// SPDX-License-Identifier: Apache-2.0
pragma solidity 0.8.18;


interface IERC1271Wallet {

  /**
   * @notice Verifies whether the provided signature is valid with respect to the provided data
   * @dev MUST return the correct magic value if the signature provided is valid for the provided data
   *   > The bytes4 magic value to return when signature is valid is 0x20c13b0b : bytes4(keccak256("isValidSignature(bytes,bytes)")
   *   > This function MAY modify Ethereum's state
   * @param _data       Arbitrary length data signed on the behalf of address(this)
   * @param _signature  Signature byte array associated with _data
   * @return magicValue Magic value 0x20c13b0b if the signature is valid and 0x0 otherwise
   */
  function isValidSignature(
    bytes calldata _data,
    bytes calldata _signature)
    external
    view
    returns (bytes4 magicValue);

  /**
   * @notice Verifies whether the provided signature is valid with respect to the provided hash
   * @dev MUST return the correct magic value if the signature provided is valid for the provided hash
   *   > The bytes4 magic value to return when signature is valid is 0x20c13b0b : bytes4(keccak256("isValidSignature(bytes,bytes)")
   *   > This function MAY modify Ethereum's state
   * @param _hash       keccak256 hash that was signed
   * @param _signature  Signature byte array associated with _data
   * @return magicValue Magic value 0x20c13b0b if the signature is valid and 0x0 otherwise
   */
  function isValidSignature(
    bytes32 _hash,
    bytes calldata _signature)
    external
    view
    returns (bytes4 magicValue);
}

// SPDX-License-Identifier: Apache-2.0
pragma solidity 0.8.18;

import "../interfaces/IERC1271Wallet.sol";
import "../utils/SignatureValidator.sol";

function absDiff(uint256 a, uint256 b) pure returns (bool, uint256) {
  if (a > b) {
    return (true, a - b);
  }

  return (false, b - a);
}

contract Trust is IERC1271Wallet {
  error UnlockInThePast(uint256 _unlocksAt, uint256 _elapsed);
  error UnlockTooEarly(uint256 _unlocksAt, uint256 _diff);

  error NotOwner(address _sender);
  error NotUnlocked(uint256 _unlocksAt);
  error FailedTransaction(address payable _to, uint256 _value, bytes _data, bytes _result);

  error EmptySignature();
  error InvalidSignatureFlag(bytes _signature, bytes1 _flag);
  error InvalidSignature(bytes32 _hash, bytes32 _rehash, address _signer, bytes _signature);

  event SetUnlocksAt(uint256 _unlocksAt);
  event SentTransaction(address payable _to, uint256 _value, bytes _data, bytes _result);

  address immutable public owner;
  address immutable public beneficiary;
  uint256 immutable public duration;

  uint256 public unlocksAt = type(uint256).max;

  constructor (
    address _owner,
    address _beneficiary,
    uint256 _duration
  ) {
    owner = _owner;
    beneficiary = _beneficiary;
    duration = _duration;
  }

  modifier onlyAllowed() {
    if (msg.sender != owner) {
      if (msg.sender != beneficiary) {
        revert NotOwner(msg.sender);
      }

      if (isLocked()) {
        revert NotUnlocked(unlocksAt);
      }
    }

    _;
  }

  modifier onlyMember() {
    if (msg.sender != owner && msg.sender != beneficiary) {
      revert NotOwner(msg.sender);
    }

    _;
  }

  function isLocked() public view returns (bool) {
    return block.timestamp < unlocksAt;
  }

  function setUnlocksAt(uint256 _unlocksAt) external onlyMember {
    // Diff between the current time and the unlock time must be
    // greater than the duration of the trust
    (bool isPast, uint256 elapsed) = absDiff(block.timestamp, _unlocksAt);
    if (isPast) {
      revert UnlockInThePast(_unlocksAt, elapsed);
    }

    if (elapsed < duration) {
      revert UnlockTooEarly(_unlocksAt, elapsed);
    }

    emit SetUnlocksAt(_unlocksAt);
    unlocksAt = _unlocksAt;
  }

  function sendTransaction(
    address payable _to,
    uint256 _value,
    bytes calldata _data
  ) external onlyAllowed returns (bytes memory) {
    (bool success, bytes memory result) = _to.call{value: _value}(_data);

    if (!success) {
      revert FailedTransaction(_to, _value, _data, result);
    }

    emit SentTransaction(_to, _value, _data, result);
    return result;
  }

  bytes4 internal constant SELECTOR_ERC1271_BYTES_BYTES = 0x20c13b0b;
  bytes4 internal constant SELECTOR_ERC1271_BYTES32_BYTES = 0x1626ba7e;

  function isValidSignature(
    bytes calldata _data,
    bytes calldata _signature
  ) external view returns (bytes4) {
    bytes4 res = Trust(payable(address((this)))).isValidSignature(
      keccak256(_data),
      _signature
    );

    assert(res == SELECTOR_ERC1271_BYTES32_BYTES);
    return SELECTOR_ERC1271_BYTES_BYTES;
  }

  function isValidSignature(
    bytes32 _hash,
    bytes calldata _signature
  ) external view returns (bytes4) {
    if (_signature.length == 0) {
      revert EmptySignature();
    }

