deploying executor and always true condition (#616)

* deploying executor and always true condition * condition restrictions (#617) * condition restrictions * fix isGranted (#618) --------- Co-authored-by: Rekard0 <[email protected]> * remove alwaystruecondition deployment * remove .only * fix broken imports (#620) * uncomment --------- Co-authored-by: Rekard0 <[email protected]>
aragon · Nov 5, 2024 · 5e34b7b · 5e34b7b
1 parent b0ca2fb
commit 5e34b7b
Show file tree

Hide file tree

Showing 21 changed files with 189 additions and 46 deletions.
diff --git a/packages/contracts-ethers/npm/events/DAO.ts b/packages/contracts-ethers/npm/events/DAO.ts
@@ -12,7 +12,7 @@ export {
   TrustedForwarderSetEvent,
   NativeTokenDepositedEvent,
   StandardCallbackRegisteredEvent,
-} from '../../types/core/dao/DAO';
+} from '../../types/src/core/dao/DAO';
 
 export type EventName =
   | 'Granted'

diff --git a/packages/contracts-ethers/npm/events/DAORegistry.ts b/packages/contracts-ethers/npm/events/DAORegistry.ts
@@ -4,7 +4,7 @@ export {
   BeaconUpgradedEvent,
   DAORegisteredEvent,
   InitializedEvent,
-} from '../../types/framework/dao/DAORegistry';
+} from '../../types/src/framework/dao/DAORegistry';
 
 export type EventName =
   | 'Upgraded'

diff --git a/packages/contracts-ethers/npm/events/PluginRepo.ts b/packages/contracts-ethers/npm/events/PluginRepo.ts
@@ -7,7 +7,7 @@ export {
   BeaconUpgradedEvent,
   VersionCreatedEvent,
   ReleaseMetadataUpdatedEvent,
-} from '../../types/framework/plugin/repo/PluginRepo';
+} from '../../types/src/framework/plugin/repo/PluginRepo';
 
 export type EventName =
   | 'Granted'

diff --git a/packages/contracts-ethers/npm/events/PluginRepoRegistry.ts b/packages/contracts-ethers/npm/events/PluginRepoRegistry.ts
@@ -4,7 +4,7 @@ export {
   AdminChangedEvent,
   BeaconUpgradedEvent,
   PluginRepoRegisteredEvent,
-} from '../../types/framework/plugin/repo/PluginRepoRegistry';
+} from '../../types/src/framework/plugin/repo/PluginRepoRegistry';
 
 export type EventName =
   | 'Upgraded'

diff --git a/packages/contracts-ethers/npm/events/PluginSetupProcessor.ts b/packages/contracts-ethers/npm/events/PluginSetupProcessor.ts
@@ -5,7 +5,7 @@ export {
   InstallationPreparedEvent,
   UninstallationAppliedEvent,
   UninstallationPreparedEvent,
-} from '../../types/framework/plugin/setup/PluginSetupProcessor';
+} from '../../types/src/framework/plugin/setup/PluginSetupProcessor';
 
 export type EventName =
   | 'UpdateApplied'

diff --git a/packages/contracts-ethers/npm/structs/DAO.ts b/packages/contracts-ethers/npm/structs/DAO.ts
@@ -1,6 +1,5 @@
-import {IDAO, PermissionLib} from '../../types/core/dao/DAO';
+import {PermissionLib} from '../../types/src/core/dao/DAO';
 
