
Bug: Policies with broad Deny statements are incorrectly interpreted as internet accessible

Open tweedge opened this issue 1 year ago • 0 comments

Pulling an example from the AWS documentation for API Gateway resource policies here:

% cat test.py
from policyuniverse.policy import Policy
from json import loads
from pprint import pprint

json_policy = loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": [
                "execute-api:/*"
            ]
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": [
                "execute-api:/*"
            ],
            "Condition" : {
                "StringNotEquals": {
                   "aws:SourceVpc": "vpc-1a2b3c4d"
                }
            }
        }
    ]
}
""")

pu_policy = Policy(json_policy)
pprint(pu_policy.is_internet_accessible())

% python3 test.py
True

This is because Policy Universe interprets each statement's internet accessibility separately, marking the policy as internet accessible if any statement individually appears internet accessible, and does not include logic for explicit Deny statements taking precedence over Allow statements.

I'm investigating some options for fixing this, though unfortunately it seems a bit of a lift. Will create a PR if I come up with something clean!

tweedge avatar Oct 05 '22 17:10 tweedge
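To make the gap described in the issue concrete, here is an added, stand-alone example (not policyuniverse's code and not from the issue author) that puts the per-statement check next to a deny-aware one. It assumes a deliberately simplified evaluation model: an Allow to `*` with no Condition is treated as public, and a Deny to `*` cancels such an Allow when it covers the same actions and resources and either has no Condition or uses a negated operator (`StringNotEquals`, `NotIpAddress`, ...) on a source-binding key such as `aws:SourceVpc`. The condition-key and operator lists, the wildcard matcher, and every policy other than the one copied from the issue are constructed for this example; `NotAction`, `NotResource`, `...IfExists` operators and principal-level conditions are out of scope.

```python
"""Deny-aware internet-accessibility check for an IAM-style resource policy (illustrative only)."""
import json
import re

# Assumed list of condition keys that tie a request to a specific network or account.
SOURCE_KEYS = {
    "aws:sourcevpc", "aws:sourcevpce", "aws:sourceip",
    "aws:principalorgid", "aws:principalaccount", "aws:sourceaccount", "aws:sourcearn",
}
# Negated operators: a Deny using one of these denies everyone *except* the listed values.
NEGATED_OPERATORS = {
    "stringnotequals", "stringnotequalsignorecase", "stringnotlike",
    "notipaddress", "arnnotequals", "arnnotlike",
}


def as_list(value):
    return value if isinstance(value, list) else [value]


def principal_is_everyone(principal):
    """'*' or {"AWS": "*"} means any caller, including the unauthenticated internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS", []))
    return False


def glob_covers(pattern, target):
    """IAM-style wildcard match ('*' and '?'); case-insensitive as a simplification."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, target, re.IGNORECASE) is not None


def covers_all(deny_patterns, allow_values):
    """Every Allow action/resource must be matched by at least one Deny pattern."""
    return all(any(glob_covers(d, a) for d in deny_patterns) for a in allow_values)


def statement_is_public(stmt):
    """Simplified rule: an unconditional Allow to everyone is public."""
    return (stmt.get("Effect") == "Allow"
            and principal_is_everyone(stmt.get("Principal"))
            and "Condition" not in stmt)


def deny_restricts_to_source(stmt):
    """Deny to everyone, either unconditional or aimed at everyone outside a named source."""
    if stmt.get("Effect") != "Deny" or not principal_is_everyone(stmt.get("Principal")):
        return False
    condition = stmt.get("Condition")
    if not condition:
        return True  # denies every caller outright
    for operator, keys in condition.items():
        if operator.lower() in NEGATED_OPERATORS and any(k.lower() in SOURCE_KEYS for k in keys):
            return True
    return False


def deny_cancels_allow(deny, allow):
    return (deny_restricts_to_source(deny)
            and covers_all(as_list(deny.get("Action", [])), as_list(allow.get("Action", [])))
            and covers_all(as_list(deny.get("Resource", [])), as_list(allow.get("Resource", []))))


def naive_is_internet_accessible(policy):
    """Per-statement check as the issue describes it: any public Allow wins, Deny is ignored."""
    return any(statement_is_public(s) for s in as_list(policy["Statement"]))


def is_internet_accessible(policy):
    """Deny-aware check: a public Allow counts only if no Deny statement cancels it."""
    statements = as_list(policy["Statement"])
    denies = [s for s in statements if s.get("Effect") == "Deny"]
    return any(statement_is_public(a) and not any(deny_cancels_allow(d, a) for d in denies)
               for a in statements)


# The policy from the issue: Allow everyone, then Deny everyone outside vpc-1a2b3c4d.
VPC_RESTRICTED_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke", "Resource": ["execute-api:/*"]},
  {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke", "Resource": ["execute-api:/*"],
   "Condition": {"StringNotEquals": {"aws:SourceVpc": "vpc-1a2b3c4d"}}}]}
""")

# Constructed counter-example: this Deny only blocks one VPC, so the API stays public.
SINGLE_VPC_DENY_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke", "Resource": ["execute-api:/*"]},
  {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke", "Resource": ["execute-api:/*"],
   "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-1a2b3c4d"}}}]}
""")

# Constructed: the Deny covers a different action, so the public Allow is untouched.
NARROW_DENY_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
""")

# Constructed: a blanket Deny with no Condition makes the whole policy closed.
UNCONDITIONAL_DENY_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke", "Resource": ["execute-api:/*"]},
  {"Effect": "Deny", "Principal": "*", "Action": "*", "Resource": "*"}]}
""")

if __name__ == "__main__":
    for name, pol in [("vpc-restricted", VPC_RESTRICTED_POLICY), ("single-vpc-deny", SINGLE_VPC_DENY_POLICY),
                      ("narrow-deny", NARROW_DENY_POLICY), ("unconditional-deny", UNCONDITIONAL_DENY_POLICY)]:
        print(f"{name:20} naive={naive_is_internet_accessible(pol)!s:5} deny-aware={is_internet_accessible(pol)}")
```

The first policy is exactly the case from the issue: the naive check reports `True` because the Allow alone looks public, while the deny-aware check reports `False` because the second statement denies every caller not in the named VPC. The other three policies show why a fix cannot simply treat any Deny as closing the policy: a Deny that targets one source, or a different action, leaves the public Allow in force, whereas an unconditional blanket Deny does close it.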