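/// <summary>
/// Builds the delegation response for a request "mask": one response policy per mask
/// policy, each carrying a single Permit or Deny rule derived from the delegation evidence.
/// </summary>
/// <param name="maskPolicySet">The requested (mask) policies; exactly one response policy is produced per entry.</param>
/// <param name="evidencePolicySet">The delegation evidence. Its MaxDelegationDepth and Target are copied verbatim onto the response.</param>
/// <returns>A new <see cref="PolicySet"/> populated through <c>AddRuleAndPolicy</c>, one rule per mask policy.</returns>
/// <exception cref="System.ArgumentNullException">Either argument is null.</exception>
/// <remarks>
/// Decision is default-deny: a mask policy is permitted only when at least one evidence
/// policy matches it (per <c>IsMatchingPolicy</c>, defined elsewhere in this file) and none
/// of those matching policies carries a Deny rule covering the requested resource
/// (per <c>AccessDeniedToContainers</c>). Any other situation yields Deny.
/// </remarks>
private static PolicySet GetResponsePolicySet(DelegationRequestPolicySet maskPolicySet, PolicySet evidencePolicySet)
{
    if (maskPolicySet == null) throw new System.ArgumentNullException(nameof(maskPolicySet));
    if (evidencePolicySet == null) throw new System.ArgumentNullException(nameof(evidencePolicySet));

    var responsePolicySet = new PolicySet
    {
        MaxDelegationDepth = evidencePolicySet.MaxDelegationDepth,
        Target = evidencePolicySet.Target,
        Policies = new List<Policy>()
    };

    foreach (var maskPolicy in maskPolicySet.Policies)
    {
        // Materialize once: the match set is consulted twice below (existence check, then
        // deny scan). A deferred query would re-run IsMatchingPolicy over all evidence
        // policies on the second pass.
        var matchingPolicies = evidencePolicySet.Policies
            .Where(e => IsMatchingPolicy(maskPolicy, e))
            .ToList();

        var responsePolicy = new Policy
        {
            Target = maskPolicy.Target,
            Rules = new List<PolicyRule>()
        };

        // Permit requires both: some evidence matches, and no matching evidence denies.
        var permitted = matchingPolicies.Count > 0
            && !matchingPolicies.Any(e => AccessDeniedToContainers(maskPolicy, e));
        var rule = permitted ? PolicyRule.Permit() : PolicyRule.Deny();

        AddRuleAndPolicy(responsePolicySet, responsePolicy, rule);
    }

    return responsePolicySet;
}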
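/// <summary>
/// Returns true when <paramref name="evidencePolicy"/> contains a Deny rule whose resource
/// covers the resource requested by <paramref name="maskPolicy"/>.
/// </summary>
/// <param name="maskPolicy">The requested policy; its Target.Resource is the resource being checked.</param>
/// <param name="evidencePolicy">An evidence policy whose Rules are scanned for a covering Deny.</param>
/// <returns>True if any Deny rule covers the mask resource; otherwise false.</returns>
/// <exception cref="System.ArgumentNullException">Either argument is null.</exception>
/// <remarks>
/// Semantics are deny-overrides: one covering Deny rule anywhere in the evidence is enough,
/// independent of rule order and of any Permit rules present. A rule covers the mask
/// resource when (1) the resource types are equal, (2) the mask has at least one identifier
/// and the rule lists "*" or one of those identifiers, and (3) the mask has at least one
/// attribute and the rule lists "*" or one of those attributes. All string matches are exact
/// (ordinal) collection membership tests. A mask with an empty identifier or attribute list
/// is therefore never reported as denied by this check.
/// NOTE(review): "*" on the mask side is not expanded — a mask requesting "*" is only matched
/// by a rule that itself lists "*", so a Deny naming a specific identifier does not cover a
/// wildcard request here. Whether that is intended depends on IsMatchingPolicy; confirm.
/// </remarks>
private static bool AccessDeniedToContainers(Policy maskPolicy, Policy evidencePolicy)
{
    if (maskPolicy == null) throw new System.ArgumentNullException(nameof(maskPolicy));
    if (evidencePolicy == null) throw new System.ArgumentNullException(nameof(evidencePolicy));

    // Hoisted: the original re-created PolicyRule.Deny() once per rule inspected.
    var denyEffect = PolicyRule.Deny().Effect;
    var maskResource = maskPolicy.Target.Resource;

    // The original reversed a copy of the rule list before scanning; order cannot change
    // the outcome of an existence check, so the copy and reversal are dropped.
    return evidencePolicy.Rules.Any(rule =>
    {
        if (rule.Effect != denyEffect)
        {
            return false;
        }

        var ruleResource = rule.Target.Resource;
        if (maskResource.Type != ruleResource.Type)
        {
            return false;
        }

        // Both checks are anchored on the mask's own lists: an empty mask list yields false
        // even when the rule carries the "*" wildcard (preserves original behaviour).
        var identifierCovered = maskResource.Identifiers.Any(id =>
            ruleResource.Identifiers.Contains("*") || ruleResource.Identifiers.Contains(id));
        var attributeCovered = maskResource.Attributes.Any(att =>
            ruleResource.Attributes.Contains("*") || ruleResource.Attributes.Contains(att));

        return identifierCovered && attributeCovered;
    });
}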