Merge pull request #192 from mijinummi/security/138-access-controls-sensitive-functions

Security/138 access controls sensitive functions

Author: ISTIFANUS-N

contracts/access_control/Cargo.toml

@@ -0,0 +1,46 @@
+#![cfg_attr(not(feature = "std"), no_std)]
+
+#[ink::contract]
+mod access_control {
+    use ink::storage::Mapping;
+
+    #[derive(scale::Encode, scale::Decode, Clone, Debug, PartialEq, Eq)]
+    #[cfg_attr(feature = "std", derive(scale_info::TypeInfo))]
+    pub enum Role {
+        Admin,
+        Governor,
+        Emergency,
+    }
+
+    #[ink(storage)]
+    pub struct AccessControl {
+        roles: Mapping<AccountId, Role>,
+    }
+
+    impl AccessControl {
+        #[ink(constructor)]
+        pub fn new(admin: AccountId) -> Self {
+            let mut roles = Mapping::default();
+            roles.insert(admin, &Role::Admin);
+            Self { roles }
+        }
+
+        #[ink(message)]
+        pub fn assign_role(&mut self, account: AccountId, role: Role) {
+            let caller = self.env().caller();
+            let caller_role = self.roles.get(caller).unwrap_or(Role::Governor);
+            assert!(caller_role == Role::Admin, "Only Admin can assign roles");
+            self.roles.insert(account, &role);
+        }
+
+        #[ink(message)]
+        pub fn get_role(&self, account: AccountId) -> Option<Role> {
+            self.roles.get(account)
+        }
+
+        pub fn ensure_role(&self, account: AccountId, required: Role) {
+            let role = self.roles.get(account).expect("No role assigned");
+            assert!(role == required, "Access denied");
+        }
+    }
+}

contracts/access_control/src/lib.rs

@@ -0,0 +1,47 @@
+#![cfg_attr(not(feature = "std"), no_std)]
+
+#[ink::contract]
+mod emergency {
+    use ink::storage::Mapping;
+
+    #[ink(storage)]
+    pub struct EmergencyControl {
+        approvals: Mapping<AccountId, bool>,
+        required_signatures: u8,
+        paused: bool,
+    }
+
+    impl EmergencyControl {
+        #[ink(constructor)]
+        pub fn new(required_signatures: u8) -> Self {
+            Self {
+                approvals: Mapping::default(),
+                required_signatures,
+                paused: false,
+            }
+        }
+
+        #[ink(message)]
+        pub fn approve_pause(&mut self) {
+            let caller = self.env().caller();
+            self.approvals.insert(caller, &true);
+        }
+
+        #[ink(message)]
+        pub fn execute_pause(&mut self) {
+            let mut count = 0;
+            for (account, approved) in self.approvals.iter() {
+                if approved {
+                    count += 1;
+                }
+            }
+            assert!(count >= self.required_signatures, "Not enough approvals");
+            self.paused = true;
+        }
+
+        #[ink(message)]
+        pub fn is_paused(&self) -> bool {
+            self.paused
+        }
+    }
+}

contracts/emergency/Cargo.toml

@@ -0,0 +1,39 @@
+#![cfg_attr(not(feature = "std"), no_std)]
+
+#[ink::contract]
+mod governance {
+    use ink::storage::Mapping;
+
+    #[ink(storage)]
+    pub struct Governance {
+        pending_actions: Mapping<u32, (AccountId, u64)>, // actionId → (initiator, timestamp)
+        delay: u64,
+    }
+
+    impl Governance {
+        #[ink(constructor)]
+        pub fn new(delay: u64) -> Self {
+            Self {
+                pending_actions: Mapping::default(),
+                delay,
+            }
+        }
+
+        #[ink(message)]
+        pub fn propose_action(&mut self, action_id: u32) {
+            let caller = self.env().caller();
+            let now = self.env().block_timestamp();
+            self.pending_actions.insert(action_id, &(caller, now));
+        }
+
+        #[ink(message)]
+        pub fn execute_action(&mut self, action_id: u32) {
+            if let Some((initiator, timestamp)) = self.pending_actions.get(action_id) {
+                let now = self.env().block_timestamp();
+                assert!(now >= timestamp + self.delay, "Action delay not met");
+                // Execute governance action here
+                self.pending_actions.remove(action_id);
+            }
+        }
+    }
+}

contracts/emergency/src/lib.rs

@@ -0,0 +1,13 @@
+#[test]
+fn test_admin_can_assign_roles() {
+    let mut ac = AccessControl::new(admin);
+    ac.assign_role(user, Role::Governor);
+    assert_eq!(ac.get_role(user), Some(Role::Governor));
+}
+
+#[test]
+#[should_panic(expected = "Access denied")]
+fn test_non_admin_cannot_assign_roles() {
+    let mut ac = AccessControl::new(admin);
+    ac.assign_role(user, Role::Governor); // should fail if caller != admin
+}