feat(Upgradable)!: use Acl for authorization (#85)

* feat(Upgradable)!: use Acl for authorization

Previously authorization was based on `Ownable`.

* test: update test/demo contracts

* test: adapt tests to Acl based auth

* test: extend coverage

* test: use Acl plugin without `__acl` field

* docs: update and extend

* fix: make clippy happy

* docs: example contract

* chore: avoid unchecked method in example contract

Author: mooori

README.md

@@ -61,13 +61,13 @@ Documentation of all methods provided by `Pausable` is available in the [definit
 
 ### [Upgradable](/near-plugins/src/upgradable.rs)
 
-Allows a contract to be upgraded by the owner without requiring a full access key. Optionally a staging duration can be set, which defines the minimum duration that must pass before staged code can be deployed. The staging duration is a safety mechanism to protect users that interact with the contract, giving them time to opt-out before an unfavorable update is deployed.
+Allows a contract to be upgraded without requiring a full access key. Optionally a staging duration can be set, which defines the minimum duration that must pass before staged code can be deployed. The staging duration is a safety mechanism to protect users that interact with the contract, giving them time to opt-out before an unfavorable update is deployed.
 
-Using the `Upgradable` plugin requires a contract to be `Ownable`.
+Using the `Upgradable` plugin requires a contract to be `AccessControllable` to handle authorization for calling `Upgradable` methods to stage or deploy updates (listed below). 
 
-To upgrade the contract first call `up_stage_code` passing the binary as first argument serialized as borsh. Then call `up_deploy_code`. Both functions must be called by the owner of the contract.
+To upgrade the contract, first call `up_stage_code` passing the binary as first argument serialized as borsh. Then call `up_deploy_code`.
 
-To set a staging duration, call `up_stage_init_staging_duration`. After initialization the staging duration can be updated by calling `up_stage_update_staging_duration` followed by `up_apply_update_staging_duration`. Updating the staging duration is itself subject to a delay: at least the currently set staging duration must pass before a staged update can be applied. The functions mentioned in this paragraph must be called by the owner of the contract.
+To set a staging duration, call `up_init_staging_duration`. After initialization the staging duration can be updated by calling `up_stage_update_staging_duration` followed by `up_apply_update_staging_duration`. Updating the staging duration is itself subject to a delay: at least the currently set staging duration must pass before a staged update can be applied.
 
 [This contract](/near-plugins-derive/tests/contracts/upgradable/src/lib.rs) provides an example of using `Upgradable`. It is compiled, deployed on chain and interacted with in [integration tests](/near-plugins-derive/tests/upgradable.rs).
 

near-plugins-derive/src/upgradable.rs

@@ -1,13 +1,67 @@
 use crate::utils::cratename;
-use darling::FromDeriveInput;
+use darling::util::PathList;
+use darling::{FromDeriveInput, FromMeta};
 use proc_macro::{self, TokenStream};
 use quote::quote;
 use syn::{parse_macro_input, DeriveInput};
 
 #[derive(FromDeriveInput, Default)]
 #[darling(default, attributes(upgradable), forward_attrs(allow, doc, cfg))]
 struct Opts {
+    /// Storage prefix under which this plugin stores its state. If it is `None` the default value
+    /// will be used.
     storage_prefix: Option<String>,
+    /// Roles which are permitted to call protected methods.
+    access_control_roles: AccessControlRoles,
+}
+
+/// Specifies which `AccessControlRole`s may call protected methods.
+///
+/// All field names need to be passed to calls of `check_roles_specified_for!`.
+#[derive(Default, FromMeta, Debug)]
+#[darling(default)]
+struct AccessControlRoles {
+    /// Grantess of these roles may successfully call `Upgradable::up_stage_code`.
+    code_stagers: PathList,
+    /// Grantess of these roles may successfully call `Upgradable::up_deploy_code`.
+    code_deployers: PathList,
+    /// Grantess of these roles may successfully call `Upgradable::up_init_staging_duration`.
+    duration_initializers: PathList,
+    /// Grantess of these roles may successfully call `Upgradable::up_stage_update_staging_duration`.
+    duration_update_stagers: PathList,
+    /// Grantess of these roles may successfully call `Upgradable::up_apply_update_staging_duration`.
+    duration_update_appliers: PathList,
+}
+
+impl AccessControlRoles {
+    /// Validates the roles provided by the plugin user and panics if they are invalid.
+    fn validate(&self) {
+        // Ensure at least one role is provided for every field of `AccessControlRoles`.
+        let mut missing_roles = vec![];
+
+        macro_rules! check_roles_specified_for {
+            ($($field_name:ident),+) => (
+                $(
+                if self.$field_name.len() == 0 {
+                    missing_roles.push(stringify!($field_name));
+                }
+                )+
+            )
+        }
+
+        check_roles_specified_for!(
+            code_stagers,
+            code_deployers,
+            duration_initializers,
+            duration_update_stagers,
+            duration_update_appliers
+        );
+        assert!(
+            missing_roles.is_empty(),
+            "Specify access_control_roles for: {:?}",
+            missing_roles,
+        );
+    }
 }
 