    // The last byte determines how the signature is going to be interpreted
    // 0x00 -> Signed by the owner
    // 0x01 -> Signed by the beneficiary
    // 0x02 -> Signed by the owner for any network
    // 0x03 -> Signed by the beneficiary for any network
    address signer;
    uint256 chainId;

    {
      bytes1 flag = _signature[_signature.length - 1];

      if (flag == 0x00) {
        signer = owner;
        chainId = block.chainid;
      } else if (flag == 0x01) {
        signer = beneficiary;
        chainId = block.chainid;
      } else if (flag == 0x02) {
        signer = owner;
        chainId = 0;
      } else if (flag == 0x03) {
        signer = beneficiary;
        chainId = 0;
      } else {
        revert InvalidSignatureFlag(_signature, flag);
      }
    }

    if (signer != owner && isLocked()) {
      revert NotUnlocked(unlocksAt);
    }

    // Re-hash the hash adding the address of the trust
    // otherwise the signature will be valid for any trust
    bytes32 rehash = keccak256(abi.encode(address(this), _hash, chainId));

    // Validate the signature
    if (!SignatureValidator.isValidSignature(rehash, signer, _signature[0:_signature.length - 1])) {
      revert InvalidSignature(_hash, rehash, signer, _signature[0:_signature.length - 1]);
    }

    return SELECTOR_ERC1271_BYTES32_BYTES;
  }

  receive() external payable {}
  fallback() external payable {}
}

// SPDX-License-Identifier: Apache-2.0
pragma solidity 0.8.18;

import "./Trust.sol";


contract TrustFactory {
  function trustCreationCode() external pure returns (bytes memory) {
    return type(Trust).creationCode;
  }

  function addressOf(
    address _owner,
    address _beneficiary,
    uint256 _duration
  ) external view returns (address) {
    return address(uint160(uint(keccak256(abi.encodePacked(
      bytes1(0xff),
      address(this),
      bytes32(0),
      keccak256(abi.encodePacked(
        type(Trust).creationCode,
        abi.encode(_owner, _beneficiary, _duration)
      ))
    )))));
  }

  function deploy(
    address _owner,
    address _beneficiary,
    uint256 _duration
  ) external returns (Trust) {
    return new Trust{ salt: bytes32(0) }( _owner, _beneficiary, _duration);
  }
}

// SPDX-License-Identifier: Apache-2.0
pragma solidity 0.8.18;


/**
 * @title Library for reading data from bytes arrays
 * @author Agustin Aguilar (aa@horizon.io)
 * @notice This library contains functions for reading data from bytes arrays.
 *
 * @dev These functions do not check if the input index is within the bounds of the data array.
 *         Reading out of bounds may return dirty values.
 */
library LibBytes {

  /**
   * @notice Returns the bytes32 value at the given index in the input data.
   * @param data The input data.
   * @param index The index of the value to retrieve.
   * @return a The bytes32 value at the given index.
   */
  function readBytes32(
    bytes calldata data,
    uint256 index
  ) internal pure returns (
    bytes32 a
  ) {
    assembly {
      a := calldataload(add(data.offset, index))
    }
  }

  /**
   * @notice Returns the uint8 value at the given index in the input data.
   * @param data The input data.
   * @param index The index of the value to retrieve.
   * @return a The uint8 value at the given index.
   */
  function readUint8(
    bytes calldata data,
    uint256 index
  ) internal pure returns (
    uint8 a
  ) {
    assembly {
      let word := calldataload(add(index, data.offset))
      a := shr(248, word)
    }
  }

  /**
   * @notice Returns the first uint16 value in the input data.
   * @param data The input data.
   * @return a The first uint16 value in the input data.
   */
  function readFirstUint16(
    bytes calldata data
  ) internal pure returns (
    uint16 a
  ) {
    assembly {
      let word := calldataload(data.offset)
      a := shr(240, word)
    }
  }

  /**
   * @notice Returns the uint32 value at the given index in the input data.
   * @param data The input data.
   * @param index The index of the value to retrieve.
   * @return a The uint32 value at the given index.
   */
  function readUint32(
    bytes calldata data,
    uint256 index
  ) internal pure returns (
    uint32 a
  ) {
    assembly {
      let word := calldataload(add(index, data.offset))
      a := shr(224, word)
    }
  }
}

// SPDX-License-Identifier: Apache-2.0
pragma solidity 0.8.18;

import "../interfaces/IERC1271Wallet.sol";

import "./LibBytes.sol";

