/*
 * QEMU authorization framework base class
 *
 * Copyright (c) 2018 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
 *
 */

#ifndef QAUTHZ_BASE_H
#define QAUTHZ_BASE_H

#include "qapi/error.h"
#include "qom/object.h"


/* QOM type name of the abstract base; concrete authorization drivers
 * are expected to be registered as subtypes of this. */
#define TYPE_QAUTHZ "authz"

OBJECT_DECLARE_TYPE(QAuthZ, QAuthZClass,
                    QAUTHZ)


/**
 * QAuthZ:
 *
 * The QAuthZ class defines an API contract to be used
 * for providing an authorization driver for services
 * with user identities. It carries no state of its own;
 * it only exists to be subclassed by a driver that
 * implements the QAuthZClass::is_allowed callback.
 */

struct QAuthZ {
    Object parent_obj;
};


/**
 * QAuthZClass:
 * @parent_class: the QOM parent class
 * @is_allowed: driver callback deciding whether @identity is
 *    authorized. It is expected to follow the same contract as
 *    qauthz_is_allowed(): return true only when @identity is
 *    authorized, and on any internal error set @errp and return
 *    false so that an error is indistinguishable from a denial
 *    (fail closed). NOTE(review): the dispatch from
 *    qauthz_is_allowed() to this callback is not visible in this
 *    header; confirm in the base implementation.
 */
struct QAuthZClass {
    ObjectClass parent_class;

    bool (*is_allowed)(QAuthZ *authz,
                       const char *identity,
                       Error **errp);
};


/**
 * qauthz_is_allowed:
 * @authz: the authorization object
 * @identity: the user identity to authorize
 * @errp: pointer to a NULL initialized error object
 *
 * Check if a user @identity is authorized. If an error
 * occurs this method will return false to indicate
 * denial, as well as setting @errp to contain the details.
 * Callers are recommended to treat the denial and error
 * scenarios identically. Specifically the error info in
 * @errp should never be fed back to the user being
 * authorized, it is merely for benefit of administrator
 * debugging.
 *
 * Returns: true if @identity is authorized, false if denied or if
 * an error occurred.
 */
bool qauthz_is_allowed(QAuthZ *authz,
                       const char *identity,
                       Error **errp);


/**
 * qauthz_is_allowed_by_id:
 * @authzid: ID of the authorization object
 * @identity: the user identity to authorize
 * @errp: pointer to a NULL initialized error object
 *
 * Check if a user @identity is authorized. If an error
 * occurs this method will return false to indicate
 * denial, as well as setting @errp to contain the details.
 * Callers are recommended to treat the denial and error
 * scenarios identically. Specifically the error info in
 * @errp should never be fed back to the user being
 * authorized, it is merely for benefit of administrator
 * debugging.
 *
 * Convenience variant of qauthz_is_allowed() that takes the
 * object's ID rather than a QAuthZ pointer. A failure to resolve
 * @authzid is an error like any other and so yields a denial
 * (false) per the contract above. NOTE(review): the lookup itself
 * is not visible in this header; confirm the not-found case
 * against the implementation.
 *
 * Returns: true if @identity is authorized, false if denied or if
 * an error occurred.
 */
bool qauthz_is_allowed_by_id(const char *authzid,
                             const char *identity,
                             Error **errp);

#endif /* QAUTHZ_BASE_H */