 const DEFAULT_STORAGE_PREFIX: &str = "__up__";
@@ -23,6 +77,16 @@ pub fn derive_upgradable(input: TokenStream) -> TokenStream {
     let storage_prefix = opts
         .storage_prefix
         .unwrap_or_else(|| DEFAULT_STORAGE_PREFIX.to_string());
+    let acl_roles = opts.access_control_roles;
+    acl_roles.validate();
+
+    // To use fields of a struct inside `quote!`, they must be lifted into variables, see
+    // https://github.com/dtolnay/quote/pull/88#pullrequestreview-180577592
+    let acl_roles_code_stagers = acl_roles.code_stagers;
+    let acl_roles_code_deployers = acl_roles.code_deployers;
+    let acl_roles_duration_initializers = acl_roles.duration_initializers;
+    let acl_roles_duration_update_stagers = acl_roles.duration_update_stagers;
+    let acl_roles_duration_update_appliers = acl_roles.duration_update_appliers;
 
     let output = quote! {
         /// Used to make storage prefixes unique. Not to be used directly,
@@ -93,7 +157,7 @@ pub fn derive_upgradable(input: TokenStream) -> TokenStream {
                 }
             }
 
-            #[#cratename::only(owner)]
+            #[#cratename::access_control_any(roles(#(#acl_roles_code_stagers),*))]
             fn up_stage_code(&mut self, #[serializer(borsh)] code: Vec<u8>) {
                 if code.is_empty() {
                     near_sdk::env::storage_remove(self.up_storage_key(__UpgradableStorageKey::Code).as_ref());
@@ -115,7 +179,7 @@ pub fn derive_upgradable(input: TokenStream) -> TokenStream {
                     .map(|code| std::convert::TryInto::try_into(near_sdk::env::sha256(code.as_ref())).unwrap())
             }
 
-            #[#cratename::only(owner)]
+            #[#cratename::access_control_any(roles(#(#acl_roles_code_deployers),*))]
             fn up_deploy_code(&mut self) -> near_sdk::Promise {
                 let staging_timestamp = self.up_get_timestamp(__UpgradableStorageKey::StagingTimestamp)
                     .unwrap_or_else(|| ::near_sdk::env::panic_str("Upgradable: staging timestamp isn't set"));
@@ -134,13 +198,13 @@ pub fn derive_upgradable(input: TokenStream) -> TokenStream {
                     .deploy_contract(self.up_staged_code().unwrap_or_else(|| ::near_sdk::env::panic_str("Upgradable: No staged code")))
             }
 
-            #[#cratename::only(owner)]
+            #[#cratename::access_control_any(roles(#(#acl_roles_duration_initializers),*))]
             fn up_init_staging_duration(&mut self, staging_duration: near_sdk::Duration) {
                 near_sdk::require!(self.up_get_duration(__UpgradableStorageKey::StagingDuration).is_none(), "Upgradable: staging duration was already initialized");
                 self.up_set_staging_duration_unchecked(staging_duration);
             }
 
-            #[#cratename::only(owner)]
+            #[#cratename::access_control_any(roles(#(#acl_roles_duration_update_stagers),*))]
             fn up_stage_update_staging_duration(&mut self, staging_duration: near_sdk::Duration) {
                 let current_staging_duration = self.up_get_duration(__UpgradableStorageKey::StagingDuration)
                     .unwrap_or_else(|| ::near_sdk::env::panic_str("Upgradable: staging duration isn't initialized"));
@@ -150,7 +214,7 @@ pub fn derive_upgradable(input: TokenStream) -> TokenStream {
                 self.up_set_timestamp(__UpgradableStorageKey::NewStagingDurationTimestamp, staging_duration_timestamp);
             }
 