-export type ActionStruct = IDAO.ActionStruct;
 export type MultiTargetPermissionStruct =
   PermissionLib.MultiTargetPermissionStruct;
 export type SingleTargetPermissionStruct =

diff --git a/packages/contracts-ethers/npm/structs/DAOFactory.ts b/packages/contracts-ethers/npm/structs/DAOFactory.ts
@@ -1,4 +1,4 @@
-import {DAOFactory} from '../../types/framework/dao/DAOFactory';
+import {DAOFactory} from '../../types/src/framework/dao/DAOFactory';
 
 export type DAOSettingsStruct = DAOFactory.DAOSettingsStruct;
 export type PluginSettingsStruct = DAOFactory.PluginSettingsStruct;
diff --git a/packages/contracts-ethers/npm/structs/PluginRepo.ts b/packages/contracts-ethers/npm/structs/PluginRepo.ts
@@ -1,4 +1,4 @@
-import {PluginRepo} from '../../types/framework/plugin/repo/PluginRepo';
+import {PluginRepo} from '../../types/src/framework/plugin/repo/PluginRepo';
 
 export type TagStruct = PluginRepo.TagStruct;
 export type VersionStruct = PluginRepo.VersionStruct;
diff --git a/packages/contracts-ethers/npm/structs/PluginSetupProcessor.ts b/packages/contracts-ethers/npm/structs/PluginSetupProcessor.ts
@@ -2,7 +2,7 @@ import {
   PluginSetupProcessor,
   PluginSetupRefStruct as PluginSetupRefStruct_,
   PluginSetupRefStructOutput as PluginSetupRefStructOutput_,
-} from '../../types/framework/plugin/setup/PluginSetupProcessor';
+} from '../../types/src/framework/plugin/setup/PluginSetupProcessor';
 
 export type ApplyInstallationParamsStruct =
   PluginSetupProcessor.ApplyInstallationParamsStruct;

diff --git a/packages/contracts-ethers/npm/structs/index.ts b/packages/contracts-ethers/npm/structs/index.ts
@@ -1,4 +1,4 @@
-export * as DAOStructs from './DAO';
+// export * as DAOStructs from './DAO';
 export * as DAOFactoryStructs from './DAOFactory';
 export * as PluginRepoStructs from './PluginRepo';
 export * as PluginSetupProcessorStructs from './PluginSetupProcessor';
diff --git a/packages/contracts/deploy/new/10_framework/52_global_executor.ts b/packages/contracts/deploy/new/10_framework/52_global_executor.ts
@@ -0,0 +1,22 @@
+import executorArtifact from '../../../artifacts/@aragon/osx-commons-contracts/src/executors/Executor.sol/Executor.json';
+import {DeployFunction} from 'hardhat-deploy/types';
+import {HardhatRuntimeEnvironment} from 'hardhat/types';
+
+const func: DeployFunction = async function (hre: HardhatRuntimeEnvironment) {
+  const {deployments, ethers} = hre;
+  const {deploy} = deployments;
+  const [deployer] = await ethers.getSigners();
+
+  await deploy('GlobalExecutor', {
+    contract: executorArtifact,
+    from: deployer.address,
+    args: [],
+    log: true,
+  });
+
+  hre.aragonToVerifyContracts.push({
+    ...(await deployments.get('GlobalExecutor')),
+  });
+};
+export default func;
+func.tags = ['New', 'GlobalExecutor'];
diff --git a/packages/contracts/deploy/verification/99_conclude/00_save-contract-addresses.ts b/packages/contracts/deploy/verification/99_conclude/00_save-contract-addresses.ts
@@ -48,5 +48,5 @@ const func: DeployFunction = async function (hre: HardhatRuntimeEnvironment) {
   );
 };
 export default func;
-func.tags = ['New', 'Conclude'];
+func.tags = ['New', 'Conclude', 'ConcludeEnd'];
 func.runAtTheEnd = true;
diff --git a/packages/contracts/deploy/verification/99_conclude/10_verify-contracts.ts b/packages/contracts/deploy/verification/99_conclude/10_verify-contracts.ts
@@ -27,7 +27,7 @@ const func: DeployFunction = async function (hre: HardhatRuntimeEnvironment) {
   }
 };
 export default func;
-func.tags = ['New', 'Verify'];
+func.tags = ['New', 'Verify', 'VerifyEnd'];
 func.runAtTheEnd = true;
 func.skip = (hre: HardhatRuntimeEnvironment) =>
   Promise.resolve(isLocal(hre.network));
diff --git a/packages/contracts/src/core/dao/DAO.sol b/packages/contracts/src/core/dao/DAO.sol
@@ -17,14 +17,16 @@ import {IProtocolVersion} from "@aragon/osx-commons-contracts/src/utils/versioni
 import {ProtocolVersion} from "@aragon/osx-commons-contracts/src/utils/versioning/ProtocolVersion.sol";
 import {VersionComparisonLib} from "@aragon/osx-commons-contracts/src/utils/versioning/VersionComparisonLib.sol";
 import {hasBit, flipBit} from "@aragon/osx-commons-contracts/src/utils/math/BitMap.sol";
+import {Action} from "@aragon/osx-commons-contracts/src/executors/Executor.sol";
+import {IExecutor} from "@aragon/osx-commons-contracts/src/executors/IExecutor.sol";
 import {IDAO} from "@aragon/osx-commons-contracts/src/dao/IDAO.sol";
 
