) internal pure returns (uint256) {
// 1 for length +
// memory words + 1 if not divisible for 32 to offset word
return 1 + (_a.length / 32) + (_a.length % 32 > 0 ? 1 : 0);
}
function abiLength(address[] _a) internal pure returns (uint256) {
// 1 for length + 1 per item
return 1 + _a.length;
}
function copy(bytes _d, uint256 _src, uint256 _pos, uint256 _length) internal pure {
uint dest;
assembly {
dest := add(add(_d, 0x20), _pos)
}
memcpy(dest, _src, _length + 32);
}
function getPtr(bytes memory _x) internal pure returns (uint256 ptr) {
assembly {
ptr := _x
}
}
function getPtr(address[] memory _x) internal pure returns (uint256 ptr) {
assembly {
ptr := _x
}
}
function getSpecId(bytes _script) internal pure returns (uint32) {
return uint32At(_script, 0);
}
function uint256At(bytes _data, uint256 _location) internal pure returns (uint256 result) {
assembly {
result := mload(add(_data, add(0x20, _location)))
}
}
function addressAt(bytes _data, uint256 _location) internal pure returns (address result) {
uint256 word = uint256At(_data, _location);
assembly {
result := div(and(word, 0xffffffffffffffffffffffffffffffffffffffff000000000000000000000000),
0x1000000000000000000000000)
}
}
function uint32At(bytes _data, uint256 _location) internal pure returns (uint32 result) {
uint256 word = uint256At(_data, _location);
assembly {
result := div(and(word, 0xffffffff00000000000000000000000000000000000000000000000000000000),
0x100000000000000000000000000000000000000000000000000000000)
}
}
function locationOf(bytes _data, uint256 _location) internal pure returns (uint256 result) {
assembly {
result := add(_data, add(0x20, _location))
}
}
function toBytes(bytes4 _sig) internal pure returns (bytes) {
bytes memory payload = new bytes(4);
payload[0] = bytes1(_sig);
payload[1] = bytes1(_sig << 8);
payload[2] = bytes1(_sig << 16);
payload[3] = bytes1(_sig << 24);
return payload;
}
function memcpy(uint _dest, uint _src, uint _len) public pure {
uint256 src = _src;
uint256 dest = _dest;
uint256 len = _len;
// Copy word-length chunks while possible
for (; len >= 32; len -= 32) {
assembly {
mstore(dest, mload(src))
}
dest += 32;
src += 32;
}
// Copy remaining bytes
uint mask = 256 ** (32 - len) - 1;
assembly {
let srcpart := and(mload(src), not(mask))
let destpart := and(mload(dest), mask)
mstore(dest, or(destpart, srcpart))
}
}
}
//File: contracts/evmscript/EVMScriptRunner.sol
pragma solidity ^0.4.18;
contract EVMScriptRunner is AppStorage, EVMScriptRegistryConstants {
using ScriptHelpers for bytes;
function runScript(bytes _script, bytes _input, address[] _blacklist) protectState internal returns (bytes output) {
// TODO: Too much data flying around, maybe extracting spec id here is cheaper
address executorAddr = getExecutor(_script);
require(executorAddr != address(0));
bytes memory calldataArgs = _script.encode(_input, _blacklist);
bytes4 sig = IEVMScriptExecutor(0).execScript.selector;
require(executorAddr.delegatecall(sig, calldataArgs));
return returnedDataDecoded();
}
function getExecutor(bytes _script) public view returns (IEVMScriptExecutor) {
return IEVMScriptExecutor(getExecutorRegistry().getScriptExecutor(_script));
}
// TODO: Internal
function getExecutorRegistry() internal view returns (IEVMScriptRegistry) {
address registryAddr = kernel.getApp(EVMSCRIPT_REGISTRY_APP);