-            #[#cratename::only(owner)]
+            #[#cratename::access_control_any(roles(#(#acl_roles_duration_update_appliers),*))]
             fn up_apply_update_staging_duration(&mut self) {
                 let staging_timestamp = self.up_get_timestamp(__UpgradableStorageKey::NewStagingDurationTimestamp)
                     .unwrap_or_else(|| ::near_sdk::env::panic_str("Upgradable: No staged update"));

near-plugins-derive/tests/contracts/upgradable/src/lib.rs

@@ -1,49 +1,102 @@
-use near_plugins::{Ownable, Upgradable};
+use near_plugins::{access_control, AccessControlRole, AccessControllable, Upgradable};
 use near_sdk::borsh::{self, BorshDeserialize, BorshSerialize};
+use near_sdk::env;
+use near_sdk::serde::{Deserialize, Serialize};
 use near_sdk::{near_bindgen, AccountId, Duration, PanicOnDefault};
 
-/// Deriving `Upgradable` requires the contract to be `Ownable.`
+/// Defines roles for access control of protected methods provided by the `Upgradable` plugin.
+#[derive(AccessControlRole, Deserialize, Serialize, Copy, Clone)]
+#[serde(crate = "near_sdk::serde")]
+pub enum Role {
+    /// May successfully call any of the protected `Upgradable` methods since below it is passed to
+    /// every attribute of `access_control_roles`.
+    ///
+    /// Using this pattern grantees of a single role are authorized to call all `Upgradable`methods.
+    DAO,
+    /// May successfully call `Upgradable::up_stage_code`, but none of the other protected methods,
+    /// since below is passed only to the `code_stagers` attribute.
+    ///
+    /// Using this pattern grantees of a role are authorized to call only one particular protected
+    /// `Upgradable` method.
+    CodeStager,
+    /// May successfully call `Upgradable::up_deploy_code`, but none of the other protected methods,
+    /// since below is passed only to the `code_deployers` attribute.
+    ///
+    /// Using this pattern grantees of a role are authorized to call only one particular protected
+    /// `Upgradable` method.
+    CodeDeployer,
+    /// May successfully call `Upgradable` methods to initialize and update the staging duration
+    /// since below it is passed to the attributes `duration_initializers`,
+    /// `duration_update_stagers`, and `duration_update_appliers`.
+    ///
+    /// Using this pattern grantees of a single role are authorized to call multiple (but not all)
+    /// protected `Upgradable` methods.
+    DurationManager,
+}
+
+/// Deriving `Upgradable` requires the contract to be `AccessControllable`.
+///
+/// Variants of `Role` are passed to `upgradables`'s `access_control_roles` attribute to specify
+/// which roles are authorized to successfully call protected `Upgradable` methods. A protected
+/// method panics if it is called by an account which is not a grantee of at least one of the
+/// whitelisted roles.
+#[access_control(role_type(Role))]
 #[near_bindgen]
-#[derive(Ownable, Upgradable, PanicOnDefault, BorshDeserialize, BorshSerialize)]
+#[derive(Upgradable, PanicOnDefault, BorshDeserialize, BorshSerialize)]
+#[upgradable(access_control_roles(
+    code_stagers(Role::CodeStager, Role::DAO),
+    code_deployers(Role::CodeDeployer, Role::DAO),
+    duration_initializers(Role::DurationManager, Role::DAO),
+    duration_update_stagers(Role::DurationManager, Role::DAO),
+    duration_update_appliers(Role::DurationManager, Role::DAO),
+))]
 pub struct Contract;
 
 #[near_bindgen]
 impl Contract {
-    /// Parameter `owner` allows setting the owner in the constructor if an `AccountId` is provided.
-    /// If `owner` is `None`, no owner will be set in the constructor. After contract initialization
-    /// it is possible to set an owner with `Ownable::owner_set`.
+    /// Makes the contract itself `AccessControllable` super admin to allow it granting and revoking
+    /// permissions. If parameter `dao` is `Some(account_id)`, then `account_id` is granted
+    /// `Role::DAO`. After initialization permissions can be managed using the methods provided by
+    /// `AccessControllable`.
     ///
     /// Parameter `staging_duration` allows initializing the time that is required to pass between
     /// staging and deploying code. This delay provides a safety mechanism to protect users against
     /// unfavorable or malicious code upgrades. If `staging_duration` is `None`, no staging duration
     /// will be set in the constructor. It is possible to set it later using
     /// `Upgradable::up_init_staging_duration`. If no staging duration is set, it defaults to zero,
     /// allowing immediate deployments of staged code.
-    ///
-    /// Since this constructor uses an `*_unchecked` method, it should be combined with code
-    /// deployment in a batch transaction.
     #[init]
-    pub fn new(owner: Option<AccountId>, staging_duration: Option<Duration>) -> Self {
+    pub fn new(dao: Option<AccountId>, staging_duration: Option<Duration>) -> Self {
         let mut contract = Self;
 
-        // Optionally set the owner.
-        if owner.is_some() {
-            contract.owner_set(owner);
+        // Make the contract itself access control super admin, allowing it to grant and revoke
+        // permissions.
+        near_sdk::require!(
+            contract.acl_init_super_admin(env::current_account_id()),
+            "Failed to initialize super admin",
+        );
+
+        // Optionally grant `Role::DAO`.
+        if let Some(account_id) = dao {
+            let res = contract.acl_grant_role(Role::DAO.into(), account_id);
+            assert_eq!(Some(true), res, "Failed to grant role");
         }
 
         // Optionally initialize the staging duration.
         if let Some(staging_duration) = staging_duration {
-            // The owner (set above) might be an account other than the contract itself. In that
-            // case `Upgradable::up_init_staging_duration` would fail, since only the Owner may call
-            // it successfully. Therefore we are using an (internal) unchecked method here.
-            //
-            // Avoid using `*_unchecked` functions in public contract methods that are not protected
-            // by access control. Otherwise there is a risk of unwanted state changes carried out by
-            // malicious users. For this example, we assume the constructor is called in a batch
-            // transaction together with code deployment.
-            contract.up_set_staging_duration_unchecked(staging_duration);
+            // Temporarily grant `Role::DurationManager` to the contract to authorize it for
+            // initializing the staging duration. Granting and revoking the role is possible since
+            // the contract was made super admin above.
+            contract.acl_grant_role(Role::DurationManager.into(), env::current_account_id());
+            contract.up_init_staging_duration(staging_duration);
+            contract.acl_revoke_role(Role::DurationManager.into(), env::current_account_id());
         }
 
         contract
     }
+
+    /// Function to verify the contract was deployed and initialized successfully.
+    pub fn is_set_up(&self) -> bool {
+        true
+    }
 }

near-plugins-derive/tests/contracts/upgradable_2/src/lib.rs

@@ -1,15 +1,35 @@
 //! A simple contract to be deployed via `Upgradable`.
 
-use near_plugins::{Ownable, Upgradable};
+use near_plugins::{access_control, AccessControlRole, AccessControllable, Upgradable};
 use near_sdk::borsh::{self, BorshDeserialize, BorshSerialize};
+use near_sdk::serde::{Deserialize, Serialize};
 use near_sdk::{near_bindgen, PanicOnDefault};
 
+/// Roles correspond to those defined in the initial contract `../upgradable`, to make permissions
+/// granted before the upgrade remain valid.
+#[derive(AccessControlRole, Deserialize, Serialize, Copy, Clone)]
+#[serde(crate = "near_sdk::serde")]
+pub enum Role {
+    DAO,
+    CodeStager,
+    CodeDeployer,
+    DurationManager,
+}
+
 /// The struct is the same as in the initial contract `../upgradable`, so no [state migration] is
 /// required.
 ///
 /// [state migration]: https://docs.near.org/develop/upgrade#migrating-the-state
+#[access_control(role_type(Role))]
 #[near_bindgen]
-#[derive(Ownable, Upgradable, PanicOnDefault, BorshDeserialize, BorshSerialize)]
+#[derive(Upgradable, PanicOnDefault, BorshDeserialize, BorshSerialize)]
+#[upgradable(access_control_roles(
+    code_stagers(Role::CodeStager, Role::DAO),
+    code_deployers(Role::CodeDeployer, Role::DAO),
+    duration_initializers(Role::DurationManager, Role::DAO),
+    duration_update_stagers(Role::DurationManager, Role::DAO),
+    duration_update_appliers(Role::DurationManager, Role::DAO),
+))]
 pub struct Contract;
 
 #[near_bindgen]