fix logic

apps/authz/src/app/opa/rego/lib/criterias/principal.rego

@@ -2,6 +2,14 @@ package main
 
 import future.keywords.in
 
+is_principal_root_user {
+	principal.role == "root"
+}
+
+is_principal_assigned_to_wallet {
+	principal.uid in resource.assignees
+}
+
 check_principal_id(values) {
 	values == wildcard
 }
@@ -25,4 +33,4 @@ check_principal_groups(values) {
 check_principal_groups(values) {
 	group := principal_groups[_]
 	group in values
-}
+}

apps/authz/src/app/opa/rego/lib/criterias/resource.rego

@@ -38,4 +38,4 @@ check_wallet_assignees(values) {
 check_wallet_assignees(values) {
 	assignee := resource.assignees[_]
 	assignee in values
-}
+}

apps/authz/src/app/opa/rego/lib/criterias/source.rego

@@ -28,4 +28,4 @@ check_source_classification(values) {
 
 check_source_classification(values) {
 	source.classification in values
-}
+}

apps/authz/src/app/opa/rego/lib/criterias/transfer_token.rego

@@ -62,4 +62,4 @@ check_transfer_token_operation(operation) {
 check_transfer_token_operation(operation) {
 	operation.operator == "lte"
 	operation.value >= input.intent.amount
-}
+}

apps/authz/src/app/opa/rego/lib/data.json

@@ -22,7 +22,7 @@
             "uid": "eip155:eoa:0xddcf208f219a6e6af072f2cfdc615b2c1805f98e",
             "address": "0xddcf208f219a6e6af072f2cfdc615b2c1805f98e",
             "accountType": "eoa",
-            "assignees": ["test-bob-uid", "test-bar-uid"]
+            "assignees": ["test-bob-uid", "test-bar-uid", "test-foo-uid"]
         }},
         "user_groups": {
             "test-user-group-one-uid": {

apps/authz/src/app/opa/rego/lib/input.json

@@ -1,6 +1,6 @@
 {
   "action": "signTransaction",
-  "principal": {"uid": "test-bob-uid"},
+  "principal": {"uid": "test-foo-uid"},
   "resource": {"uid": "eip155:eoa:0xddcf208f219a6e6af072f2cfdc615b2c1805f98e"},
   "request": {
       "type": "eip1559",

apps/authz/src/app/opa/rego/lib/main.rego

@@ -12,21 +12,22 @@ default evaluate := {
 }
 
 evaluate := decision {
-	confirm_set := {p | p = permit[_]}
+	permit_set := {p | p = permit[_]}
 	forbid_set := {f | f = forbid[_]}
-	count(confirm_set) > 0
+
 	count(forbid_set) == 0
+	count(permit_set) > 0
 
-	# If ALL Approval in confirm_set has count(approval.approvalsMissing) == 0, set "permit": true.
+	# If ALL Approval in permit_set has count(approval.approvalsMissing) == 0, set "permit": true.
 	# We "Stack" approvals, so multiple polices that match & each have different requirements, ALL must succeed.
 	# If you want to avoid this, the rules should get upper bounded so they're mutually exlusive, but that's done at the policy-builder time, not here.
 
-	# Filter confirm_set to only include objects where approvalsMissing is empty
-	filtered_confirm_set := {p | p = confirm_set[_]; count(p.approvalsMissing) == 0}
+	# Filter permit_set to only include objects where approvalsMissing is empty
+	filtered_permit_set := {p | p = permit_set[_]; count(p.approvalsMissing) == 0}
 
 	decision := {
-		"permit": count(filtered_confirm_set) == count(confirm_set),
-		"reasons": confirm_set,
+		"permit": count(filtered_permit_set) == count(permit_set),
+		"reasons": permit_set,
 	}
 }
 
@@ -44,6 +45,16 @@ evaluate := decision {
 	}
 }
 
-forbid[{"policyId": "test-forbid-policy"}] {
-	2 == 1
+permit[{"policyId": "allow-root-user"}] := reason {
+	is_principal_root_user
+
+	reason := {
+		"policyId": "allow-root-user",
+		"approvalsSatisfied": [],
+		"approvalsMissing": [],
+	}
+}
+
+forbid[{"policyId": "default-forbid-policy"}] {
+	false
 }

apps/authz/src/app/opa/rego/lib/utils/utils.rego

@@ -73,4 +73,4 @@ signers_groups = result {
 check_transfer_resource_integrity {
 	contains(input.resource.uid, input.request.from)
 	input.resource.uid == input.intent.from.uid
-}
+}