How-to
Deny a specific sender
Goal
Block messages from a specific identity. The deny rule overrides any allow rule that would otherwise match.
Code
using HexaEight.Bridge;
using HexaEight.Bridge.Authorization;
var client = new Client();
var policies = (CasbinAuthorizationProvider)client.Authorization;
await policies.AddPolicyRuleAsync(new PolicyRule(
Sender: "[email protected]",
Destination: "self",
Realm: "default",
Direction: "inbound",
Effect: "deny")); Verifying the rule fired
var msg = await client.DecryptEnvelopeAsync(envelopeFromHacker);
Console.WriteLine($"Authorized: {msg.Authorized}"); // Denied
Console.WriteLine($"DenyTier: {msg.DenyTier}"); // Default
Console.WriteLine($"DenialReason: {msg.DenialReason}");
Console.WriteLine($"Body: {msg.Body}");
// Body: "redacted due to authorization enforcement" Blocking a whole domain
await policies.AddPolicyRuleAsync(new PolicyRule(
Sender: "*@evil.com",
Destination: "self",
Realm: "default",
Direction: "inbound",
Effect: "deny")); Blocking outbound to a destination
To prevent your agent from sending to a particular destination:
await policies.AddPolicyRuleAsync(new PolicyRule(
Sender: "*",
Destination: "untrusted-service.com",
Realm: "default",
Direction: "outbound",
Effect: "deny")); If your code calls EncryptEnvelopeAsync with that destination, the SDK throws instead of producing an envelope.
See also
- The authorization model Concept
- Allow a specific sender How-to
- Handle a denied message How-to