at_server icon indicating copy to clipboard operation
at_server copied to clipboard

Published 20 hours ago verified publisher icon atsign-foundation

feat: Enforce superset access check for approving apps

Open sitaram-kalluri opened this issue 7 months ago • 2 comments

- What I did

  • Implement a verification process ensuring that only client possessing the super-set privileges or clients authorized for the specified namespaces in the enrollment request can approve it.

- How I did it

  • Add a new method called "verifyIfClientIsAuthorized" to the "enroll_verb_handler.dart" file to enforce the validation described above.

  • In the "verifyIfClientIsAuthorized" method, retrieve the enrollment ID from the inbound connection representing the client's enrollment ID. Then, obtain the enrollment details associated with this ID to verify if the client is authorized to approve or deny the enrollment request.

    • Allow client to perform enrollment operations if any of the below criteria are met:
      • If the client enrollment contains access to "__manage" namespace or "*" namespace, then it corresponds to admin privileges. So allow client to perform enrollment operations.
      • If the enrollment id is null, then client is authenticated via the PKAM which will have admin privileges.
      • If the client enrollment is authorized for the namespaces that are mentioned in the enrollment request.

  • Invoke "verifyIfClientIsAuthorized" method in "_handleEnrollmentOperations" to enforce the validation during the enrollment operations.

- How to verify it

  • Added the following unit tests:
    • A test to verify that the authorization check returns false when the client is not authorized for the requested namespace
    • A test to verify that the authorization check returns true when the client is authorized to the namespace
    • A test to verify that the authorization check returns true when the client is authorized for manage namespace
    • A test to verify that the authorization check returns true when the client is authorized to * namespaces
    • A test to verify that the authorization check returns true when the client is PKAM authentication and enrollment id is null
  • Added the following functional tests:
    • A test to assert that an authenticated connection without namespace authorization cannot approve-deny requests for that namespace
    • A test to assert that an authenticated connection without namespace authorization cannot revoke request for that namespace

- Description for the changelog

  • Enforce superset access check for approving apps

sitaram-kalluri avatar Jul 11 '24 06:07 sitaram-kalluri