 import {PermissionManager} from "../permission/PermissionManager.sol";
 import {CallbackHandler} from "../utils/CallbackHandler.sol";
 import {IEIP4824} from "./IEIP4824.sol";
 
 /// @title DAO
-/// @author Aragon X - 2021-2023
+/// @author Aragon X - 2021-2024
 /// @notice This contract is the entry point to the Aragon DAO framework and provides our users a simple and easy to use public interface.
 /// @dev Public API of the Aragon DAO framework.
 /// @custom:security-contact [email protected]
@@ -34,6 +36,7 @@ contract DAO is
     IERC1271,
     ERC165StorageUpgradeable,
     IDAO,
+    IExecutor,
     UUPSUpgradeable,
     ProtocolVersion,
     PermissionManager,
@@ -117,6 +120,9 @@ contract DAO is
     /// @notice Thrown when a function is removed but left to not corrupt the interface ID.
     error FunctionRemoved();
 
+    /// @notice Thrown when initialize is called after it has already been executed.
+    error AlreadyInitialized();
+
     /// @notice Emitted when a new DAO URI is set.
     /// @param daoURI The new URI.
     event NewURI(string daoURI);
@@ -134,6 +140,15 @@ contract DAO is
         _reentrancyStatus = _NOT_ENTERED;
     }
 
+    /// @notice This ensures that the initialize function cannot be called during the upgrade process.
+    modifier onlyCallAtInitialization() {
+        if (_getInitializedVersion() != 0) {
+            revert AlreadyInitialized();
+        }
+
+        _;
+    }
+
     /// @notice Disables the initializers on the implementation contract to prevent it from being left uninitialized.
     /// @custom:oz-upgrades-unsafe-allow constructor
     constructor() {
@@ -155,10 +170,14 @@ contract DAO is
         address _initialOwner,
         address _trustedForwarder,
         string calldata daoURI_
-    ) external reinitializer(3) {
+    ) external onlyCallAtInitialization reinitializer(3) {
         _reentrancyStatus = _NOT_ENTERED; // added in v1.3.0
 
+        // In addition to the current interfaceId, also support previous version of the interfaceId.
+        _registerInterface(type(IDAO).interfaceId ^ IExecutor.execute.selector);
+
         _registerInterface(type(IDAO).interfaceId);
+        _registerInterface(type(IExecutor).interfaceId);
         _registerInterface(type(IERC1271).interfaceId);
         _registerInterface(type(IEIP4824).interfaceId);
         _registerInterface(type(IProtocolVersion).interfaceId); // added in v1.3.0
@@ -198,6 +217,9 @@ contract DAO is
                 _who: address(this),
                 _permissionId: keccak256("SET_SIGNATURE_VALIDATOR_PERMISSION")
             });
+
+            _registerInterface(type(IDAO).interfaceId);
+            _registerInterface(type(IExecutor).interfaceId);
         }
     }
 
