feature/group-rbac (#31)

* init RBACGroupable

* memory/calldata usage

* made hasPermission non-virtual

* added names to return params

* renamed enum constants & moved enum to contract

* reordered inheritance

* renamed method

* inline opt

* optimized storage mappings

* optimized

* added natspec & typo

* typo

* renamed init method & added mock

* fix

* fix & init tests

* got rid of enum

* typo

* fixed

* renamed vars

* typos

* fix mock & coverage 100%

* typos

* rm import & added dev note

Author: dovgopoly

contracts/access-control/RBAC.sol

@@ -133,7 +133,7 @@ abstract contract RBAC is IRBAC, Initializable {
     /**
      *  @notice The function to get the list of user roles
      *  @param who_ the user
-     *  @return roles_ the roes of the user
+     *  @return roles_ the roles of the user
      */
     function getUserRoles(address who_) public view override returns (string[] memory roles_) {
         return _userRoles[who_].values();
@@ -181,51 +181,30 @@ abstract contract RBAC is IRBAC, Initializable {
     }
 
     /**
-     *  @notice The function to check the user's possesion of the role
+     *  @dev DO NOT call `super.hasPermission(...)` in derived contracts, because this method
+     *  handles not 2 but 3 states: NO PERMISSION, ALLOWED, DISALLOWED
+     *  @notice The function to check the user's possession of the role
      *  @param who_ the user
      *  @param resource_ the resource the user has to have the permission of
      *  @param permission_ the permission the user has to have
-     *  @return true_ if user has the permission, false otherwise
+     *  @return isAllowed_ true if the user has the permission, false otherwise
      */
     function hasPermission(
         address who_,
         string memory resource_,
         string memory permission_
-    ) public view override returns (bool) {
-        StringSet.Set storage _roles = _userRoles[who_];
+    ) public view virtual override returns (bool isAllowed_) {
+        string[] memory roles_ = getUserRoles(who_);
 
-        uint256 length_ = _roles.length();
-        bool isAllowed_;
+        for (uint256 i = 0; i < roles_.length; i++) {
+            string memory role_ = roles_[i];
 
-        for (uint256 i = 0; i < length_; i++) {
-            string memory role_ = _roles.at(i);
-
-            StringSet.Set storage _allDisallowed = _rolePermissions[role_][false][ALL_RESOURCE];
-            StringSet.Set storage _allAllowed = _rolePermissions[role_][true][ALL_RESOURCE];
-
-            StringSet.Set storage _disallowed = _rolePermissions[role_][false][resource_];
-            StringSet.Set storage _allowed = _rolePermissions[role_][true][resource_];
-
-            if (
-                _allDisallowed.contains(ALL_PERMISSION) ||
-                _allDisallowed.contains(permission_) ||
-                _disallowed.contains(ALL_PERMISSION) ||
-                _disallowed.contains(permission_)
-            ) {
+            if (_isDisallowed(role_, resource_, permission_)) {
                 return false;
             }
 
-            if (
-                _allAllowed.contains(ALL_PERMISSION) ||
-                _allAllowed.contains(permission_) ||
-                _allowed.contains(ALL_PERMISSION) ||
-                _allowed.contains(permission_)
-            ) {
-                isAllowed_ = true;
-            }
+            isAllowed_ = isAllowed_ || _isAllowed(role_, resource_, permission_);
         }
-
-        return isAllowed_;
     }
 
     /**
@@ -296,4 +275,50 @@ abstract contract RBAC is IRBAC, Initializable {
 
         emit RemovedPermissions(role_, resourceToRemove_, permissionsToRemove_, allowed_);
     }
+
+    /**
+     *  @notice The function to check if the role has the permission
+     *  @param role_ the role to search the permission in
+     *  @param resource_ the role resource to search the permission in
+     *  @param permission_ the permission to search
+     *  @return true_ if the role has the permission, false otherwise
+     */
+    function _isAllowed(
+        string memory role_,
+        string memory resource_,
+        string memory permission_
+    ) internal view returns (bool) {
+        mapping(string => StringSet.Set) storage _resources = _rolePermissions[role_][true];
+
+        StringSet.Set storage _allAllowed = _resources[ALL_RESOURCE];
+        StringSet.Set storage _allowed = _resources[resource_];
+
+        return (_allAllowed.contains(ALL_PERMISSION) ||
+            _allAllowed.contains(permission_) ||
+            _allowed.contains(ALL_PERMISSION) ||
+            _allowed.contains(permission_));
+    }
+
+    /**
+     *  @notice The function to check if the role has the antipermission
+     *  @param role_ the role to search the antipermission in
+     *  @param resource_ the role resource to search the antipermission in
+     *  @param permission_ the antipermission to search
+     *  @return true_ if the role has the antipermission, false otherwise
+     */
+    function _isDisallowed(
+        string memory role_,
+        string memory resource_,
+        string memory permission_
+    ) internal view returns (bool) {
+        mapping(string => StringSet.Set) storage _resources = _rolePermissions[role_][false];
+
+        StringSet.Set storage _allDisallowed = _resources[ALL_RESOURCE];
+        StringSet.Set storage _disallowed = _resources[resource_];
+
+        return (_allDisallowed.contains(ALL_PERMISSION) ||
+            _allDisallowed.contains(permission_) ||
+            _disallowed.contains(ALL_PERMISSION) ||
+            _disallowed.contains(permission_));
+    }
 }

