From 850e5cc2d4ef96a2dd2a43c9b8d4c1355eb7a148 Mon Sep 17 00:00:00 2001 From: Igor Pashev Date: Sat, 13 May 2017 23:09:56 +0300 Subject: Add end-point for checking access in a bunch --- README.md | 72 +++++++++++++++++++++++++++++++++++++++++++++------------------ 1 file changed, 52 insertions(+), 20 deletions(-) (limited to 'README.md') diff --git a/README.md b/README.md index 7795fd2..65f6839 100644 --- a/README.md +++ b/README.md 
@@ -140,32 +140,36 @@ Keep in mind that: - SQL wildcards (`_` and `%`) are supported for emails, paths (this _will_ change in future versions). -HTTP headers passed to the back-end server ------------------------------------------- +Checking access in a bunch +-------------------------- -All Sproxy headers are UTF8-encoded. +There is an API end-point for checking access rights in a single POST query: +`/.sproxy/access`. Users should be authenticated to use this end-point, +otherwise the respond will be HTTP 511. +The request body shall be a JSON object like this: -header | value --------------------- | ----- -`From:` | visitor's email address, lower case -`X-Groups:` | all groups that granted access to this resource, separated by commas (see the note below) -`X-Given-Name:` | the visitor's given (first) name -`X-Family-Name:` | the visitor's family (last) name -`X-Forwarded-Proto:` | the visitor's protocol of an HTTP request, always `https` -`X-Forwarded-For` | the visitor's IP address (added to the end of the list if header is already present in client request) +```json +{ + "tag1": {"path": "/foo", "method": "GET"}, + "tag2": {"path": "/bar", "method": "GET"} +} +``` +And the respond will contain a JSON array with tag matching path and method +pairs allowed to the user. For example: -`X-Groups` denotes an intersection of the groups the visitor belongs to and the groups that granted access: +```sh +$ curl -d '{"foo": {"path":"/get", "method":"GET"}, "bar": {"path":"/post", "method":"POST"}}' -XPOST -k 'https://example.ru:8443/.sproxy/access' ... 
+["foo","bar"] -Visitor's groups | Granted groups | `X-Groups` ----------------- | -------------- | --------- -all | all, devops | all -all, devops | all | all -all, devops | all, devops | all,devops -all, devops | devops | devops -devops | all, devops | devops -devops | all | Access denied +$ curl -d '{"foo": {"path":"/get", "method":"POST"}, "bar": {"path":"/post", "method":"POST"}}' -XPOST -k 'https://example.ru:8443/.sproxy/access' ... +["bar"] + +$ curl -d '{"foo": {"path":"/", "method":"POST"}, "bar": {"path":"/post", "method":"GET"}}' -XPOST -k 'https://example.ru:8443/.sproxy/access' ... +[] + +``` Logout @@ -188,6 +192,34 @@ Disallow: / ``` +HTTP headers passed to the back-end server +------------------------------------------ + +All Sproxy headers are UTF8-encoded. + + +header | value +-------------------- | ----- +`From:` | visitor's email address, lower case +`X-Groups:` | all groups that granted access to this resource, separated by commas (see the note below) +`X-Given-Name:` | the visitor's given (first) name +`X-Family-Name:` | the visitor's family (last) name +`X-Forwarded-Proto:` | the visitor's protocol of an HTTP request, always `https` +`X-Forwarded-For` | the visitor's IP address (added to the end of the list if header is already present in client request) + + +`X-Groups` denotes an intersection of the groups the visitor belongs to and the groups that granted access: + +Visitor's groups | Granted groups | `X-Groups` +---------------- | -------------- | --------- +all | all, devops | all +all, devops | all | all +all, devops | all, devops | all,devops +all, devops | devops | devops +devops | all, devops | devops +devops | all | Access denied + + Requirements ============ Sproxy2 is written in Haskell with [GHC](http://www.haskell.org/ghc/). -- cgit v1.2.3
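Review bot: in the first hunk (`@@ -140,32 +140,36 @@`) the new "Checking access in a bunch" section leaves the endpoint contract under-specified and has a few wording slips. "the respond will be HTTP 511" and "the respond will contain a JSON array" should read "the response"; "Users should be authenticated" should be "must be", since 511 is what they get otherwise. More importantly, please state (a) which request Content-Type the endpoint accepts and whether it is enforced: the curl examples use `-d` with no `-H 'Content-Type: application/json'`, so curl sends `application/x-www-form-urlencoded`, and a reader cannot tell whether the server checks the header at all; (b) what is returned for a malformed body or a tag object missing `path` or `method` (presumably a 4xx rather than `[]`, which would be indistinguishable from "nothing allowed"); (c) that the check is made for the authenticated visitor only, and whether it uses the same matching rules as a real request, including the SQL wildcards in paths mentioned in the context line just above the hunk; and (d) that the order of tags in the returned array is unspecified, since the request is a JSON object whose keys are unordered. Two example-level nits: the `...` after each curl command hides how the request is authenticated, so as written the commands would hit the 511 case described two paragraphs earlier; and `-k` disables certificate verification, which is better left out of documentation examples or flagged as only for a self-signed test instance.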
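Review bot: in the second hunk (`@@ -188,6 +192,34 @@`) the relocated `X-Forwarded-For` row says the visitor's address is "added to the end of the list if header is already present in client request"; since Sproxy appends rather than replaces, any earlier entries came from the client request, and the back-end must read the last element, not the first, to get the address Sproxy actually saw. That caveat belongs in the row, or in a note under the table, while the section is being moved anyway. Smaller style points: `X-Forwarded-For` is the only header name in the table without a trailing colon; "UTF8-encoded" is normally written "UTF-8"; and "the visitor's protocol of an HTTP request, always `https`" reads better as "the protocol the visitor used, always `https`".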