CCIP-4105: adds OZ AccessControl support to the registry module (#15067)

* adds OZ AccessControl support to the registry module

* [Bot] Update changeset file with jira issues

* fix snap

* update version

---------

Co-Authored-By: app-token-issuer-infra-releng[bot] <120227048+app-token-issuer-infra-releng[bot]@users.noreply.github.com>

contracts/.changeset/metal-ducks-hunt.md

@@ -0,0 +1,10 @@
+---
+'@chainlink/contracts': patch
+---
+
+#feature adds OZ AccessControl support to the registry module
+
+
+PR issue: CCIP-4105
+
+Solidity Review issue: CCIP-3966

contracts/gas-snapshots/ccip.gas-snapshot

@@ -920,11 +920,13 @@ RateLimiter_consume:test_TokenRateLimitReached_Revert() (gas: 24886)
 RateLimiter_currentTokenBucketState:test_CurrentTokenBucketState_Success() (gas: 38944)
 RateLimiter_currentTokenBucketState:test_Refill_Success() (gas: 46849)
 RateLimiter_setTokenBucketConfig:test_SetRateLimiterConfig_Success() (gas: 38506)
-RegistryModuleOwnerCustom_constructor:test_constructor_Revert() (gas: 36033)
-RegistryModuleOwnerCustom_registerAdminViaGetCCIPAdmin:test_registerAdminViaGetCCIPAdmin_Revert() (gas: 19739)
-RegistryModuleOwnerCustom_registerAdminViaGetCCIPAdmin:test_registerAdminViaGetCCIPAdmin_Success() (gas: 130086)
-RegistryModuleOwnerCustom_registerAdminViaOwner:test_registerAdminViaOwner_Revert() (gas: 19559)
-RegistryModuleOwnerCustom_registerAdminViaOwner:test_registerAdminViaOwner_Success() (gas: 129905)
+RegistryModuleOwnerCustom_constructor:test_constructor_Revert() (gas: 36107)
+RegistryModuleOwnerCustom_registerAccessControlDefaultAdmin:test_registerAccessControlDefaultAdmin_Revert() (gas: 20206)
+RegistryModuleOwnerCustom_registerAccessControlDefaultAdmin:test_registerAccessControlDefaultAdmin_Success() (gas: 130628)
+RegistryModuleOwnerCustom_registerAdminViaGetCCIPAdmin:test_registerAdminViaGetCCIPAdmin_Revert() (gas: 19773)
+RegistryModuleOwnerCustom_registerAdminViaGetCCIPAdmin:test_registerAdminViaGetCCIPAdmin_Success() (gas: 130108)
+RegistryModuleOwnerCustom_registerAdminViaOwner:test_registerAdminViaOwner_Revert() (gas: 19593)
+RegistryModuleOwnerCustom_registerAdminViaOwner:test_registerAdminViaOwner_Success() (gas: 129927)
 Router_applyRampUpdates:test_OffRampMismatch_Revert() (gas: 89366)
 Router_applyRampUpdates:test_OffRampUpdatesWithRouting() (gas: 10662612)
 Router_applyRampUpdates:test_OnRampDisable() (gas: 56007)

contracts/src/v0.8/ccip/test/tokenAdminRegistry/RegistryModuleOwnerCustom.t.sol

@@ -8,6 +8,7 @@ import {RegistryModuleOwnerCustom} from "../../tokenAdminRegistry/RegistryModule
 import {TokenAdminRegistry} from "../../tokenAdminRegistry/TokenAdminRegistry.sol";
 import {BurnMintERC677Helper} from "../helpers/BurnMintERC677Helper.sol";
 
