Merge pull request #282 from euler-xyz/integration-keyring

Add HookTargetAccessControlKeyring

Author: kasperpawlowski

docs/hook-target-access-control-keyring.md

@@ -0,0 +1,106 @@
+# HookTargetAccessControlKeyring
+
+## Overview
+
+The `HookTargetAccessControlKeyring` is a specialized hook target contract that combines selector-based access control with keyring credential verification. This contract enables vault operators to restrict access to critical vault operations, ensuring only authorized users with valid credentials can perform operations on vaults.
+
+## Purpose
+
+The primary purpose of the `HookTargetAccessControlKeyring` is to provide a robust, dual-layer authentication system for EVK vaults:
+
+1. **Selector-based access control** - Allows specific addresses to be whitelisted for particular function selectors
+2. **Keyring credential verification** - Requires users to possess valid credentials according to a specified policy
+
+This approach creates a flexible security model where:
+- Privileged addresses can bypass credential checks when needed
+- Regular users must possess valid credentials to interact with the vault
+- Different types of operations can have tailored access requirements
+
+## Components
+
+The `HookTargetAccessControlKeyring` integrates several components:
+
+- **BaseHookTarget** - Provides the foundation for intercepting vault operations
+- **SelectorAccessControl** - Provides role-based access control mapped to function selectors
+- **IKeyringCredentials** - External interface for credential verification
+
+## Authentication Mechanism
+
+The contract implements a sophisticated authentication workflow through the `_authenticateCallerAndAccount` function:
+
+1. **Initial Role Check**:
+   - First, check if the caller has either the `WILD_CARD` role or a specific role for the current function selector
+   - If yes, bypass the keyring credential check entirely
+
+2. **Caller Credential Check**:
+   - Determine the EVC owner of the calling account
+   - If no owner is registered, assume the caller itself is the owner
+   - Verify the owner has valid credentials according to the specified policy ID
+
+3. **Account Credential Check**:
+   - Only performed if the account being operated on has a different EVC owner than the caller
+   - Determine the EVC owner of the account being operated on
+   - If no owner is registered, assume the account itself is the owner
+   - Verify this owner also has valid credentials according to the policy ID
+
+4. **Optimization**:
+   - If the caller and the account being operated on share the same EVC owner, only one credential check is performed
+
+This mechanism ensures that both the entity initiating the operation and the entity being affected by it (if different) have proper authorization.
+
+## Hooked Operations
+
+The contract intercepts and applies its authentication mechanism to the following vault operations:
+
+1. **Asset Deposit/Mint Operations**:
+   - `deposit(uint256, address receiver)`
+   - `mint(uint256, address receiver)`
+   - `skim(uint256, address receiver)`
+
+2. **Asset Withdrawal/Redemption Operations**:
+   - `withdraw(uint256, address, address owner)`
+   - `redeem(uint256, address, address owner)`
+
+3. **Borrowing/Repayment Operations**:
+   - `borrow(uint256, address receiver)`
+   - `repay(uint256, address receiver)`
+   - `repayWithShares(uint256, address receiver)`
+   - `pullDebt(uint256, address from)`
+
+For each of these operations, the contract authenticates both the caller and the relevant account parameter (receiver or owner).
+
+### Fallback Mechanism
+
+The contract implements a fallback function that provides a catch-all authentication mechanism for any hooked operations that are not explicitly intercepted by the above functions.
+
+When a hooked operation is called that doesn't match any of the explicitly defined functions, the fallback function:
+- Authenticates only the caller using the `_authenticateCaller` function
+- Applies the same role-based access control rules (WILD_CARD and selector-specific roles)
+- Does not perform keyring credential checks on any additional accounts
+
+## Usage Patterns
+
+### Installation Pattern
+
+To use this hook target:
+
+1. Deploy an instance of `HookTargetAccessControlKeyring`, specifying:
+   - EVC address
+   - Admin address
+   - EVault factory address
+   - Keyring contract address
+   - Policy ID
+
+2. Grant roles to addresses that should bypass credential checks
+
+3. Install the hook target on the desired vault(s) and configure which operations should be hooked
+
+## Example Scenario
+
+A vault operator could use this hook target to create a vault cluster where:
+- Only users with valid credentials can perform operations on the vaults
+- Specific addresses (like chosen liquidators) are whitelisted to bypass credential checks
+
+To achieve the above, the following operations should be hooked: `OP_DEPOSIT`, `OP_MINT`, `OP_WITHDRAW`, `OP_REDEEM`, `OP_SKIM`, `OP_BORROW`, `OP_REPAY`, `OP_REPAY_WITH_SHARES`, `OP_PULL_DEBT`, `OP_LIQUIDATE` and `OP_FLASHLOAN`.
+
+The liquidators should be granted the `WILD_CARD` role so that they can liquidate and close the position without needing to obtain a Keyring credential.