return IEVMScriptRegistry(registryAddr);
}
/**
* @dev copies and returns last's call data. Needs to ABI decode first
*/
function returnedDataDecoded() internal view returns (bytes ret) {
assembly {
let size := returndatasize
switch size
case 0 {}
default {
ret := mload(0x40) // free mem ptr get
mstore(0x40, add(ret, add(size, 0x20))) // free mem ptr set
returndatacopy(ret, 0x20, sub(size, 0x20)) // copy return data
}
}
return ret;
}
modifier protectState {
address preKernel = kernel;
bytes32 preAppId = appId;
_; // exec
require(kernel == preKernel);
require(appId == preAppId);
}
}
//File: contracts/acl/ACLSyntaxSugar.sol
pragma solidity 0.4.18;
contract ACLSyntaxSugar {
function arr() internal pure returns (uint256[] r) {}
function arr(bytes32 _a) internal pure returns (uint256[] r) {
return arr(uint256(_a));
}
function arr(bytes32 _a, bytes32 _b) internal pure returns (uint256[] r) {
return arr(uint256(_a), uint256(_b));
}
function arr(address _a) internal pure returns (uint256[] r) {
return arr(uint256(_a));
}
function arr(address _a, address _b) internal pure returns (uint256[] r) {
return arr(uint256(_a), uint256(_b));
}
function arr(address _a, uint256 _b, uint256 _c) internal pure returns (uint256[] r) {
return arr(uint256(_a), _b, _c);
}
function arr(address _a, uint256 _b) internal pure returns (uint256[] r) {
return arr(uint256(_a), uint256(_b));
}
function arr(address _a, address _b, uint256 _c, uint256 _d, uint256 _e) internal pure returns (uint256[] r) {
return arr(uint256(_a), uint256(_b), _c, _d, _e);
}
function arr(address _a, address _b, address _c) internal pure returns (uint256[] r) {
return arr(uint256(_a), uint256(_b), uint256(_c));
}
function arr(address _a, address _b, uint256 _c) internal pure returns (uint256[] r) {
return arr(uint256(_a), uint256(_b), uint256(_c));
}
function arr(uint256 _a) internal pure returns (uint256[] r) {
r = new uint256[](1);
r[0] = _a;
}
function arr(uint256 _a, uint256 _b) internal pure returns (uint256[] r) {
r = new uint256[](2);
r[0] = _a;
r[1] = _b;
}
function arr(uint256 _a, uint256 _b, uint256 _c) internal pure returns (uint256[] r) {
r = new uint256[](3);
r[0] = _a;
r[1] = _b;
r[2] = _c;
}
function arr(uint256 _a, uint256 _b, uint256 _c, uint256 _d) internal pure returns (uint256[] r) {
r = new uint256[](4);
r[0] = _a;
r[1] = _b;
r[2] = _c;
r[3] = _d;
}
function arr(uint256 _a, uint256 _b, uint256 _c, uint256 _d, uint256 _e) internal pure returns (uint256[] r) {
r = new uint256[](5);
r[0] = _a;
r[1] = _b;
r[2] = _c;
r[3] = _d;
r[4] = _e;
}
}
contract ACLHelpers {
function decodeParamOp(uint256 _x) internal pure returns (uint8 b) {
return uint8(_x >> (8 * 30));
}
function decodeParamId(uint256 _x) internal pure returns (uint8 b) {
return uint8(_x >> (8 * 31));
}
function decodeParamsList(uint256 _x) internal pure returns (uint32 a, uint32 b, uint32 c) {
a = uint32(_x);
b = uint32(_x >> (8 * 4));
c = uint32(_x >> (8 * 8));
}
}
//File: contracts/apps/AragonApp.sol
pragma solidity ^0.4.18;
contract AragonApp is AppStorage, Initializable, ACLSyntaxSugar, EVMScriptRunner {
modifier auth(bytes32 _role) {
require(canPerform(msg.sender, _role, new uint256[](0)));
_;
}
modifier authP(bytes32 _role, uint256[] params) {
require(canPerform(msg.sender, _role, params));
