private static PolicySet GetResponsePolicySet(DelegationRequestPolicySet maskPolicySet, PolicySet evidencePolicySet)
{
var responsePolicySet = new PolicySet
{
MaxDelegationDepth = evidencePolicySet.MaxDelegationDepth,
Target = evidencePolicySet.Target,
Policies = new List <Policy>()
};
foreach (var maskPolicy in maskPolicySet.Policies)
{
var matchingPolicies = evidencePolicySet.Policies.Where(e => IsMatchingPolicy(maskPolicy, e));
var responsePolicy = new Policy
{
Target = maskPolicy.Target,
Rules = new List <PolicyRule>()
};
var rule = PolicyRule.Permit();
if (!matchingPolicies.Any() || matchingPolicies.Any(e => AccessDeniedToContainers(maskPolicy, e)))
{
rule = PolicyRule.Deny();
}
AddRuleAndPolicy(responsePolicySet, responsePolicy, rule);
}
return(responsePolicySet);
}
public DelegationMask(IReadOnlyCollection <string> identifiers,
string policyIssuer,
string accessSubject,
IReadOnlyCollection <string> attributes,
IReadOnlyCollection <string> actions,
string resourceType,
string serviceProvider)
{
var policy = new Policy
{
Target = new PolicyTarget
{
Resource = new PolicyTargetResource
{
Type = resourceType,
Identifiers = identifiers.ToList(),
Attributes = attributes.ToList()
},
Actions = actions.ToList(),
Environment = new PolicyTargetEnvironment
{
ServiceProviders = new List <string> {
serviceProvider
}
}
},
Rules = new List <PolicyRule>
{
PolicyRule.Permit()
}
};
var policySet = new DelegationRequestPolicySet
{
Policies = new List <Policy>
{
policy
}
};
var request = new DelegationRequest
{
PolicyIssuer = policyIssuer,
Target = new Target
{
AccessSubject = accessSubject
},
PolicySets = new List <DelegationRequestPolicySet>
{
policySet
}
};
DelegationRequest = request;
}
public DelegationMask(string containerId,
string policyIssuer,
string accessSubject,
IReadOnlyCollection <string> attributes,
string action,
string resourceType = "CONTAINER.DATA")
{
var policy = new Policy
{
Target = new PolicyTarget
{
Resource = new PolicyTargetResource
{
Type = resourceType,
Identifiers = new List <string>
{
containerId.ToUpper(CultureInfo.CurrentCulture)
},
Attributes = attributes.ToList()
},
Actions = new List <string>
{
action.ToUpper(CultureInfo.CurrentCulture)
}
},
Rules = new List <PolicyRule>
{
PolicyRule.Permit()
}
};
var policySet = new DelegationRequestPolicySet
{
Policies = new List <Policy>
{
policy
}
};
var request = new DelegationRequest
{
PolicyIssuer = policyIssuer,
Target = new Target
{
AccessSubject = accessSubject
},
PolicySets = new List <DelegationRequestPolicySet>
{
policySet
}
};
DelegationRequest = request;
}
public DelegationMask(string containerId, string policyIssuer, string accessSubject, string attribute, string action)
{
var type = "CONTAINER.DATA";
var policy = new Policy
{
Target = new PolicyTarget
{
Resource = new PolicyTargetResource
{
Type = type,
Identifiers = new List <string>()
{
containerId.ToUpper()
},
Attributes = new List <string>()
{
type + ".ATTRIBUTE." + attribute?.ToUpper()
}
},
Actions = new List <string>()
{
"ISHARE." + action.ToUpper()
},
},
Rules = new List <PolicyRule>()
{
PolicyRule.Permit()
}
};
var policySet = new DelegationRequestPolicySet
{
Policies = new List <Policy>()
{
policy
}
};
var request = new DelegationRequest
{
PolicyIssuer = policyIssuer,
Target = new Target
{
AccessSubject = accessSubject
},
PolicySets = new List <DelegationRequestPolicySet>()
{
policySet
}
};
DelegationRequest = request;
}
public ValidationResult Validate(DelegationMask delegationMask)
{
var policySets = delegationMask.DelegationRequest.PolicySets;
for (int i = 0; i < policySets.Count; i++)
{
var policies = policySets[i].Policies;
for (int j = 0; j < policies.Count; j++)
{
if (!policies[j].Rules.Any(r => r.Effect == PolicyRule.Permit().Effect))
{
return(ValidationResult.Invalid(
"delegationRequest.policySets[" + i + "].policies[" + j + "] does not contain a rule with the Effect 'Permit'"));
}
}
}
return(ValidationResult.Valid());
}
