Access Control
In a previous tutorial, we introduced the Ownable module, which serves the purpose of securing access to specific contract features. While it establishes a fundamental security layer, there are numerous scenarios where this level of security is insufficient,
In this article we design and implement a more fine-grained access control layer.
Code
Before we start writing code, we list the functionalities of our access control layer.
- A
Roletype is used across the module. - A
Rolecan be assigned to manyAddresses. - Each
Rolemay have a corresponding admin role. - Only an admin can grant/revoke a
Role. - A
Rolecan be renounced. - A
Rolecannot be renounced on someone's behalf. - Each action triggers an event.
- Unauthorized access stops contract execution.
Project Structure
access-control
├── src
│ ├── access
│ │ ├── access_control.rs
│ │ ├── events.rs
│ │ └── errors.rs
│ └── lib.rs
|── build.rs
|── Cargo.toml
└── Odra.toml
Events and Errors
There are three actions that can be performed concerning a Role: granting, revoking, and altering the admin role. Let us establish standard Odra events for each of these actions.
events.rs
use odra::prelude::*;
use odra::Address;
use super::access_control::Role;
#[odra::event]
pub struct RoleGranted {
pub role: Role,
pub address: Address,
pub sender: Address
}
#[odra::event]
pub struct RoleRevoked {
pub role: Role,
pub address: Address,
pub sender: Address
}
#[odra::event]
pub struct RoleAdminChanged {
pub role: Role,
pub previous_admin_role: Role,
pub new_admin_role: Role
}
- L5-L17 - to describe the grant or revoke actions, our events specify the
Role, andAddresses indicating who receives or loses access and who provides or withdraws it. - L19-L24 - the event describing the admin role change, requires the subject
Role, the previous and the current adminRole.
errors.rs
#[odra::odra_error]
pub enum Error {
MissingRole = 20_000,
RoleRenounceForAnotherAddress = 20_001,
}
Errors definition is straightforward - there are only two invalid states:
- An action is triggered by an unauthorized actor.
- The caller is attempting to resign the Role on someone's behalf.
Module
Now, we are stepping into the most interesting part: the module definition and implementation.
access_control.rs
use super::events::*;
use super::errors::Error;
use odra::prelude::*;
use odra::{Address, Mapping};
pub type Role = [u8; 32];
pub const DEFAULT_ADMIN_ROLE: Role = [0u8; 32];
#[odra::module(events = [RoleAdminChanged, RoleGranted, RoleRevoked])]
pub struct AccessControl {
roles: Mapping<(Role, Address), bool>,
role_admin: Mapping<Role, Role>
}
#[odra::module]
impl AccessControl {
pub fn has_role(&self, role: &Role, address: &Address) -> bool {
self.roles.get_or_default(&(*role, *address))
}
pub fn get_role_admin(&self, role: &Role) -> Role {
let admin_role = self.role_admin.get(role);
if let Some(admin) = admin_role {
admin
} else {
DEFAULT_ADMIN_ROLE
}
}
pub fn grant_role(&mut self, role: &Role, address: &Address) {
self.check_role(&self.get_role_admin(role), &self.env().caller());
self.unchecked_grant_role(role, address);
}
pub fn revoke_role(&mut self, role: &Role, address: &Address) {
self.check_role(&self.get_role_admin(role), &self.env().caller());
self.unchecked_revoke_role(role, address);
}
pub fn renounce_role(&mut self, role: &Role, address: &Address) {
if address != &self.env().caller() {
self.env().revert(Error::RoleRenounceForAnotherAddress);
}
self.unchecked_revoke_role(role, address);
}
}
impl AccessControl {
pub fn check_role(&self, role: &Role, address: &Address) {
if !self.has_role(role, address) {
self.env().revert(Error::MissingRole);
}
}
pub fn set_admin_role(&mut self, role: &Role, admin_role: &Role) {
let previous_admin_role = self.get_role_admin(role);
self.role_admin.set(role, *admin_role);
self.env().emit_event(RoleAdminChanged {
role: *role,
previous_admin_role,
new_admin_role: *admin_role
});
}
pub fn unchecked_grant_role(&mut self, role: &Role, address: &Address) {
if !self.has_role(role, address) {
self.roles.set(&(*role, *address), true);
self.env().emit_event(RoleGranted {
role: *role,
address: *address,
sender: self.env().caller()
});
}
}
pub fn unchecked_revoke_role(&mut self, role: &Role, address: &Address) {
if self.has_role(role, address) {
self.roles.set(&(*role, *address), false);
self.env().emit_event(RoleRevoked {
role: *role,
address: *address,
sender: self.env().caller()
});
}
}
}
- L6 - Firstly, we need the
Roletype. It is simply an alias for a 32-byte array. - L8 - The default role is an array filled with zeros.
- L10-L13 - The storage consists of two mappings:
roles- a nested mapping that stores information about whether a certain Role is granted to a givenAddress.role_admin- eachRolecan have a single adminRole.
- L18-L20 - This is a simple check to determine if a
Rolehas been granted to a givenAddress. It is an exposed entry point and an important building block widely used throughout the entire module. - L49 - This is a non-exported block containing helper functions.
- L50-L54 - The
check_role()function serves as a guard function. Before aRoleis granted or revoked, we must ensure that the caller is allowed to do so. For this purpose, the function reads the roles mapping. If the role has not been granted to the address, the contract reverts withError::MissingRole. - L56-L64 - The
set_admin_role()function simply updates the role_admin mapping and emits theRoleAdminChangedevent. - L66-L86 - The
unchecked_grant_role()andunchecked_revoke_role()functions are mirror functions that update the roles mapping and postRoleGrantedorRoleRevokedevents. If the role is already granted,unchecked_grant_role()has no effect (the opposite check is made in the case of revoking a role). - L22-L29 - The
get_role_admin()entry point reads the role_admin. If there is no admin role for a given role, it returns the default role. - L31-L46 - This is a combination of
check_role()andunchecked_*_role(). Entry points fail on unauthorized access.