/*
 * QEMU authorization framework base class
 *
 * Copyright (c) 2018 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
 *
 */

#ifndef QAUTHZ_BASE_H
#define QAUTHZ_BASE_H

#include "qapi/error.h"
#include "qom/object.h"


/* QOM type name of the authorization base class, used by the checkers below. */
#define TYPE_QAUTHZ "authz"

typedef struct QAuthZ QAuthZ;
typedef struct QAuthZClass QAuthZClass;
/* Declares the QAUTHZ() family of type-checking cast macros (see qom/object.h). */
DECLARE_OBJ_CHECKERS(QAuthZ, QAuthZClass,
                     QAUTHZ, TYPE_QAUTHZ)


/**
 * QAuthZ:
 *
 * The QAuthZ class defines an API contract to be used
 * for providing an authorization driver for services
 * with user identities.
 *
 * The base object carries no state of its own beyond the
 * QOM parent; concrete drivers are expected to embed it
 * and provide the QAuthZClass::is_allowed callback.
 */

struct QAuthZ {
    Object parent_obj;
};


/**
 * QAuthZClass:
 * @parent_class: the QOM parent class
 * @is_allowed: driver callback deciding whether @identity is
 *     authorized. Presumably invoked by qauthz_is_allowed() below
 *     and expected to honour the same contract: return true only
 *     when @identity is authorized; on any failure return false
 *     (deny) and set @errp, never report an error alongside a
 *     true result.
 */
struct QAuthZClass {
    ObjectClass parent_class;

    bool (*is_allowed)(QAuthZ *authz,
                       const char *identity,
                       Error **errp);
};


/**
 * qauthz_is_allowed:
 * @authz: the authorization object
 * @identity: the user identity to authorize
 * @errp: pointer to a NULL initialized error object
 *
 * Check if a user @identity is authorized. If an error
 * occurs this method will return false to indicate
 * denial (i.e. it fails closed), as well as setting
 * @errp to contain the details.
 * Callers are recommended to treat the denial and error
 * scenarios identically. Specifically the error info in
 * @errp should never be fed back to the user being
 * authorized, it is merely for benefit of administrator
 * debugging.
 *
 * Returns: true if @identity is authorized, false if denied or if
 * an error occurred.
 */
bool qauthz_is_allowed(QAuthZ *authz,
                       const char *identity,
                       Error **errp);


/**
 * qauthz_is_allowed_by_id:
 * @authzid: ID of the authorization object
 * @identity: the user identity to authorize
 * @errp: pointer to a NULL initialized error object
 *
 * Check if a user @identity is authorized, resolving the
 * authorization object from @authzid. An @authzid that cannot
 * be resolved is presumably reported through @errp and thus
 * treated as denial — confirm against the implementation.
 * If an error occurs this method will return false to indicate
 * denial, as well as setting @errp to contain the details.
 * Callers are recommended to treat the denial and error
 * scenarios identically. Specifically the error info in
 * @errp should never be fed back to the user being
 * authorized, it is merely for benefit of administrator
 * debugging.
 *
 * Returns: true if @identity is authorized, false if denied or if
 * an error occurred.
 */
bool qauthz_is_allowed_by_id(const char *authzid,
                             const char *identity,
                             Error **errp);

#endif /* QAUTHZ_BASE_H */