xref: /qemu/include/authz/base.h (revision e3a6e0da) 
1 /*
2  * QEMU authorization framework base class
3  *
4  * Copyright (c) 2018 Red Hat, Inc.
5  *
6  * This library is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU Lesser General Public
8  * License as published by the Free Software Foundation; either
9  * version 2 of the License, or (at your option) any later version.
10  *
11  * This library is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14  * Lesser General Public License for more details.
15  *
16  * You should have received a copy of the GNU Lesser General Public
17  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18  *
19  */
20 
21 #ifndef QAUTHZ_BASE_H
22 #define QAUTHZ_BASE_H
23 
24 #include "qapi/error.h"
25 #include "qom/object.h"
26 
27 
28 #define TYPE_QAUTHZ "authz"
29 
30 OBJECT_DECLARE_TYPE(QAuthZ, QAuthZClass,
31                     qauthz, QAUTHZ)
32 
33 
34 /**
35  * QAuthZ:
36  *
37  * The QAuthZ class defines an API contract to be used
38  * for providing an authorization driver for services
39  * with user identities.
40  */
41 
42 struct QAuthZ {
43     Object parent_obj;
44 };
45 
46 
47 struct QAuthZClass {
48     ObjectClass parent_class;
49 
50     bool (*is_allowed)(QAuthZ *authz,
51                        const char *identity,
52                        Error **errp);
53 };
54 
55 
56 /**
57  * qauthz_is_allowed:
58  * @authz: the authorization object
59  * @identity: the user identity to authorize
60  * @errp: pointer to a NULL initialized error object
61  *
62  * Check if a user @identity is authorized. If an error
63  * occurs this method will return false to indicate
64  * denial, as well as setting @errp to contain the details.
65  * Callers are recommended to treat the denial and error
66  * scenarios identically. Specifically the error info in
67  * @errp should never be fed back to the user being
68  * authorized, it is merely for benefit of administrator
69  * debugging.
70  *
71  * Returns: true if @identity is authorized, false if denied or if
72  * an error occurred.
73  */
74 bool qauthz_is_allowed(QAuthZ *authz,
75                        const char *identity,
76                        Error **errp);
77 
78 
79 /**
80  * qauthz_is_allowed_by_id:
81  * @authzid: ID of the authorization object
82  * @identity: the user identity to authorize
83  * @errp: pointer to a NULL initialized error object
84  *
85  * Check if a user @identity is authorized. If an error
86  * occurs this method will return false to indicate
87  * denial, as well as setting @errp to contain the details.
88  * Callers are recommended to treat the denial and error
89  * scenarios identically. Specifically the error info in
90  * @errp should never be fed back to the user being
91  * authorized, it is merely for benefit of administrator
92  * debugging.
93  *
94  * Returns: true if @identity is authorized, false if denied or if
95  * an error occurred.
96  */
97 bool qauthz_is_allowed_by_id(const char *authzid,
98                              const char *identity,
99                              Error **errp);
100 
101 #endif /* QAUTHZ_BASE_H */
102