+import {AccessControl} from "../../../vendor/openzeppelin-solidity/v5.0.2/contracts/access/AccessControl.sol";
 import {Test} from "forge-std/Test.sol";
 
 contract RegistryModuleOwnerCustomSetup is Test {
@@ -102,3 +103,54 @@ contract RegistryModuleOwnerCustom_registerAdminViaOwner is RegistryModuleOwnerC
     s_registryModuleOwnerCustom.registerAdminViaOwner(s_token);
   }
 }
+
+contract AccessController is AccessControl {
+  constructor(
+    address admin
+  ) {
+    _grantRole(DEFAULT_ADMIN_ROLE, admin);
+  }
+}
+
+contract RegistryModuleOwnerCustom_registerAccessControlDefaultAdmin is RegistryModuleOwnerCustomSetup {
+  function setUp() public override {
+    super.setUp();
+
+    s_token = address(new AccessController(OWNER));
+  }
+
+  function test_registerAccessControlDefaultAdmin_Success() public {
+    assertEq(s_tokenAdminRegistry.getTokenConfig(s_token).administrator, address(0));
+
+    bytes32 defaultAdminRole = AccessController(s_token).DEFAULT_ADMIN_ROLE();
+
+    vm.expectCall(address(s_token), abi.encodeWithSelector(AccessControl.hasRole.selector, defaultAdminRole, OWNER), 1);
+    vm.expectCall(
+      address(s_tokenAdminRegistry),
+      abi.encodeWithSelector(TokenAdminRegistry.proposeAdministrator.selector, s_token, OWNER),
+      1
+    );
+
+    vm.expectEmit();
+    emit RegistryModuleOwnerCustom.AdministratorRegistered(s_token, OWNER);
+
+    s_registryModuleOwnerCustom.registerAccessControlDefaultAdmin(s_token);
+
+    assertEq(s_tokenAdminRegistry.getTokenConfig(s_token).pendingAdministrator, OWNER);
+  }
+
+  function test_registerAccessControlDefaultAdmin_Revert() public {
+    bytes32 defaultAdminRole = AccessController(s_token).DEFAULT_ADMIN_ROLE();
+
+    address wrongSender = makeAddr("Not_expected_owner");
+    vm.startPrank(wrongSender);
+
+    vm.expectRevert(
+      abi.encodeWithSelector(
+        RegistryModuleOwnerCustom.RequiredRoleNotFound.selector, wrongSender, defaultAdminRole, s_token
+      )
+    );
+
+    s_registryModuleOwnerCustom.registerAccessControlDefaultAdmin(s_token);
+  }
+}

contracts/src/v0.8/ccip/tokenAdminRegistry/RegistryModuleOwnerCustom.sol

@@ -6,13 +6,16 @@ import {IGetCCIPAdmin} from "../interfaces/IGetCCIPAdmin.sol";
 import {IOwner} from "../interfaces/IOwner.sol";
 import {ITokenAdminRegistry} from "../interfaces/ITokenAdminRegistry.sol";
 
+import {AccessControl} from "../../vendor/openzeppelin-solidity/v5.0.2/contracts/access/AccessControl.sol";
+
 contract RegistryModuleOwnerCustom is ITypeAndVersion {
   error CanOnlySelfRegister(address admin, address token);
+  error RequiredRoleNotFound(address msgSender, bytes32 role, address token);
   error AddressZero();
 
   event AdministratorRegistered(address indexed token, address indexed administrator);
 
-  string public constant override typeAndVersion = "RegistryModuleOwnerCustom 1.5.0";
+  string public constant override typeAndVersion = "RegistryModuleOwnerCustom 1.6.0";
 
   // The TokenAdminRegistry contract
   ITokenAdminRegistry internal immutable i_tokenAdminRegistry;
@@ -38,6 +41,20 @@ contract RegistryModuleOwnerCustom is ITypeAndVersion {
     _registerAdmin(token, IOwner(token).owner());
   }
 
+  /// @notice Registers the admin of the token using OZ's AccessControl DEFAULT_ADMIN_ROLE.
+  /// @param token The token to register the admin for.
+  /// @dev The caller must have the DEFAULT_ADMIN_ROLE as defined by the contract itself.
+  function registerAccessControlDefaultAdmin(
+    address token
+  ) external {
+    bytes32 defaultAdminRole = AccessControl(token).DEFAULT_ADMIN_ROLE();
+    if (!AccessControl(token).hasRole(defaultAdminRole, msg.sender)) {
+      revert RequiredRoleNotFound(msg.sender, defaultAdminRole, token);
+    }
+
+    _registerAdmin(token, msg.sender);
+  }
+
   /// @notice Registers the admin of the token to msg.sender given that the
   /// admin is equal to msg.sender.
   /// @param token The token to register the admin for.