/**
 * @dev Contains logic for signature validation.
 * Signatures from wallet contracts assume ERC-1271 support (https://github.com/ethereum/EIPs/blob/master/EIPS/eip-1271.md)
 * Notes: Methods are strongly inspired by contracts in https://github.com/0xProject/0x-monorepo/blob/development/
 */
library SignatureValidator {
  // Errors
  error InvalidSignatureLength(bytes _signature);
  error EmptySignature();
  error InvalidSValue(bytes _signature, bytes32 _s);
  error InvalidVValue(bytes _signature, uint256 _v);
  error UnsupportedSignatureType(bytes _signature, uint256 _type, bool _recoverMode);
  error SignerIsAddress0(bytes _signature);

  using LibBytes for bytes;

  /***********************************|
  |             Variables             |
  |__________________________________*/

  // bytes4(keccak256("isValidSignature(bytes,bytes)"))
  bytes4 constant internal ERC1271_MAGICVALUE = 0x20c13b0b;

  // bytes4(keccak256("isValidSignature(bytes32,bytes)"))
  bytes4 constant internal ERC1271_MAGICVALUE_BYTES32 = 0x1626ba7e;

  // Allowed signature types.
  uint256 private constant SIG_TYPE_EIP712 = 1;
  uint256 private constant SIG_TYPE_ETH_SIGN = 2;
  uint256 private constant SIG_TYPE_WALLET_BYTES32 = 3;

  /***********************************|
  |        Signature Functions        |
  |__________________________________*/

 /**
   * @notice Recover the signer of hash, assuming it's an EOA account
   * @dev Only for SignatureType.EIP712 and SignatureType.EthSign signatures
   * @param _hash      Hash that was signed
   *   encoded as (bytes32 r, bytes32 s, uint8 v, ... , SignatureType sigType)
   */
  function recoverSigner(
    bytes32 _hash,
    bytes calldata _signature
  ) internal pure returns (address signer) {
    if (_signature.length != 66) revert InvalidSignatureLength(_signature);
    uint256 signatureType = _signature.readUint8(_signature.length - 1);

    // Variables are not scoped in Solidity.
    uint8 v = _signature.readUint8(64);
    bytes32 r = _signature.readBytes32(0);
    bytes32 s = _signature.readBytes32(32);

    // EIP-2 still allows signature malleability for ecrecover(). Remove this possibility and make the signature
    // unique. Appendix F in the Ethereum Yellow paper (https://ethereum.github.io/yellowpaper/paper.pdf), defines
    // the valid range for s in (281): 0 < s < secp256k1n ÷ 2 + 1, and for v in (282): v ∈ {27, 28}. Most
    // signatures from current libraries generate a unique signature with an s-value in the lower half order.
    //
    // If your library generates malleable signatures, such as s-values in the upper range, calculate a new s-value
    // with 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 - s1 and flip v from 27 to 28 or
    // vice versa. If your library also generates signatures with 0/1 for v instead 27/28, add 27 to v to accept
    // these malleable signatures as well.
    //
    // Source OpenZeppelin
    // https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/cryptography/ECDSA.sol

    if (uint256(s) > 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0) {
      revert InvalidSValue(_signature, s);
    }

    if (v != 27 && v != 28) {
      revert InvalidVValue(_signature, v);
    }

    // Signature using EIP712
    if (signatureType == SIG_TYPE_EIP712) {
      signer = ecrecover(_hash, v, r, s);

    // Signed using web3.eth_sign() or Ethers wallet.signMessage()
    } else if (signatureType == SIG_TYPE_ETH_SIGN) {
      signer = ecrecover(
        keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", _hash)),
        v,
        r,
        s
      );

    } else {
      // We cannot recover the signer for any other signature type.
      revert UnsupportedSignatureType(_signature, signatureType, true);
    }

    // Prevent signer from being 0x0
    if (signer == address(0x0)) revert SignerIsAddress0(_signature);

    return signer;
  }

 /**
   * @notice Returns true if the provided signature is valid for the given signer.
   * @dev Supports SignatureType.EIP712, SignatureType.EthSign, and ERC1271 signatures
   * @param _hash      Hash that was signed
   * @param _signer    Address of the signer candidate
   * @param _signature Signature byte array
   */
  function isValidSignature(
    bytes32 _hash,
    address _signer,
    bytes calldata _signature
  ) internal view returns (bool valid) {
    if (_signature.length == 0) {
      revert EmptySignature();
    }

    uint256 signatureType = uint8(_signature[_signature.length - 1]);
    if (signatureType == SIG_TYPE_EIP712 || signatureType == SIG_TYPE_ETH_SIGN) {
      // Recover signer and compare with provided
      valid = recoverSigner(_hash, _signature) == _signer;

    } else if (signatureType == SIG_TYPE_WALLET_BYTES32) {
      // Remove signature type before calling ERC1271, restore after call
      valid = ERC1271_MAGICVALUE_BYTES32 == IERC1271Wallet(_signer).isValidSignature(_hash, _signature[0:_signature.length - 1]);

    } else {
      // We cannot validate any other signature type.
      // We revert because we can say nothing about its validity.
      revert UnsupportedSignatureType(_signature, signatureType, false);
    }
  }
}