author Igor Pashev <pashev.igor@gmail.com> 2017-05-13 23:09:56 +0300
committer Igor Pashev <pashev.igor@gmail.com> 2017-05-13 23:16:09 +0300
commit 850e5cc2d4ef96a2dd2a43c9b8d4c1355eb7a148 (patch)
tree 1ae2c8e9db2623235509a636e3e9a57ded083fae /README.md
parent 4e115cca1db6ded1c11d970bdb2372da0ff6eb95 (diff)
download sproxy2-850e5cc2d4ef96a2dd2a43c9b8d4c1355eb7a148.tar.gz
Add end-point for checking access in a bunch
Diffstat (limited to 'README.md')
-rw-r--r-- README.md 72
1 files changed, 52 insertions, 20 deletions
diff --git a/README.md b/README.md
index 7795fd2..65f6839 100644
--- a/README.md
+++ b/README.md
@@ -140,32 +140,36 @@ Keep in mind that:
- SQL wildcards (`_` and `%`) are supported for emails, paths (this _will_ change in future versions).
-HTTP headers passed to the back-end server
-------------------------------------------
+Checking access in a bunch
+--------------------------
-All Sproxy headers are UTF8-encoded.
+There is an API end-point for checking access rights in a single POST query:
+`/.sproxy/access`. Users should be authenticated to use this end-point,
+otherwise the respond will be HTTP 511.
+The request body shall be a JSON object like this:
-header | value
--------------------- | -----
-`From:` | visitor's email address, lower case
-`X-Groups:` | all groups that granted access to this resource, separated by commas (see the note below)
-`X-Given-Name:` | the visitor's given (first) name
-`X-Family-Name:` | the visitor's family (last) name
-`X-Forwarded-Proto:` | the visitor's protocol of an HTTP request, always `https`
-`X-Forwarded-For` | the visitor's IP address (added to the end of the list if header is already present in client request)
+```json
+{
+ "tag1": {"path": "/foo", "method": "GET"},
+ "tag2": {"path": "/bar", "method": "GET"}
+}
+```
+And the respond will contain a JSON array with tag matching path and method
+pairs allowed to the user. For example:
-`X-Groups` denotes an intersection of the groups the visitor belongs to and the groups that granted access:
+```sh
+$ curl -d '{"foo": {"path":"/get", "method":"GET"}, "bar": {"path":"/post", "method":"POST"}}' -XPOST -k 'https://example.ru:8443/.sproxy/access' ...
+["foo","bar"]
-Visitor's groups | Granted groups | `X-Groups`
----------------- | -------------- | ---------
-all | all, devops | all
-all, devops | all | all
-all, devops | all, devops | all,devops
-all, devops | devops | devops
-devops | all, devops | devops
-devops | all | Access denied
+$ curl -d '{"foo": {"path":"/get", "method":"POST"}, "bar": {"path":"/post", "method":"POST"}}' -XPOST -k 'https://example.ru:8443/.sproxy/access' ...
+["bar"]
+
+$ curl -d '{"foo": {"path":"/", "method":"POST"}, "bar": {"path":"/post", "method":"GET"}}' -XPOST -k 'https://example.ru:8443/.sproxy/access' ...
+[]
+
+```
Logout
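Review bot: All three curl examples in the added `sh` block pass `-k`, which turns off certificate verification against the same proxy that handles authentication; README commands get copied verbatim, so drop `-k` or state that it is only for a self-signed test certificate. The trailing `...` on each command also hides how the authenticated session is supplied, so a reader who runs the examples as shown can only expect the HTTP 511 case described above them. Wording: "the respond will be HTTP 511" and "And the respond will contain" should read "response". The section could also say what is returned when the body is not a JSON object of the documented shape, and there is a stray blank line before the closing fence.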
@@ -188,6 +192,34 @@ Disallow: /
```
+HTTP headers passed to the back-end server
+------------------------------------------
+
+All Sproxy headers are UTF8-encoded.
+
+
+header | value
+-------------------- | -----
+`From:` | visitor's email address, lower case
+`X-Groups:` | all groups that granted access to this resource, separated by commas (see the note below)
+`X-Given-Name:` | the visitor's given (first) name
+`X-Family-Name:` | the visitor's family (last) name
+`X-Forwarded-Proto:` | the visitor's protocol of an HTTP request, always `https`
+`X-Forwarded-For` | the visitor's IP address (added to the end of the list if header is already present in client request)
+
+
+`X-Groups` denotes an intersection of the groups the visitor belongs to and the groups that granted access:
+
+Visitor's groups | Granted groups | `X-Groups`
+---------------- | -------------- | ---------
+all | all, devops | all
+all, devops | all | all
+all, devops | all, devops | all,devops
+all, devops | devops | devops
+devops | all, devops | devops
+devops | all | Access denied
+
+
Requirements
============
Sproxy2 is written in Haskell with [GHC](http://www.haskell.org/ghc/).
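Review bot: The `X-Forwarded-For` row states that the address is appended when the header is already present in the client request, but the section does not say what happens to a client-supplied `From:`, `X-Groups:`, `X-Given-Name:` or `X-Family-Name:`. A back end that relies on these headers needs to know whether they are overwritten or stripped, so document that here, and note that only the last `X-Forwarded-For` entry is the one the proxy added. Style: `X-Forwarded-For` is the only header in the table without a trailing colon, and the doubled blank lines around both tables can be reduced to one.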