src/HookTarget/HookTargetAccessControlKeyring.sol

@@ -0,0 +1,139 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+
+pragma solidity ^0.8.0;
+
+import {BaseHookTarget} from "./BaseHookTarget.sol";
+import {SelectorAccessControl} from "../AccessControl/SelectorAccessControl.sol";
+
+interface IKeyringCredentials {
+    function checkCredential(address, uint32) external view returns (bool);
+}
+
+/// @title HookTargetAccessControlKeyring
+/// @custom:security-contact security@euler.xyz
+/// @author Euler Labs (https://www.eulerlabs.com/)
+/// @notice Hook target contract that allows specific functions on the vault to be called only by authorized callers.
+contract HookTargetAccessControlKeyring is BaseHookTarget, SelectorAccessControl {
+    /// @notice The Keyring contract used for credential checking
+    IKeyringCredentials public immutable keyring;
+
+    /// @notice The policy ID used when checking credentials against the Keyring contract
+    uint32 public immutable policyId;
+
+    /// @notice Initializes the HookTargetAccessControlKeyring contract
+    /// @param _evc The address of the EVC.
+    /// @param _admin The address to be granted the DEFAULT_ADMIN_ROLE.
+    /// @param _eVaultFactory The address of the EVault factory.
+    /// @param _keyring The address of the Keyring contract.
+    /// @param _policyId The policy ID to be used for credential checking.
+    constructor(address _evc, address _admin, address _eVaultFactory, address _keyring, uint32 _policyId)
+        BaseHookTarget(_eVaultFactory)
+        SelectorAccessControl(_evc, _admin)
+    {
+        keyring = IKeyringCredentials(_keyring);
+        policyId = _policyId;
+    }
+
+    /// @notice Fallback function to revert if the address is not whitelisted to call the selector.
+    fallback() external {
+        _authenticateCaller();
+    }
+
+    /// @notice Intercepts EVault deposit operations to authenticate the caller and the receiver
+    /// @param receiver The address that will receive shares
+    function deposit(uint256, address receiver) external view {
+        _authenticateCallerAndAccount(receiver);
+    }
+
+    /// @notice Intercepts EVault mint operations to authenticate the caller and the receiver
+    /// @param receiver The address that will receive shares
+    function mint(uint256, address receiver) external view {
+        _authenticateCallerAndAccount(receiver);
+    }
+
+    /// @notice Intercepts EVault withdraw operations to authenticate the caller and the owner
+    /// @param owner The address whose balance will change
+    function withdraw(uint256, address, address owner) external view {
+        _authenticateCallerAndAccount(owner);
+    }
+
+    /// @notice Intercepts EVault redeem operations to authenticate the caller and the owner
+    /// @param owner The address whose balance will change
+    function redeem(uint256, address, address owner) external view {
+        _authenticateCallerAndAccount(owner);
+    }
+
+    /// @notice Intercepts EVault skim operations to authenticate the caller and the receiver
+    /// @param receiver The address that will receive shares
+    function skim(uint256, address receiver) external view {
+        _authenticateCallerAndAccount(receiver);
+    }
+
+    /// @notice Intercepts EVault borrow operations to authenticate the caller and the receiver
+    /// @param receiver The address that will receive borrowed assets
+    function borrow(uint256, address receiver) external view {
+        _authenticateCallerAndAccount(receiver);
+    }
+
+    /// @notice Intercepts EVault repay operations to authenticate the caller and the receiver
+    /// @param receiver The address that will receive the repaid assets
+    function repay(uint256, address receiver) external view {
+        _authenticateCallerAndAccount(receiver);
+    }
+
+    /// @notice Intercepts EVault repayWithShares operations to authenticate the caller and the receiver
+    /// @param receiver The address that will receive the repaid assets
+    function repayWithShares(uint256, address receiver) external view {
+        _authenticateCallerAndAccount(receiver);
+    }
+
+    /// @notice Intercepts EVault pullDebt operations to authenticate the caller and the from address
+    /// @param from The address from which debt is being pulled
+    function pullDebt(uint256, address from) external view {
+        _authenticateCallerAndAccount(from);
+    }
+
+    /// @notice Checks if the EVC owner of the account has valid Keyring credential
+    /// @dev If the EVC owner is not registered yet, the account is assumed to be the owner
+    /// @param account The address to check credential for
+    /// @return bool True if the EVC owner of the account has valid Keyring credential
+    function checkKeyringCredential(address account) external view returns (bool) {
+        address owner = evc.getAccountOwner(account);
+        return keyring.checkCredential(owner == address(0) ? account : owner, policyId);
+    }
+
+    /// @notice Authenticates both the caller and the specified account for access control
+    /// @dev This function checks if either the caller or the account owner are authorized to call the function
+    /// @param account The account to be authenticated
+    function _authenticateCallerAndAccount(address account) internal view {
+        address caller = _msgSender();
+
+        // Skip Keyring authentication if caller has wildcard role or specific function selector role
+        if (hasRole(WILD_CARD, caller) || hasRole(msg.sig, caller)) return;
+
+        address owner = evc.getAccountOwner(caller);
+
+        // If the EVC owner is not registered yet, assume the caller is the owner
+        if (owner == address(0)) owner = caller;
+        if (!keyring.checkCredential(owner, policyId)) revert NotAuthorized();
+
+        // If caller and account don't share the same EVC owner, authenticate the account separately
+        if (!_haveCommonOwner(owner, account)) {
+            owner = evc.getAccountOwner(account);
+
+            // If the EVC owner is not registered yet, assume the account is the owner
+            if (owner == address(0)) owner = account;
+            if (!keyring.checkCredential(owner, policyId)) revert NotAuthorized();
+        }
+    }
+
+    /// @notice Retrieves the message sender in the context of the EVC or calling vault.
+    /// @dev If the caller is a vault deployed by the recognized EVault factory, this function extracts the real
+    /// caller address from the calldata. Otherwise, this function returns the account on behalf of which the current
+    /// operation is being performed, which is either msg.sender or the account authenticated by the EVC.
+    /// @return The address of the message sender.
+    function _msgSender() internal view virtual override (BaseHookTarget, SelectorAccessControl) returns (address) {
+        address msgSender = BaseHookTarget._msgSender();
+        return msg.sender == msgSender ? SelectorAccessControl._msgSender() : msgSender;
+    }
+}