_;
}
function canPerform(address _sender, bytes32 _role, uint256[] params) public view returns (bool) {
bytes memory how; // no need to init memory as it is never used
if (params.length > 0) {
uint256 byteLength = params.length * 32;
assembly {
how := params // forced casting
mstore(how, byteLength)
}
}
return address(kernel) == 0 || kernel.hasPermission(_sender, address(this), _role, how);
}
}
//File: contracts/acl/ACL.sol
pragma solidity 0.4.18;
interface ACLOracle {
function canPerform(address who, address where, bytes32 what) public view returns (bool);
}
contract ACL is IACL, AragonApp, ACLHelpers {
bytes32 constant public CREATE_PERMISSIONS_ROLE = keccak256("CREATE_PERMISSIONS_ROLE");
// whether a certain entity has a permission
mapping (bytes32 => bytes32) permissions; // 0 for no permission, or parameters id
mapping (bytes32 => Param[]) public permissionParams;
// who is the manager of a permission
mapping (bytes32 => address) permissionManager;
enum Op { NONE, EQ, NEQ, GT, LT, GTE, LTE, NOT, AND, OR, XOR, IF_ELSE, RET } // op types
struct Param {
uint8 id;
uint8 op;
uint240 value; // even though value is an uint240 it can store addresses
// in the case of 32 byte hashes losing 2 bytes precision isn't a huge deal
// op and id take less than 1 byte each so it can be kept in 1 sstore
}
uint8 constant BLOCK_NUMBER_PARAM_ID = 200;
uint8 constant TIMESTAMP_PARAM_ID = 201;
uint8 constant SENDER_PARAM_ID = 202;
uint8 constant ORACLE_PARAM_ID = 203;
uint8 constant LOGIC_OP_PARAM_ID = 204;
uint8 constant PARAM_VALUE_PARAM_ID = 205;
// TODO: Add execution times param type?
bytes32 constant public EMPTY_PARAM_HASH = keccak256(uint256(0));
address constant ANY_ENTITY = address(-1);
modifier onlyPermissionManager(address _app, bytes32 _role) {
require(msg.sender == getPermissionManager(_app, _role));
_;
}
event SetPermission(address indexed entity, address indexed app, bytes32 indexed role, bool allowed);
event ChangePermissionManager(address indexed app, bytes32 indexed role, address indexed manager);
/**
* @dev Initialize can only be called once. It saves the block number in which it was initialized.
* @notice Initializes an ACL instance and sets `_permissionsCreator` as the entity that can create other permissions
* @param _permissionsCreator Entity that will be given permission over createPermission
*/
function initialize(address _permissionsCreator) onlyInit public {
initialized();
require(msg.sender == address(kernel));
_createPermission(_permissionsCreator, this, CREATE_PERMISSIONS_ROLE, _permissionsCreator);
}
/**
* @dev Creates a permission that wasn't previously set. Access is limited by the ACL.
* If a created permission is removed it is possible to reset it with createPermission.
* @notice Create a new permission granting `_entity` the ability to perform actions of role `_role` on `_app` (setting `_manager` as the permission manager)
* @param _entity Address of the whitelisted entity that will be able to perform the role
* @param _app Address of the app in which the role will be allowed (requires app to depend on kernel for ACL)
* @param _role Identifier for the group of actions in app given access to perform
* @param _manager Address of the entity that will be able to grant and revoke the permission further.
