ManagedAllowList
#255
ManagedAllowList
#255
Conversation
piotr-roslaniec
force-pushed
the
managed-allow-list
branch
4 times, most recently
from
75a4eb9
to
639e38a
Compare
wip: change of plans was a mistakerino
piotr-roslaniec
force-pushed
the
managed-allow-list
branch
from
639e38a
to
91f5f21
Compare
piotr-roslaniec
force-pushed
the
managed-allow-list
branch
from
91f5f21
to
e3d996f
Compare
piotr-roslaniec
force-pushed
the
managed-allow-list
branch
from
377caca
to
d684c6c
Compare
piotr-roslaniec
force-pushed
the
managed-allow-list
branch
from
6fce84b
to
8cef8bb
Compare
| // If we want to authorize an address, we need to check if the authorization cap has been exceeded | ||
| // If we want to deauthorize an address, we don't need to check the authorization cap | ||
| require( | ||
| !value || |
There was a problem hiding this comment.
can we extract check of value before loop?
There was a problem hiding this comment.
Yes. But I'm not sure about the business logic here. Should deauthorizations count towards billable authActions? I'm going to assume yes for the time being and remove the require on value. CC: @cygnusv
piotr-roslaniec
force-pushed
the
managed-allow-list
branch
from
b8c8ba6
to
dbe1ea2
Compare
piotr-roslaniec
force-pushed
the
managed-allow-list
branch
from
54d150c
to
98dc648
Compare
|
Requesting review from @arjunhassard and @cygnusv to make sure this matches business logic as outlined in #257 |
There was a problem hiding this comment.
Thanks for this @piotr-roslaniec! I think this is a great starting point also for the Subscription stuff laid out in #264
| } | ||
|
|
||
| /** | ||
| * @notice Calculates the available amount of fees that can be withdrawn be the beneficiary |
There was a problem hiding this comment.
| * @notice Calculates the available amount of fees that can be withdrawn be the beneficiary | |
| * @notice Calculates the available amount of fees that can be withdrawn by the beneficiary |
| * @param encryptor The address of the encryptor | ||
| * @return The key used to lookup authorizations | ||
| */ | ||
| function lookupKey(uint32 ritualId, address encryptor) internal pure returns (bytes32) { |
There was a problem hiding this comment.
I don't think encryptor applies here anymore since this method is also used for administrator addresses, spender addresses etc. Should we use a more generic name eg. anAddress or associatedAddress or ...
There was a problem hiding this comment.
It's true it's not strictly accurate here, but the hierarchy of roles/names is getting quite unwieldy. Maybe we can rename encryptor --> encryptAdmin and then rename this admin or anAdmin.
There was a problem hiding this comment.
Since this is a library code and is re-used in a couple of places, perhaps we should rename it to just _address. encryptor and admin are terms from specific contexts.
| mnaged_allow_list = deployer.deploy(project.ManagedAllowList) | ||
| deployments = [mnaged_allow_list] |
There was a problem hiding this comment.
| mnaged_allow_list = deployer.deploy(project.ManagedAllowList) | |
| deployments = [mnaged_allow_list] | |
| managed_allow_list = deployer.deploy(project.ManagedAllowList) | |
| deployments = [managed_allow_list] |
| for (uint256 i = 0; i < addresses.length; i++) { | ||
| require( | ||
| authActions[ritualId] < | ||
| subscription.authorizationActionsCap(ritualId, addresses[i]), | ||
| "Authorization cap exceeded" |
There was a problem hiding this comment.
I may be misunderstanding, but this logic is a little unclear to me:
- Should we only be checking caps if
valueisTruei.e. we are authorizing? If deauthorizing (i.e. value is False), there are no caps. - I'm unclear what we are checking in the
requirestatement.canSetAuthorizationsalready checks whether the sender is a valid admin for the ritual - great, but I assumed here you need to check 2 things (not in a loop):- the remaining allowance for the admin making the authorization request (i.e. sender) allows for the set of encryptor addresses to be authorized, so:
require(getAllowance(ritualId, msg.sender) >= addresses.length, "Administrator cap exceeded")
- That the total cap across all administrators for a specific ritual is not being exceeded, so:
require(authActions[ritualId] >= addresses.length, "Ritual-wide cap exceeded")
There was a problem hiding this comment.
My calls may be wrong above ^, but the pseudocode I'm looking for is:
i. remaining allowance for administrator for ritual >= the number of encryptor addresses to authorize
ii. remaining allowed actions for ritual (based on cap) >= the number of encryptor addresses to authorize
There was a problem hiding this comment.
the remaining allowance for the admin making the authorization request (i.e. sender) allows for the set of encryptor addresses to be authorized, so:
This maybe needs to call a partner-defined contract, so they can write their own logic for limits placed on authAdmins?