contracts/access-control/extensions/RBACGroupable.sol

@@ -0,0 +1,191 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.4;
+
+import "../../interfaces/access-control/extensions/IRBACGroupable.sol";
+
+import "../RBAC.sol";
+
+/**
+ *  @notice The Role Based Access Control (RBAC) module
+ *
+ *  This contract is an extension for the RBAC contract to provide the ability to organize roles
+ *  into groups and assign users to them.
+ */
+abstract contract RBACGroupable is IRBACGroupable, RBAC {
+    using StringSet for StringSet.Set;
+    using SetHelper for StringSet.Set;
+
+    mapping(address => StringSet.Set) private _userGroups;
+    mapping(string => StringSet.Set) private _groupRoles;
+
+    /**
+     *  @notice The init function
+     */
+    function __RBACGroupable_init() internal onlyInitializing {
+        __RBAC_init();
+    }
+
+    /**
+     *  @notice The function to assign the user to groups
+     *  @param who_ the user to be assigned
+     *  @param groupsToAddTo_ the list of groups to assign the user to
+     */
+    function addUserToGroups(
+        address who_,
+        string[] memory groupsToAddTo_
+    ) public virtual override onlyPermission(RBAC_RESOURCE, CREATE_PERMISSION) {
+        require(groupsToAddTo_.length > 0, "RBACGroupable: empty groups");
+
+        _addUserToGroups(who_, groupsToAddTo_);
+    }
+
+    /**
+     *  @notice The function to remove the user from groups
+     *  @param who_ the user to be removed from groups
+     *  @param groupsToRemoveFrom_ the list of groups to remove the user from
+     */
+    function removeUserFromGroups(
+        address who_,
+        string[] memory groupsToRemoveFrom_
+    ) public virtual override onlyPermission(RBAC_RESOURCE, DELETE_PERMISSION) {
+        require(groupsToRemoveFrom_.length > 0, "RBACGroupable: empty groups");
+
+        _removeUserFromGroups(who_, groupsToRemoveFrom_);
+    }
+
+    /**
+     *  @notice The function to grant roles to the group
+     *  @param groupTo_ the group to grant roles to
+     *  @param rolesToGrant_ the list of roles to grant
+     */
+    function grantGroupRoles(
+        string memory groupTo_,
+        string[] memory rolesToGrant_
+    ) public virtual override onlyPermission(RBAC_RESOURCE, CREATE_PERMISSION) {
+        require(rolesToGrant_.length > 0, "RBACGroupable: empty roles");
+
+        _grantGroupRoles(groupTo_, rolesToGrant_);
+    }
+
+    /**
+     *  @notice The function to revoke roles from the group
+     *  @param groupFrom_ the group to revoke roles from
+     *  @param rolesToRevoke_ the list of roles to revoke
+     */
+    function revokeGroupRoles(
+        string memory groupFrom_,
+        string[] memory rolesToRevoke_
+    ) public virtual override onlyPermission(RBAC_RESOURCE, DELETE_PERMISSION) {
+        require(rolesToRevoke_.length > 0, "RBACGroupable: empty roles");
+
+        _revokeGroupRoles(groupFrom_, rolesToRevoke_);
+    }
+
+    /**
+     *  @notice The function to get the list of user groups
+     *  @param who_ the user
+     *  @return groups_ the list of user groups
+     */
+    function getUserGroups(address who_) public view override returns (string[] memory groups_) {
+        return _userGroups[who_].values();
+    }
+
+    /**
+     *  @notice The function to get the list of groups roles
+     *  @param group_ the group
+     *  @return roles_ the list of group roles
+     */
+    function getGroupRoles(
+        string memory group_
+    ) public view override returns (string[] memory roles_) {
+        return _groupRoles[group_].values();
+    }
+
+    /**
+     *  @dev DO NOT call `super.hasPermission(...)` in derived contracts, because this method
+     *  handles not 2 but 3 states: NO PERMISSION, ALLOWED, DISALLOWED
+     *  @notice The function to check the user's possession of the role. Unlike the base method,
+     *  this method also looks up the required permission in the user's groups
+     *  @param who_ the user
+     *  @param resource_ the resource the user has to have the permission of
+     *  @param permission_ the permission the user has to have
+     *  @return isAllowed_ true if the user has the permission, false otherwise
+     */
+    function hasPermission(
+        address who_,
+        string memory resource_,
+        string memory permission_
+    ) public view virtual override returns (bool isAllowed_) {
+        string[] memory roles_ = getUserRoles(who_);
+
+        for (uint256 i = 0; i < roles_.length; i++) {
+            string memory role_ = roles_[i];
+
+            if (_isDisallowed(role_, resource_, permission_)) {
+                return false;
+            }
+
+            isAllowed_ = isAllowed_ || _isAllowed(role_, resource_, permission_);
+        }
+
+        string[] memory groups_ = getUserGroups(who_);
+
+        for (uint256 i = 0; i < groups_.length; i++) {
+            roles_ = getGroupRoles(groups_[i]);
+
+            for (uint256 j = 0; j < roles_.length; j++) {
+                string memory role_ = roles_[j];
+
+                if (_isDisallowed(role_, resource_, permission_)) {
+                    return false;
+                }
+
+                isAllowed_ = isAllowed_ || _isAllowed(role_, resource_, permission_);
+            }
+        }
+    }
+
+    /**
+     *  @notice The internal function to assign groups to the user
+     *  @param who_ the user to assign groups to
+     *  @param groupsToAddTo_ the list of groups to be assigned
+     */
+    function _addUserToGroups(address who_, string[] memory groupsToAddTo_) internal {
+        _userGroups[who_].add(groupsToAddTo_);
+
+        emit AddedToGroups(who_, groupsToAddTo_);
+    }
+
+    /**
+     *  @notice The internal function to remove the user from groups
+     *  @param who_ the user to be removed from groups
+     *  @param groupsToRemoveFrom_ the list of groups to remove the user from
+     */
+    function _removeUserFromGroups(address who_, string[] memory groupsToRemoveFrom_) internal {
+        _userGroups[who_].remove(groupsToRemoveFrom_);
+
+        emit RemovedFromGroups(who_, groupsToRemoveFrom_);
+    }
+
+    /**
+     *  @notice The internal function to grant roles to the group
+     *  @param groupTo_ the group to grant roles to
+     *  @param rolesToGrant_ the list of roles to grant
+     */
+    function _grantGroupRoles(string memory groupTo_, string[] memory rolesToGrant_) internal {
+        _groupRoles[groupTo_].add(rolesToGrant_);
+
+        emit GrantedGroupRoles(groupTo_, rolesToGrant_);
+    }
+
+    /**
+     *  @notice The internal function to revoke roles from the group
+     *  @param groupFrom_ the group to revoke roles from
+     *  @param rolesToRevoke_ the list of roles to revoke
+     */
+    function _revokeGroupRoles(string memory groupFrom_, string[] memory rolesToRevoke_) internal {
+        _groupRoles[groupFrom_].remove(rolesToRevoke_);
+
+        emit RevokedGroupRoles(groupFrom_, rolesToRevoke_);
+    }
+}