*/
function createPermission(address _entity, address _app, bytes32 _role, address _manager) external {
require(hasPermission(msg.sender, address(this), CREATE_PERMISSIONS_ROLE));
_createPermission(_entity, _app, _role, _manager);
}
/**
* @dev Grants permission if allowed. This requires `msg.sender` to be the permission manager
* @notice Grants `_entity` the ability to perform actions of role `_role` on `_app`
* @param _entity Address of the whitelisted entity that will be able to perform the role
* @param _app Address of the app in which the role will be allowed (requires app to depend on kernel for ACL)
* @param _role Identifier for the group of actions in app given access to perform
*/
function grantPermission(address _entity, address _app, bytes32 _role)
external
{
grantPermissionP(_entity, _app, _role, new uint256[](0));
}
/**
* @dev Grants a permission with parameters if allowed. This requires `msg.sender` to be the permission manager
* @notice Grants `_entity` the ability to perform actions of role `_role` on `_app`
* @param _entity Address of the whitelisted entity that will be able to perform the role
* @param _app Address of the app in which the role will be allowed (requires app to depend on kernel for ACL)
* @param _role Identifier for the group of actions in app given access to perform
* @param _params Permission parameters
*/
function grantPermissionP(address _entity, address _app, bytes32 _role, uint256[] _params)
onlyPermissionManager(_app, _role)
public
{
require(!hasPermission(_entity, _app, _role));
bytes32 paramsHash = _params.length > 0 ? _saveParams(_params) : EMPTY_PARAM_HASH;
_setPermission(_entity, _app, _role, paramsHash);
}
/**
* @dev Revokes permission if allowed. This requires `msg.sender` to be the the permission manager
* @notice Revokes `_entity` the ability to perform actions of role `_role` on `_app`
* @param _entity Address of the whitelisted entity to revoke access from
* @param _app Address of the app in which the role will be revoked
* @param _role Identifier for the group of actions in app being revoked
*/
function revokePermission(address _entity, address _app, bytes32 _role)
onlyPermissionManager(_app, _role)
external
{
require(hasPermission(_entity, _app, _role));
_setPermission(_entity, _app, _role, bytes32(0));
}
/**
* @notice Sets `_newManager` as the manager of the permission `_role` in `_app`
* @param _newManager Address for the new manager
* @param _app Address of the app in which the permission management is being transferred
* @param _role Identifier for the group of actions being transferred
*/
function setPermissionManager(address _newManager, address _app, bytes32 _role)
onlyPermissionManager(_app, _role)
external
{
_setPermissionManager(_newManager, _app, _role);
}
/**
* @dev Get manager for permission
* @param _app Address of the app
* @param _role Identifier for a group of actions in app
* @return address of the manager for the permission
*/
function getPermissionManager(address _app, bytes32 _role) public view returns (address) {
return permissionManager[roleHash(_app, _role)];
}
/**
* @dev Function called by apps to check ACL on kernel or to check permission statu
* @param _who Sender of the original call
* @param _where Address of the app
* @param _where Identifier for a group of actions in app
* @param _how Permission parameters
* @return boolean indicating whether the ACL allows the role or not
*/
function hasPermission(address _who, address _where, bytes32 _what, bytes memory _how) public view returns (bool) {
uint256[] memory how;
uint256 intsLength = _how.length / 32;
assembly {
how := _how // forced casting
mstore(how, intsLength)
}
// _how is invalid from this point fwd
return hasPermission(_who, _where, _what, how);
}
function hasPermission(address _who, address _where, bytes32 _what, uint256[] memory _how) public view returns (bool) {
bytes32 whoParams = permissions[permissionHash(_who, _where, _what)];
if (whoParams != bytes32(0) && evalParams(whoParams, _who, _where, _what, _how)) {
return true;
}
bytes32 anyParams = permissions[permissionHash(ANY_ENTITY, _where, _what)];
if (anyParams != bytes32(0) && evalParams(anyParams, ANY_ENTITY, _where, _what, _how)) {
return true;
}
return false;
}
function hasPermission(address _who, address _where, bytes32 _what) public view returns (bool) {
uint256[] memory empty = new uint256[](0);
return hasPermission(_who, _where, _what, empty);
}
/**
* @dev Internal createPermission for access inside the kernel (on instantiation)
*/
