Openzeppelin学习记录

OpenZeppelin的智能合约代码库是以太坊开发者的宝库，OpenZeppelin代码库包含了经过社区审查的ERC代币标准、安全协议以及很多的辅助工具库，这些代码可以帮助开发者专注业务逻辑的，而无需重新发明轮子。

基于OpenZeppelin开发合约，即可以提高代码的安全性，又可以提高开发效率。（这两段话抄的登链社区哈哈哈）

本文只记录学习过程中的的一些想法和问题，目前没有实操。

本人英文文档阅读能力有限，这也是第一次尝试阅读英文文档（之前都是看的中文版，但这次搜到的都太老了，solidity还在用0.4+的版本~），如有错误欢迎大家批评指正！

模块结构

从github上下下来原始合约，目录结构如图所示：

-contracts-access//主要包含拥有者管理和角色管理AccessControl.sol               //角色管理，1对1AccessControlEnumerable.sol        //角色管理，1对多Ownable.sol                        //拥有者管理-finance  -governance -interfaces-metax-mocks-proxys-security-token-utils

今天先写一下access部分的笔记

1. access

1.1 AccessControl.sol

该文件为角色管理合约：其中有两个关键角色：role和roleAdmin

合约中提供了几个函数来进行角色的转换，其中包括一些查询函数，此外还有角色转变函数，和角色改变时会触发的event.

function supportsInterface(bytes4 interfaceId) public view virtual override returns (bool){};//（没太懂）
function grantRole(bytes32 role, address account) public virtual override onlyRole(getRoleAdmin(role)){};
function revokeRole(bytes32 role, address account) public virtual override onlyRole(getRoleAdmin(role)){};
function renounceRole(bytes32 role, address account) public virtual override{};
function _setRoleAdmin(bytes32 role, bytes32 adminRole) internal virtual{};

其中，

admin:grantRolerevokeRolerole:renounonceRole更改admin的函数（可见性是internal的，应该是在使用者自己的合约中调用）
_setRoleAdmin

