include/authz/base.h

   1 /*
   2  * QEMU authorization framework base class
   3  *
   4  * Copyright (c) 2018 Red Hat, Inc.
   5  *
   6  * This library is free software; you can redistribute it and/or
   7  * modify it under the terms of the GNU Lesser General Public
   8  * License as published by the Free Software Foundation; either
   9  * version 2.1 of the License, or (at your option) any later version.
  10  *
  11  * This library is distributed in the hope that it will be useful,
  12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  14  * Lesser General Public License for more details.
  15  *
  16  * You should have received a copy of the GNU Lesser General Public
  17  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
  18  *
  19  */
  20
  21 #ifndef QAUTHZ_BASE_H
  22 #define QAUTHZ_BASE_H
  23
  24 #include "qapi/error.h"
  25 #include "qom/object.h"
  26
  27
  28 #define TYPE_QAUTHZ "authz"
  29
  30 OBJECT_DECLARE_TYPE(QAuthZ, QAuthZClass,
  31                     QAUTHZ)
  32
  33
  34 /**
  35  * QAuthZ:
  36  *
  37  * The QAuthZ class defines an API contract to be used
  38  * for providing an authorization driver for services
  39  * with user identities.
  40  */
  41
  42 struct QAuthZ {
  43     Object parent_obj;
  44 };
  45
  46
  47 struct QAuthZClass {
  48     ObjectClass parent_class;
  49
  50     bool (*is_allowed)(QAuthZ *authz,
  51                        const char *identity,
  52                        Error **errp);
  53 };
  54
  55
  56 /**
  57  * qauthz_is_allowed:
  58  * @authz: the authorization object
  59  * @identity: the user identity to authorize
  60  * @errp: pointer to a NULL initialized error object
  61  *
  62  * Check if a user @identity is authorized. If an error
  63  * occurs this method will return false to indicate
  64  * denial, as well as setting @errp to contain the details.
  65  * Callers are recommended to treat the denial and error
  66  * scenarios identically. Specifically the error info in
  67  * @errp should never be fed back to the user being
  68  * authorized, it is merely for benefit of administrator
  69  * debugging.
  70  *
  71  * Returns: true if @identity is authorized, false if denied or if
  72  * an error occurred.
  73  */
  74 bool qauthz_is_allowed(QAuthZ *authz,
  75                        const char *identity,
  76                        Error **errp);
  77
  78
  79 /**
  80  * qauthz_is_allowed_by_id:
  81  * @authzid: ID of the authorization object
  82  * @identity: the user identity to authorize
  83  * @errp: pointer to a NULL initialized error object
  84  *
  85  * Check if a user @identity is authorized. If an error
  86  * occurs this method will return false to indicate
  87  * denial, as well as setting @errp to contain the details.
  88  * Callers are recommended to treat the denial and error
  89  * scenarios identically. Specifically the error info in
  90  * @errp should never be fed back to the user being
  91  * authorized, it is merely for benefit of administrator
  92  * debugging.
  93  *
  94  * Returns: true if @identity is authorized, false if denied or if
  95  * an error occurred.
  96  */
  97 bool qauthz_is_allowed_by_id(const char *authzid,
  98                              const char *identity,
  99                              Error **errp);
 100
 101 #endif /* QAUTHZ_BASE_H */