function _createPermission(address _entity, address _app, bytes32 _role, address _manager) internal {
// only allow permission creation (or re-creation) when there is no manager
require(getPermissionManager(_app, _role) == address(0));
_setPermission(_entity, _app, _role, EMPTY_PARAM_HASH);
_setPermissionManager(_manager, _app, _role);
}
/**
* @dev Internal function called to actually save the permission
*/
function _setPermission(address _entity, address _app, bytes32 _role, bytes32 _paramsHash) internal {
permissions[permissionHash(_entity, _app, _role)] = _paramsHash;
SetPermission(_entity, _app, _role, _paramsHash != bytes32(0));
}
function _saveParams(uint256[] _encodedParams) internal returns (bytes32) {
bytes32 paramHash = keccak256(_encodedParams);
Param[] storage params = permissionParams[paramHash];
if (params.length == 0) { // params not saved before
for (uint256 i = 0; i < _encodedParams.length; i++) {
uint256 encodedParam = _encodedParams[i];
Param memory param = Param(decodeParamId(encodedParam), decodeParamOp(encodedParam), uint240(encodedParam));
params.push(param);
}
}
return paramHash;
}
function evalParams(
bytes32 _paramsHash,
address _who,
address _where,
bytes32 _what,
uint256[] _how
) internal view returns (bool)
{
if (_paramsHash == EMPTY_PARAM_HASH) {
return true;
}
return evalParam(_paramsHash, 0, _who, _where, _what, _how);
}
function evalParam(
bytes32 _paramsHash,
uint32 _paramId,
address _who,
address _where,
bytes32 _what,
uint256[] _how
) internal view returns (bool)
{
if (_paramId >= permissionParams[_paramsHash].length) {
return false; // out of bounds
}
Param memory param = permissionParams[_paramsHash][_paramId];
if (param.id == LOGIC_OP_PARAM_ID) {
return evalLogic(param, _paramsHash, _who, _where, _what, _how);
}
uint256 value;
uint256 comparedTo = uint256(param.value);
// get value
if (param.id == ORACLE_PARAM_ID) {
value = ACLOracle(param.value).canPerform(_who, _where, _what) ? 1 : 0;
comparedTo = 1;
} else if (param.id == BLOCK_NUMBER_PARAM_ID) {
value = blockN();
} else if (param.id == TIMESTAMP_PARAM_ID) {
value = time();
} else if (param.id == SENDER_PARAM_ID) {
value = uint256(msg.sender);
} else if (param.id == PARAM_VALUE_PARAM_ID) {
value = uint256(param.value);
} else {
if (param.id >= _how.length) {
return false;
}
value = uint256(uint240(_how[param.id])); // force lost precision
}
if (Op(param.op) == Op.RET) {
return uint256(value) > 0;
}
return compare(value, Op(param.op), comparedTo);
}
function evalLogic(Param _param, bytes32 _paramsHash, address _who, address _where, bytes32 _what, uint256[] _how) internal view returns (bool) {
if (Op(_param.op) == Op.IF_ELSE) {
var (condition, success, failure) = decodeParamsList(uint256(_param.value));
bool result = evalParam(_paramsHash, condition, _who, _where, _what, _how);
return evalParam(_paramsHash, result ? success : failure, _who, _where, _what, _how);
}
var (v1, v2,) = decodeParamsList(uint256(_param.value));
bool r1 = evalParam(_paramsHash, v1, _who, _where, _what, _how);
if (Op(_param.op) == Op.NOT) {
return !r1;
}
if (r1 && Op(_param.op) == Op.OR) {
return true;
}
if (!r1 && Op(_param.op) == Op.AND) {
return false;
}
bool r2 = evalParam(_paramsHash, v2, _who, _where, _what, _how);
if (Op(_param.op) == Op.XOR) {
return (r1 && !r2) || (!r1 && r2);
}
return r2; // both or and and depend on result of r2 after checks
}
function compare(uint256 _a, Op _op, uint256 _b) internal pure returns (bool) {
if (_op == Op.EQ) return _a == _b; // solium-disable-line lbrace
if (_op == Op.NEQ) return _a != _b; // solium-disable-line lbrace
if (_op == Op.GT) return _a > _b; // solium-disable-line lbrace
if (_op == Op.LT) return _a < _b; // solium-disable-line lbrace
if (_op == Op.GTE) return _a >= _b; // solium-disable-line lbrace
if (_op == Op.LTE) return _a <= _b; // solium-disable-line lbrace
return false;
}
/**
* @dev Internal function that sets management
*/
function _setPermissionManager(address _newManager, address _app, bytes32 _role) internal {
permissionManager[roleHash(_app, _role)] = _newManager;
ChangePermissionManager(_app, _role, _newManager);
}
function roleHash(address _where, bytes32 _what) pure internal returns (bytes32) {
return keccak256(uint256(1), _where, _what);
}
function permissionHash(address _who, address _where, bytes32 _what) pure internal returns (bytes32) {
return keccak256(uint256(2), _who, _where, _what);
}
function time() internal view returns (uint64) { return uint64(block.timestamp); } // solium-disable-line security/no-block-members
function blockN() internal view returns (uint256) { return block.number; }
}