diff --git a/apps/authz/Makefile b/apps/authz/Makefile
index 5ccfb31ce..b2b98b316 100644
--- a/apps/authz/Makefile
+++ b/apps/authz/Makefile
@@ -52,6 +52,7 @@ authz/rego/bundle:
 	opa build \
 		--bundle ${AUTHZ_PROJECT_DIR}/src/app/opa/rego \
+		--ignore "__test__" \
 		--output ${AUTHZ_PROJECT_DIR}/src/app/opa/rego/build/policies.tar.gz
 
 authz/rego/eval:
diff --git a/apps/authz/src/app/opa/rego/lib/main.rego b/apps/authz/src/app/opa/rego/lib/main.rego
index cefd4bec3..a7ff90ff2 100644
--- a/apps/authz/src/app/opa/rego/lib/main.rego
+++ b/apps/authz/src/app/opa/rego/lib/main.rego
@@ -2,7 +2,7 @@ package main
 
 import future.keywords.in
 
-evaluate := {
+default evaluate := {
 	"permit": false,
 	"reasons": set(),
 	# The default flag indicates whether the rule was evaluated as expected or if
@@ -11,9 +11,23 @@ evaluate := {
 	"default": true,
 }
 
-permit[{}] := {}
+permit[{"policyId": "permit-default-policy"}] := reason {
+	false
 
-forbid[{}] := {}
+	reason := {
+		"policyId": "permit-default-policy",
+		"reason": "This is the default policy, it always returns false.",
+	}
+}
+
+forbid[{"policyId": "frobid-default-policy"}] := reason {
+	false
+
+	reason := {
+		"policyId": "forbid-default-policy",
+		"reason": "This is the default policy, it always returns false.",
+	}
+}
 
 evaluate := decision {
 	permit_set := {p | p = permit[_]}
@@ -45,6 +59,6 @@ evaluate := decision {
 	# TODO: forbid rules need the same response structure as permit so we can have the policyId
 	decision := {
 		"permit": false,
-		"reasons": set(),
+		"reasons": forbid_set,
 	}
 }
diff --git a/apps/authz/src/app/opa/rego/policies/policy1.rego b/apps/authz/src/app/opa/rego/policies/policy1.rego
index 392921118..d0d32b14b 100644
--- a/apps/authz/src/app/opa/rego/policies/policy1.rego
+++ b/apps/authz/src/app/opa/rego/policies/policy1.rego
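Review bot: `--ignore "__test__"` only excludes entries whose base name matches that glob, so any `*_test.rego` files that sit next to the policies (the layout `opa test` discovers by default) would still be packed into `policies.tar.gz`, and their `permit` rules would take part in production decisions. If such files exist in the tree, add a second pattern on the same build, `--ignore "*_test.rego" \`. A one-line comment above `opa build` saying why test packages must never ship in the bundle would make the intent survive future edits.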
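Review bot: The rule key and the reason disagree in the new forbid default rule: the key reads `"policyId": "frobid-default-policy"` while the reason body says `forbid-default-policy`. Neither default rule can fire because of the bare `false` in its body, so this is inert today, but as soon as someone drops the `false` the key stops identifying the policy and the mismatch surfaces in decisions. Change the key to `forbid[{"policyId": "forbid-default-policy"}] := reason {`, and consider a one-line comment above each of the two rules explaining that the `false` keeps them inert and that they exist only to give `permit` and `forbid` a defined key/reason shape.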
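Review bot: The `# TODO: forbid rules need the same response structure as permit so we can have the policyId` line directly above `decision := {` is now stale, since this hunk starts returning `forbid_set` as the reasons and the default forbid rule added in the same commit gives forbid entries the `{"policyId", "reason"}` shape; either drop it or narrow it to what is still missing, for example that nothing checks every forbid rule actually uses that shape. Note also that the deny branch now echoes forbid reasons to the caller; that is fine for a trusted service-to-service response, but if the decision is relayed to the end user it reveals which forbid policies matched, which is worth confirming. The enclosing `evaluate := decision {` rule starts outside the hunk, and `forbid_set` is presumably bound there.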
@@ -5,8 +5,10 @@ import future.keywords.in
 permit[{"policyId": "test-policy-1"}] := reason {
 	check_principal
 
-	check_transfer_token_type({"transferToken"})
-	check_transfer_token_address({"0x2791bca1f2de4661ed88a30c99a7a9449aa84174"})
+	input.action == "signTransaction"
+
+	check_transfer_token_type({"transferERC20"})
+	check_transfer_token_address({"eip155:137/erc20:0x2791bca1f2de4661ed88a30c99a7a9449aa84174"})
 	check_transfer_token_operation({"operator": "lte", "value": "1000000000000000000"})
 
 	approvalsRequired = [{
diff --git a/apps/authz/src/app/opa/rego/policies/policy2.rego b/apps/authz/src/app/opa/rego/policies/policy2.rego
index c1b0bd30d..987226af6 100644
--- a/apps/authz/src/app/opa/rego/policies/policy2.rego
+++ b/apps/authz/src/app/opa/rego/policies/policy2.rego
@@ -5,8 +5,10 @@ import future.keywords.in
 permit[{"policyId": "test-policy-2"}] := reason {
 	check_principal
 
-	check_transfer_token_type({"transferToken"})
-	check_transfer_token_address({"0x2791bca1f2de4661ed88a30c99a7a9449aa84174"})
+	input.action == "signTransaction"
+
+	check_transfer_token_type({"transferERC20"})
+	check_transfer_token_address({"eip155:137/erc20:0x2791bca1f2de4661ed88a30c99a7a9449aa84174"})
 	check_transfer_token_operation({"operator": "lte", "value": "1000000000000000000"})
 
 	approvalsRequired = [{
diff --git a/apps/authz/src/app/opa/rego/policies/policy3.rego b/apps/authz/src/app/opa/rego/policies/policy3.rego
index 879f9d518..1176ca66e 100644
--- a/apps/authz/src/app/opa/rego/policies/policy3.rego
+++ b/apps/authz/src/app/opa/rego/policies/policy3.rego
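Review bot: The threshold is still passed as the string `"1000000000000000000"` to `check_transfer_token_operation({"operator": "lte", ...})`, and the hunk does not show how the helper compares it; if it compares strings rather than numbers, an input amount with a leading zero such as `"0999999999999999999999"` sorts below the threshold and would be permitted. Please confirm the helper converts both sides with `to_number` before comparing, or pass the threshold as a number. Separately, the new address `eip155:137/erc20:0x2791...` is lower-case hex; if `check_transfer_token_address` is a plain set-membership test, an EIP-55 checksummed address in the input fails closed, which is safe but should be stated, e.g. `# CAIP-19 asset id; the address part must be lower-case hex` above the call. The rule body continues past `approvalsRequired = [{` outside the hunk.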
@@ -5,9 +5,11 @@ import future.keywords.in
 permit[{"policyId": "test-policy-3"}] := reason {
 	check_principal
 
-	check_transfer_token_type({"transferToken"})
-	check_transfer_token_address({"0x2791bca1f2de4661ed88a30c99a7a9449aa84174"})
-	check_transfer_token_operation({"operator": "eq", "value": "1000000000000000000"})
+	input.action == "signTransaction"
+
+	check_transfer_token_type({"transferERC20"})
+	check_transfer_token_address({"eip155:137/erc20:0x2791bca1f2de4661ed88a30c99a7a9449aa84174"})
+	check_transfer_token_operation({"operator": "lte", "value": "1000000000000000000"})
 
 	approvalsRequired = [{
 		"threshold": 2,
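Review bot: The operator on `check_transfer_token_operation` changes from `"eq"` to `"lte"`, which widens test-policy-3 from "exactly this amount" to "at most this amount" and makes its conditions identical to test-policy-1 and test-policy-2, so the `eq` operator is no longer exercised by any policy. If the goal was only to add the `signTransaction` action and the new token type and address formats, keep `check_transfer_token_operation({"operator": "eq", "value": "1000000000000000000"})` here; if the widening is intended, a short comment saying why three policies now share the same conditions would help the next reader. The rule continues past `"threshold": 2,` outside the hunk.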