xref: /qemu/include/authz/base.h (revision abff1abf) 
1 /*
2  * QEMU authorization framework base class
3  *
4  * Copyright (c) 2018 Red Hat, Inc.
5  *
6  * This library is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU Lesser General Public
8  * License as published by the Free Software Foundation; either
9  * version 2 of the License, or (at your option) any later version.
10  *
11  * This library is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14  * Lesser General Public License for more details.
15  *
16  * You should have received a copy of the GNU Lesser General Public
17  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18  *
19  */
20 
21 #ifndef QAUTHZ_BASE_H
22 #define QAUTHZ_BASE_H
23 
24 #include "qapi/error.h"
25 #include "qom/object.h"
26 
27 
28 #define TYPE_QAUTHZ "authz"
29 
30 #define QAUTHZ_CLASS(klass) \
31      OBJECT_CLASS_CHECK(QAuthZClass, (klass), \
32                         TYPE_QAUTHZ)
33 #define QAUTHZ_GET_CLASS(obj) \
34      OBJECT_GET_CLASS(QAuthZClass, (obj), \
35                       TYPE_QAUTHZ)
36 #define QAUTHZ(obj) \
37      OBJECT_CHECK(QAuthZ, (obj), \
38                   TYPE_QAUTHZ)
39 
40 typedef struct QAuthZ QAuthZ;
41 typedef struct QAuthZClass QAuthZClass;
42 
43 /**
44  * QAuthZ:
45  *
46  * The QAuthZ class defines an API contract to be used
47  * for providing an authorization driver for services
48  * with user identities.
49  */
50 
51 struct QAuthZ {
52     Object parent_obj;
53 };
54 
55 
56 struct QAuthZClass {
57     ObjectClass parent_class;
58 
59     bool (*is_allowed)(QAuthZ *authz,
60                        const char *identity,
61                        Error **errp);
62 };
63 
64 
65 /**
66  * qauthz_is_allowed:
67  * @authz: the authorization object
68  * @identity: the user identity to authorize
69  * @errp: pointer to a NULL initialized error object
70  *
71  * Check if a user @identity is authorized. If an error
72  * occurs this method will return false to indicate
73  * denial, as well as setting @errp to contain the details.
74  * Callers are recommended to treat the denial and error
75  * scenarios identically. Specifically the error info in
76  * @errp should never be fed back to the user being
77  * authorized, it is merely for benefit of administrator
78  * debugging.
79  *
80  * Returns: true if @identity is authorized, false if denied or if
81  * an error occurred.
82  */
83 bool qauthz_is_allowed(QAuthZ *authz,
84                        const char *identity,
85                        Error **errp);
86 
87 
88 /**
89  * qauthz_is_allowed_by_id:
90  * @authzid: ID of the authorization object
91  * @identity: the user identity to authorize
92  * @errp: pointer to a NULL initialized error object
93  *
94  * Check if a user @identity is authorized. If an error
95  * occurs this method will return false to indicate
96  * denial, as well as setting @errp to contain the details.
97  * Callers are recommended to treat the denial and error
98  * scenarios identically. Specifically the error info in
99  * @errp should never be fed back to the user being
100  * authorized, it is merely for benefit of administrator
101  * debugging.
102  *
103  * Returns: true if @identity is authorized, false if denied or if
104  * an error occurred.
105  */
106 bool qauthz_is_allowed_by_id(const char *authzid,
107                              const char *identity,
108                              Error **errp);
109 
110 #endif /* QAUTHZ_BASE_H */
111