There was a problem hiding this comment.
Just to give more context, I wasn't sure how to use value here: Should setting authorization to false (so, removing authorization) count towards billable actions?
We may treat adding and removing authorization differently, but I think it's application-specific (the frequency of actions, but also the application-specific meaning of authorizing/deauthorizing)
| emit AddressAuthorizationSet(ritualId, addresses[i], value); | ||
| } | ||
|
|
||
| authActions[ritualId] += addresses.length; |
There was a problem hiding this comment.
Is incrementing only applicable if value is True? If value is False should this be decrementing instead?
There was a problem hiding this comment.
For this version, the goal was to charge per action, regardless if it's authorizing or deauthorizing. But more recent variations proposed to some adopters will use something different (e.g. charging for authorized slots). I think we can leave it as is because it's only a starting point anyway, and the more recent design of subscription contracts will refactor everything
There was a problem hiding this comment.
👍 I see, so every action (authorize or deauthorize) is a charge.
There was a problem hiding this comment.
I'm confused about the relationship between value and charging for authorizations/deauthorizations.
Doesn't * @param value The authorization status imply that this is just a boolean check as to whether the ritualID is active? (Separately, what is the evidence that confirms this?)
As @cygnusv mentions, we're not charging for authorizations/deauthorizations, these are unlimited and can be executed at will – and the cohortAdmin/sponsor pays the gas, possibly passing that cost to an authAdmin (btw, do we have an estimate for how much this will be per action? how much is saved by batching?)
I guess #253 will cover the rules of adding/removing encryptor credits (or 'slots') and we can leave the option of charging for authorizations/deauthorizations in some later version.
There was a problem hiding this comment.
Excellent work, think you can claim to be at least somewhat-versed in Solidity now.
Still quite a few things to clarify and decide, particularly with respect to #253-driven refactoring. I suggest we do a PR walkthrough, maybe on Friday?
| require(coordinator.isRitualActive(ritualId), "Only active rituals can add authorizations"); | ||
| require(coordinator.isRitualActive(ritualId), "Only active rituals can set authorizations"); | ||
|
|
||
| require(addresses.length <= MAX_AUTH_ACTIONS, "Too many addresses"); |
There was a problem hiding this comment.
Is this a maximum per batch of authorizations?
There was a problem hiding this comment.
Yes, per one setAuthorizations call
| emit AddressAuthorizationSet(ritualId, addresses[i], value); | ||
| } | ||
|
|
||
| authActions[ritualId] += addresses.length; |
There was a problem hiding this comment.
I'm confused about the relationship between value and charging for authorizations/deauthorizations.
Doesn't * @param value The authorization status imply that this is just a boolean check as to whether the ritualID is active? (Separately, what is the evidence that confirms this?)
As @cygnusv mentions, we're not charging for authorizations/deauthorizations, these are unlimited and can be executed at will – and the cohortAdmin/sponsor pays the gas, possibly passing that cost to an authAdmin (btw, do we have an estimate for how much this will be per action? how much is saved by batching?)
I guess #253 will cover the rules of adding/removing encryptor credits (or 'slots') and we can leave the option of charging for authorizations/deauthorizations in some later version.
| for (uint256 i = 0; i < addresses.length; i++) { | ||
| require( | ||
| authActions[ritualId] < | ||
| subscription.authorizationActionsCap(ritualId, addresses[i]), | ||
| "Authorization cap exceeded" |
There was a problem hiding this comment.
the remaining allowance for the admin making the authorization request (i.e. sender) allows for the set of encryptor addresses to be authorized, so:
This maybe needs to call a partner-defined contract, so they can write their own logic for limits placed on authAdmins?
| * @param encryptor The address of the encryptor | ||
| * @return The key used to lookup authorizations | ||
| */ | ||
| function lookupKey(uint32 ritualId, address encryptor) internal pure returns (bytes32) { |
There was a problem hiding this comment.
It's true it's not strictly accurate here, but the hierarchy of roles/names is getting quite unwieldy. Maybe we can rename encryptor --> encryptAdmin and then rename this admin or anAdmin.
|
@arjunhassard @derekpierre The work @vzotova is doing on #264 will be based directly on this (as you can see in #265, Vicky is already working on top of this PR). The plan we laid out is that this is good foundational work, but that will require a lot of changes in light of the recent design for Subscriptions and the newer requirements for the AllowList contract. I propose we merge this now, either as-is or with minor changes (like renames). |
Type of PR:
Required reviews:
What this does:
Issues fixed/closed:
Why it's needed:
Notes for reviewers: