Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add named return parameters and _checkSelector function to AccessManager #4624

Merged

Conversation

ernestognw
Copy link
Member

@ernestognw ernestognw commented Sep 25, 2023

Improvements after #4613

The _checkSelector function is added to keep consistency of the way the calldata selector is consumed.

PR Checklist

@ernestognw ernestognw requested review from frangio and Amxx September 25, 2023 22:22
@changeset-bot
Copy link

changeset-bot bot commented Sep 25, 2023

⚠️ No Changeset found

Latest commit: 44f5b13

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

Comment on lines 442 to 444
if (roleId == PUBLIC_ROLE) {
revert AccessManagerLockedRole(roleId);
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note to self and others: this is removed because the public role is not grantable according to the logic of _grantRole.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Given that the public role is indeed not grantable, does it make sens to set the grant delay ? IMO it send the wrong signal that you can set a delay, and emit the corresponding event, when you know the delay will never be enforced.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps documentation is fine for the case of granting a delay to the PUBLIC_ROLE, I wouldn't add an extra check for a case that is low likely to happen

Copy link
Contributor

@frangio frangio Sep 27, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO it send the wrong signal that you can set a delay, and emit the corresponding event, when you know the delay will never be enforced

This is an interesting point, but this is the grant delay for a role that every account automatically has. Observing RoleGrantDelayChanged for such a role should provide no information. I can't think of any incorrect conclusion someone could draw from this event.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can't think of any incorrect conclusion someone could draw from this event.

I can imagine someone thinking that new user (if that means anything) are in the grant role with a delay. For example that when a create a new seedphrase/private key (or when I create a new account smart contract) I'll get in the public group after a delay.

Sure that makes no sens, but I'm pretty sure some people out these will believe that.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that in _setRoleAdmin and _setRoleGuardian we don't allow setting the admin/guardian for the PUBLIC_ROLE. I'm not sure why that would be forbiden, but setting the grantDelay would be authorized.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After a sync we agreed to keep the initial PUBLIC_ROLE check in _setGrantDelay and make no changes to other functions. I'm reverting this change and pushing an update.

ernestognw added a commit to ernestognw/openzeppelin-contracts that referenced this pull request Sep 26, 2023
@ernestognw ernestognw requested review from frangio and Amxx September 26, 2023 21:37
Amxx
Amxx previously approved these changes Sep 27, 2023
Copy link
Collaborator

@Amxx Amxx left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, with a minor comment.

Amxx
Amxx previously approved these changes Sep 27, 2023
@frangio
Copy link
Contributor

frangio commented Sep 28, 2023

What do we do with:

@Amxx
Copy link
Collaborator

Amxx commented Sep 28, 2023

In AccessManaged, we could do

function _checkCanCall(address caller, bytes calldata data) internal virtual {
  if (data.length < 4) {
    revert AccessManagedUnauthorized(caller);
  }
  (bool immediate, uint32 delay) = AuthorityUtils.canCallWithDelay(
  ...
}

@Amxx
Copy link
Collaborator

Amxx commented Sep 28, 2023

In the governor whe should definitelly not revert. We don't know where the proposed call is going. Could be calling a fallback function, or a custom contract that doesn't use 4 bytes selectors.

Maybe we should do

        for (uint256 i = 0; i < targets.length; ++i) {
            if (calldatas[i].length >= 4) {
              address target = targets[i];
              bytes4 selector = bytes4(calldatas[i]);
              (bool immediate, uint32 delay) = AuthorityUtils.canCallWithDelay(
                  address(_manager),
                  address(this),
                  target,
                  selector
              );
              if ((immediate || delay > 0) && !isAccessManagerIgnored(target, selector)) {
                  _setManagerData(plan, i, !immediate, 0);
                  // downcast is safe because both arguments are uint32
                  neededDelay = uint32(Math.max(delay, neededDelay));
              }
          }
        }

@frangio
Copy link
Contributor

frangio commented Sep 28, 2023

My opinion is:

  • AccessManaged: Panic. This is dev error, they used the modifier on the fallback function or something like that
  • GovernorTimelockAccess: Add if (calldatas[i].length < 4) continue;. Not doing this is arguably a bug?

@Amxx
Copy link
Collaborator

Amxx commented Sep 28, 2023

GovernorTimelockAccess: Add if (calldatas[i].length < 4) continue;. Not doing this is arguably a bug?

yes

@ernestognw
Copy link
Member Author

ernestognw commented Sep 28, 2023

In AccessManaged there's no way of getting less than 4 bytes calldata, so I agree with Fran.

For the case of GovernorTimelockAccess that's definitely a bug. However, I'm not sure if if (calldatas[i].length < 4) continue; is the best idea because it will just ignore the operation while the proposalId will include such operation in the hash and will still attempted to execute

I'd rather panic as well.

@frangio
Copy link
Contributor

frangio commented Sep 28, 2023

The operation will not be ignored, as far as I can tell. We would just never ask the AccessManager about that operation, and it would be executed directly on the target.

This was referenced Sep 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants