chore: update permission mechanism

Author: blockgroot

contracts/PoolSelector.sol

@@ -108,12 +108,15 @@ contract PoolSelector is IPoolSelector, AccessControlUpgradeable {
 
     /**
      * @notice update the target weights of existing pools
-     * @dev only `CONFIGURATOR's` can call,
+     * @dev only authorised callers can call,
      * @param _poolTargets new target weights of pools
      * `_poolTargets` array provide pool target in the same order of poolIDs that are stored in poolIdArray of poolUtils
      */
     function updatePoolWeights(uint256[] calldata _poolTargets) external {
-        UtilLib.onlyConfiguratorRole(msg.sender, staderConfig);
+        if (!staderConfig.isAllowedToCall(msg.sender, "updatePoolWeights(uint256[])")) {
+            revert AccessDenied(msg.sender);
+        }
+
         uint8[] memory poolIdArray = IPoolUtils(staderConfig.getPoolUtils()).getPoolIdArray();
         uint256 poolCount = poolIdArray.length;
         uint256 poolTargetLength = _poolTargets.length;

contracts/PoolUtils.sol

@@ -70,7 +70,10 @@ contract PoolUtils is IPoolUtils, AccessControlUpgradeable {
      * @dev emit an event containing validator pubkey for offchain to exit the validator
      */
     function processValidatorExitList(bytes[] calldata _pubkeys) external override {
-        UtilLib.onlyConfiguratorRole(msg.sender, staderConfig);
+        if (!staderConfig.isAllowedToCall(msg.sender, "processValidatorExitList(bytes[])")) {
+            revert AccessDenied(msg.sender);
+        }
+
         uint256 exitValidatorCount = _pubkeys.length;
         for (uint256 i; i < exitValidatorCount; ) {
             emit ExitValidator(_pubkeys[i]);

contracts/StaderConfig.sol

@@ -80,9 +80,6 @@ contract StaderConfig is IStaderConfig, AccessControlUpgradeable {
     bytes32 public constant override SD_UTILITY_POOL = keccak256("SD_UTILITY_POOL");
     bytes32 public constant override SD_INCENTIVE_CONTROLLER = keccak256("SD_INCENTIVE_CONTROLLER");
 
-    // Role define to manage pools config
-    bytes32 public constant override CONFIGURATOR = keccak256("CONFIGURATOR");
-
     /// @custom:oz-upgrades-unsafe-allow constructor
     constructor() {
         _disableInitializers();
@@ -300,6 +297,27 @@ contract StaderConfig is IStaderConfig, AccessControlUpgradeable {
         setContract(SD_INCENTIVE_CONTROLLER, _sdIncentiveController);
     }
 
+    // Access Control
+    function giveCallPermission(
+        address contractAddress,
+        string calldata functionSig,
+        address accountToPermit
+    ) external override onlyRole(DEFAULT_ADMIN_ROLE) {
+        bytes32 role = keccak256(abi.encodePacked(contractAddress, functionSig));
+        grantRole(role, accountToPermit);
+        emit PermissionGranted(accountToPermit, contractAddress, functionSig);
+    }
+
+    function revokeCallPermission(
+        address contractAddress,
+        string calldata functionSig,
+        address accountToRevoke
+    ) external override onlyRole(DEFAULT_ADMIN_ROLE) {
+        bytes32 role = keccak256(abi.encodePacked(contractAddress, functionSig));
+        revokeRole(role, accountToRevoke);
+        emit PermissionRevoked(accountToRevoke, contractAddress, functionSig);
+    }
+
     //Constants Getters
 
     function getStakedEthPerNode() external view override returns (uint256) {
@@ -540,8 +558,9 @@ contract StaderConfig is IStaderConfig, AccessControlUpgradeable {
         return hasRole(OPERATOR, account);
     }
 
-    function onlyConfiguratorRole(address account) external view override returns (bool) {
-        return hasRole(CONFIGURATOR, account);
+    function isAllowedToCall(address account, string calldata functionSig) external view override returns (bool) {
+        bytes32 role = keccak256(abi.encodePacked(msg.sender, functionSig));
+        return hasRole(role, account);
     }
 
     function verifyDepositAndWithdrawLimits() internal view {

contracts/interfaces/IPoolSelector.sol

@@ -6,6 +6,7 @@ interface IPoolSelector {
     error InvalidTargetWeight();
     error InvalidNewTargetInput();
     error InvalidSumOfPoolWeights();
+    error AccessDenied(address account);
 
     // Events
 

contracts/interfaces/IPoolUtils.sol

@@ -14,6 +14,7 @@ interface IPoolUtils {
     error OperatorIsNotOnboarded();
     error InvalidLengthOfSignature();
     error ExistingOrMismatchingPoolId();
+    error AccessDenied(address account);
 
     // Events
     event PoolAdded(uint8 indexed poolId, address poolAddress);

contracts/interfaces/IStaderConfig.sol

@@ -16,6 +16,8 @@ interface IStaderConfig {
     event SetAccount(bytes32 key, address newAddress);
     event SetContract(bytes32 key, address newAddress);
     event SetToken(bytes32 key, address newAddress);
+    event PermissionGranted(address indexed accountToPermit, address indexed contractAddress, string functionSig);
+    event PermissionRevoked(address indexed accountToRevoke, address indexed contractAddress, string functionSig);
 
     //Contracts
     function POOL_UTILS() external view returns (bytes32);
@@ -74,8 +76,6 @@ interface IStaderConfig {
 
     function OPERATOR() external view returns (bytes32);
 
-    function CONFIGURATOR() external view returns (bytes32);
-
     // Constants
     function getStakedEthPerNode() external view returns (uint256);
 
@@ -174,5 +174,13 @@ interface IStaderConfig {
 
     function onlyOperatorRole(address account) external view returns (bool);
 
-    function onlyConfiguratorRole(address account) external view returns (bool);
+    function isAllowedToCall(address account, string calldata functionSig) external view returns (bool);
+
+    function giveCallPermission(address contractAddress, string calldata functionSig, address accountToPermit) external;
+
+    function revokeCallPermission(
+        address contractAddress,
+        string calldata functionSig,
+        address accountToRevoke
+    ) external;
 }

contracts/library/UtilLib.sol

@@ -14,7 +14,6 @@ library UtilLib {
     error CallerNotStaderContract();
     error CallerNotWithdrawVault();
     error TransferFailed();
-    error CallerNotConfigurator();
 
     uint64 private constant VALIDATOR_PUBKEY_LENGTH = 48;
 
@@ -36,12 +35,6 @@ library UtilLib {
         }
     }
 
-    function onlyConfiguratorRole(address _addr, IStaderConfig _staderConfig) internal view {
-        if (!_staderConfig.onlyConfiguratorRole(_addr)) {
-            revert CallerNotConfigurator();
-        }
-    }
-
     //checks if caller is a stader contract address
     function onlyStaderContract(address _addr, IStaderConfig _staderConfig, bytes32 _contractName) internal view {
         if (!_staderConfig.onlyStaderContract(_addr, _contractName)) {

test/foundry_tests/PoolSelector.t.sol

@@ -17,6 +17,7 @@ contract PoolSelectorTest is Test {
     address staderManager;
     address operator;
     address configurator;
+    address naiveAddress;
 
     address staderStakePoolManager;
 
@@ -30,6 +31,7 @@ contract PoolSelectorTest is Test {
         staderManager = vm.addr(101);
         operator = vm.addr(102);
         configurator = vm.addr(116);
+        naiveAddress = vm.addr(117);
         staderStakePoolManager = vm.addr(110);
 
         address ethDepositAddr = vm.addr(103);
@@ -61,7 +63,7 @@ contract PoolSelectorTest is Test {
         staderConfig.updateStakePoolManager(staderStakePoolManager);
         staderConfig.grantRole(staderConfig.MANAGER(), staderManager);
         staderConfig.grantRole(staderConfig.OPERATOR(), operator);
-        staderConfig.grantRole(staderConfig.CONFIGURATOR(), configurator);
+        staderConfig.giveCallPermission(address(poolSelector), "updatePoolWeights(uint256[])", configurator);
         vm.stopPrank();
     }
 
@@ -98,7 +100,8 @@ contract PoolSelectorTest is Test {
         invalidSizePoolWeight[1] = 4000;
         invalidSizePoolWeight[2] = 4000;
 
-        vm.expectRevert(UtilLib.CallerNotConfigurator.selector);
+        vm.prank(naiveAddress);
+        vm.expectRevert(abi.encodeWithSignature("AccessDenied(address)", naiveAddress));
         poolSelector.updatePoolWeights(poolWeight);
 
         vm.startPrank(configurator);

test/foundry_tests/PoolUtils.t.sol

@@ -18,6 +18,7 @@ contract PoolUtilsTest is Test {
     address staderManager;
     address operator;
     address configurator;
+    address naiveAddress;
 
     PoolUtils poolUtils;
     StaderConfig staderConfig;
@@ -33,6 +34,7 @@ contract PoolUtilsTest is Test {
         staderManager = vm.addr(101);
         operator = vm.addr(102);
         configurator = vm.addr(114);
+        naiveAddress = vm.addr(117);
 
         address ethDepositAddr = vm.addr(103);
         nodeRegistry = new NodeRegistryMock(operator);
@@ -61,7 +63,7 @@ contract PoolUtilsTest is Test {
         vm.startPrank(staderAdmin);
         staderConfig.grantRole(staderConfig.MANAGER(), staderManager);
         staderConfig.grantRole(staderConfig.OPERATOR(), operator);
-        staderConfig.grantRole(staderConfig.CONFIGURATOR(), configurator);
+        staderConfig.giveCallPermission(address(poolUtils), "processValidatorExitList(bytes[])", configurator);
         vm.stopPrank();
     }
 
@@ -137,7 +139,8 @@ contract PoolUtilsTest is Test {
         pubkey[0] = "0x8faa339ba46c649885ea0fc9c34d32f9d99c5bde336750";
         pubkey[1] = "0x8faa339ba46c649885ea0fc9c34d32f9d99c5bde336750";
 
-        vm.expectRevert(UtilLib.CallerNotConfigurator.selector);
+        vm.prank(naiveAddress);
+        vm.expectRevert(abi.encodeWithSignature("AccessDenied(address)", naiveAddress));
         poolUtils.processValidatorExitList(pubkey);
 
         vm.prank(configurator);