具体文件如下（害怕出错，英文注释没有动，添加了一些自己理解的中文注释）

// SPDX-License-Identifier: MITpragma solidity ^0.8.0;import "../utils/Context.sol";
import "../utils/Strings.sol";
import "../utils/introspection/ERC165.sol";/*** @dev External interface of AccessControl declared to support ERC165 detection.*/
interface IAccessControl {function hasRole(bytes32 role, address account) external view returns (bool);function getRoleAdmin(bytes32 role) external view returns (bytes32);function grantRole(bytes32 role, address account) external;function revokeRole(bytes32 role, address account) external;function renounceRole(bytes32 role, address account) external;
}/*** @dev Contract module that allows children to implement role-based access* control mechanisms. This is a lightweight version that doesn't allow enumerating role* members except through off-chain means by accessing the contract event logs. Some* applications may benefit from on-chain enumerability, for those cases see* {AccessControlEnumerable}.** Roles are referred to by their `bytes32` identifier. These should be exposed* in the external API and be unique. The best way to achieve this is by* using `public constant` hash digests:** ```* bytes32 public constant MY_ROLE = keccak256("MY_ROLE");* ```** Roles can be used to represent a set of permissions. To restrict access to a* function call, use {hasRole}:** ```* function foo() public {*     require(hasRole(MY_ROLE, msg.sender));*     ...* }* ```** Roles can be granted and revoked dynamically via the {grantRole} and* {revokeRole} functions. Each role has an associated admin role, and only* accounts that have a role's admin role can call {grantRole} and {revokeRole}.** By default, the admin role for all roles is `DEFAULT_ADMIN_ROLE`, which means* that only accounts with this role will be able to grant or revoke other* roles. More complex role relationships can be created by using* {_setRoleAdmin}.** WARNING: The `DEFAULT_ADMIN_ROLE` is also its own admin: it has permission to* grant and revoke this role. Extra precautions should be taken to secure* accounts that have been granted it.*/
abstract contract AccessControl is Context, IAccessControl, ERC165 {struct RoleData {mapping(address => bool) members;bytes32 adminRole;}mapping(bytes32 => RoleData) private _roles;bytes32 public constant DEFAULT_ADMIN_ROLE = 0x00;/*** @dev Emitted when `newAdminRole` is set as ``role``'s admin role, replacing `previousAdminRole`** `DEFAULT_ADMIN_ROLE` is the starting admin for all roles, despite* {RoleAdminChanged} not being emitted signaling this.** _Available since v3.1._*///更改角色role管理员（0x00是所有角色的初始管理员，尽管刚开始的时候没有发出这个事件）event RoleAdminChanged(bytes32 indexed role, bytes32 indexed previousAdminRole, bytes32 indexed newAdminRole);/*** @dev Emitted when `account` is granted `role`.** `sender` is the account that originated the contract call, an admin role* bearer except when using {_setupRole}.*///sender(通常是admin)授予某accounte为roleevent RoleGranted(bytes32 indexed role, address indexed account, address indexed sender);/*** @dev Emitted when `account` is revoked `role`.** `sender` is the account that originated the contract call:*   - if using `revokeRole`, it is the admin role bearer*   - if using `renounceRole`, it is the role bearer (i.e. `account`)*///sender(通常是admin)撤销某accounte的roleevent RoleRevoked(bytes32 indexed role, address indexed account, address indexed sender);/*** @dev Modifier that checks that an account has a specific role. Reverts* with a standardized message including the required role.** The format of the revert reason is given by the following regular expression:**  /^AccessControl: account (0x[0-9a-f]{20}) is missing role (0x[0-9a-f]{32})$/** _Available since v4.1._*///检查调用者是否有某角色（没有进行一些处理（回复消息告知其不是该角色））modifier onlyRole(bytes32 role) {_checkRole(role, _msgSender());_;}/*** @dev See {IERC165-supportsInterface}.*/function supportsInterface(bytes4 interfaceId) public view virtual override returns (bool) {return interfaceId == type(IAccessControl).interfaceId || super.supportsInterface(interfaceId);//当使用super时，调用的是继承的该函数，不是它自己}/*** @dev Returns `true` if `account` has been granted `role`.*/function hasRole(bytes32 role, address account) public view override returns (bool) {return _roles[role].members[account];}/*** @dev Revert with a standard message if `account` is missing `role`.** The format of the revert reason is given by the following regular expression:**  /^AccessControl: account (0x[0-9a-f]{20}) is missing role (0x[0-9a-f]{32})$/*/function _checkRole(bytes32 role, address account) internal view {if (!hasRole(role, account)) {revert(string(abi.encodePacked("AccessControl: account ",Strings.toHexString(uint160(account), 20)," is missing role ",Strings.toHexString(uint256(role), 32))));}}/*** @dev Returns the admin role that controls `role`. See {grantRole} and* {revokeRole}.** To change a role's admin, use {_setRoleAdmin}.*/function getRoleAdmin(bytes32 role) public view override returns (bytes32) {return _roles[role].adminRole;}/*** @dev Grants `role` to `account`.** If `account` had not been already granted `role`, emits a {RoleGranted}* event.** Requirements:** - the caller must have ``role``'s admin role.*///msg.sender= admin,授予account 的rolefunction grantRole(bytes32 role, address account) public virtual override onlyRole(getRoleAdmin(role)) {_grantRole(role, account);}/*** @dev Revokes `role` from `account`.** If `account` had been granted `role`, emits a {RoleRevoked} event.** Requirements:** - the caller must have ``role``'s admin role.*///admin撤销account 的rolefunction revokeRole(bytes32 role, address account) public virtual override onlyRole(getRoleAdmin(role)) {_revokeRole(role, account);}/*** @dev Revokes `role` from the calling account.** Roles are often managed via {grantRole} and {revokeRole}: this function's* purpose is to provide a mechanism for accounts to lose their privileges* if they are compromised (such as when a trusted device is misplaced).** If the calling account had been granted `role`, emits a {RoleRevoked}* event.** Requirements:** - the caller must be `account`.*///account 主动撤销自己的角色function renounceRole(bytes32 role, address account) public virtual override {require(account == _msgSender(), "AccessControl: can only renounce roles for self");_revokeRole(role, account);}/*** @dev Grants `role` to `account`.** If `account` had not been already granted `role`, emits a {RoleGranted}* event. Note that unlike {grantRole}, this function doesn't perform any* checks on the calling account.** [WARNING]* ====* This function should only be called from the constructor when setting* up the initial roles for the system.** Using this function in any other way is effectively circumventing the admin* system imposed by {AccessControl}.* ====*/function _setupRole(bytes32 role, address account) internal virtual {_grantRole(role, account);}/*** @dev Sets `adminRole` as ``role``'s admin role.** Emits a {RoleAdminChanged} event.*/function _setRoleAdmin(bytes32 role, bytes32 adminRole) internal virtual {emit RoleAdminChanged(role, getRoleAdmin(role), adminRole);_roles[role].adminRole = adminRole;}function _grantRole(bytes32 role, address account) private {if (!hasRole(role, account)) {_roles[role].members[account] = true;emit RoleGranted(role, account, _msgSender());}}function _revokeRole(bytes32 role, address account) private {if (hasRole(role, account)) {_roles[role].members[account] = false;emit RoleRevoked(role, account, _msgSender());}}
}

