Enhancement: Enforcing Superset Access Check for Approving Apps

[sitaram-kalluri]

Is your feature request related to a problem? Please describe.

Implement a feature to ensure that an "approving" app can only approve enrollment requests if it has access to all the namespaces requested by the "enrolling" app. If the approving app lacks access to any of the namespaces included in the enrollment request, it should not be able to approve the request.

Describe the solution you'd like

• When executing "enroll:approve" add a check on the client/server to verify the list of namespaces the approving app is authorized for. If the approving app is not authorized for any namespace in the enrollment request, return an exception.

[sitaram-kalluri]

A current pull request includes changes in secondary server (at_server) to prevent approval or denial of enrollment request if the approving app lacks authorization for the namespaces specified in the enrollment request.

Additionally, to avoid unnecessary notifications in the approving app, proposing the following implementation: In the at_client SDK, when a notification is received, check if it pertains to an enrollment request. If it does, verify whether the approving app has authorization for the namespaces in the request. If authorized, forward the notification to the app; otherwise, ignore the notification.

@gkc : Please share your thoughts on this.

[gkc]

@sitaram-kalluri Good idea, makes sense to me