@@ -246,7 +268,7 @@ contract DAO is
         _setMetadata(_metadata);
     }
 
-    /// @inheritdoc IDAO
+    /// @inheritdoc IExecutor
     function execute(
         bytes32 _callId,
         Action[] calldata _actions,

diff --git a/packages/contracts/src/core/permission/PermissionManager.sol b/packages/contracts/src/core/permission/PermissionManager.sol
@@ -191,6 +191,12 @@ abstract contract PermissionManager is Initializable {
             PermissionLib.MultiTargetPermission memory item = _items[i];
 
             if (item.operation == PermissionLib.Operation.Grant) {
+                // Ensure a non-zero condition isn't passed, as `_grant` can't handle conditions.
+                // This avoids the false impression that a conditional grant occurred,
+                // since the transaction would still succeed without conditions.
+                if (item.condition != address(0)) {
+                    revert GrantWithConditionNotSupported();
+                }
                 _grant({_where: item.where, _who: item.who, _permissionId: item.permissionId});
             } else if (item.operation == PermissionLib.Operation.Revoke) {
                 _revoke({_where: item.where, _who: item.who, _permissionId: item.permissionId});
@@ -246,13 +252,15 @@ abstract contract PermissionManager is Initializable {
             // If this permission is not set, continue.
         }
 
-        // Generic caller (`_who: ANY_ADDR`) condition check
+        // Generic caller (`_who: ANY_ADDR`)
         {
-            // This permission can only be granted in conjunction with a condition via the `grantWithCondition` function.
             address genericCallerPermission = permissionsHashed[
                 permissionHash({_where: _where, _who: ANY_ADDR, _permissionId: _permissionId})
             ];
 
+            // If the permission was granted directly to (`_who: ANY_ADDR`), return `true`.
+            if (genericCallerPermission == ALLOW_FLAG) return true;
+
             // If the permission was granted with a condition, check the condition and return the result.
             if (genericCallerPermission != UNSET_FLAG) {
                 return
@@ -336,10 +344,19 @@ abstract contract PermissionManager is Initializable {
     /// @param _permissionId The permission identifier.
     /// @dev Note, that granting permissions with `_who` or `_where` equal to `ANY_ADDR` does not replace other permissions with specific `_who` and `_where` addresses that exist in parallel.
     function _grant(address _where, address _who, bytes32 _permissionId) internal virtual {
-        if (_where == ANY_ADDR || _who == ANY_ADDR) {
+        if (_where == ANY_ADDR) {
             revert PermissionsForAnyAddressDisallowed();
         }
 
+        if (_who == ANY_ADDR) {
+            if (
+                _permissionId == ROOT_PERMISSION_ID ||
+                isPermissionRestrictedForAnyAddr(_permissionId)
+            ) {
+                revert PermissionsForAnyAddressDisallowed();
+            }
+        }
+
         bytes32 permHash = permissionHash({
             _where: _where,
             _who: _who,

diff --git a/packages/contracts/src/framework/plugin/setup/PluginSetupProcessor.sol b/packages/contracts/src/framework/plugin/setup/PluginSetupProcessor.sol
@@ -7,7 +7,7 @@ import {ERC165Checker} from "@openzeppelin/contracts/utils/introspection/ERC165C
 import {ProtocolVersion} from "@aragon/osx-commons-contracts/src/utils/versioning/ProtocolVersion.sol";
 import {IPluginSetup} from "@aragon/osx-commons-contracts/src/plugin/setup/IPluginSetup.sol";
 import {PluginSetup} from "@aragon/osx-commons-contracts/src/plugin/setup/PluginSetup.sol";
-import {DAO, IDAO} from "../../../core/dao/DAO.sol";
+import {DAO} from "../../../core/dao/DAO.sol";
 import {PermissionLib} from "@aragon/osx-commons-contracts/src/permission/PermissionLib.sol";
 import {PluginUUPSUpgradeable} from "@aragon/osx-commons-contracts/src/plugin/PluginUUPSUpgradeable.sol";
 import {IPlugin} from "@aragon/osx-commons-contracts/src/plugin/IPlugin.sol";