xref: /qemu/include/authz/base.h (revision 8110fa1d) 
1 /*
2  * QEMU authorization framework base class
3  *
4  * Copyright (c) 2018 Red Hat, Inc.
5  *
6  * This library is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU Lesser General Public
8  * License as published by the Free Software Foundation; either
9  * version 2 of the License, or (at your option) any later version.
10  *
11  * This library is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14  * Lesser General Public License for more details.
15  *
16  * You should have received a copy of the GNU Lesser General Public
17  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18  *
19  */
20 
21 #ifndef QAUTHZ_BASE_H
22 #define QAUTHZ_BASE_H
23 
24 #include "qapi/error.h"
25 #include "qom/object.h"
26 
27 
28 #define TYPE_QAUTHZ "authz"
29 
30 typedef struct QAuthZ QAuthZ;
31 typedef struct QAuthZClass QAuthZClass;
32 DECLARE_OBJ_CHECKERS(QAuthZ, QAuthZClass,
33                      QAUTHZ, TYPE_QAUTHZ)
34 
35 
36 /**
37  * QAuthZ:
38  *
39  * The QAuthZ class defines an API contract to be used
40  * for providing an authorization driver for services
41  * with user identities.
42  */
43 
44 struct QAuthZ {
45     Object parent_obj;
46 };
47 
48 
49 struct QAuthZClass {
50     ObjectClass parent_class;
51 
52     bool (*is_allowed)(QAuthZ *authz,
53                        const char *identity,
54                        Error **errp);
55 };
56 
57 
58 /**
59  * qauthz_is_allowed:
60  * @authz: the authorization object
61  * @identity: the user identity to authorize
62  * @errp: pointer to a NULL initialized error object
63  *
64  * Check if a user @identity is authorized. If an error
65  * occurs this method will return false to indicate
66  * denial, as well as setting @errp to contain the details.
67  * Callers are recommended to treat the denial and error
68  * scenarios identically. Specifically the error info in
69  * @errp should never be fed back to the user being
70  * authorized, it is merely for benefit of administrator
71  * debugging.
72  *
73  * Returns: true if @identity is authorized, false if denied or if
74  * an error occurred.
75  */
76 bool qauthz_is_allowed(QAuthZ *authz,
77                        const char *identity,
78                        Error **errp);
79 
80 
81 /**
82  * qauthz_is_allowed_by_id:
83  * @authzid: ID of the authorization object
84  * @identity: the user identity to authorize
85  * @errp: pointer to a NULL initialized error object
86  *
87  * Check if a user @identity is authorized. If an error
88  * occurs this method will return false to indicate
89  * denial, as well as setting @errp to contain the details.
90  * Callers are recommended to treat the denial and error
91  * scenarios identically. Specifically the error info in
92  * @errp should never be fed back to the user being
93  * authorized, it is merely for benefit of administrator
94  * debugging.
95  *
96  * Returns: true if @identity is authorized, false if denied or if
97  * an error occurred.
98  */
99 bool qauthz_is_allowed_by_id(const char *authzid,
100                              const char *identity,
101                              Error **errp);
102 
103 #endif /* QAUTHZ_BASE_H */
104