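        /// <summary>
        /// Builds the policy set returned for a delegation request by checking each requested
        /// (mask) policy against the evidence policy set.
        /// </summary>
        /// <param name="maskPolicySet">The requested policies; one response policy is emitted per mask policy, carrying the mask policy's target.</param>
        /// <param name="evidencePolicySet">The policies the decision is made against; its delegation depth and target are copied onto the response.</param>
        /// <returns>
        /// A <see cref="PolicySet"/> with one policy per mask policy. Each policy is given a single rule:
        /// Permit only when at least one evidence policy matches the mask policy (per <see cref="IsMatchingPolicy"/>)
        /// and none of the matching policies denies the requested containers (per <see cref="AccessDeniedToContainers"/>);
        /// in every other case the rule is Deny.
        /// </returns>
        private static PolicySet GetResponsePolicySet(DelegationRequestPolicySet maskPolicySet, PolicySet evidencePolicySet)
        {
            var responsePolicySet = new PolicySet
            {
                MaxDelegationDepth = evidencePolicySet.MaxDelegationDepth,
                Target             = evidencePolicySet.Target,
                Policies           = new List<Policy>()
            };

            foreach (var maskPolicy in maskPolicySet.Policies)
            {
                // Materialize once: the result is consulted twice below, and a deferred query
                // would re-run IsMatchingPolicy over the whole evidence set on the second pass.
                var matchingPolicies = evidencePolicySet.Policies
                    .Where(e => IsMatchingPolicy(maskPolicy, e))
                    .ToList();

                var responsePolicy = new Policy
                {
                    Target = maskPolicy.Target,
                    Rules  = new List<PolicyRule>()
                };

                // Fail closed: no matching evidence, or any matching policy that denies the
                // requested containers, results in Deny. Permit needs positive evidence.
                var denied = matchingPolicies.Count == 0
                             || matchingPolicies.Any(e => AccessDeniedToContainers(maskPolicy, e));

                var rule = denied ? PolicyRule.Deny() : PolicyRule.Permit();

                AddRuleAndPolicy(responsePolicySet, responsePolicy, rule);
            }

            return responsePolicySet;
        }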
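        /// <summary>
        /// Determines whether <paramref name="evidencePolicy"/> contains a Deny rule that covers
        /// the resource requested by <paramref name="maskPolicy"/>.
        /// </summary>
        /// <param name="maskPolicy">The requested policy; its target resource is what is checked.</param>
        /// <param name="evidencePolicy">The policy whose rules are searched for a covering Deny.</param>
        /// <returns>
        /// <c>true</c> when some rule of <paramref name="evidencePolicy"/> has the Deny effect, the same
        /// resource type as the mask resource, and covers at least one mask identifier and at least one
        /// mask attribute. A rule-side value of "*" covers any mask value. Note that a mask resource with
        /// no identifiers or no attributes is never reported as denied, because <c>Any</c> over an empty
        /// sequence is false; callers relying on this check for a deny decision should be aware of that.
        /// </returns>
        private static bool AccessDeniedToContainers(Policy maskPolicy, Policy evidencePolicy)
        {
            // Resolve the Deny effect once rather than constructing a fresh rule for every comparison.
            var denyEffect = PolicyRule.Deny().Effect;

            var maskResource = maskPolicy.Target.Resource;

            // Rules are scanned last-to-first, as in the original implementation. Any() is
            // order-independent, so this only decides which rule short-circuits the scan.
            var rulesLastFirst = evidencePolicy.Rules.ToList();
            rulesLastFirst.Reverse();

            return rulesLastFirst.Any(rule =>
                rule.Effect == denyEffect
                && maskResource.Type == rule.Target.Resource.Type
                // "*" on the rule side is a wildcard matching every identifier / attribute.
                && maskResource.Identifiers.Any(mId =>
                       rule.Target.Resource.Identifiers.Contains("*")
                       || rule.Target.Resource.Identifiers.Contains(mId))
                && maskResource.Attributes.Any(mAtt =>
                       rule.Target.Resource.Attributes.Contains("*")
                       || rule.Target.Resource.Attributes.Contains(mAtt)));
        }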