Normal users should not be able to create/end leases for other people

[joshmarsh]

Is your feature request related to a problem? Please describe.
While authenticating with temporary sts credentials mapped to a cognito user called testuser, I observed the following behavior.

~ dce leases create --budget-amount 100.0 --budget-currency USD --email jane.doe@optum.com --principle-id jdoe99
Lease created: {"accountId":"XXX","budgetAmount":100,"budgetCurrency":"USD","budgetNotificationEmails":["jane.doe@optum.com"],"createdOn":1574347343,"expiresOn":1574952143,"id":"d7586b82-2b57-4ba0-9469-ba59d865e823","lastModifiedOn":1574347343,"leaseStatus":"Active","leaseStatusModifiedOn":1574347343,"leaseStatusReason":"Active","principalId":"jdoe99"}
~ dce leases end --account-id XXX --principle-id jdoe99
Lease ended

Describe the solution you'd like
Respond with 403 for any leases requests involving a principaID that is not your own.

[joshmarsh]

Related CLI Issue: Optum/dce-cli#37

[eschwartz]

For sure.

We should probably step back and look at a authorization strategy for all our endpoints....

[kddejong]

agreed. Users when creating a lease shouldn't provide their principal. Admins should be able to override that value. I think these are things that get easier to do when we getting some of the code changes in.

[kapilt]

and a security oriented review