contracts/interfaces/access-control/IRBAC.sol

@@ -23,9 +23,9 @@ interface IRBAC {
         bool allowed
     );
 
-    function grantRoles(address to_, string[] memory rolesToGrant_) external;
+    function grantRoles(address to_, string[] calldata rolesToGrant_) external;
 
-    function revokeRoles(address from_, string[] memory rolesToRevoke_) external;
+    function revokeRoles(address from_, string[] calldata rolesToRevoke_) external;
 
     function addPermissionsToRole(
         string calldata role_,
@@ -39,7 +39,7 @@ interface IRBAC {
         bool allowed_
     ) external;
 
-    function getUserRoles(address who_) external view returns (string[] memory roles_);
+    function getUserRoles(address who_) external view returns (string[] calldata roles_);
 
     function getRolePermissions(
         string calldata role_
@@ -55,5 +55,5 @@ interface IRBAC {
         address who_,
         string calldata resource_,
         string calldata permission_
-    ) external view returns (bool);
+    ) external view returns (bool isAllowed_);
 }

contracts/interfaces/access-control/extensions/IRBACGroupable.sol

@@ -0,0 +1,30 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.4;
+
+/**
+ *  @notice The RBAC module
+ */
+interface IRBACGroupable {
+    event AddedToGroups(address who, string[] groupsToAddTo);
+    event RemovedFromGroups(address who, string[] groupsToRemoveFrom);
+
+    event GrantedGroupRoles(string groupTo, string[] rolesToGrant);
+    event RevokedGroupRoles(string groupFrom, string[] rolesToRevoke);
+
+    function addUserToGroups(address who_, string[] calldata groupsToAddTo_) external;
+
+    function removeUserFromGroups(address who_, string[] calldata groupsToRemoveFrom_) external;
+
+    function grantGroupRoles(string calldata groupTo_, string[] calldata rolesToGrant_) external;
+
+    function revokeGroupRoles(
+        string calldata groupFrom_,
+        string[] calldata rolesToRevoke_
+    ) external;
+
+    function getUserGroups(address who_) external view returns (string[] calldata groups_);
+
+    function getGroupRoles(
+        string calldata group_
+    ) external view returns (string[] calldata roles_);
+}

contracts/mock/access-control/extensions/RBACGroupableMock.sol

@@ -0,0 +1,18 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.4;
+
+import "../../../access-control/extensions/RBACGroupable.sol";
+
+contract RBACGroupableMock is RBACGroupable {
+    using ArrayHelper for string;
+
+    function __RBACGroupableMock_init() external initializer {
+        __RBACGroupable_init();
+
+        _grantRoles(msg.sender, MASTER_ROLE.asArray());
+    }
+
+    function mockInit() external {
+        __RBACGroupable_init();
+    }
+}