1.2 AccessControlEnumerable.sol

1.1 是一对一，这个是一对多，就是管理一个同为role的集合roles,大体功能是一样的，我没仔细看，把代码贴这吧

// SPDX-License-Identifier: MITpragma solidity ^0.8.0;import "./AccessControl.sol";
import "../utils/structs/EnumerableSet.sol";/*** @dev External interface of AccessControlEnumerable declared to support ERC165 detection.*/
interface IAccessControlEnumerable {function getRoleMember(bytes32 role, uint256 index) external view returns (address);function getRoleMemberCount(bytes32 role) external view returns (uint256);
}/*** @dev Extension of {AccessControl} that allows enumerating the members of each role.*/
abstract contract AccessControlEnumerable is IAccessControlEnumerable, AccessControl {using EnumerableSet for EnumerableSet.AddressSet;mapping(bytes32 => EnumerableSet.AddressSet) private _roleMembers;/*** @dev See {IERC165-supportsInterface}.*/function supportsInterface(bytes4 interfaceId) public view virtual override returns (bool) {return interfaceId == type(IAccessControlEnumerable).interfaceId || super.supportsInterface(interfaceId);}/*** @dev Returns one of the accounts that have `role`. `index` must be a* value between 0 and {getRoleMemberCount}, non-inclusive.** Role bearers are not sorted in any particular way, and their ordering may* change at any point.** WARNING: When using {getRoleMember} and {getRoleMemberCount}, make sure* you perform all queries on the same block. See the following* https://forum.openzeppelin.com/t/iterating-over-elements-on-enumerableset-in-openzeppelin-contracts/2296[forum post]* for more information.*/function getRoleMember(bytes32 role, uint256 index) public view override returns (address) {return _roleMembers[role].at(index);}/*** @dev Returns the number of accounts that have `role`. Can be used* together with {getRoleMember} to enumerate all bearers of a role.*/function getRoleMemberCount(bytes32 role) public view override returns (uint256) {return _roleMembers[role].length();}/*** @dev Overload {grantRole} to track enumerable memberships*/function grantRole(bytes32 role, address account) public virtual override {super.grantRole(role, account);_roleMembers[role].add(account);}/*** @dev Overload {revokeRole} to track enumerable memberships*/function revokeRole(bytes32 role, address account) public virtual override {super.revokeRole(role, account);_roleMembers[role].remove(account);}/*** @dev Overload {renounceRole} to track enumerable memberships*/function renounceRole(bytes32 role, address account) public virtual override {super.renounceRole(role, account);_roleMembers[role].remove(account);}/*** @dev Overload {_setupRole} to track enumerable memberships*/function _setupRole(bytes32 role, address account) internal virtual override {super._setupRole(role, account);_roleMembers[role].add(account);}
}

1.3 Ownable.sol

该合约用的最多了，给所部署的合约设置一个拥有者，一次来约束合约中和某些操作的权限。可以称得上典中典！

// SPDX-License-Identifier: MITpragma solidity ^0.8.0;import "../utils/Context.sol";/*** @dev Contract module which provides a basic access control mechanism, where* there is an account (an owner) that can be granted exclusive access to* specific functions.** By default, the owner account will be the one that deploys the contract. This* can later be changed with {transferOwnership}.** This module is used through inheritance. It will make available the modifier* `onlyOwner`, which can be applied to your functions to restrict their use to* the owner.*默认情况下，所有者帐户将是部署合约的帐户。这以后可以用 {transferOwnership} 更改。*该模块通过继承使用。它将使修饰符可用`onlyOwner`，可以应用于您的函数以限制它们的使用者。*/abstract contract Ownable is Context {address private _owner;//拥有者身份转移event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);/*** @dev Initializes the contract setting the deployer as the initial owner.*///初始化合约，将部署者设置为初始所有者constructor() {address msgSender = _msgSender();_owner = msgSender;emit OwnershipTransferred(address(0), msgSender);}/*** @dev Returns the address of the current owner.*/function owner() public view virtual returns (address) {return _owner;}/*** @dev Throws if called by any account other than the owner.*/modifier onlyOwner() {require(owner() == _msgSender(), "Ownable: caller is not the owner");_;}/*** @dev Leaves the contract without owner. It will not be possible to call* `onlyOwner` functions anymore. Can only be called by the current owner.** NOTE: Renouncing ownership will leave the contract without an owner,* thereby removing any functionality that is only available to the owner.*///使合约没有所有者。将无法调用`onlyOwner` 不再起作用。只能由当前所有者调用。// 注意：放弃所有权将使合约没有所有者，从而删除任何仅对所有者可用的功能function renounceOwnership() public virtual onlyOwner {emit OwnershipTransferred(_owner, address(0));_owner = address(0);}/*** @dev Transfers ownership of the contract to a new account (`newOwner`).* Can only be called by the current owner.*///原拥有者将权力交接给新人（青天已死，黄天当立）function transferOwnership(address newOwner) public virtual onlyOwner {require(newOwner != address(0), "Ownable: new owner is the zero address");emit OwnershipTransferred(_owner, newOwner);_owner = newOwner;}
}

OK,access看完啦！