Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enhancement: Enforcing Superset Access Check for Approving Apps #2016

Closed
sitaram-kalluri opened this issue Jul 8, 2024 · 2 comments · Fixed by #2023
Closed

Enhancement: Enforcing Superset Access Check for Approving Apps #2016

sitaram-kalluri opened this issue Jul 8, 2024 · 2 comments · Fixed by #2023
Assignees
@sitaram-kalluri
Labels
enhancement New feature or request

Comments

@sitaram-kalluri
Copy link
Member

sitaram-kalluri commented Jul 8, 2024
edited
Loading

Is your feature request related to a problem? Please describe.

Implement a feature to ensure that an "approving" app can only approve enrollment requests if it has access to all the namespaces requested by the "enrolling" app. If the approving app lacks access to any of the namespaces included in the enrollment request, it should not be able to approve the request.

Describe the solution you'd like

  • When executing "enroll:approve" add a check on the client/server to verify the list of namespaces the approving app is authorized for. If the approving app is not authorized for any namespace in the enrollment request, return an exception.
@sitaram-kalluri sitaram-kalluri added the enhancement New feature or request label Jul 8, 2024
@sitaram-kalluri sitaram-kalluri self-assigned this Jul 8, 2024
@sitaram-kalluri sitaram-kalluri linked a pull request Jul 11, 2024 that will close this issue
feat: Enforce superset access check for approving apps #2023
Merged
@sitaram-kalluri
Copy link
Member Author

sitaram-kalluri commented Jul 11, 2024
edited
Loading

A current pull request includes changes in secondary server (at_server) to prevent approval or denial of enrollment request if the approving app lacks authorization for the namespaces specified in the enrollment request.

Additionally, to avoid unnecessary notifications in the approving app, proposing the following implementation: In the at_client SDK, when a notification is received, check if it pertains to an enrollment request. If it does, verify whether the approving app has authorization for the namespaces in the request. If authorized, forward the notification to the app; otherwise, ignore the notification.

@gkc : Please share your thoughts on this.

@gkc
Copy link
Contributor

gkc commented Jul 11, 2024

@sitaram-kalluri Good idea, makes sense to me

@gkc gkc closed this as completed in #2023 Jul 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sitaram-kalluri sitaram-kalluri

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: Enforce superset access check for approving apps atsign-foundation/at_server
2 participants
@gkc @sitaram-kalluri